Skip to main content

Module auth

Module auth 

Source
Expand description

Authentication and authorization for the Cypher Flight SQL server.

§Authentication — who are you?

Three methods, any combination, to cover the clients that matter:

  • Bearer token — a shared secret in authorization: Bearer <token>. More than one token can be valid at once (a token set) so a secret can be rotated without downtime: add the new token, let clients migrate, then drop the old one — both are accepted during the overlap window.
  • Basic (username / password)authorization: Basic <base64>. This is what generic Flight SQL clients on Windows use: Power BI’s ADBC connector and the Arrow Flight SQL ODBC driver send username/password, first through the Flight Handshake (which issues a bearer token) and then on every call.
  • mutual TLS — client-certificate auth, configured at the transport in crate::server (TlsOptions::client_ca_pem); orthogonal to the header methods here.

The same AuthConfig drives both the per-call interceptor and the handshake, so the two can never disagree about who is allowed in.

§Authorization — what may you run?

Authentication answers who; the Authorizer answers what. After a query is resolved to its registered table name, the authorizer is consulted with the caller’s Identity and may deny it (permission_denied). The default is Authorizer::AllowAll — no behavior change — but Authorizer::AllowList restricts each identity to a named subset of registered queries, and Authorizer::Custom takes an arbitrary closure.

Structs§

AuthConfig
Which credentials the server accepts. An empty config (the default) means the server is open — no interceptor is installed.
BasicCredential
A username / password pair accepted via Basic auth.

Enums§

Authorizer
Per-query authorization hook, consulted after a query resolves to its registered name. Dependency-light by design — no external policy engine.
Identity
The authenticated caller, as resolved from the authorization header.