HCMS CLI for managing authorization providers

The CLI tool covers the essential configuration that an authorization provider needs in order to work. For more sophisticated configuration, please refer to the XML representation (configuration asset on the Censhare Server): module.satellite.osgi.configuration or module.satellite.configuration.

Authorization providers are applicable on a configuration level.

Manage authorization providers

Detailed information about this part of the HCMS configuration can be found in this article.

View commands

| Command | Argument | Meaning |
|---|---|---|
| hcms authorization list | configuration key | Lists all authorization providers configured for a given configuration group. |
| hcms authorization inspect | authorization key | Displays the specified authorization provider configuration. |

Example output of those commands:

  - type: jwt
    secret: 13g4TKUugjmHSlusWiNMOAB5BbtInfSJHagVr5kSzOIKDBJSRWkAdjM4nMxI
    cookie:
        name: access_token
        maxAge: unlimited
        insecure: false
        http-only: false
  - type: basic
    users:
      - name: system
        password: e292291432703ac801664a66a554c000
        roles:
          - '*'
  - type: ip
    ranges:
      - start: 127.0.0.1
        end: 127.0.0.1
        roles:
          - '*'

CRUD commands

Note: One basic authorization provider configuration is created automatically as part of running the command hcms configuration create.

| Command | Argument | Meaning |
|---|---|---|
| hcms authorization create | configuration id | Defines a new satellite authorization provider in the specified configuration. |
| hcms authorization update | configuration id | Updates the specified attributes of the specified authorization provider configuration. |
| hcms authorization delete | configuration id | Deletes the specified attributes of the specified authorization provider configuration (or the entire configuration). |

Available options vary depending on the type of authorization provider you want to add, update, or delete. The first option to the command specifies the type of the provider.

| Provider | Option | Default option value | Attribute | Default attribute value | Meaning |
|---|---|---|---|---|---|
| --basic | - | - | - | - | For a new basic HTTP authorization. |
| - | --name | - | - | - | The user name. |
| - | --password | A randomly generated string. | - | - | User password. |
| - | --roles | - | - | - | HCMS user roles. Has to be specified as a comma-separated list for only specific roles or as * for assigning all roles. |
| --ip | - | - | - | - | For a new IP range. |
| - | --start | - | - | - | Start of the IP range (IPv4 or IPv6). |
| - | --end | - | - | - | End of the IP range (IPv4 or IPv6). |
| - | --roles | - | - | - | End of the IP range (IPv4 or IPv6). |
| --jwt | - | - | - | - | For a new JWT-based authorization. |
| - | --secret | - | - | - | The string value of the HMAC secret. |
| - | --pem | - | - | - | The entire RSA public key, enclosed in -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----. |
| - | --cookie | For version v4.3 and higher, no cookies are accepted and no cookies are produced. For version v4.2 and lower, cookie with name access_token is accepted and produced. | - | - | Name of the authorization cookie. |
| - | - | - | --cookie-max-age | - | A maximum age of the authorization cookie, in seconds. A negative value means that there is no expiration time. |
| - | - | - | --cookie-insecure | false | Specifies if authorization cookies can be used in an unencrypted HTTP request. |
| - | - | - | --cookie-http-only | true | Specifies if authorization cookies can be issued with the HttpOnly flag. true is default since HCMS v4.3, before it was false (i.e., flag not set). |
| - | - | - | --cookie-same-site | unset | Specifies if authorization cookies can be issued with the SameSite flag. |
| --disable-security | - | - | - | - | Creates a provider that grants all roles to any request. |

For the basic HTTP authorization, you can add as many users as you need. But you have to do it one by one.
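
The settings in the inspect output that most deserve review (wildcard roles, cookie flags, IP ranges) can be checked mechanically. The following Python script is an added example, not part of the HCMS tooling: the function name audit and the finding texts are assumptions, and the sample input is constructed in the shape of the example output above, with placeholder secrets.

```python
import ipaddress

# Constructed sample in the shape of the example output on this page (placeholder secrets).
SAMPLE = """\
  - type: jwt
    secret: PLACEHOLDER-SECRET
    cookie:
        name: access_token
        maxAge: unlimited
        insecure: false
        http-only: false
  - type: basic
    users:
      - name: system
        password: PLACEHOLDER-PASSWORD
        roles:
          - '*'
  - type: ip
    ranges:
      - start: 127.0.0.1
        end: 127.0.0.1
        roles:
          - '*'
"""

def audit(text):
    """Return (provider type, finding) pairs for settings that deserve review."""
    findings, ptype, start = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        key, _, value = line.removeprefix("- ").partition(":")
        value = value.strip().strip("'\"")
        if line.strip("- '\"") == "*":
            findings.append((ptype, "wildcard role '*' grants all roles"))
        elif key == "type":
            ptype = value  # every following line belongs to this provider
        elif key == "http-only" and value == "false":
            findings.append((ptype, "cookie issued without HttpOnly"))
        elif key == "insecure" and value == "true":
            findings.append((ptype, "cookie accepted over unencrypted HTTP"))
        # Assumption: a negative max age is printed either as "unlimited" or as a number.
        elif key == "maxAge" and (value == "unlimited" or value.startswith("-")):
            findings.append((ptype, "cookie never expires"))
        elif key == "start":
            start = ipaddress.ip_address(value)  # IPv4 or IPv6
        elif key == "end" and start is not None:
            if not (start.is_loopback and ipaddress.ip_address(value).is_loopback):
                findings.append((ptype, f"non-loopback range {start}-{value}"))
    return findings

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

Each finding names the provider type it came from, so it can be matched back to the provider that needs an hcms authorization update.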