28 lines
1.2 KiB
Markdown
28 lines
1.2 KiB
Markdown
## Supervisor Authentication
|
|
|
|
The supervisor has two authentication systems:
|
|
|
|
1. An authentication system based on scoped symmetric API keys.
|
|
2. An authentication of the signatures of a job's canonical representation.
|
|
|
|
The first is used to control access to the supervisor API, the second is used to authenticate the signatories of a job, such that the runners can implement access control based on the signatories.
|
|
|
|
#### API Key Management
|
|
|
|
API keys are used to authenticate requests to the supervisor. They are created using the `auth.key.create` method and can be listed using the `key.list` method.
|
|
|
|
#### API Key Scopes
|
|
|
|
API keys have a scope that determines what actions they can perform. The following scopes are available:
|
|
|
|
- `admin`: Full access to all supervisor methods.
|
|
- `registrar`: Access to methods related to job registration and management.
|
|
- `user`: Access to methods related to job execution and management.
|
|
|
|
#### API Key Usage
|
|
|
|
API keys are passed as a header in the `Authorization` field of the request. The format is `Bearer <key>`.
|
|
|
|
#### API Key Rotation
|
|
|
|
API keys can be rotated using the `key.remove` method. This will invalidate the old key and create a new one. |