Documentation
Administration
Authentication and Authorization

Authentication and Authorization

All API calls to Couic require an authentication token. Couic provides a straightforward authentication and authorization mechanism to control access to its API.

Client file

Client definitions are stored as TOML files in Couic’s working directory.

            • couicctl.toml
            • monitoring.toml

        • Each file is named after the client and contains its authentication token (UUIDv4) and associated group.

        For security, client files must be restricted so that only the couic user has read/write access (chmod 600).

        Couic verifies the validity of file permissions, the token format, and the uniqueness of tokens. If any errors are detected, Couic will refuse to start, or a log entry will be generated to indicate the issue.

        Example of client file:

        /var/lib/couic/rbac/clients/monitoring.toml
        token = "ae976197-2602-447d-a281-b29e20abb7c1"
group = "monitoring"

        Default client couicctl

        When Couic starts, it automatically creates a default client file for couicctl if it does not already exist. This command-line tool is assigned to the admin group, granting it full administrative privileges (See RBAC).

        Role-Based Access Control (RBAC)

        Each client/token is associated with a user group, which is currently hardcoded within the application according to the following matrix of permissions:

        Action/Roleadminclientrwclientropeeringmonitoring
        client add
        client get
        client list
        client delete
        drop/ignore add
        drop/ignore get
        drop/ignore list
        drop/ignore delete
        drop peer
        stats get
        stats list
        sets add
        sets get
        sets list
        sets delete
        sets reload

        Manage client using CLI

        Add a new client to clientrw group

        command
        couicctl clients add -n superclient -g clientrw
        output
        ┌─────────────┬──────────┬──────────────────────────────────────┐
│ Name        ┆ Group    ┆ Token                                │
╞═════════════╪══════════╪══════════════════════════════════════╡
│ superclient ┆ clientrw ┆ 01115f88-fd3d-4fbd-b205-44c90e81dae5 │
└─────────────┴──────────┴──────────────────────────────────────┘

        List all clients

        command
        couicctl clients list
        output
        ┌─────────────┬────────────┬──────────────────────────────────────┐
│ Name        ┆ Group      ┆ Token                                │
╞═════════════╪════════════╪══════════════════════════════════════╡
│ superclient ┆ clientrw   ┆ 01115f88-fd3d-4fbd-b205-44c90e81dae5 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ prometheus  ┆ monitoring ┆ d6ac883a-8050-4408-bf1e-5b07e9965191 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ couicctl    ┆ admin      ┆ 79deb94f-5dd1-417f-8842-667d8dff4480 │
└─────────────┴────────────┴──────────────────────────────────────┘

        Delete a client

        command
        couicctl clients delete prometheus
        couicctl provides full control of Couic through its REST API. For more details, see the couicctl reference.
        AdministrationReverse Proxy