Authentication

User Accounts

Yamcs Server can be configured for different authentication setups.

The common use case is to entrust Yamcs with validating user credentials (either by locally verifying passwords, or by delegating to an upstream server such as an LDAP tree).

To authenticate in such a scenario, do:

from yamcs.client import YamcsClient
from yamcs.core.auth import Credentials
credentials = Credentials(username="admin", password="password")
client = YamcsClient("localhost:8090", credentials=credentials)

In the background, this converts your username/password credentials to an access token with a limited lifetime, and a long-lived refresh token for automatically generating new access tokens.

Further HTTP requests do not use your username/password but instead use these tokens.
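The token handling described above, modelled as an added example that is not Yamcs client code: FakeTokenEndpoint, TokenCredentials and login are hypothetical stand-ins, and the grant names "password" and "refresh_token" are an assumption. It shows the password crossing the wire in one exchange only, with later requests carrying a bearer token that is renewed once it expires.

```python
from datetime import datetime, timedelta, timezone

class FakeTokenEndpoint:
    """Constructed stand-in for the server's token endpoint (not a Yamcs API)."""
    def __init__(self, lifetime=timedelta(seconds=60)):
        self.lifetime = lifetime
        self.seen = []  # (grant name, field names) of every call received

    def issue(self, now, grant, **fields):
        self.seen.append((grant, sorted(fields)))
        return {"access_token": f"at-{len(self.seen)}",
                "refresh_token": "rt-1",
                "expiry": now + self.lifetime}

class TokenCredentials:
    """Hypothetical holder with the fields access_token, refresh_token, expiry."""
    def __init__(self, access_token, refresh_token, expiry):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.expiry = expiry

    def is_expired(self, now):
        return now >= self.expiry

    def refresh(self, endpoint, now):
        # Only the refresh token is presented; the password is not involved.
        t = endpoint.issue(now, "refresh_token", refresh_token=self.refresh_token)
        self.access_token, self.expiry = t["access_token"], t["expiry"]

    def before_request(self, endpoint, now):
        # Renew the access token if needed, then build the request header.
        if self.is_expired(now):
            self.refresh(endpoint, now)
        return {"Authorization": f"Bearer {self.access_token}"}

def login(endpoint, now, username, password):
    """The single exchange in which the password is sent."""
    t = endpoint.issue(now, "password", username=username, password=password)
    return TokenCredentials(t["access_token"], t["refresh_token"], t["expiry"])

def demo():
    endpoint = FakeTokenEndpoint()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    creds = login(endpoint, t0, "admin", "password")
    headers = [creds.before_request(endpoint, t0 + timedelta(seconds=s))
               for s in (0, 30, 90)]  # third request is past the 60 s expiry
    return headers, endpoint.seen

if __name__ == "__main__":
    for part in demo():
        print(part)
```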

Service Accounts

Service accounts are useful in server-to-server scenarios. Support for service accounts will be available in future releases.

Types

class yamcs.core.auth.APIKeyCredentials(key: str)

Bases: Credentials

before_request(session: Session, auth_url: str)
is_expired() → bool
login(*args, **kwargs)
refresh()

class yamcs.core.auth.BasicAuthCredentials(username: str, password: str)

Bases: Credentials

Data holder for Basic Auth credentials. This includes a username and a password which are passed in the HTTP Authorization header on each request.

before_request(session: Session, auth_url: str)
is_expired() → bool
login(*args, **kwargs)
refresh()

class yamcs.core.auth.Credentials(username: Optional[str] = None, password: Optional[str] = None, access_token: Optional[str] = None, refresh_token: Optional[str] = None, expiry: Optional[datetime] = None, client_id: Optional[str] = None, client_secret: Optional[str] = None, become: Optional[str] = None)

Bases: object

Data holder for different types of credentials. Currently this includes:

  • Username/password credentials (fields username and password)

  • Bearer tokens (fields access_token and optionally refresh_token)

access_token

Short-lived bearer token.

become

Name of the user to impersonate. Only service accounts with impersonation authority can use this feature.

before_request(session: Session, auth_url: str)

client_id

The client ID. Currently used only by service accounts.

client_secret

The client secret. Currently used only by service accounts.

expiry

When this token expires.

is_expired() → bool
login(session: Session, auth_url: str, on_token_update: Optional[Callable[[Credentials], None]]) → Credentials

password

Clear-text password (consider TLS!).

refresh(session: Session, auth_url: str)

refresh_token

Refresh token used to request a new access token.

username

Username (only needed when using username/password credentials).