alexandrebouthinon/traefik-kuzzle-auth

Traefik plugin: Kuzzle Auth

What?

This is a Traefik Basic Auth plugin that uses Kuzzle as the authentication provider.

Why?

One authentication system to rule them all 😎

Kuzzle offers a complex and fine-grained RBAC authentication system, so why not use it everywhere?

How?

⚠️ At this time, the Traefik plugin system is still an experimental feature; use it with caution. You can freeze your Traefik version to increase stability if you want to use this plugin in a real-world use case.

Prerequisites

  • A valid Traefik Pilot token for your Traefik instance.
  • A running Kuzzle server in which one or more users are configured.

Demo

You can find a demonstration Docker Compose file (docker-compose.demo.yml) in the repository root.

TRAEFIK_PILOT_TOKEN="xxxx" docker-compose -f docker-compose.demo.yml up -d

This will launch:

  • A complete Kuzzle stack (Kuzzle, Elasticsearch and Redis containers).
  • A Traefik instance with the dashboard and the latest released plugin version enabled, available only to the admin Kuzzle user.
  • A whoami instance available to both the admin and developer Kuzzle users.

Once all containers are started and healthy, you can use the Kuzzle Admin Console to create your users (admin and developer).

Installation

Declare it in the Traefik configuration:

YAML

pilot:
  token: "xxxx"
experimental:
  plugins:
    traefik-kuzzle-auth:
        moduleName: github.com/alexandrebouthinon/traefik-kuzzle-auth
        version: v0.1.0

TOML

[pilot]
  token = "xxxx"
[experimental.plugins.traefik-kuzzle-auth]
    moduleName = "github.com/alexandrebouthinon/traefik-kuzzle-auth"
    version = "v0.1.0"

CLI

--pilot.token=${TRAEFIK_PILOT_TOKEN}
--experimental.plugins.traefik-kuzzle-auth.moduleName=github.com/alexandrebouthinon/traefik-kuzzle-auth
--experimental.plugins.traefik-kuzzle-auth.version=v0.1.0

Configuration

YAML

middlewares:
  your-well-named-middleware:
    plugin:
      traefik-kuzzle-auth:
        customRealm: "Use a valid Kuzzle user to authenticate" # optional
        kuzzle:
          url: "http://localhost:7512" # required
          routes: # optional
            login: /_login/local
            getCurrentUser: /_me # With Kuzzle v1 you must use '/users/_me'
          allowedUsers: # optional
            - admin
            - developer

TOML

[middlewares]
  [middlewares.your-well-named-middleware]
    [middlewares.your-well-named-middleware.plugin]
      [middlewares.your-well-named-middleware.plugin.traefik-kuzzle-auth]
        customRealm = "Use a valid Kuzzle user to authenticate" # optional
        
        [middlewares.your-well-named-middleware.plugin.traefik-kuzzle-auth.kuzzle]
          url = "http://localhost:7512" # required
          allowedUsers = ["admin", "developer"] # optional

          [middlewares.your-well-named-middleware.plugin.traefik-kuzzle-auth.kuzzle.routes] # optional
            login = "/_login/local"
            getCurrentUser = "/_me" # With Kuzzle v1 you must use '/users/_me'

Docker Compose Labels

labels:
  - "traefik.http.middlewares.your-well-named-middleware.plugin.traefik-kuzzle-auth.customRealm=Use a valid Kuzzle user to authenticate" # optional
  - "traefik.http.middlewares.your-well-named-middleware.plugin.traefik-kuzzle-auth.kuzzle.url=http://kuzzle:7512" # required
  - "traefik.http.middlewares.your-well-named-middleware.plugin.traefik-kuzzle-auth.kuzzle.routes.login=/_login/local" # optional
  - "traefik.http.middlewares.your-well-named-middleware.plugin.traefik-kuzzle-auth.kuzzle.routes.getCurrentUser=/_me" # With Kuzzle v1 you must use '/users/_me' (optional)
  - "traefik.http.middlewares.your-well-named-middleware.plugin.traefik-kuzzle-auth.kuzzle.allowedUsers=admin,developer" # optional
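
How the keys above could fit together in a Basic Auth middleware, as an added Go sketch that is not the plugin's own code: the credentials are posted to routes.login, the returned token is presented to routes.getCurrentUser, and the resulting user id is checked against allowedUsers. The function names, the username/password login body and the {"result": {"_id", "jwt"}} response envelope are assumptions, and this sketch denies everyone when the allow-list is empty.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
	"time"
)

// kuzzleField returns result[field] from a Kuzzle reply, "" on any failure (envelope shape is assumed).
func kuzzleField(method, url string, hdr http.Header, body, field string) (s string) {
	req, err := http.NewRequest(method, url, strings.NewReader(body))
	if err != nil {
		return ""
	}
	req.Header = hdr
	resp, err := (&http.Client{Timeout: 5 * time.Second}).Do(req)
	if err != nil {
		return ""
	}
	defer resp.Body.Close()
	var out struct{ Result map[string]interface{} }
	if resp.StatusCode == http.StatusOK && json.NewDecoder(resp.Body).Decode(&out) == nil {
		s, _ = out.Result[field].(string)
	}
	return s
}

// Authorize fails closed: Basic Auth -> login route -> getCurrentUser route -> allow-list.
func Authorize(r *http.Request, url, login, me string, allowed []string) bool {
	user, pass, ok := r.BasicAuth()
	if !ok {
		return false
	}
	creds, _ := json.Marshal(map[string]string{"username": user, "password": pass})
	jwt := kuzzleField("POST", url+login, http.Header{"Content-Type": {"application/json"}}, string(creds), "jwt")
	if jwt == "" {
		return false
	}
	id := kuzzleField("GET", url+me, http.Header{"Authorization": {"Bearer " + jwt}}, "", "_id")
	for _, a := range allowed {
		if id != "" && a == id {
			return true
		}
	}
	return false
}

func main() { println(Authorize(&http.Request{}, "http://localhost:7512", "/_login/local", "/_me", nil)) }
```

In this sketch the user's password is forwarded to kuzzle.url on each request, so with an http:// URL that hop should stay on a private network.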

Development

You can find a development Docker Compose file (docker-compose.dev.yml) in the repository root.

TRAEFIK_PILOT_TOKEN="xxxx" docker-compose -f docker-compose.dev.yml up -d

This will launch:

  • A complete Kuzzle stack (Kuzzle, Elasticsearch and Redis containers).
  • A Traefik instance with the dashboard and the latest released plugin version enabled, available only to the admin Kuzzle user.
  • A whoami instance available to both the admin and developer Kuzzle users.

Once all containers are started and healthy, you can use the Kuzzle Admin Console to create your users (admin and developer).

Roadmap

New ideas are welcome: feel free to open an issue and let's discuss it 😉

What is Kuzzle?

Kuzzle is a generic backend offering the basic building blocks common to every application.

Rather than developing the same standard features over and over again each time you create a new application, Kuzzle offers them off the shelf, allowing you to focus on building high-level, high-value business functionalities.

Kuzzle enables you to build modern web applications and complex IoT networks in no time.

  • API First: use a standardised multi-protocol API.
  • Persisted Data: store your data and perform advanced searches on it.
  • Realtime Notifications: use the pub/sub system or subscribe to database notifications.
  • User Management: login, logout and security rules are no longer a burden.
  • Extensible: develop advanced business features directly with the integrated framework.
  • Client SDKs: use our SDKs to accelerate the frontend development.