apps/core
1
0
Fork 0
mirror of https://github.com/datarhei/core.git synced 2025-10-06 00:17:07 +08:00
Code Issues Packages Projects Releases Wiki Activity

Simplify IAM user config, only create users and policies if not previously run

Browse Source
This commit is contained in:
Ingo Oppermann
2023-05-24 22:28:24 +02:00
parent 9f1071bf1a
commit 10df8d51b1
6 changed files with 179 additions and 322 deletions
Download Patch File Download Diff File Expand all files Collapse all files

247
app/api/api.go
View File

@@ -389,13 +389,7 @@ func (a *api) start() error {
Superuser: true,
Auth: iam.UserAuth{
API: iam.UserAuthAPI{
Userpass: iam.UserAuthPassword{
Enable: cfg.API.Auth.Enable,
Password: cfg.API.Auth.Password,
},
Auth0: iam.UserAuthAPIAuth0{
Enable: cfg.API.Auth.Auth0.Enable,
},
Auth0: iam.UserAuthAPIAuth0{},
},
Services: iam.UserAuthServices{
Token: []string{
@@ -406,6 +400,10 @@ func (a *api) start() error {
},
}
if cfg.API.Auth.Enable {
superuser.Auth.API.Password = cfg.API.Auth.Password
}
if cfg.API.Auth.Auth0.Enable {
superuser.Auth.API.Auth0.User = cfg.API.Auth.Auth0.Tenants[0].Users[0]
superuser.Auth.API.Auth0.Tenant = iam.Auth0Tenant{
@@ -415,126 +413,6 @@ func (a *api) start() error {
}
}
// Create policies and users in order to mimic the behaviour before IAM
policies := []iam.Policy{
{
Name: "$anon",
Domain: "$none",
Resource: "fs:/**",
Actions: []string{"GET", "HEAD", "OPTIONS"},
},
{
Name: "$anon",
Domain: "$none",
Resource: "api:/api",
Actions: []string{"GET", "HEAD", "OPTIONS"},
},
{
Name: "$anon",
Domain: "$none",
Resource: "api:/api/v3/widget/process/**",
Actions: []string{"GET", "HEAD", "OPTIONS"},
},
}
users := []iam.User{}
if !cfg.Storage.Memory.Auth.Enable {
policies = append(policies, iam.Policy{
Name: "$anon",
Domain: "$none",
Resource: "fs:/memfs/**",
Actions: []string{"ANY"},
})
} else {
if cfg.Storage.Memory.Auth.Username != superuser.Name {
users = append(users, iam.User{
Name: cfg.Storage.Memory.Auth.Username,
Auth: iam.UserAuth{
Services: iam.UserAuthServices{
Basic: []iam.UserAuthPassword{
{
Enable: cfg.Storage.Memory.Auth.Enable,
Password: cfg.Storage.Memory.Auth.Password,
},
},
},
},
})
} else {
superuser.Auth.Services.Basic = append(superuser.Auth.Services.Basic, iam.UserAuthPassword{
Enable: cfg.Storage.Memory.Auth.Enable,
Password: cfg.Storage.Memory.Auth.Password,
})
}
policies = append(policies, iam.Policy{
Name: cfg.Storage.Memory.Auth.Username,
Domain: "$none",
Resource: "fs:/memfs/**",
Actions: []string{"ANY"},
})
}
for _, s := range cfg.Storage.S3 {
if !s.Auth.Enable {
policies = append(policies, iam.Policy{
Name: "$anon",
Domain: "$none",
Resource: "fs:" + s.Mountpoint + "/**",
Actions: []string{"ANY"},
})
} else {
if s.Auth.Username != superuser.Name {
users = append(users, iam.User{
Name: s.Auth.Username,
Auth: iam.UserAuth{
Services: iam.UserAuthServices{
Basic: []iam.UserAuthPassword{
{
Enable: s.Auth.Enable,
Password: s.Auth.Password,
},
},
},
},
})
} else {
superuser.Auth.Services.Basic = append(superuser.Auth.Services.Basic, iam.UserAuthPassword{
Enable: s.Auth.Enable,
Password: s.Auth.Password,
})
}
policies = append(policies, iam.Policy{
Name: s.Auth.Username,
Domain: "$none",
Resource: "fs:" + s.Mountpoint + "/**",
Actions: []string{"ANY"},
})
}
}
if cfg.RTMP.Enable && len(cfg.RTMP.Token) == 0 {
policies = append(policies, iam.Policy{
