Authentication
Goal
Configure and verify transport security (TLS) and client authentication modes so that only identified clients can connect to AngaraBase.
Prerequisites
- Access to the server configuration (TOML config and/or environment variables).
- TLS certificate and key files (for
scramorcertmodes with remote clients). - Ability to restart the server after configuration changes.
Auth modes
AngaraBase supports three authentication modes, set via ANGARABASE_AUTH_MODE or security.auth_mode in the
config:
| Mode | When to use | Identity proof |
|---|---|---|
trust | Local development / testing only | None — any connecting client is accepted |
scram | Production and staging | SCRAM-SHA-256 password challenge |
cert | mTLS environments | Client TLS certificate validated against CA |
Default: trust (requires explicit opt-in flag for remote bind — see Startup safety below).
Steps
1) Configure TLS
TLS is controlled in the [tls] section of angarabase.conf:
[tls]
enabled = true
cert_path = "/etc/angarabase/tls/server.crt"
key_path = "/etc/angarabase/tls/server.key"
require_on_remote_bind = true
Or via environment variables:
export ANGARABASE_TLS_ENABLED=1
export ANGARABASE_TLS_CERT_PATH=/etc/angarabase/tls/server.crt
export ANGARABASE_TLS_KEY_PATH=/etc/angarabase/tls/server.key
export ANGARABASE_TLS_REQUIRE_ON_REMOTE_BIND=1
require_on_remote_bind = true enforces fail-closed behaviour: if the server binds to a non-loopback address
and TLS is not enabled, startup is refused.
2) Set auth mode
export ANGARABASE_AUTH_MODE=scram
Or in angarabase.conf:
[security]
auth_mode = "scram"
3) SCRAM setup
When auth_mode = scram, the superuser must be bootstrapped with a password at init time:
angarabase-server --init /var/lib/angarabase \
--superuser admin \
--superuser-password 'strong-password' \
--auth-mode scram
The password is converted to a SCRAM-SHA-256 verifier before it touches disk — plaintext is never stored.
Additional users are created via SQL:
CREATE USER app_reader WITH PASSWORD 'change-me';
Password storage format: SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>.
4) Startup safety
To protect against accidental production use of trust mode:
trustmode on a non-loopback bind address requires the explicit flag--allow-insecure-no-auth.- Without this flag the server refuses to start (fail-closed).
scramorcertmodes do not require the flag.
5) Verify effective config from SQL
After startup, confirm the active settings:
SELECT name, value
FROM sys.settings
WHERE name IN (
'tls.enabled',
'tls.require_on_remote_bind',
'security.auth_mode'
)
ORDER BY name;
No secret material (keys, passwords, verifiers) appears in sys.settings.
Expected result
- In
scrammode, unauthenticated connections are rejected. - In
certmode, clients without a valid certificate are rejected. truston remote bind without--allow-insecure-no-authprevents startup.sys.settingsconfirms the effective auth mode and TLS state without leaking secrets.
Troubleshooting
- Server refuses to start in trust mode
You are binding to a non-loopback address. Either switch to
scram/certor pass--allow-insecure-no-authfor development. authentication failed for user "..."on connect Verify the password or certificate; check thatsecurity.auth_modematches the client’s auth method.- TLS handshake failure
Confirm
cert_pathandkey_pathpoint to valid, non-expired files; verify the client’ssslmodesetting. - Init refused: scram requires password
Provide
--superuser-password(or--superuser-password-file) when--auth-mode scramis set. - Need a bug-report artifact? See ../reference/support.md.
Links
- Security model overview: overview.md
- Hardening runbook: hardening.md
- Configuration reference: ../operations/configuration.md
- Security knobs registry:
angarabook/src/operations/security-operations.md