Compose deployments run on a private VLAN. The only way user connections get in is via a Portal, a specially configured access capsule.
There are two common types of portal: "haproxy" and "ssh".
The "haproxy" portal is used to handle TCP connections, including HTTP and HTTPS sessions. It generally passes the connection to the underlying database for authentication. In some cases, specifically Elasticsearch, it will enforce basic authentication on the incoming connection using a stored list of portal users.
The "ssh" portal allows SSH tunnels to be created from one system into the VLAN. Users are authenticated through certificates that are also stored as portal users. This portal type is supported by Elasticsearch, Redis, RethinkDB, and Scylla.
There are also specialized portals for some database deployments, such as RethinkDB and MongoDB, which are a combination of an "haproxy" and the database's own proxy. They are reported as "rethinkdb" and "mongodb".
There may be one or more portals of different types, depending on the database. Consult the main documentation's Portal Management section for current configurations.
The Compose API allows you to view, add, and remove portals on a deployment.
Portal Users are a set of credentials which various portals can use to authenticate incoming connections. There are two types of portal user, "haproxy" and "ssh".
Most "haproxy" portals either pass their connection down to the underlying database for authentication or use the underlying database's data to authenticate the connection. They don't need portal users.
There are two exceptions. Elasticsearch uses portal user credentials to validate basic authentication on HTTP/HTTPS requests. An "haproxy" portal user consists of a username and a password.
The "ssh" portal, available on Elasticsearch, Redis, RethinkDB, and Scylla, uses SSH public key certificates to authenticate incoming connections. That means that an "ssh" portal user consists of a descriptive name and an SSH public key. The public key will be used when an SSH tunnel is created, and a connecting user must have the appropriate private key available to get access.
The Compose API allows you to view, add, and remove portal users on a deployment.
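Because an "ssh" portal user is just a descriptive name plus an SSH public key, it is worth validating the key and recording its fingerprint before it is registered. The following is an added example, not Compose's own code: the function names, the allowed key-type policy, and the sample key (placeholder bytes) are assumptions made for illustration.

```python
import base64
import hashlib
import struct

# Assumed local policy, not taken from the Compose documentation.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def read_string(blob, offset):
    """Read one length-prefixed field (uint32 big-endian length, then bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def check_portal_user_key(name, public_key_line):
    """Validate one '<type> <base64> [comment]' line and return an audit record."""
    if "PRIVATE KEY" in public_key_line:
        raise ValueError("private key material must never be uploaded")
    fields = public_key_line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = fields[0], fields[1]
    if declared_type not in ALLOWED_TYPES:
        raise ValueError("key type not allowed: " + declared_type)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError("key body is not valid base64") from exc
    embedded_type, _ = read_string(blob, 0)
    if embedded_type.decode("ascii", "replace") != declared_type:
        raise ValueError("declared key type does not match key blob")
    # Same fingerprint format that `ssh-keygen -lf` prints.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"name": name, "type": declared_type, "fingerprint": fingerprint}


def make_sample_ed25519_line(comment="ops-laptop"):
    """Constructed sample: a well-formed blob with placeholder key bytes."""
    key_type, raw = b"ssh-ed25519", bytes(range(32))  # not a real key
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    print(check_portal_user_key("ops-laptop", make_sample_ed25519_line()))
```

Keeping the returned fingerprint alongside the portal user's descriptive name makes it possible to later confirm which private key holder each entry corresponds to.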