Name: "$anon",
Domain: "$none",
Resource: "rtmp:/**",
Actions: []string{"ANY"},
})
}
if cfg.SRT.Enable && len(cfg.SRT.Token) == 0 {
policies = append(policies, iam.Policy{
Name: "$anon",
Domain: "$none",
Resource: "srt:**",
Actions: []string{"ANY"},
})
}
fs, err := fs.NewRootedDiskFilesystem(fs.RootedDiskConfig{
Root: filepath.Join(cfg.DB.Dir, "iam"),
})
@@ -547,7 +425,7 @@ func (a *api) start() error {
secret = cfg.API.Auth.Username + cfg.API.Auth.Password + cfg.API.Auth.JWT.Secret
}
iam, err := iam.NewIAM(iam.Config{
manager, err := iam.NewIAM(iam.Config{
FS: fs,
Superuser: superuser,
JWTRealm: "datarhei-core",
@@ -558,24 +436,111 @@ func (a *api) start() error {
return fmt.Errorf("iam: %w", err)
}
for _, user := range users {
if _, err := iam.GetIdentity(user.Name); err == nil {
continue
// Check if there are already file created by IAM. If not, create policies
// and users based on the config in order to mimic the behaviour before IAM.
if len(fs.List("/", "/*.json")) == 0 {
policies := []iam.Policy{
{
Name: "$anon",
Domain: "$none",
Resource: "fs:/**",
Actions: []string{"GET", "HEAD", "OPTIONS"},
},
{
Name: "$anon",
Domain: "$none",
Resource: "api:/api",
Actions: []string{"GET", "HEAD", "OPTIONS"},
},
{
Name: "$anon",
Domain: "$none",
Resource: "api:/api/v3/widget/process/**",
Actions: []string{"GET", "HEAD", "OPTIONS"},
},
}
err := iam.CreateIdentity(user)
if err != nil {
return fmt.Errorf("iam: %w", err)
users := map[string]iam.User{}
if cfg.Storage.Memory.Auth.Enable && cfg.Storage.Memory.Auth.Username != superuser.Name {
users[cfg.Storage.Memory.Auth.Username] = iam.User{
Name: cfg.Storage.Memory.Auth.Username,
Auth: iam.UserAuth{
Services: iam.UserAuthServices{
Basic: []string{cfg.Storage.Memory.Auth.Password},
},
},
}
policies = append(policies, iam.Policy{
Name: cfg.Storage.Memory.Auth.Username,
Domain: "$none",
Resource: "fs:/memfs/**",
Actions: []string{"ANY"},
})
}
for _, s := range cfg.Storage.S3 {
if s.Auth.Enable && s.Auth.Username != superuser.Name {
user, ok := users[s.Auth.Username]
if !ok {
users[s.Auth.Username] = iam.User{
Name: s.Auth.Username,
Auth: iam.UserAuth{
Services: iam.UserAuthServices{
Basic: []string{s.Auth.Password},
},
},
}
} else {
user.Auth.Services.Basic = append(user.Auth.Services.Basic, s.Auth.Password)
users[s.Auth.Username] = user
}
policies = append(policies, iam.Policy{
Name: s.Auth.Username,
Domain: "$none",
Resource: "fs:" + s.Mountpoint + "/**",
Actions: []string{"ANY"},
})
}
}
if cfg.RTMP.Enable && len(cfg.RTMP.Token) == 0 {
policies = append(policies, iam.Policy{
Name: "$anon",
Domain: "$none",
Resource: "rtmp:/**",
Actions: []string{"ANY"},
})
}
if cfg.SRT.Enable && len(cfg.SRT.Token) == 0 {
policies = append(policies, iam.Policy{
Name: "$anon",
Domain: "$none",
Resource: "srt:**",
Actions: []string{"ANY"},
})
}
for _, user := range users {
if _, err := manager.GetIdentity(user.Name); err == nil {
continue
}
err := manager.CreateIdentity(user)
if err != nil {
return fmt.Errorf("iam: %w", err)
}
}
for _, policy := range policies {
manager.AddPolicy(policy.Name, policy.Domain, policy.Resource, policy.Actions)
}
}
iam.SaveIdentities()
for _, policy := range policies {
iam.AddPolicy(policy.Name, policy.Domain, policy.Resource, policy.Actions)
}
a.iam = iam
a.iam = manager
}
diskfs, err := fs.NewRootedDiskFilesystem(fs.RootedDiskConfig{

