In Flumotion, authentication is handled by a bouncer component. A bouncer component receives keycards and accepts or rejects them. These keycards can represent connections to the manager, or to a consumer, or to some other resource inside Flumotion. The bouncer component doesn't know - it only deals with keycards.
The bouncer that handles authentication to the manager is always started as part of the manager configuration. It is unlike any other component in the planet, since it's not started by a job on a worker, but integrated into the manager daemon.
Different bouncer types can exist, depending on what types of keycards they can authenticate, and the back-end mechanism they use for authentication. Currently, Flumotion ships with one bouncer type controlled by an Apache-style htpasswd format using crypted passwords. More types will be added in the future.
Keycards represent authentication information from an object requesting access to some part of Flumotion. A client requesting access creates a keycard itself (for example, an admin client logging in to the manager) or gets a keycard created for it (for example, a stream client logging into a streamer consumer).
Keycards are created from credentials provided by the client. A new streaming client could, for example, provide a username and a plaintext password. A worker could provide a username and a crypted password, or an SSH public key. The keycard encodes the credentials provided. It is then sent to the bouncer responsible for authentication of that resource. If necessary, the keycard is sent back and forth (for example, for challenge-response types) until it is accepted or rejected.
The sample manager configuration, which is also used when you install from packages, uses an htpasswdcrypt bouncer. One set of credentials is provided: a user with username “user” and password “test”. Of course, in your deployment, you should change these.
This type of bouncer can be configured with either in-line data inside the configuration file, or by providing an external file with this information. In both cases, you can create the credentials using htpasswd as provided by the Apache web server package.
For example, to create a file containing credentials for username “someone” and password “s3kr3t”:
htpasswd -d -c passwords someone
The program will ask you to type the password twice:
New password:
Re-type new password:
Adding password for user someone
Check the generated file by typing:
cat passwords
which will show:
someone:5jKUrPB0Xbzos
While it is possible to specify passwords on the command line when creating this file, this is bad for security. The command line is visible to anyone logged in to the machine, and it is also recorded in the shell's history.
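A small auditor for the credentials file created above, added here as an example and not part of Flumotion: it checks that every line is a username:crypted pair in the 13-character format that htpasswd -d writes, and reports duplicate users, users sharing one crypted value, and a file that group or others can read. The function names, the sample entries other than the one shown above, and the assumption that only the account running the manager needs to read the file are illustrative.

```python
import os
import re
import stat
import tempfile

# `htpasswd -d` writes traditional crypt: 2 salt characters + 11 hash characters.
CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")
# Constructed sample: line 1 is the entry shown on the page, the rest are made up.
SAMPLE = ("someone:5jKUrPB0Xbzos\n" "alice:5jKUrPB0Xbzos\n"
          "bob:$apr1$madeup$notARealHashValue\n"
          "someone:abCdEfGhIjKlM\n" "no separator here\n")


def audit_htpasswd(path):
    """Return (line_number, message) findings; line 0 means the file itself."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append((0, "readable by group or others (mode %o)" % mode))
    users, crypts = {}, {}
    with open(path, encoding="utf-8") as handle:
        for number, raw in enumerate(handle, start=1):
            if not raw.strip():
                continue  # blank lines carry no entry
            user, sep, crypted = raw.rstrip("\r\n").partition(":")
            if not sep or not user:
                findings.append((number, "not in username:crypted form"))
                continue
            if users.setdefault(user, number) != number:
                findings.append((number, "duplicate user %s (line %d)" % (user, users[user])))
            if not CRYPT_RE.fullmatch(crypted):
                findings.append((number, "%s: not a 13-character crypt value" % user))
            elif crypts.setdefault(crypted, user) != user:
                # Same salt and same hash: both users were given the same crypted string.
                findings.append((number, "%s reuses the crypted value of %s" % (user, crypts[crypted])))
    return findings


def audit_sample(mode=0o644):
    with tempfile.NamedTemporaryFile("w", suffix=".passwords") as handle:
        handle.write(SAMPLE)
        handle.flush()
        os.chmod(handle.name, mode)
        return audit_htpasswd(handle.name)


if __name__ == "__main__":
    for number, message in audit_sample():
        print("line %d: %s" % (number, message))
```

To check a real file, call audit_htpasswd with its path; an empty list means none of these checks fired.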