Authentication with CDC
Crossbar.io DevOps Center (CDC) is a multi-tenant cluster manager for networks of Crossbar.io nodes.
CDC is able to manage multiple, fully separate and isolated management domains called management realms.
Consequently, each Crossbar.io node that is to be managed by CDC needs to be paired with exactly one management realm on CDC first.
A management realm is a realm on CDC dedicated to one larger system of a customer, with potentially many thousand Crossbar.io nodes attached to it and many thousand CDC API clients, such as customer operators or tools.
Each management realm is fully isolated from all other management realms, serving different WAMP routing namespaces and with CDC backends running in dedicated processes, effectively preventing any data leakage.
Both Crossbar.io nodes and CDC API clients authenticate to CDC via WAMP-cryptosign.
WAMP-cryptosign is a public-private key authentication mechanism based on the elliptic curve Curve25519: it uses Ed25519 signatures to authenticate WAMP peers.
For CDC API clients, the public-private keys are generated by the user with ssh-keygen, which is part of the standard OpenSSH package:
ssh-keygen -t ed25519 -f mykey
Important: do NOT set a passphrase. For simple use (as demonstrated here), keys should be protected using filesystem permissions only, not by a passphrase. To use a passphrase with your key, load and unlock your key into the OpenSSH agent and use the agent support built into Autobahn for WAMP-cryptosign authentication.
The above will generate 2 files:
mykey - the private user key (OpenSSH format)
mykey.pub - the public user key (OpenSSH format)
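As an added example (not part of the Crossbar.io documentation or code), the Python sketch below extracts the raw 32-byte Ed25519 public key from an OpenSSH-format .pub line as hex, the form in which the node public key appears in the Crossbar.io log output, and checks that a private key file is not accessible to group or others. The helper names and the sample key bytes are constructed for illustration.

```python
import base64, os, stat, struct, tempfile

def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length, then data."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def ed25519_pub_hex(line):
    """Return the raw 32-byte Ed25519 key from an OpenSSH .pub line, as hex."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 public key line")
    blob = base64.b64decode(fields[1], validate=True)
    algo, off = _read_string(blob, 0)
    key, off = _read_string(blob, off)
    # Reject wrong inner algorithm, wrong key length, or trailing bytes.
    if algo != b"ssh-ed25519" or len(key) != 32 or off != len(blob):
        raise ValueError("malformed ssh-ed25519 key blob")
    return key.hex()

def private_key_too_open(path):
    """True if group or others have any access to the key file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def make_sample_pub_line(raw_key, comment="user@example"):
    """Build a .pub line from raw key bytes (constructed sample input)."""
    parts = (b"ssh-ed25519", raw_key)
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

if __name__ == "__main__":
    # Constructed key bytes, not a real key; "mykey" follows the page's file name.
    sample = make_sample_pub_line(bytes(range(32)))
    print("public key (hex):", ed25519_pub_hex(sample))
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "mykey")
        open(path, "wb").close()
        os.chmod(path, 0o644)
        print("mode 0644 too open:", private_key_too_open(path))
        os.chmod(path, 0o600)
        print("mode 0600 too open:", private_key_too_open(path))
```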
Users are assigned one of the following authentication roles on the respective management realm upon successful authentication:
For Crossbar.io nodes, the public-private keys are automatically generated when a node first starts:
CBDIR/.crossbar/key.priv - the private node key (Crossbar.io format)
CBDIR/.crossbar/key.pub - the public node key (Crossbar.io format)
Crossbar.io nodes need to be paired with CDC first. The node pairing makes the node's public key known to CDC, associates the node with a management realm and assigns a node ID to the node.
The node ID is identical to the WAMP authid assigned by CDC during the authentication to the Crossbar.io node.
All Crossbar.io nodes are assigned the authentication role
on the respective management realm after successful authentication.
During the alpha-testing of the first CDC-ready Crossbar.io release 16.10, pairing of Crossbar.io nodes and CDC API clients with CDC is not yet available, and provisioning of new management realms and users involves some manual steps, beginning with sending us
- your desired management realm name,
- the owner's user public key (OpenSSH format) and
- optionally, one or more Crossbar.io node public keys (Crossbar.io format) and
- optionally, one or more CDC API client public keys (OpenSSH format)
Drop us an email at support at crossbario dot com with subject line alpha-16.10 and we'll set up your management realm on our CDC alpha hosting service and provide you access from Web UIs, command line tools or programmatic and remote access to your Crossbar.io nodes.
API based Registration
The Crossbar.io release key (which changes with each release) is displayed together with version information:
(cpy351_5) oberstet@thinkpad-t430s:~$ crossbar version
__ __ __ __ __ __ __ __
/ `|__)/ \/__`/__`|__) /\ |__) |/ \
\__,| \\__/.__/.__/|__)/~~\| \. |\__/
Crossbar.io : 16.10.dev1
Autobahn : 0.16.0 (with JSON, MessagePack, CBOR, UBJSON)
Twisted : 16.3.0-EPollReactor
LMDB : 0.89/lmdb-0.9.18
Python : 3.5.1/CPython
OS : Linux-3.13.0-92-generic-x86_64-with-debian-jessie-sid
Machine : x86_64
Release key : RWQ2MDk26PKBMNUZG2Jok1tMBB1SKyci+N7dtcep8jrikTl4NvI1Rnux
The node public key is printed when the node starts:
(cpy351_5) oberstet@thinkpad-t430s:~/foo$ crossbar start
2016-08-14T22:25:45+0200 [Controller 20410] New node key pair generated!
2016-08-14T22:25:45+0200 [Controller 20410] File permissions on node public key fixed!
2016-08-14T22:25:45+0200 [Controller 20410] File permissions on node private key fixed!
2016-08-14T22:25:45+0200 [Controller 20410] Node configuration loaded from 'config.json'
2016-08-14T22:25:45+0200 [Controller 20410] __ __ __ __ __ __ __ __
2016-08-14T22:25:45+0200 [Controller 20410] / `|__)/ \/__`/__`|__) /\ |__) |/ \
2016-08-14T22:25:45+0200 [Controller 20410] \__,| \\__/.__/.__/|__)/~~\| \. |\__/
2016-08-14T22:25:45+0200 [Controller 20410]
2016-08-14T22:25:45+0200 [Controller 20410] Crossbar.io Version: 16.10.dev1
2016-08-14T22:25:45+0200 [Controller 20410] Node Public Key: 0a439d8ec8a36c2a7ecd4388ed6f0221fa6e2e46a8e6c8481ab7950a4dc27735
2016-08-14T22:25:45+0200 [Controller 20410]
2016-08-14T22:25:45+0200 [Controller 20410] Running from node directory '/home/oberstet/foo/.crossbar'
There is also a new crossbar keys command which prints both the release and node key in hex and as a QR code for scanning.