50
http/api/iam.go
View File

@@ -14,28 +14,22 @@ func (u *IAMUser) Marshal(user iam.User, policies []iam.Policy) {
u.Superuser = user.Superuser
u.Auth = IAMUserAuth{
API: IAMUserAuthAPI{
Userpass: IAMUserAuthPassword{
Enable: user.Auth.API.Userpass.Enable,
Password: user.Auth.API.Userpass.Password,
},
Password: user.Auth.API.Password,
Auth0: IAMUserAuthAPIAuth0{
Enable: false,
User: "",
Tenant: IAMAuth0Tenant{},
User: user.Auth.API.Auth0.User,
Tenant: IAMAuth0Tenant{
Domain: user.Auth.API.Auth0.Tenant.Domain,
Audience: user.Auth.API.Auth0.Tenant.Audience,
ClientID: user.Auth.API.Auth0.Tenant.ClientID,
},
},
},
Services: IAMUserAuthServices{
Basic: user.Auth.Services.Basic,
Token: user.Auth.Services.Token,
},
}
for _, basic := range user.Auth.Services.Basic {
u.Auth.Services.Basic = append(u.Auth.Services.Basic, IAMUserAuthPassword{
Enable: basic.Enable,
Password: basic.Password,
})
}
for _, p := range policies {
u.Policies = append(u.Policies, IAMPolicy{
Domain: p.Domain,
@@ -51,13 +45,9 @@ func (u *IAMUser) Unmarshal() (iam.User, []iam.Policy) {
Superuser: u.Superuser,
Auth: iam.UserAuth{
API: iam.UserAuthAPI{
Userpass: iam.UserAuthPassword{
Enable: u.Auth.API.Userpass.Enable,
Password: u.Auth.API.Userpass.Password,
},
Password: u.Auth.API.Password,
Auth0: iam.UserAuthAPIAuth0{
Enable: u.Auth.API.Auth0.Enable,
User: u.Auth.API.Auth0.User,
User: u.Auth.API.Auth0.User,
Tenant: iam.Auth0Tenant{
Domain: u.Auth.API.Auth0.Tenant.Domain,
Audience: u.Auth.API.Auth0.Tenant.Audience,
@@ -66,18 +56,12 @@ func (u *IAMUser) Unmarshal() (iam.User, []iam.Policy) {
},
},
Services: iam.UserAuthServices{
Basic: u.Auth.Services.Basic,
Token: u.Auth.Services.Token,
},
},
}
for _, basic := range u.Auth.Services.Basic {
iamuser.Auth.Services.Basic = append(iamuser.Auth.Services.Basic, iam.UserAuthPassword{
Enable: basic.Enable,
Password: basic.Password,
})
}
iampolicies := []iam.Policy{}
for _, p := range u.Policies {
@@ -98,24 +82,18 @@ type IAMUserAuth struct {
}
type IAMUserAuthAPI struct {
Userpass IAMUserAuthPassword `json:"userpass"`
Password string `json:"userpass"`
Auth0 IAMUserAuthAPIAuth0 `json:"auth0"`
}
type IAMUserAuthAPIAuth0 struct {
Enable bool `json:"enable"`
User string `json:"user"`
Tenant IAMAuth0Tenant `json:"tenant"`
}
type IAMUserAuthServices struct {
Basic []IAMUserAuthPassword `json:"basic"`
Token []string `json:"token"`
}
type IAMUserAuthPassword struct {
Enable bool `json:"enable"`
Password string `json:"password"`
Basic []string `json:"basic"`
Token []string `json:"token"`
}
type IAMAuth0Tenant struct {

12
http/middleware/iam/iam_test.go
View File

@@ -45,18 +45,10 @@ func getIAM() (iam.IAM, error) {
Name: "foobar",
Auth: iam.UserAuth{
API: iam.UserAuthAPI{
Userpass: iam.UserAuthPassword{
Enable: true,
Password: "secret",
},
Password: "secret",
},
Services: iam.UserAuthServices{
Basic: []iam.UserAuthPassword{
{
Enable: true,
Password: "secret",
},
},
Basic: []string{"secret"},
},
},
})

