- Endpoint identification by endpoint token.
- Client authentication by username/password combination.
- Client authentication by client SSL certificate (using the issuer field and certificate serial number).
CM provides REST APIs to manage client and endpoint credentials and their states. CM maintains a credential state machine summarized in the following diagram.
Credentials can be in one of the following states:
- Inactive is the initial state of a newly provisioned credential that has not yet been used to authenticate an endpoint or a client.
- Active is the state a credential automatically moves to on its first successful use for endpoint or client authentication. Active credentials can be suspended or revoked.
- Suspended is the state of temporarily disabled credentials. CM rejects authentication requests that present suspended credentials. Suspended credentials can be re-activated.
- Revoked is the terminal state for credentials that are no longer valid; a revoked credential cannot be re-activated.
CM persists all credential-related data to MariaDB.
CM supports a number of interfaces to perform its functional role. The key supported interfaces are summarized in the following diagram.
For inter-service communication, Kaa services mainly use REST APIs and messaging protocols that run over the NATS messaging system.
CM implements the Endpoint and Client Authentication Protocol, which Communication services use to validate the credentials presented by endpoints and clients.
CM broadcasts an endpoint token revocation event or a client credential revocation event whenever the corresponding endpoint or client credentials transition from the active state to the suspended or revoked state, or are deleted. Consumers of these events can therefore drop a credential as soon as it is disabled, without polling CM.
CM provides a REST-based interface to manage endpoint and client credentials:
- provisioning new credentials
- transitioning credentials states
- deleting credentials
EP unregistered events
CM listens to endpoint unregistered events to keep the set of valid endpoint credentials up to date. On receiving such an event, CM deletes the corresponding endpoint tokens from the database.
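The following model ties together the credential state machine, the authentication check, the revocation events and the endpoint unregistered handler described above. It is an added example written for this page, not Kaa's own CM code: an in-memory dictionary stands in for the MariaDB table, a plain list stands in for the NATS broadcast, and the event topic names, the `Credential`/`CredentialManager` classes and the rule that a credential cannot be moved manually out of the inactive state are assumptions, not something the page specifies.

```python
"""Model of the CM credential lifecycle (added example, not Kaa's code).
Assumed: in-memory store instead of MariaDB, a list instead of NATS."""
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    INACTIVE = "inactive"
    ACTIVE = "active"
    SUSPENDED = "suspended"
    REVOKED = "revoked"


# Operator-driven transitions the page allows. INACTIVE -> ACTIVE is absent
# because it happens only implicitly, on first successful use; REVOKED is
# terminal. Assumption: no manual transitions out of INACTIVE.
TRANSITIONS = {
    State.INACTIVE: set(),
    State.ACTIVE: {State.SUSPENDED, State.REVOKED},
    State.SUSPENDED: {State.ACTIVE, State.REVOKED},
    State.REVOKED: set(),
}


@dataclass
class Credential:
    credential_id: str
    kind: str                        # "endpoint" or "client"
    secret: str                      # endpoint token or client password
    endpoint_id: Optional[str] = None
    state: State = State.INACTIVE


@dataclass
class CredentialManager:
    store: Dict[str, Credential] = field(default_factory=dict)   # stand-in for MariaDB
    events: List[Tuple[str, str]] = field(default_factory=list)  # stand-in for NATS

    def provision(self, credential_id: str, kind: str, secret: str,
                  endpoint_id: Optional[str] = None) -> Credential:
        if credential_id in self.store:
            raise ValueError(f"credential {credential_id!r} already exists")
        cred = Credential(credential_id, kind, secret, endpoint_id)
        self.store[credential_id] = cred
        return cred

    def authenticate(self, credential_id: str, presented: str) -> bool:
        """The check a Communication service asks CM to perform."""
        cred = self.store.get(credential_id)
        # Constant-time comparison so a wrong secret leaks no timing signal.
        if cred is None or not hmac.compare_digest(cred.secret.encode(), presented.encode()):
            return False
        if cred.state in (State.SUSPENDED, State.REVOKED):
            return False               # disabled credentials are rejected
        if cred.state is State.INACTIVE:
            cred.state = State.ACTIVE  # first successful use activates it
        return True

    def transition(self, credential_id: str, target: State) -> State:
        cred = self.store[credential_id]
        if target not in TRANSITIONS[cred.state]:
            raise ValueError(f"illegal transition {cred.state.value} -> {target.value}")
        previous, cred.state = cred.state, target
        # Only leaving ACTIVE for a disabled state is broadcast; SUSPENDED -> REVOKED
        # is not, since consumers already dropped the credential on suspension.
        if previous is State.ACTIVE and target is not State.ACTIVE:
            self._broadcast_revocation(cred)
        return cred.state

    def delete(self, credential_id: str) -> None:
        cred = self.store.pop(credential_id)
        self._broadcast_revocation(cred)   # deletion is broadcast in any state

    def on_endpoint_unregistered(self, endpoint_id: str) -> List[str]:
        """Handler for the EP unregistered event: drop that endpoint's tokens."""
        doomed = [c.credential_id for c in self.store.values()
                  if c.kind == "endpoint" and c.endpoint_id == endpoint_id]
        for credential_id in doomed:
            self.delete(credential_id)
        return doomed

    def _broadcast_revocation(self, cred: Credential) -> None:
        topic = ("endpoint-token-revoked" if cred.kind == "endpoint"
                 else "client-credentials-revoked")   # hypothetical topic names
        self.events.append((topic, cred.credential_id))
```

Two details are worth noticing when reading the model against the page: a wrong secret never advances an inactive credential to active, so an attacker guessing tokens cannot change credential state, and re-activating a suspended credential emits no event, so any consumer that caches revocations must re-query CM (or re-authenticate) rather than assume a once-revoked token stays revoked forever.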
CM is integrated with the Kaa Tekton for centralized application configuration management. It receives configuration update messages from Tekton over 17/SCMP and uses Tekton REST API to retrieve current configs.
See configuration for more information.
Kaa Tenant Manager integration
CM supports multi-tenancy, with each tenant using a separate OAuth 2.0 issuer for authentication, authorization, and resource management. The list of existing tenants is managed by [the Kaa Tenant Manager][Tenant Manager], which provides a REST API for retrieving tenant security configs.
See the security configuration for more details on how to enable multi-tenancy in CM.