Document platform-managed authentications#402
Draft
Zedoraps wants to merge 12 commits into
Draft
Conversation
Add a Platform Setup guide that walks operators through configuring named HTTP authentication recipes in the workspace settings and consuming them from from_http and to_http via auth="<name>". The guide explains the four supported strategies, the secret-reference picker, edit-mode constraints (only the reference is mutable; non-secret config is cached on the node until restart), and the missing-secret recovery path. Assisted-by: Claude Opus 4.7 (Claude Code)
github-actions
Bot
added
guide
Contributor
|
📦 Preview · 🟠 Still propagating The deploy completed, but the public URL has not served build |
Remove the two screenshots and replace the 'microsoft-read' code-block example with a vendor-neutral placeholder. The screenshots were taken against a development workspace whose secret was named after a specific vendor; the prose stands on its own and follows the repository convention of keeping examples neutral. Assisted-by: Claude Opus 4.7 (Claude Code)
Apply the Google-derived writing rules used elsewhere in the docs: "config" becomes "configuration", passive constructions become active, "mutable" becomes plain prose, em-dashes are reduced, and procedural steps lead with the location before the action. Replace the unicode arrow in 'Settings > Secrets' to keep the markup ASCII. Assisted-by: Claude Opus 4.7 (Claude Code)
Add the new shared 'auth = string (optional)' section to HttpClientOptions.mdx (renders on both from_http and to_http reference pages), update the operator signatures to list 'auth', and note the local 'tenzir.auth' → platform fallback in the platform-setup guide. Assisted-by: Claude Opus 4.7 (Claude Code)
Add events-read OAuth authentication and events-api-token secret as the placeholder dataset. Both screenshots are recaptured from a clean workspace so the prose can show the list and picker states without referencing any specific vendor. Assisted-by: Claude Opus 4.7 (Claude Code)
Authentications are a workspace setting managed through the UI rather than a platform deployment concern, so the guide fits better next to configure-workspaces than next to configure-secret-store. Update the sidebar entry and the See Also and inline links on the from_http, to_http, and HttpClientOptions partials to point at the new path. Assisted-by: Claude Opus 4.7 (Claude Code)
Today's authentication router rejects workspaces whose default store is AWS or Vault. Add a caution admonition near the intro so readers don't hit the dead end after configuring an external store. Assisted-by: Claude Opus 4.7 (Claude Code)
Add an 'auth' block to tenzir.yaml.example with one commented sample per strategy (oauth-client-credentials, basic, api-key, bearer-static) using the key names accepted by the libtenzir parsers. Surface the location from both the operator partial and the platform-management guide so the fallback path can be discovered from either side. Assisted-by: Claude Opus 4.7 (Claude Code)
Sensitive YAML values pass through 'secret::make_literal' in libtenzir's
auth parsers: anything that's not already a typed 'secret' becomes a
literal in-memory secret. The previous 'secret("KEY")' samples would be
read as the literal 14-character strings, not as references — TQL's
'secret()' function is not available in the YAML config. Replace each
sample value with a representative literal so the contract is clear.
Assisted-by: Claude Opus 4.7 (Claude Code)
This was referenced Jun 16, 2026
When both 'headers' and 'auth' set the same header, the auth strategy wins because every strategy ends up calling http::set after the headers record is applied (set erases then push_back). Make the precedence explicit in the partial so callers don't trip over a clobbered Authorization. Assisted-by: Claude Opus 4.7 (Claude Code)
Describing the platform as a fallback implies its entries are second-class. The two stores are peers; the operator just probes them in a defined order and uses the first match. Reword the operator partial, the platform-management guide, and the YAML example comment to match. Assisted-by: Claude Opus 4.7 (Claude Code)
Three small adjustments to the platform-managed authentications docs: drop the planned-follow-up sentence from the built-in-store caveat so the page doesn't promise unscoped work, narrow the OAuth example to the fields the operator actually consumes (no grant_type), and surface the oauth alias, the X-Api-Key default, the audience-or-scopes constraint, and the file-protection expectation directly in the tenzir.yaml.example comments. Assisted-by: Claude Opus 4.7 (Claude Code)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🔍 Problem
from_httpandto_httpwill accept anauth="<name>"parameter referencing a named authentication object stored in the Tenzir Platform (tenzir/platform-internal#195). There is no docs page that explains how to configure those objects or how the platform-side picker, secret resolution, and edit-mode constraints work.🛠️ Solution
Add a new Platform Setup guide,
guides/platform-setup/configure-authentications, that covers:secret::make_managedcache resolves the new value on the next request), or rebind in the picker.(workspace, name)cache; TTL-based refresh is a libtenzir follow-up).Reciprocal See Also entries on
from_http.mdxandto_http.mdx. Sidebar entry slotted next toconfigure-secret-store.💬 Review
- The
- Two screenshots (
⚙️ Code PR: tenzir/platform-internal#195auth="<name>"example assumes Implementauthoption forfrom_httpandto_httptenzir#6272 (the operator parameter) and Add platform-managed authentication lookup for from_http and to_http tenzir#6362 (the platform-managed lookup) are both merged. The platform-side feature ships in tenzir/platform-internal#195; merge order should keep these in lockstep.authentications.png,authentications-picker.png) taken from the verification run on the local stack.🔗 Node-side: tenzir/tenzir#6362 · tenzir/tenzir#6272