72
iam/identity.go
View File

@@ -33,24 +33,18 @@ type UserAuth struct {
}
type UserAuthAPI struct {
Userpass UserAuthPassword `json:"userpass"`
Password string `json:"password"`
Auth0 UserAuthAPIAuth0 `json:"auth0"`
}
type UserAuthAPIAuth0 struct {
Enable bool `json:"enable"`
User string `json:"user"`
Tenant Auth0Tenant `json:"tenant"`
}
type UserAuthServices struct {
Basic []UserAuthPassword `json:"basic"`
Token []string `json:"token"`
}
type UserAuthPassword struct {
Enable bool `json:"enable"`
Password string `json:"password"`
Basic []string `json:"basic"`
Token []string `json:"token"`
}
func (u *User) validate() error {
@@ -65,20 +59,6 @@ func (u *User) validate() error {
return fmt.Errorf("the name can only contain [%s]", chars)
}
if u.Auth.API.Userpass.Enable && len(u.Auth.API.Userpass.Password) == 0 {
return fmt.Errorf("a password for API login is required")
}
if u.Auth.API.Auth0.Enable && len(u.Auth.API.Auth0.User) == 0 {
return fmt.Errorf("a user for Auth0 login is required")
}
for i, basic := range u.Auth.Services.Basic {
if basic.Enable && len(basic.Password) == 0 {
return fmt.Errorf("a password for service basic auth nr. %d is required", i)
}
}
return nil
}
@@ -141,11 +121,11 @@ func (i *identity) VerifyAPIPassword(password string) (bool, error) {
return false, fmt.Errorf("invalid identity")
}
if !i.user.Auth.API.Userpass.Enable {
if len(i.user.Auth.API.Password) == 0 {
return false, fmt.Errorf("authentication method disabled")
}
return i.user.Auth.API.Userpass.Password == password, nil
return i.user.Auth.API.Password == password, nil
}
func (i *identity) VerifyAPIAuth0(jwt string) (bool, error) {
@@ -156,7 +136,7 @@ func (i *identity) VerifyAPIAuth0(jwt string) (bool, error) {
return false, fmt.Errorf("invalid identity")
}
if !i.user.Auth.API.Auth0.Enable {
if len(i.user.Auth.API.Auth0.User) == 0 {
return false, fmt.Errorf("authentication method disabled")
}
@@ -310,24 +290,17 @@ func (i *identity) VerifyServiceBasicAuth(password string) (bool, error) {
return false, fmt.Errorf("invalid identity")
}
valid := false
for _, basic := range i.user.Auth.Services.Basic {
if !basic.Enable {
for _, pw := range i.user.Auth.Services.Basic {
if len(pw) == 0 {
continue
}
if basic.Password == password {
valid = true
break
if pw == password {
return true, nil
}
}
if !valid {
return false, nil
}
return true, nil
return false, nil
}
func (i *identity) GetServiceBasicAuth() string {
@@ -338,12 +311,12 @@ func (i *identity) GetServiceBasicAuth() string {
return ""
}
for _, basic := range i.user.Auth.Services.Basic {
if !basic.Enable {
for _, password := range i.user.Auth.Services.Basic {
if len(password) == 0 {
continue
}
return basic.Password
return password
}
return ""
@@ -374,11 +347,15 @@ func (i *identity) GetServiceToken() string {
return ""
}
if len(i.user.Auth.Services.Token) == 0 {
return ""
for _, token := range i.user.Auth.Services.Token {
if len(token) == 0 {
continue
}
return i.Name() + ":" + token
}
return i.Name() + ":" + i.user.Auth.Services.Token[0]
return ""
}
func (i *identity) isValid() bool {
@@ -469,6 +446,7 @@ func NewIdentityManager(config IdentityConfig) (IdentityManager, error) {
}
im.root = identity
im.autosave = true
return im, nil
}
@@ -524,7 +502,7 @@ func (im *identityManager) create(u User) (*identity, error) {
u = u.clone()
identity := u.marshalIdentity()
if identity.user.Auth.API.Auth0.Enable {
if len(identity.user.Auth.API.Auth0.User) != 0 {
if _, ok := im.auth0UserIdentityMap[identity.user.Auth.API.Auth0.User]; ok {
return nil, fmt.Errorf("the Auth0 user has already an identity")
}
@@ -631,7 +609,7 @@ func (im *identityManager) delete(name string) error {
identity.valid = false
identity.lock.Unlock()
if !identity.user.Auth.API.Auth0.Enable {
if len(identity.user.Auth.API.Auth0.User) == 0 {
if im.autosave {
im.save(im.filePath)
}
@@ -664,7 +642,7 @@ func (im *identityManager) delete(name string) error {
// find out if the tenant's clientid is still used somewhere else
found = false
for _, i := range im.identities {
if !i.user.Auth.API.Auth0.Enable {
if len(i.user.Auth.API.Auth0.User) == 0 {
continue
}

