Manage Service Accounts for Beatbox
The Beatbox is a standalone service without a backing identity provider or API gateway. To allow authentication and authorization you can configure service accounts directly in the Beatbox configuration.
Service accounts are defined in the file-based configuration for the Beatbox instance, e.g. in the config/utilihive-flow-server-override.properties file. Note that all secrets must be BCrypt-encoded.
NOTE: The name of a service account is user-defined but must be unique for each account.
Basic Authentication
To authenticate using basic authentication, the username is the service account name, and the password is the plain-text password corresponding to the BCrypt-encoded password.
mc.flow-server.security.users.<Service-Account>.credentials=<bcryptEncodedPassword>
Flow Authentication with API Keys
The service account name is not used for authentication with API keys, but the service account still needs access to the flow.
The API key is sent in the x-api-key header.
mc.flow-server.security.users.<Service-Account>.apiKey=<bcryptEncodedApiKey>
BCrypt Encoding of Passwords and API Keys
NOTE: Use only ASCII characters in the passphrase. Other characters will not be handled correctly.
To generate a BCrypt-encoded password or API key, use the following command:
docker run --rm httpd:alpine \
sh -c 'htpasswd -nbBC 10 "" "<passphrase>"' | sed 's/\$2y\$/\$2a\$/' | tr -d ':\n'
Replace 10 with the desired cost factor (we recommend 10 or 12) and <passphrase> with the password or API key you want to encode.
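A check that can be run over the override file before deploying, as an added example that is not part of the Beatbox product or its documentation: it flags values that are not `$2a$` BCrypt hashes, cost factors below 10, and repeated definitions for the same account. It assumes only the `key=value` form shown on this page; the account names `reporting` and `batch` and all sample values are constructed.

```python
import re

# Key layout as documented on this page; the rest is this example's own checking logic.
KEY_RE = re.compile(
    r"^mc\.flow-server\.security\.users\.(?P<name>.+)\.(?P<kind>credentials|apiKey)$")
# "$2a$", two-digit cost, "$", then 53 characters of salt and digest.
BCRYPT_2A_RE = re.compile(r"^\$2a\$(?P<cost>\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumption: the lower of the two cost factors recommended here


def lint_service_accounts(text, min_cost=MIN_COST):
    """Return (line_number, account, message) findings for a properties text."""
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue  # comments, blanks; only the key=value form shown here is handled
        key, value = (part.strip() for part in line.split("=", 1))
        match = KEY_RE.match(key)
        if match is None:
            continue
        name, kind = match.group("name"), match.group("kind")
        if (name, kind) in seen:
            findings.append((lineno, name, f"{kind} already set on line {seen[name, kind]}"))
        seen.setdefault((name, kind), lineno)
        parsed = BCRYPT_2A_RE.match(value)
        if parsed is None:
            why = ("hash still has the $2y$ prefix" if value.startswith("$2y$")
                   else "value is not a BCrypt hash, possibly a plain-text secret")
            findings.append((lineno, name, why))
        elif int(parsed.group("cost")) < min_cost:
            findings.append((lineno, name, f"cost {int(parsed.group('cost'))} is below {min_cost}"))
    return findings


# Constructed sample: FAKE is a 53-character filler, not a real salt and digest.
FAKE = "abcdefghijklmnopqrstuv" + "." * 31
PREFIX = "mc.flow-server.security.users."
SAMPLE = "\n".join([
    f"{PREFIX}myServiceAccount.credentials=$2a$10${FAKE}",
    f"{PREFIX}myApiUser.apiKey=$2y$10${FAKE}",
    f"{PREFIX}reporting.credentials=hunter2-plain",
    f"{PREFIX}batch.apiKey=$2a$04${FAKE}",
    f"{PREFIX}myServiceAccount.credentials=$2a$12${FAKE}",
])

if __name__ == "__main__":
    for lineno, account, message in lint_service_accounts(SAMPLE):
        print(f"line {lineno}: {account}: {message}")
```

The findings report only line number, account name and reason, so the output can be pasted into a ticket without exposing the configured values.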
Flow Access Control
Flow access control is configured in the flow-access.properties file, which is deployed with the flows.
See the Flow Access Properties documentation for more details.
Each property key is a Service Account name and the value is a comma-separated list of flow IDs. Regular expressions are supported.
Example flow-access.properties for the case where service accounts named myServiceAccount and myApiUser have been created and the "Connect Owner Id" is gridos:
myServiceAccount=my-flow-id, my-other-flow-id
myApiUser=.*
gridos-poller=my-.*-poller-flow-id