Identities

Pebble has the concept of named “identities”, which lets administrators manage users’ access to the API.

Each identity has a name, an access level, and an authentication type with type-specific configuration. Admins use the identities CLI commands to manage identities, and the identity configuration is persisted to disk.

The identity configuration must be provided to Pebble, and is read from Pebble, in the following YAML format:

identities:
    <name>:
        # (Required) Access level of this identity. Possible values are:
        #
        # - untrusted: has access to open-access endpoints only
        # - metrics: has access to the metrics endpoint only
        # - read: has access to read-access endpoints
        # - admin: has access to all endpoints
        access: untrusted | metrics | read | admin

        # Configure local, peer credential-based authentication.
        #
        # Currently the supported authentication types are "local" and "basic".
        # You may configure an identity with one or more authentication types.
        local:
            # (Required) Peer credential UID.
            user-id: <uid>
        basic:
            # (Required) Hashed password in sha512-crypt format.
            password: <password hash>

For example, a local identity named “bob” with UID 42 that is granted admin access would be defined as follows:

identities:
    bob:
        access: admin
        local:
            user-id: 42

As another example, a basic identity named “alice” that is granted metrics access would be defined as follows:

identities:
    alice:
        access: metrics
        basic:
            # The password is hashed using sha512-crypt, as generated by "openssl passwd -6".
            password: <password hash>

The password is hashed using sha512-crypt, as generated by “openssl passwd -6”.
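The following check is an added example, not part of Pebble or its documentation: it lints an identities mapping against the format described above and flags a `password` value that is not shaped like a sha512-crypt hash (for instance a plaintext password pasted in by mistake). It assumes the YAML has already been parsed into a dict (for example with PyYAML's `yaml.safe_load`); the function name `lint_identities` and the sample data are constructed for illustration.

```python
import re

ACCESS_LEVELS = {"untrusted", "metrics", "read", "admin"}
AUTH_TYPES = {"local", "basic"}
# sha512-crypt layout: $6$[rounds=N$]<salt, at most 16 chars>$<86-char digest>
SHA512_CRYPT = re.compile(r"\$6\$(rounds=\d+\$)?[^$]{0,16}\$[./0-9A-Za-z]{86}")


def lint_identities(config):
    """Return a list of problems in a parsed identities mapping ([] if clean)."""
    identities = config.get("identities")
    if not isinstance(identities, dict):
        return ["missing top-level 'identities' mapping"]
    problems = []
    for name, ident in identities.items():
        if not isinstance(ident, dict):
            problems.append(f"{name}: identity must be a mapping")
            continue
        if ident.get("access") not in ACCESS_LEVELS:
            problems.append(f"{name}: access must be one of {sorted(ACCESS_LEVELS)}")
        if not AUTH_TYPES.intersection(ident):
            problems.append(f"{name}: needs at least one of {sorted(AUTH_TYPES)}")
        if "local" in ident:
            local = ident["local"]
            uid = local.get("user-id") if isinstance(local, dict) else None
            if isinstance(uid, bool) or not isinstance(uid, int) or uid < 0:
                problems.append(f"{name}: local.user-id must be a non-negative integer")
        if "basic" in ident:
            basic = ident["basic"]
            pw = basic.get("password") if isinstance(basic, dict) else None
            if not isinstance(pw, str) or not SHA512_CRYPT.fullmatch(pw):
                problems.append(f"{name}: basic.password is not a sha512-crypt hash")
    return problems


# Constructed sample input: the digest is a filler string with the right shape,
# not the hash of any real password.
FAKE_HASH = "$6$constructedsalt$" + "A" * 86
GOOD = {"identities": {
    "bob": {"access": "admin", "local": {"user-id": 42}},
    "alice": {"access": "metrics", "basic": {"password": FAKE_HASH}},
}}
BAD = {"identities": {
    "alice": {"access": "metrics", "basic": {"password": "hunter2"}},  # plaintext
    "carol": {"access": "root"},  # unknown access level, no authentication type
}}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, lint_identities(cfg) or "ok")
```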