88
iam/identity_test.go
View File

@@ -22,41 +22,6 @@ func TestUserName(t *testing.T) {
require.Error(t, err)
}
func TestUserAuth(t *testing.T) {
user := User{
Name: "foobar",
}
err := user.validate()
require.NoError(t, err)
user.Auth.API.Userpass.Enable = true
err = user.validate()
require.Error(t, err)
user.Auth.API.Userpass.Password = "secret"
err = user.validate()
require.NoError(t, err)
user.Auth.API.Auth0.Enable = true
err = user.validate()
require.Error(t, err)
user.Auth.API.Auth0.User = "auth0|123456"
err = user.validate()
require.NoError(t, err)
user.Auth.Services.Basic = append(user.Auth.Services.Basic, UserAuthPassword{
Enable: true,
})
err = user.validate()
require.Error(t, err)
user.Auth.Services.Basic[0].Password = "secret"
err = user.validate()
require.NoError(t, err)
}
func TestIdentity(t *testing.T) {
user := User{
Name: "foobar",
@@ -123,8 +88,7 @@ func TestIdentityAPIAuth(t *testing.T) {
require.False(t, ok)
require.Error(t, err)
identity.user.Auth.API.Userpass.Enable = true
identity.user.Auth.API.Userpass.Password = "secret"
identity.user.Auth.API.Password = "secret"
ok, err = identity.VerifyAPIPassword("secret")
require.False(t, ok)
@@ -136,14 +100,13 @@ func TestIdentityAPIAuth(t *testing.T) {
require.True(t, ok)
require.NoError(t, err)
identity.user.Auth.API.Userpass.Enable = false
identity.user.Auth.API.Password = ""
ok, err = identity.VerifyAPIPassword("secret")
require.False(t, ok)
require.Error(t, err)
identity.user.Auth.API.Userpass.Enable = true
identity.user.Auth.API.Userpass.Password = "terces"
identity.user.Auth.API.Password = "terces"
ok, err = identity.VerifyAPIPassword("secret")
require.False(t, ok)
@@ -161,10 +124,7 @@ func TestIdentityServiceBasicAuth(t *testing.T) {
require.False(t, ok)
require.Error(t, err)
identity.user.Auth.Services.Basic = append(identity.user.Auth.Services.Basic, UserAuthPassword{
Enable: true,
Password: "secret",
})
identity.user.Auth.Services.Basic = append(identity.user.Auth.Services.Basic, "secret")
ok, err = identity.VerifyServiceBasicAuth("secret")
require.False(t, ok)
@@ -176,14 +136,13 @@ func TestIdentityServiceBasicAuth(t *testing.T) {
require.True(t, ok)
require.NoError(t, err)
identity.user.Auth.Services.Basic[0].Enable = false
identity.user.Auth.Services.Basic[0] = ""
ok, err = identity.VerifyServiceBasicAuth("secret")
require.False(t, ok)
require.NoError(t, err)
identity.user.Auth.Services.Basic[0].Enable = true
identity.user.Auth.Services.Basic[0].Password = "terces"
identity.user.Auth.Services.Basic[0] = "terces"
ok, err = identity.VerifyServiceBasicAuth("secret")
require.False(t, ok)
@@ -325,8 +284,7 @@ func TestCreateUserAuth0(t *testing.T) {
Auth: UserAuth{
API: UserAuthAPI{
Auth0: UserAuthAPIAuth0{
Enable: true,
User: "auth0|123456",
User: "auth0|123456",
Tenant: Auth0Tenant{
Domain: "example.com",
Audience: "https://api.example.com/",
@@ -344,8 +302,7 @@ func TestCreateUserAuth0(t *testing.T) {
Auth: UserAuth{
API: UserAuthAPI{
