Expand description
Embedded HTTP server.
environmentd embeds an HTTP server for introspection into the running process. At the moment, its primary exports are Prometheus metrics, heap profiles, and catalog dumps.
§Authentication/Authorization flow
The server supports several authentication modes, controlled by the
configured listeners::AuthenticatorKind. The general flow is:
-
Authentication. An authentication middleware runs on every protected request and resolves the caller’s identity via one of:
- Credentials in headers. The caller supplies a username/password or
token in the request headers. Supported by all
listeners::AuthenticatorKinds. - Session reuse. If the caller has an active authenticated session
(established via
POST /api/login) and has not supplied credentials in the request headers, the session is reused. Only available forlisteners::AuthenticatorKind::Passwordandlisteners::AuthenticatorKind::Oidc. - Trusted header injection. A trusted upstream proxy (e.g. Teleport)
may inject the caller’s identity into the request headers. Only available
for
listeners::AuthenticatorKind::None.
- Credentials in headers. The caller supplies a username/password or
token in the request headers. Supported by all
-
Authorization. The authentication middleware is followed by an authorization middleware that checks if the caller’s identity is allowed to access the route based on its
listeners::AllowedRoles. -
Session initialization. Once the caller’s identity is known, an adapter session is opened on their behalf. This happens as part of request processing, after all middleware has run.
-
Request handling. The handler executes the request (e.g. runs SQL) using the initialized adapter session.
§WebSocket
The WebSocket flow is identical to the HTTP flow with two differences:
- Credentials are not read from request headers. Instead, the first message sent by the client is treated as the authentication message.
- Authorization and session initialization (step 2 and 3) happen inside the WebSocket handler itself, rather than as separate middleware steps.
Modules§
- catalog 🔒
- Catalog introspection HTTP endpoints.
- cluster 🔒
- HTTP proxy for cluster replica endpoints.
- console 🔒
- HTTP endpoints for the web console.
- mcp 🔒
- Model Context Protocol (MCP) HTTP handlers.
- mcp_
metrics - Prometheus metrics for the MCP HTTP endpoints.
- memory 🔒
- metrics 🔒
- Metrics tracked for
environmentds HTTP servers. - metrics_
public 🔒 - Federated
/metricsendpoint. - metrics_
viz 🔒 - oauth_
metadata 🔒 - OAuth 2.0 Protected Resource Metadata for the MCP endpoints.
- probe 🔒
- Health check HTTP endpoints.
- prometheus 🔒
- root 🔒
- HTTP endpoints for the homepage and static files.
- sql 🔒
- webhook 🔒
- Helpers for handling events from a Webhook source.
Structs§
- Authed
Client - Authed
User - Helm
Chart 🔒Version - Http
Config - Http
Server - Internal
Route Config - Login
Credentials - Metrics
- Route
Allowed 🔒Roles - The
allowed_rolespolicy for a route group, attached as a request extension on each authenticated route group and read byhttp_authz. - SqlResponse
- The response to a
SqlRequest. - Tower
Session Data - Webhook
State - WsState
- WwwAuthenticate
Challenges 🔒 - Per-request decision about which
WWW-Authenticatechallenges to emit on a 401, computed by the auth middleware.
Enums§
Constants§
- MAX_
REQUEST_ SIZE - Maximum allowed size for a request.
- PROFILING_
API_ 🔒ENDPOINTS - SESSION_
DURATION 🔒
Traits§
- Authz
Router 🔒Ext - Router extension for attaching the authorization middleware.
- Default
Layers 🔒 - Default layers that should be applied to all routes, and should get applied to both the internal http and external http routers.
Functions§
- auth 🔒
- check_
role_ 🔒allowed - ensure_
session_ 🔒unexpired - Ensures the session is still valid by checking for expiration, and returns the associated user if the session remains active.
- get_
authenticator 🔒 - group_
claim_ 🔒for - Resolve the dyncfg-configured group claim path from a delayed adapter
client. Callers must already have driven
adapter_client_rxto readiness (e.g. viaget_authenticator), so the await here is non-blocking. - handle_
leader_ promote - handle_
leader_ skip_ catchup - handle_
leader_ status - handle_
load_ 🔒error - Glue code to make
towerwork withaxum. - handle_
login - handle_
logout - http_
auth 🔒 - Authentication middleware.
- http_
authz 🔒 - Authorization middleware. Enforces the route group’s
allowed_rolespolicy against the authenticated user. - init_ws 🔒
- maybe_
get_ 🔒authenticated_ session - Attempts to retrieve session data from a
TowerSession, if available. Session data is present only if an authenticated session has been established viahandle_login. - x_
materialize_ 🔒user_ header_ auth
Type Aliases§
- Delayed 🔒