diff --git a/docs/docs/workflows/user-authentication.md b/docs/docs/workflows/user-authentication.md index 1b8250bf..6f0121e6 100644 --- a/docs/docs/workflows/user-authentication.md +++ b/docs/docs/workflows/user-authentication.md @@ -1,32 +1,32 @@ # User authentication -Some privileged workflows require a user to authenticate themselves to the MarbleRun Coordinator. +Privileged workflows require a user to authenticate themselves to the MarbleRun Coordinator. This is done by first [adding a user to the manifest](./define-manifest.md#users) and then using the certificate and matching private key as TLS client credentials when connecting to the Coordinator. -## File based authentication +## File-based authentication -With file based authentication, you need to have access to a private key and certificate as PEM formatted files. +With file-based authentication, you need to have access to a private key and certificate as PEM-formatted files. For example, you can generate your credentials using the following `openssl` command: -```sh +```bash openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout admin_private.pem -out admin_certificate.pem ``` You can then use these files to authenticate with the MarbleRun Coordinator: -```sh +```bash marblerun --cert admin_certificate.pem --key admin_private.pem [COMMAND] ``` -## PKCS#11 based authentication +## PKCS #11-based authentication -MarbleRun's CLI supports authentication with private keys stored in a PKCS#11 compatible device. -To load client credentials using PKCS#11, a [PKCS#11 config file](https://pkg.go.dev/github.com/ThalesGroup/crypto11@v1.2.6#Config) must be provided, which specifies how to access the PKCS#11 token. -Additionally, the ID and/or label of the private key and certificate must be provided to the CLI. +The MarbleRun CLI supports authentication with private keys stored in a PKCS #11-compatible device. +To load client credentials using PKCS #11, you must provide a [PKCS #11 config file](https://pkg.go.dev/github.com/ThalesGroup/crypto11@v1.2.6#Config), which specifies how to access the PKCS #11 token. +Additionally, you must provide the ID and/or label of the private key and certificate to the CLI. -The PKCS#11 config file is a JSON file that should specify the following fields: +The PKCS #11 config file is a JSON file that should specify the following fields: -- `Path` (string) - The full path to the PKCS#11 shared library. +- `Path` (string) - The full path to the PKCS #11 shared library. - `Pin` (string) - The PIN (password) to access the token. - One of: - `TokenSerial` (string) - Serial number of the token to use. @@ -35,16 +35,16 @@ The PKCS#11 config file is a JSON file that should specify the following fields: The following shows an example for authenticating with a key and certificate stored in a token with the label `marblerun-token`: -```json5 +```json { - "Path": "/usr/lib/softhsm/libsofthsm2.so", # Replace with path to your PKCS#11 shared library + "Path": "/usr/lib/softhsm/libsofthsm2.so", # Replace with path to your PKCS #11 shared library "TokenLabel": "marblerun-token", "Pin": "1234" # Replace with your token's actual password } ``` -Assuming the key and certificate have the label `marblerun-key` and `marblerun-cert` respectively, the CLI can be invoked as follows: +Assuming the key and certificate have the label `marblerun-key` and `marblerun-cert` respectively, invoked the CLI as follows: -```sh +```bash marblerun --pkcs11-config /path/to/pkcs11-config.json --pkcs11-key-label marblerun-key --pkcs11-cert-label marblerun-cert [COMMAND] ``` diff --git a/docs/sidebars.js b/docs/sidebars.js index ec164185..112d2686 100644 --- a/docs/sidebars.js +++ b/docs/sidebars.js @@ -160,6 +160,11 @@ const sidebars = { label: 'Backup and restore', id: 'workflows/backup', }, + { + type: 'doc', + label: 'User authentication', + id: 'workflows/user-authentication', + }, { type: 'doc', label: 'Update a manifest',