Acra requires authentication for all incoming connections that process data (encryption/masking/tokenization happening in AcraServer, AcraTranslator or AnyProxy), connections to the database (AcraServer), all KMS-related operations, and privileged operations.
Data processing connections #
Client app <> AcraServer #
AcraServer authenticates each incoming connection from the client application. We strongly suggest using mutual authentication every time. Authentication happens via:
- TLS.
client app <> [TLS] <> AcraServer
By default, AcraServer will request and validate a client’s TLS certificate. See AcraServer’s TLS configuration flags.
- AcraConnector (deprecated since 0.91.0).
client app <> AcraConnector <> [TLS or Themis Secure Session] <> AcraServer.
AcraServer authenticates connections from AcraConnector. If TLS is used as the underlying transport encryption, mutual authentication is desired but optional; if Themis Secure Session is used, mutual authentication is enabled by default. See AcraServer’s configuration flags for AcraConnector.
AcraServer returns an error on non-authenticated queries. Authenticated queries can access only the data associated with the client app's ClientID or with known ZoneIDs (deprecated since 0.94.0, will be removed in 0.95.0).
AcraServer <> database #
AcraServer doesn’t affect the authentication process at the database protocol level between the client application and the database. We strongly recommend using TLS when connecting to the database and providing the database TLS certificate in the AcraServer configuration.
Refer to AcraServer TLS configuration params.
Also, AcraServer does not intervene in the PostgreSQL authentication, so you can still use login/password for authentication between the app and the database. We actually encourage you to do that and to add one extra layer of protection against attackers that target your PostgreSQL installation.
We’ve tested all the authentication methods compatible with PostgreSQL (excluding RADIUS authentication) and found that all of them work correctly through Acra.
Client app <> AcraTranslator #
client app <> [TLS] <> AcraTranslator
AcraTranslator requires authentication for all API requests. Mutual authentication may be turned on or off. When it is on, applications can access only their own data, related to their ClientID or known ZoneIDs. Without mutual authentication, all authenticated applications have access to all data if they know the related ClientID or ZoneID.
AcraTranslator doesn’t validate application identifiers before manipulating data. All ownership mapping is the application's responsibility and may be implemented in different ways according to business requirements.
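Because ownership mapping is left to the application, a calling service can refuse requests for ClientIDs the caller does not own before anything reaches AcraTranslator. The sketch below is an added example, not code from Acra; the `TranslatorGate` class, the `send` callable (a stand-in for the real API call), the principal names and the ownership table are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample data: ClientIDs owned by each authenticated app principal.
OWNERSHIP = {
    "billing-service": frozenset({"billing_client"}),
    "support-portal": frozenset({"support_client"}),
}


class OwnershipError(PermissionError):
    """Raised when a principal asks for a ClientID it does not own."""


@dataclass
class TranslatorGate:
    """Checks ownership before a request is forwarded to AcraTranslator.

    `send` is a hypothetical callable standing in for the real API call;
    it receives (client_id, payload) and returns the response.
    """
    send: Callable[[str, bytes], bytes]
    ownership: dict = field(default_factory=lambda: dict(OWNERSHIP))
    denied: list = field(default_factory=list)  # audit trail of refusals

    def forward(self, principal: str, client_id: str, payload: bytes) -> bytes:
        # Deny by default: a principal missing from the table owns nothing.
        allowed = self.ownership.get(principal, frozenset())
        if client_id not in allowed:
            # Record the refusal so repeated probing of ClientIDs is visible.
            self.denied.append((principal, client_id))
            raise OwnershipError(f"{principal!r} may not use ClientID {client_id!r}")
        return self.send(client_id, payload)


def demo():
    """Runs one allowed and one refused request; returns what was sent and denied."""
    sent = []

    def fake_send(client_id, payload):
        sent.append(client_id)
        return b"ok"

    gate = TranslatorGate(send=fake_send)
    gate.forward("billing-service", "billing_client", b"data")
    try:
        gate.forward("support-portal", "billing_client", b"data")
    except OwnershipError:
        pass
    return sent, gate.denied
```

The principal must come from the application's own authentication of the caller, never from a field in the request itself.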
Client app <> AnyProxy #
AnyProxy authentication works similarly to AcraTranslator’s.
Key management connections #
External key stores #
AcraServer, AcraTranslator and AnyProxy require authenticated connections when working with external key stores (Redis, BoltDB).
Read more about configuring external key stores.
AcraServer, AcraTranslator and AnyProxy require authenticated connections when working with KMS.
Read more about connection configuration to popular KMS.
Privileged operations #
The AcraWebConfig tool and AcraConnector are deprecated and will not be available starting from 0.91.0.
AcraServer supports changing configuration at runtime using AcraWebConfig. AcraWebConfig is a simple web UI service that requires HTTP basic authentication.
Privileged operations (changing the configuration of AcraServer, restarting it) are available only to authenticated and authorized users. You should add users first using the acra-authmanager utility, then use these users' credentials to access AcraWebConfig.
AcraWebConfig communicates with AcraServer through AcraConnector and can use Themis Secure Session or TLS as transport encryption. There is no requirement to use mutual authentication. TLS may be configured without sending the client’s certificates. Themis Secure Session uses mutual authentication by design, and this cannot be changed.