mirror of https://github.com/xcat2/confluent.git synced 2025-02-06 14:02:38 +00:00

Add node api key and arming

This is the groundwork for having node authentication.
The intent is for calling code to modify api.armed if
the administrator wants to opt into a one-time set of
credentials.

This design as is currently does not fit a stateless
deploy model.  That may suggest an additional manual step
for a fully stateless model.  Alternatively adding support
for credential persistence through sealing to a node's TPM,
which would allow more freely retrievable node credentials.
Jarrod Johnson 2019-08-12 15:28:00 -04:00
parent aaf5aebff7
commit 55a0aab548


@ -97,6 +97,15 @@ node = {
'description': ('Classification of node as server or switch'),
'validvalues': ('switch', 'server'),
},
'api.key': {
'description': ('Crypt of api key for self api requests by node'),
},
'api.armed': {
'description': ('Indicates whether an insecure api key request is allowed. '
'The format is an expiration time in ISO8601 format. When '
'the indicated time passes or the first time a node claims '
'the key, key grants will not be allowed.'),
}
#'id': {
# 'description': ('Numeric identifier for node')
#},
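Review bot: the closing brace of the new 'api.armed' entry has no trailing comma, unlike 'api.key' and the entry before it. If any live key follows the commented-out 'id' block in this dict, the module will fail to parse, so end the entry with `},`. The 'api.armed' description should also state which timezone the ISO8601 expiration is evaluated in and what an empty or unparseable value means; treating both as "not armed" would keep the insecure key grant closed by default. For 'api.key', consider naming the crypt scheme expected in the description so calling code knows what format to store and compare against.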