Manage Service Accounts for Beatbox
The Beatbox is a standalone service without a backing identity provider or API gateway. To allow authentication and authorization, you can configure service accounts directly in the Beatbox configuration.
Service accounts are defined in the file-based configuration for the Beatbox instance, e.g. in the config/utilihive-flow-server-override.properties file. Note that all secrets must be BCrypt-encoded.
NOTE: The name of a service account is user-defined but must be unique for each account.
Basic Authentication
To authenticate using basic authentication, the username is the service account name, and the password is the plain-text password corresponding to the BCrypt-encoded password.
mc.flow-server.security.users.<Service-Account>.credentials=<bcryptEncodedPassword>
Flow Authentication with API Keys
The service account name is not used for authentication with API keys, but the service account still needs access to the flow.
The API key is sent in the x-api-key header.
mc.flow-server.security.users.<Service-Account>.apiKey=<bcryptEncodedApiKey>
BCrypt Encoding of Passwords and API Keys
NOTE: Use only ASCII characters in the passphrase. Other characters will not be handled correctly.
To generate a BCrypt-encoded password or API key, use the following command:
docker run --rm httpd:alpine \
sh -c 'htpasswd -nbBC 10 "" "<passphrase>"' | sed 's/\$2y\$/\$2a\$/' | tr -d ':\n'
Replace 10 with the desired cost factor (we recommend 10 or 12) and <passphrase> with the password or API key you want to encode.
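The following check is an added example, not part of the Beatbox documentation or tooling: it scans a properties file for credentials and apiKey entries whose values are not well-formed BCrypt strings. It assumes that Beatbox expects the $2a$ prefix that the sed step above produces and treats a cost factor below 10 as a finding; the account names and hash bodies in the sample are constructed.

```python
import re

# Properties that the page says must hold BCrypt-encoded values.
SECRET_KEY = re.compile(
    r"^mc\.flow-server\.security\.users\.([^.]+)\.(credentials|apiKey)$")
# Modular-crypt BCrypt string: $2<variant>$<cost>$<22-char salt + 31-char hash>.
BCRYPT = re.compile(r"^\$2([abxy])\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumption: lower bound of the page's recommendation (10 or 12)


def lint_properties(text, min_cost=MIN_COST):
    """Return a list of (line_no, account, property, problem) tuples."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = SECRET_KEY.match(key)
        if not match:
            continue  # not a secret-bearing property (e.g. resourceAccesses)
        account, prop = match.groups()
        parsed = BCRYPT.match(value)
        if not parsed:
            problem = "value is not a BCrypt string (plain text or truncated?)"
        elif parsed.group(1) != "a":
            problem = "prefix is $2%s$, expected $2a$" % parsed.group(1)
        elif int(parsed.group(2)) < min_cost:
            problem = "cost factor %s is below %d" % (parsed.group(2), min_cost)
        else:
            continue
        findings.append((line_no, account, prop, problem))
    return findings


# Constructed sample: BODY is filler in the BCrypt alphabet, not a real hash.
BODY = "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE = "\n".join([
    "mc.flow-server.security.users.billing.credentials=$2a$10$" + BODY,
    "mc.flow-server.security.users.meter.apiKey=$2y$10$" + BODY,
    "mc.flow-server.security.users.legacy.credentials=$2a$04$" + BODY,
    "mc.flow-server.security.users.ops.apiKey=hunter2",
    "mc.flow-server.security.users.ops.resourceAccesses=my-flow",
])

if __name__ == "__main__":
    for finding in lint_properties(SAMPLE):
        print("line %d: %s.%s: %s" % finding)
```

The check validates only the shape of each value; it cannot tell whether a hash corresponds to the intended passphrase.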
Flow Access Control
Flow access control can be configured in the same file; however, it is recommended to use the flow-access.properties file, which can be deployed with the flows.
See the Flow Access Properties documentation for more details.
Example configuration:
mc.flow-server.security.users.<Service-Account>.resourceAccesses=my-flow, my-other-flow
mc.flow-server.security.users.<Service-Account>.resourceAccesses=.*