Authentication Quick Reference
Version: 1.0.0 Last Updated: 2025-10-09
Quick Commands
Login
provisioning auth login <username> # Interactive password
provisioning auth login <username> --save # Save to keyring
MFA
provisioning auth mfa enroll totp # Enroll TOTP
provisioning auth mfa verify --code 123456 # Verify code
Status
provisioning auth status # Show auth status
provisioning auth verify # Verify token
Logout
provisioning auth logout # Logout current session
provisioning auth logout --all # Logout all sessions
Protected Operations
| Operation | Auth | MFA (Prod) | MFA (Delete) | Check Mode |
|---|---|---|---|---|
| server create | ✅ | ✅ | ❌ | Skip |
| server delete | ✅ | ✅ | ✅ | Skip |
| server list | ❌ | ❌ | ❌ | - |
| taskserv create | ✅ | ✅ | ❌ | Skip |
| taskserv delete | ✅ | ✅ | ✅ | Skip |
| cluster create | ✅ | ✅ | ❌ | Skip |
| cluster delete | ✅ | ✅ | ✅ | Skip |
| batch submit | ✅ | ✅ | ❌ | - |
Bypass Authentication (Dev/Test Only)
Environment Variable
export PROVISIONING_SKIP_AUTH=true
provisioning server create test
unset PROVISIONING_SKIP_AUTH
Check Mode (Always Allowed)
provisioning server create prod --check
provisioning taskserv delete k8s --check
Config Flag
[security.bypass]
allow_skip_auth = true # Only in dev/test
Configuration
Security Settings
[security]
require_auth = true
require_mfa_for_production = true
require_mfa_for_destructive = true
auth_timeout = 3600
[security.bypass]
allow_skip_auth = false # true in dev only
[plugins]
auth_enabled = true
[platform.control_center]
url = "http://localhost:3000"
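A pre-flight check for the settings above, as an added example that is not part of the provisioning project: it reports a config in which the auth or MFA requirements are off, or the dev-only bypass is still enabled, before that config is used against production. The config path argument, the function names `toml_get` and `lint_prod_config`, and the sample file are assumptions.

```bash
#!/usr/bin/env bash
# Added example: lint a provisioning config before it is used against production.
# Key names are the ones shown above; the config file path is supplied by the caller.

# toml_get FILE SECTION KEY: print the value of KEY inside [SECTION].
# Handles only the flat key = value layout shown on this page.
toml_get() {
  awk -v section="[$2]" -v key="$3" '
    { sub(/#.*/, "") }                                  # drop comments
    /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); in_sec = ($0 == section); next }
    in_sec {
      n = index($0, "="); if (n == 0) next
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/[ \t\r]/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# lint_prod_config FILE: print one finding per line, return 1 if there are any.
# A missing key is reported too, because the page does not state the defaults.
lint_prod_config() {
  cfg=$1; findings=0
  while read -r section key want; do
    got=$(toml_get "$cfg" "$section" "$key")
    if [ "$got" != "$want" ]; then
      echo "FINDING: [$section] $key = ${got:-<unset>} (expected $want)"
      findings=$((findings + 1))
    fi
  done <<'EOF'
security require_auth true
security require_mfa_for_production true
security require_mfa_for_destructive true
security.bypass allow_skip_auth false
EOF
  # The page clears the bypass with `unset`, so any value left in a
  # production shell or CI job is treated as a finding.
  if [ -n "${PROVISIONING_SKIP_AUTH:-}" ]; then
    echo "FINDING: PROVISIONING_SKIP_AUTH is set in the environment"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Constructed sample: a dev config copied to production unchanged.
sample=$(mktemp)
printf '%s\n' '[security]' 'require_auth = true' \
  'require_mfa_for_production = true' 'require_mfa_for_destructive = true' \
  '[security.bypass]' 'allow_skip_auth = true # Only in dev/test' > "$sample"
lint_prod_config "$sample" || echo "refusing to run against production"
```

Run it as a gate in the production pipeline, before any `provisioning` command that is not in check mode.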
Error Messages
Not Authenticated
❌ Authentication Required
Operation: server create web-01
To login: provisioning auth login <username>
Fix: provisioning auth login <username>
MFA Required
❌ MFA Verification Required
Operation: server delete web-01
Reason: destructive operation
Fix: provisioning auth mfa verify --code <code>
Token Expired
Error: Token verification failed
Fix: Re-login: provisioning auth login <username>
Troubleshooting
| Error | Solution |
|---|---|
| Plugin not available | plugin add target/release/nu_plugin_auth |
| Control center offline | Start: cd provisioning/platform/control-center && cargo run |
| Invalid MFA code | Get fresh code (expires in 30s) |
| Token expired | Re-login: provisioning auth login <username> |
| Keyring access denied | Grant app access in system settings |
Audit Logs
# View audit log
cat provisioning/logs/audit.log
# Filter by user
cat provisioning/logs/audit.log | jq '. | select(.user == "admin")'
# Filter by operation
cat provisioning/logs/audit.log | jq '. | select(.operation == "server_create")'
CI/CD Integration
Option 1: Skip Auth (Dev/Test Only)
export PROVISIONING_SKIP_AUTH=true
provisioning server create ci-server
Option 2: Check Mode
provisioning server create ci-server --check
Option 3: Service Account (Future)
export PROVISIONING_AUTH_TOKEN="<token>"
provisioning server create ci-server
Performance
| Operation | Auth Overhead |
|---|---|
| Server create | ~20ms |
| Taskserv create | ~20ms |
| Batch submit | ~20ms |
| Check mode | 0ms (skipped) |
Related Docs
- Full Guide: docs/user/AUTHENTICATION_LAYER_GUIDE.md
- Implementation: AUTHENTICATION_LAYER_IMPLEMENTATION_SUMMARY.md
- Security ADR: docs/architecture/ADR-009-security-system-complete.md
Quick Help: provisioning help auth or provisioning auth --help