In the world of networked systems, security is paramount. Ensuring that your data is protected and access is controlled is a fundamental requirement. With Bacalhau v1.3.0, we are stepping up our security game with more advanced user authentication and authorization control. This ensures that only authorized users can access and manage jobs, improving the security and control over your Bacalhau clusters.
Authentication That Works at Your Level
Bacalhau v1.3.0 introduces a flexible and customizable authentication and authorization system, tailored for both small and large teams and organizations. It’s designed to fit your existing auth frameworks, supporting multiple methods like private keys, shared secrets, usernames and passwords, 2FA, OAuth2/OIDC and SAML SSO.
This new feature is designed to be simple for single-node clusters yet scalable for extensive enterprise use. If you want to run a local cluster with zero ongoing configuration, a shared secret can grant users full access, adding an extra line of defense.
Large enterprises using platforms like Auth0, Google Workspace, Microsoft Azure AD, or similar for user management can integrate their existing user onboarding and offboarding processes with Bacalhau. This ensures access remains current and appropriate.
Authorization That Mirrors Your Organization Structure
Our new auth system offers nuanced access control, enabling distinct permissions for individual users, groups, or entire teams to manage nodes and jobs. For example, Bacalhau allows for personal workspaces for individual job creation, team-wide job management, and specific permissions like downloading job results without the ability to start or stop jobs. This level of authorization in Bacalhau v1.3.0 reflects the intricate trust structures within organizations.
You have the flexibility to use Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), or a custom solution to fit your needs. This allows you to tailor permissions and access rights to match your operational requirements perfectly.
Declarative auth policy in Bacalhau
Bacalhau auth is defined using custom auth policies which are controlled by the node operator. Auth policies are written in a language called Rego, an emerging standard for declarative access control systems used by Kubernetes and Envoy and supported by the Cloud Native Computing Foundation (CNCF). Operators familiar with defining access control for Kubernetes will already have a head-start on applying the same knowledge to Bacalhau.
Defining auth as policies like this is superior to traditional hard-coded configuration:
Flexibility: Declarative authorization and authentication policies offer a high level of customization, allowing you to define precise access control tailored to your unique use case.
Central Control: They make it easier to manage access control, as changes can be made in one place and then propagated across the system, and allow specifying auth requirements as a code-reviewed Infrastructure As Code (IaC) artifact.
Controlled Upgrade Path: Defined policies allow users to upgrade their authentication at their own pace as their cluster grows in size.
Testability: Declarative policies can be tested in isolation from the rest of the system, building confidence that changes don’t leave security gaps in access control.
Simpler Configuration: Declarative policies are typically easier to understand and maintain because they describe the desired state of the system, rather than the steps to achieve it.
Integrated Automation: They facilitate automation and integration with other systems, making it easier to keep your access control up-to-date and secure.
Getting started with our new auth system
To keep things simple, we’ve defined a number of example authentication and authorization policies that are secure for use in a production setting. Feel free to use these as a starting point to quickly develop your own custom policy.
A quick example authorization policy that allows access to only identified users with a valid auth token issued by your Bacalhau cluster could be as simple as:
package bacalhau.authz

import rego.v1

default token_valid = false

token_valid := valid if {
    authHeader := input.http.headers["Authorization"][0]
    startswith(authHeader, "Bearer ")
    accessToken := trim_prefix(authHeader, "Bearer ")
    [valid, header, claims] := io.jwt.decode_verify(accessToken, input.constraints)
}

default allow = false

allow if {
    # Allow unauthenticated users to authenticate!
    input.http.path[2] == "auth"
}

allow if {
    token_valid
}
The policy expects the user to have submitted a signed JWT in their Authorization HTTP header – which is what the Bacalhau CLI will do – and then grants them blanket access.
Deploying the Policy
Initially, Bacalhau allows all non-authenticated users to make API calls to read-only endpoints:
% curl http://<your-node>:1234/api/v1/agent/alive
{
  "Status": "OK"
}
Activating the policy is as simple as setting a configuration flag and restarting your Bacalhau node:
bacalhau config set Auth.AccessPolicy ~/path/to/your/policy.rego
With the policy in place, access is now denied to unauthenticated users:
% curl http://<your-node>:1234/api/v1/agent/alive
{
  "error": "code=401, message=Invalid token. ",
  "message": "Invalid token. "
}
Getting an authentication token
The easiest way to get an authentication token is to use the Bacalhau CLI which will handle the authentication process for you. Simply executing any command that interacts with the requester node (e.g. node list) will prompt the CLI to secure a token for you.
Default authentication uses your Bacalhau private key and happens automatically without any input needed from you. You can also choose to install a different authentication policy that uses usernames and passwords, 2FA or OIDC.
Once you have a token, API requests that use it will be successful again:
% curl -H "Authorization: Bearer $(jq -rcM '."http://<your-node>:1234"' <~/.bacalhau/tokens.json)" http://<your-node>:1234/api/v1/agent/alive
{
  "Status": "OK"
}
The Bacalhau CLI simplifies everything: direct your CLI to your requester node, and it automatically manages authentication, token usage, and token renewal upon expiration.
Moving forward, you can introduce rules based on JWT claims to manage access - for instance, allowing certain users to view node information but not submit jobs. Additionally, you could implement an entirely different mechanism for external API users, verifying API keys against a known list.
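The claim-based rules suggested above, written out as an added example (not taken from the original post or the Bacalhau project): it replaces blanket access with per-endpoint checks on the verified token. The `permissions` claim and its values, `input.http.method`, and the `orchestrator` path segments are assumptions; match them to what your authentication policy issues and what your node exposes.

```rego
package bacalhau.authz

import rego.v1

# Added example. Assumed, not from the page: input.http.method, "orchestrator"
# paths, and a hypothetical "permissions" claim issued by your authn policy.
default allow := false

# Verified token claims; undefined if the header or token fails verification.
claims := payload if {
    authHeader := input.http.headers["Authorization"][0]
    startswith(authHeader, "Bearer ")
    accessToken := trim_prefix(authHeader, "Bearer ")
    [valid, _, payload] := io.jwt.decode_verify(accessToken, input.constraints)
    valid
}

has_permission(p) if p in claims.permissions

read_methods := {"GET", "HEAD"}
write_methods := {"POST", "PUT", "DELETE"}
read_permission := {"nodes": "node:read", "jobs": "job:read"}

# Resource named by the path, e.g. /api/v1/orchestrator/jobs -> "jobs".
resource := input.http.path[3] if input.http.path[2] == "orchestrator"

# Unauthenticated users must still be able to reach the auth endpoints.
allow if input.http.path[2] == "auth"

# Any holder of a valid token may call read-only agent endpoints.
allow if {
    claims
    input.http.path[2] == "agent"
    input.http.method in read_methods
}

# Viewing nodes or jobs needs the matching read permission.
allow if {
    input.http.method in read_methods
    has_permission(read_permission[resource])
}

# Submitting or stopping jobs needs job:write; read permissions are not enough.
allow if {
    input.http.method in write_methods
    resource == "jobs"
    has_permission("job:write")
}
```

A token carrying only `node:read` can list nodes but is denied on job submission, and any request that matches no rule falls through to `default allow := false`.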
To begin with user authentication, review the auth docs, install a custom policy for managing user access and permissions, and start crafting a policy tailored to your needs.
Conclusion
The introduction of user authentication and authorization in Bacalhau v1.3.0 significantly improves security and control over Bacalhau clusters. Our focus is on creating a secure, flexible, and intuitive auth system for any team size, from small groups to large corporations. By embracing declarative policies and integrating with existing frameworks, we offer precise access control customized to organizational needs. This improvement enhances security and supports the dynamic nature of modern work environments, ensuring that our system is both durable and adaptable for future challenges.
If you’re interested in learning more about distributed computing and how it can benefit your work, there are several ways to connect with us. Visit our website, sign up to our bi-weekly office hour, join our Slack or send us a message.
Commercial Support
While Bacalhau is open-source software, the Bacalhau binaries go through the security, verification, and signing build process lovingly crafted by Expanso. You can read more about the difference between open source Bacalhau and commercially supported Bacalhau in our FAQ. If you would like to use our pre-built binaries and receive commercial support, please contact us!