Python Basic

Attention

This requires the python build feature, which is enabled by default.

This group authenticates users by invoking a Python script that provides a check_password(username, password) function. It returns True when the credentials are valid and False otherwise.

Static and dynamic users are still supported. The Python script verifies the presented password, then vey-proxy loads the rest of the user policy from the static list, the dynamic source, or unmanaged_user.

A thread-local LRU cache is used to avoid calling the script for every request.

The following common keys are supported:

script

required, type: file path

Path to the Python script file.

The script must define a check_password(username, password) function that accepts two string arguments and returns a boolean.

The script is re-read from disk on each authentication attempt, so changes take effect without reloading the user group.

unmanaged_user

optional, type: user

Configures and enables unmanaged users.

This is a template user configuration for users who authenticate successfully with the Python script but are not defined in either the static or dynamic user lists.

If not set, only static or dynamic users will be allowed.

default: not set

check_timeout

optional, type: humanize duration

Timeout for each Python check_password() call.

default: 4s

cache_user_count

optional, type: non-zero usize

Maximum number of users stored in the thread-local LRU cache.

default: 128

cache_expire_time

optional, type: humanize duration

Expiration time for valid passwords in the thread-local LRU cache.

default: 5min

Example

name: script-auth
type: python_basic
script: /etc/vey-proxy/auth_check.py
cache_user_count: 256
cache_expire_time: 10min
unmanaged_user:
  name: python-template
  explicit_sites: []

Example Python script:

def check_password(username, password):
    # Implement your authentication logic here
    # Return True if the credentials are valid, False otherwise
    return username == "admin" and password == "secret"