Auth0: UserAuthAPIAuth0{
Enable: true,
User: "auth0|123456",
User: "auth0|123456",
Tenant: Auth0Tenant{
Domain: "datarhei-demo.eu.auth0.com",
Audience: "https://datarhei-demo.eu.auth0.com/api/v2/",
@@ -383,8 +340,7 @@ func TestCreateUserAuth0(t *testing.T) {
Auth: UserAuth{
API: UserAuthAPI{
Auth0: UserAuthAPIAuth0{
Enable: true,
User: "auth0|123456",
User: "auth0|123456",
Tenant: Auth0Tenant{
Domain: "datarhei-demo.eu.auth0.com",
Audience: "https://datarhei-demo.eu.auth0.com/api/v2/",
@@ -402,8 +358,7 @@ func TestCreateUserAuth0(t *testing.T) {
Auth: UserAuth{
API: UserAuthAPI{
Auth0: UserAuthAPIAuth0{
Enable: true,
User: "auth0|987654",
User: "auth0|987654",
Tenant: Auth0Tenant{
Domain: "datarhei-demo.eu.auth0.com",
Audience: "https://datarhei-demo.eu.auth0.com/api/v2/",
@@ -544,8 +499,7 @@ func TestUpdateUserAuth0(t *testing.T) {
Auth: UserAuth{
API: UserAuthAPI{
Auth0: UserAuthAPIAuth0{
Enable: true,
User: "auth0|123456",
User: "auth0|123456",
Tenant: Auth0Tenant{
Domain: "datarhei-demo.eu.auth0.com",
Audience: "https://datarhei-demo.eu.auth0.com/api/v2/",
@@ -607,19 +561,11 @@ func TestRemoveUser(t *testing.T) {
Superuser: false,
Auth: UserAuth{
API: UserAuthAPI{
Userpass: UserAuthPassword{
Enable: true,
Password: "apisecret",
},
Auth0: UserAuthAPIAuth0{},
Password: "apisecret",
Auth0: UserAuthAPIAuth0{},
},
Services: UserAuthServices{
Basic: []UserAuthPassword{
{
Enable: true,
Password: "secret",
},
},
Basic: []string{"secret"},
Token: []string{"tokensecret"},
},
},
@@ -706,8 +652,7 @@ func TestRemoveUserAuth0(t *testing.T) {
Auth: UserAuth{
API: UserAuthAPI{
Auth0: UserAuthAPIAuth0{
Enable: true,
User: "auth0|123456",
User: "auth0|123456",
Tenant: Auth0Tenant{
Domain: "datarhei-demo.eu.auth0.com",
Audience: "https://datarhei-demo.eu.auth0.com/api/v2/",
@@ -725,8 +670,7 @@ func TestRemoveUserAuth0(t *testing.T) {
Auth: UserAuth{
API: UserAuthAPI{
Auth0: UserAuthAPIAuth0{
Enable: true,
User: "auth0|987654",
User: "auth0|987654",
Tenant: Auth0Tenant{
Domain: "datarhei-demo.eu.auth0.com",
Audience: "https://datarhei-demo.eu.auth0.com/api/v2/",

32
restream/rewrite/rewrite_test.go
View File

@@ -13,24 +13,24 @@ import (
func getIdentityManager(enableBasic bool) iam.IdentityManager {
dummyfs, _ := fs.NewMemFilesystem(fs.MemConfig{})
im, _ := iam.NewIdentityManager(iam.IdentityConfig{
FS: dummyfs,
Superuser: iam.User{
Name: "foobar",
Superuser: false,
Auth: iam.UserAuth{
API: iam.UserAuthAPI{},
Services: iam.UserAuthServices{
Basic: []iam.UserAuthPassword{
{
Enable: enableBasic,
Password: "basicauthpassword",
},
},
Token: []string{"servicetoken"},
},
superuser := iam.User{
Name: "foobar",
Superuser: false,
Auth: iam.UserAuth{
API: iam.UserAuthAPI{},
Services: iam.UserAuthServices{
Token: []string{"servicetoken"},
},
},
}
if enableBasic {
superuser.Auth.Services.Basic = []string{"basicauthpassword"}
}
im, _ := iam.NewIdentityManager(iam.IdentityConfig{
FS: dummyfs,
Superuser: superuser,
JWTRealm: "",
JWTSecret: "",
Logger: nil,