Authentication

Configuration

Since connections to the Hopskotch server require authentication, several utilities are provided to generate and supply credentials for both the CLI and the Python API. hop auth provides command line options to generate a configuration file with the credentials needed to authenticate.

To generate a configuration file, run hop auth add, which prompts for the username and password used to connect to Hopskotch to publish or subscribe to messages. If you have the credentials CSV file, you can use it directly with hop auth add <CREDENTIALS_FILE>.

The default location for the authentication data file can be found with hop auth locate, which points by default to ${XDG_CONFIG_HOME}/hop/auth.toml or ${HOME}/.config/hop/auth.toml if the XDG_CONFIG_HOME variable is not set.

Using Credentials

Authentication is enabled by default and will read credentials from the path resolved by hop auth locate.

Multiple credentials may be stored together using this mechanism. Additional credentials may be added using hop auth add, while the currently available credentials may be displayed with hop auth list and unwanted credentials can be removed with hop auth remove. Credentials can be added either interactively or from CSV files. For removal, credentials are specified by username, or <username>@<hostname> in case of ambiguity.

When using the hop CLI to connect to a Kafka server, a credential will be selected according to the following rules:

  1. A credential with a matching hostname will be selected, unless no stored credential has a matching hostname, in which case a credential with no specific hostname can be selected.

  2. If a username is specified as part of the authority component of the URL (e.g. kafka://username@example.com/topic) only credentials with that username will be considered.

  3. If no username is specified and there is only one credential, which is not specifically associated with any hostname, it will be used for all hosts.
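The selection rules above, written out as an added Python sketch; this is not hop's own implementation. Cred and select_credential are hypothetical names and the store is constructed sample data. Applying the username filter before the hostname fallback, and treating zero or several remaining candidates as an error, are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cred:
    """Hypothetical stand-in for one stored credential (not hop.auth.Auth)."""
    username: str
    hostname: str = ""  # empty string: not tied to any specific host


def select_credential(creds, url):
    """Pick the credential for a kafka:// URL using the three rules above."""
    parts = urlsplit(url)
    host, user = parts.hostname, parts.username
    # Rule 2: a username in the URL authority restricts the candidates.
    pool = [c for c in creds if user is None or c.username == user]
    # Rule 1: prefer credentials bound to this hostname ...
    candidates = [c for c in pool if c.hostname == host]
    if not candidates:
        # ... and fall back to host-less ones only when none is bound to it.
        # Rule 3 is the single-credential case of this fallback.
        candidates = [c for c in pool if not c.hostname]
    # Assumption: anything other than exactly one candidate is an error.
    if len(candidates) != 1:
        raise LookupError(f"{len(candidates)} credentials match {url}")
    return candidates[0]


# Constructed sample store: two host-bound credentials and one host-less one.
STORE = [
    Cred("alice", "kafka.example.org"),
    Cred("bob", "kafka.example.org"),
    Cred("carol"),
]

if __name__ == "__main__":
    # The username in the URL disambiguates between alice and bob.
    print(select_credential(STORE, "kafka://alice@kafka.example.org/topic"))
    # No credential is bound to this host, so the host-less one is chosen:
    # a credential stored without a hostname is presented to any such host.
    print(select_credential(STORE, "kafka://other.example.net:9092/topic"))
    # Two bound credentials and no username in the URL: ambiguous.
    try:
        select_credential(STORE, "kafka://kafka.example.org/topic")
    except LookupError as err:
        print("error:", err)
```

The second call shows why binding each stored credential to a hostname matters: the host-less entry is the one handed to a server that has no entry of its own.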

For the Python API, one can modify various authentication options by passing an Auth instance with credentials to a Stream instance. This provides an interface similar to authentication with the requests library.

from hop import Stream
from hop.auth import Auth

auth = Auth("my-username", "my-password")
stream = Stream(auth=auth)

with stream.open("kafka://hostname:port/topic", "w") as s:
    s.write({"my": "message"})

A list of multiple Auth instances may also be passed, in which case the best match for the connection being opened will be selected as described above.

To disable authentication in the command line interface, you can pass --no-auth to various CLI commands. For the Python API, you can set auth to False.