Security

Enterprise features: RBAC, audit→DB, Google SSO, LDAP, and DB-backed user store require a valid license key. In personal mode, all permissions are allowed and audit logs go to stdout only.

Authentication, authorization, and audit in fungi-security (10 tests).

Features

| Feature | Purpose |
|---|---|
| API Key Auth | Long-lived keys for CLI / automation |
| JWT Auth | Short-lived tokens for web UI |
| RBAC | Role-based access control with wildcards |
| Audit Logging | Track every authenticated action |

Configuration

```yaml
security:
  auth:
    api_keys:
      - key: "fungi-admin-xxxx"
        name: "admin"
        tenant: "team-a"
        permissions: ["*"]
      - key: "fungi-readonly-xxxx"
        name: "viewer"
        tenant: "team-a"
        permissions: ["pipeline:read", "metrics:read"]
    jwt:
      secret: "${JWT_SECRET}"
      expiry_hours: 24
      issuer: "fungi"
  rbac:
    roles:
      admin: { permissions: ["*"] }
      operator:
        permissions:
          - "pipeline:create"
          - "pipeline:read"
          - "pipeline:update"
          - "pipeline:start"
          - "pipeline:stop"
      viewer:
        permissions: ["pipeline:read", "metrics:read"]
  audit:
    enabled: true
    store: stdout
```

Bootstrap (Env)

```bash
export FUNGI_AUTH_ENABLED=true
export FUNGI_JWT_SECRET="your-secret"
export FUNGI_ADMIN_USERNAME=admin
export FUNGI_ADMIN_PASSWORD=admin123
fungi server
```

API Keys (CLI / Automation)

```bash
curl -H "X-API-Key: fungi-admin-xxxx" http://localhost:8080/api/jobs
fungi --api-key fungi-admin-xxxx job list
```

JWT (Web UI)

```bash
TOKEN=$(curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"user":"admin","key":"fungi-admin-xxxx"}' | jq -r .token)

curl -H "Authorization: Bearer $TOKEN" http://localhost:8080/api/jobs
```

The dashboard stores the JWT in localStorage and attaches it to every request.

RBAC

Permissions take the form `resource:action`. `*` matches anything, either as the whole permission or in one position (for example `pipeline:*`).

| Role | Permissions |
|---|---|
| admin | `*` |
| operator | pipeline:create, pipeline:read, pipeline:update, pipeline:start, pipeline:stop |
| viewer | pipeline:read, metrics:read |

Custom roles in YAML:

```yaml
rbac:
  roles:
    data-engineer:
      permissions: ["pipeline:create", "pipeline:read", "pipeline:update", "topic:read"]
    sre:
      permissions: ["pipeline:*", "metrics:*", "audit:read"]
```
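A deny-by-default permission check for the `resource:action` scheme and roles above, added here as an example in Rust; it is not fungi-security's own code, and it assumes that `*` covers either a whole permission or a single `:`-separated segment (as in `pipeline:*`).

```rust
use std::collections::HashMap;

/// Does one granted pattern cover a requested permission?
/// A bare `*` covers everything; otherwise every `:`-separated segment
/// must be `*` or match exactly (assumed semantics, e.g. `pipeline:*`).
/// Wildcards are only honoured on the pattern side, never in the request.
fn pattern_matches(pattern: &str, requested: &str) -> bool {
    if pattern == "*" {
        return true;
    }
    let p: Vec<&str> = pattern.split(':').collect();
    let r: Vec<&str> = requested.split(':').collect();
    p.len() == r.len() && p.iter().zip(&r).all(|(a, b)| *a == "*" || a == b)
}

/// Role name -> granted permission patterns, mirroring the YAML above.
fn roles() -> HashMap<&'static str, Vec<&'static str>> {
    HashMap::from([
        ("admin", vec!["*"]),
        ("operator", vec!["pipeline:create", "pipeline:read", "pipeline:update", "pipeline:start", "pipeline:stop"]),
        ("viewer", vec!["pipeline:read", "metrics:read"]),
        ("sre", vec!["pipeline:*", "metrics:*", "audit:read"]),
    ])
}

/// Deny by default: an unknown role grants nothing.
pub fn is_allowed(role: &str, requested: &str) -> bool {
    roles()
        .get(role)
        .map_or(false, |perms| perms.iter().any(|p| pattern_matches(p, requested)))
}

fn main() {
    // Constructed sample requests covering the interesting cases.
    let checks = [
        ("viewer", "pipeline:start"),  // deny: outside the viewer role
        ("sre", "pipeline:delete"),    // allow: pipeline:* covers any action
        ("sre", "audit:delete"),       // deny: only audit:read is granted
        ("admin", "topic:read"),       // allow: bare * covers everything
        ("intern", "pipeline:read"),   // deny: unknown role
        ("viewer", "*"),               // deny: wildcard in a request is literal
    ];
    for (role, action) in checks {
        let verdict = if is_allowed(role, action) { "allow" } else { "deny" };
        println!("{role:>8} {action:<16} -> {verdict}");
    }
}
```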

Audit Log

```json
{
  "timestamp": "2026-05-27T10:00:00Z",
  "user": "alice",
  "tenant": "team-a",
  "action": "pipeline:start",
  "resource": "analytics-pipeline",
  "ip": "10.0.0.1",
  "success": true
}
```

| Store | Status |
|---|---|
| stdout | Available |
| file | Planned |
| database | Planned |

Best Practices

  • API keys for machines, JWT for humans
  • Rotate FUNGI_JWT_SECRET regularly
  • Store secrets in a Kubernetes Secret
  • Pipe audit logs to a SIEM
  • Grant least privilege; start with viewer