Example VTAdmin Authenticator implementation

user_key_authenticator.go

package main

import (
	"ctx"
	"http"
	"strings"
	
	"google.golang.org/grpc/metadata"

	"vitess.io/vitess/go/vt/log"
	"vitess.io/vitess/go/vt/vtadmin/rbac"
)

type userKeyAuthenticator struct{}

func (authn *userKeyAuthenticator) Authenticate(ctx context.Context) (*rbac.Actor, error) {
	md, ok := metadata.FromIncomingContext(ctx)
	if !ok {
		return nil, nil
	}

	if user := md.Get("user"); len(user) > 0 {
		name := user[0]
		roles := user[1:]
		return &rbac.Actor{
			Name:  name,
			Roles: roles,
		}, nil
	}

	return nil, nil
}

func (authn *userKeyAuthenticator) AuthenticateHTTP(r *http.Request) (*rbac.Actor, error) {
	cookie, err := r.Cookie("user")
	if err != nil {
		log.Infof(`no "user" cookie: %v`, err)
		return nil, nil
	}

	// expect the cookie to be a CSV of "name,role1,role2,...,roleN"
	if user := strings.Split(cookie.Value, ","); len(user) > 0 {
		name := user[0]
		roles := user[1:]

		return &rbac.Actor{
			Name:  name,
			Roles: roles,
		}, nil
	}

	log.Infof(`empty "user" cookie`)

	return nil, nil
}

// Required to use plugin-mode
func NewAuthenticator() rbac.Authenticator { return &userKeyAuthenticator{} }