Expand description
Authentication and authorization for the Cypher Flight SQL server.
§Authentication — who are you?
Three methods, any combination, to cover the clients that matter:
- Bearer token — a shared secret in
authorization: Bearer <token>. More than one token can be valid at once (a token set) so a secret can be rotated without downtime: add the new token, let clients migrate, then drop the old one — both are accepted during the overlap window. - Basic (username / password) —
authorization: Basic <base64>. This is what generic Flight SQL clients on Windows use: Power BI’s ADBC connector and the Arrow Flight SQL ODBC driver send username/password, first through the FlightHandshake(which issues a bearer token) and then on every call. - mutual TLS — client-certificate auth, configured at the transport in
crate::server(TlsOptions::client_ca_pem); orthogonal to the header methods here.
The same AuthConfig drives both the per-call interceptor and the
handshake, so the two can never disagree about who is allowed in.
§Authorization — what may you run?
Authentication answers who; the Authorizer answers what. After a
query is resolved to its registered table name, the authorizer is consulted
with the caller’s Identity and may deny it (permission_denied). The
default is Authorizer::AllowAll — no behavior change — but
Authorizer::AllowList restricts each identity to a named subset of
registered queries, and Authorizer::Custom takes an arbitrary closure.
Structs§
- Auth
Config - Which credentials the server accepts. An empty config (the default) means the server is open — no interceptor is installed.
- Basic
Credential - A username / password pair accepted via Basic auth.
Enums§
- Authorizer
- Per-query authorization hook, consulted after a query resolves to its registered name. Dependency-light by design — no external policy engine.
- Identity
- The authenticated caller, as resolved from the
authorizationheader.