Skip to main content

Module http

Module http 

Source
Expand description

Embedded HTTP server.

environmentd embeds an HTTP server for introspection into the running process. At the moment, its primary exports are Prometheus metrics, heap profiles, and catalog dumps.

§Authentication/Authorization flow

The server supports several authentication modes, controlled by the configured listeners::AuthenticatorKind. The general flow is:

  1. Authentication. An authentication middleware runs on every protected request and resolves the caller’s identity via one of:

  2. Authorization. The authentication middleware is followed by an authorization middleware that checks if the caller’s identity is allowed to access the route based on its listeners::AllowedRoles.

  3. Session initialization. Once the caller’s identity is known, an adapter session is opened on their behalf. This happens as part of request processing, after all middleware has run.

  4. Request handling. The handler executes the request (e.g. runs SQL) using the initialized adapter session.

§WebSocket

The WebSocket flow is identical to the HTTP flow with two differences:

  • Credentials are not read from request headers. Instead, the first message sent by the client is treated as the authentication message.
  • Authorization and session initialization (step 2 and 3) happen inside the WebSocket handler itself, rather than as separate middleware steps.

Modules§

catalog 🔒
Catalog introspection HTTP endpoints.
cluster 🔒
HTTP proxy for cluster replica endpoints.
console 🔒
HTTP endpoints for the web console.
mcp 🔒
Model Context Protocol (MCP) HTTP handlers.
mcp_metrics
Prometheus metrics for the MCP HTTP endpoints.
memory 🔒
metrics 🔒
Metrics tracked for environmentds HTTP servers.
metrics_public 🔒
Federated /metrics endpoint.
metrics_viz 🔒
oauth_metadata 🔒
OAuth 2.0 Protected Resource Metadata for the MCP endpoints.
probe 🔒
Health check HTTP endpoints.
prometheus 🔒
root 🔒
HTTP endpoints for the homepage and static files.
sql 🔒
webhook 🔒
Helpers for handling events from a Webhook source.

Structs§

AuthedClient
AuthedUser
HelmChartVersion 🔒
HttpConfig
HttpServer
InternalRouteConfig
LoginCredentials
Metrics
RouteAllowedRoles 🔒
The allowed_roles policy for a route group, attached as a request extension on each authenticated route group and read by http_authz.
SqlResponse
The response to a SqlRequest.
TowerSessionData
WebhookState
WsState
WwwAuthenticateChallenges 🔒
Per-request decision about which WWW-Authenticate challenges to emit on a 401, computed by the auth middleware.

Enums§

AuthError 🔒
ConnProtocol 🔒
Credentials 🔒
WebSocketAuth
WebSocketResponse

Constants§

MAX_REQUEST_SIZE
Maximum allowed size for a request.
PROFILING_API_ENDPOINTS 🔒
SESSION_DURATION 🔒

Traits§

AuthzRouterExt 🔒
Router extension for attaching the authorization middleware.
DefaultLayers 🔒
Default layers that should be applied to all routes, and should get applied to both the internal http and external http routers.

Functions§

auth 🔒
check_role_allowed 🔒
ensure_session_unexpired 🔒
Ensures the session is still valid by checking for expiration, and returns the associated user if the session remains active.
get_authenticator 🔒
group_claim_for 🔒
Resolve the dyncfg-configured group claim path from a delayed adapter client. Callers must already have driven adapter_client_rx to readiness (e.g. via get_authenticator), so the await here is non-blocking.
handle_leader_promote
handle_leader_skip_catchup
handle_leader_status
handle_load_error 🔒
Glue code to make tower work with axum.
handle_login
handle_logout
http_auth 🔒
Authentication middleware.
http_authz 🔒
Authorization middleware. Enforces the route group’s allowed_roles policy against the authenticated user.
init_ws 🔒
maybe_get_authenticated_session 🔒
Attempts to retrieve session data from a TowerSession, if available. Session data is present only if an authenticated session has been established via handle_login.
x_materialize_user_header_auth 🔒

Type Aliases§

Delayed 🔒