esm auth server #35

Supports: xenial bionic


This Go server coordinates with nginx for handling ESM authorization, using the nginx auth_request mechanism. The server returns a 200 response with an empty body if access is granted and a 401 response with an empty body otherwise. When a request arrives, the server extracts the resource token from the Authorization header of the incoming request and calls the /v1/resources/esm?token=... endpoint on the contract service to validate that the resource token is entitled to perform the request. The contract service returns the entitlement in its response body; if the token carries no entitlement, the server answers 401.
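The auth_request flow described above, as an added example that is not the charm's or the esm-auth-server's own code. It assumes that the resource token arrives either as `Bearer <token>` or as the password half of a Basic credential, that a 200 with a non-empty body from the contract service's /v1/resources/esm endpoint means the token is entitled, and that the nginx locations in the comment are illustrative; the fake contract service, its URL and the token `tok-esm-infra-1` are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// nginx side (illustrative assumption): `location = /auth { internal; proxy_pass http://127.0.0.1:8080/auth;
// proxy_pass_request_body off; proxy_set_header Content-Length ""; }` plus `auth_request /auth;` in the
// protected location. nginx lets the protected request through only when /auth answers 2xx.

// AuthServer answers auth_request subrequests by consulting the contract service.
type AuthServer struct {
	ContractURL string       // base address of the contract service
	Client      *http.Client // injected so the example can use a test server
}

// resourceToken extracts the token from an Authorization header. Assumption of
// this example: "Bearer <token>" carries it directly, Basic carries it as the password.
func resourceToken(header string) (string, bool) {
	scheme, rest, found := strings.Cut(strings.TrimSpace(header), " ")
	if !found {
		return "", false
	}
	rest = strings.TrimSpace(rest)
	switch strings.ToLower(scheme) {
	case "bearer":
		return rest, rest != ""
	case "basic":
		raw, err := base64.StdEncoding.DecodeString(rest)
		if err != nil {
			return "", false
		}
		_, pass, ok := strings.Cut(string(raw), ":")
		return pass, ok && pass != ""
	}
	return "", false
}

// entitled calls GET /v1/resources/esm?token=<token>. The token is query-encoded so it
// cannot alter the path; transport errors and non-200 answers deny (fail closed). The
// entitlement body schema is not shown on this page, so a 200 with a non-empty body counts.
func (a *AuthServer) entitled(token string) bool {
	q := url.Values{"token": {token}}
	resp, err := a.Client.Get(a.ContractURL + "/v1/resources/esm?" + q.Encode())
	if err != nil {
		return false
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	return err == nil && resp.StatusCode == http.StatusOK && len(body) > 0
}

// ServeHTTP: 200 with an empty body grants, 401 with an empty body denies; the token is never echoed.
func (a *AuthServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	token, ok := resourceToken(r.Header.Get("Authorization"))
	if !ok || !a.entitled(token) {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// Check runs one synthetic subrequest and returns the status and body nginx would see.
func (a *AuthServer) Check(authorization string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/auth", nil)
	req.Header.Set("Authorization", authorization)
	rec := httptest.NewRecorder()
	a.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

// NewFakeContractService stands in for the contract service; tokens is a constructed
// map of resource token -> entitlement name, and unknown tokens get 401.
func NewFakeContractService(tokens map[string]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ent, ok := tokens[r.URL.Query().Get("token")]
		if r.URL.Path != "/v1/resources/esm" || !ok {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, `{"entitlement":%q}`, ent)
	}))
}

func main() {
	contract := NewFakeContractService(map[string]string{"tok-esm-infra-1": "esm-infra"})
	defer contract.Close()
	auth := &AuthServer{ContractURL: contract.URL, Client: contract.Client()}
	basic := "Basic " + base64.StdEncoding.EncodeToString([]byte("bearer:tok-esm-infra-1"))
	for _, h := range []string{basic, "Bearer tok-esm-infra-1", "Bearer bogus", "Basic x!", ""} {
		code, body := auth.Check(h)
		fmt.Printf("%-48q -> %d (body %d bytes)\n", h, code, len(body))
	}
}
```

Two design points worth keeping when adapting this: every failure path (missing header, undecodable credential, contract service unreachable, non-200 answer) collapses to 401 rather than 5xx, because nginx treats any subrequest status other than 2xx, 401 or 403 as an error; and the token is placed in the query string through url.Values, so a crafted token cannot rewrite the contract service path.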

esm-auth-server charm

This charm deploys the esm-auth-server, which provides HTTP credential validation and management for ESM and for any other application that needs Basic-Auth credentials checked. Credential validation is done with information retrieved from the contract service.

basic-auth-check relation

This charm can be related via basic-auth-check relation with applications that need Basic-Auth credentials validation. This is done by:

juju add-relation esm-auth-server:basic-auth-check <other-service>:basic-auth-check

The related service can use the basic-auth-check interface to implement relation configuration handling.

Multiple units of this application can be deployed in order to achieve high availability.

Configuration options

(string) The address of the contracts service, optionally including basic auth credentials and port. The contracts service is used for retrieving entitlements associated with resource tokens.
(string) Comma separated list of Kafka brokers. If not provided, the service will still work, but will not be sending audit data to Kafka.
(string) Certificate of the CA that issued Kafka certificates.
(string) Kafka client certificate.
(string) Kafka client key.
(string) The name of the Juju application, previously related to the postgres charm, which originally created the legacy database of ESM credentials.
(string) The log level to apply to the service.
(string) Used by the nrpe subordinate charms. A string that will be prepended to the instance name to set the host name in Nagios. For instance, the hostname would be something like juju-myservice-0. If you are running multiple environments with the same services in them, this allows you to differentiate between them.
(string) A comma-separated list of Nagios servicegroups. If left empty, the nagios_context will be used as the servicegroup.
(int) The port on which the service will be listening.
(string) DEPRECATED. Use snap-http-proxy and snap-https-proxy model configuration settings. HTTP/HTTPS web proxy for Snappy to use when accessing the snap store.
(string) DEPRECATED. Use snap-store-proxy model configuration setting. The address of a Snap Store Proxy to use for snaps e.g.
(string) How often snapd handles updates for installed snaps. The default (an empty string) is 4x per day. Set to "max" to check once per month based on the charm deployment date. You may also set a custom string as described in the 'refresh.timer' section here: