Client Credentials

Greenlight utilizes various components, such as mTLS certificates and runes, to provide secure access to a node. Various pieces of data must be persisted and made available to the client at runtime. Check out the Security page for more information.

To simplify data management for users and developers, Greenlight uses Credentials as a centralized location for the necessary information. Credentials can be reconstructed in various ways and exported in byte-encoded format for persistence.

Tip

If you registered your greenlight node before the release of gl-client v0.2, please see the section Instantiating a Credential from device certificates below.

Credential Types

There are two types of Credentials, the Nobody credential and the Device credential.

Reference instantiations of both credentials types can be found below. Complete files can be viewed from the examples folder from which these code snippets were taken.

Nobody Credentials

The Nobody credentials are used when there is no registered node associated with the requests made with the credential. They can be initialized using the developer certificates acquired from the Greenlight Developer Console and are used for registering and recovering greenlight nodes.

RustPython

let developer_cert = std::fs::read(developer_cert_path).unwrap_or_default();
let developer_key = std::fs::read(developer_key_path).unwrap_or_default();
let developer_creds = Nobody {
    cert: developer_cert,
    key: developer_key,
    ..Nobody::default()
};

developer_cert = Path(developer_cert_path).open(mode="rb").read()
developer_key = Path(developer_key_path).open(mode="rb").read()

developer_creds = Credentials.nobody_with(developer_cert, developer_key)

Device Credentials

The Device credentials are used when there is a registered node associated with the requests made with the credential. They can be restored from a path to a encoded credentials file, as well as from a byte array that carries the same data. Credentials for the device can also be constructed by their components or a combination of all of the above.

RustPython

let device_creds = Device::from_bytes(registration_response.creds);
save_to_file("creds", device_creds.to_bytes());

device_creds = Credentials.from_bytes(registration_response.creds)
save_to_file("creds", device_creds.to_bytes())

Instantiating a Credential from device certificates

For glclient versions released before v0.2, device certificates were the primary mechanism used for authentication. These certificates can be upgraded by instantiating a Device credential and invoking the upgrade method with a Nobody-instantiated Scheduler and a Signer. This will give the upgrade method everything it needs to construct any missing details and will return a properly functioning Device credential.

Rust

```rust

async fn upgrade_device_certs_to_creds( scheduler: &Scheduler, signer: &Signer, device_cert: Vec, device_key: Vec, ) -> Result { Device { cert: device_cert, key: device_key, ..Default::default() } .upgrade(scheduler, signer) .await .map_err(|e| anyhow!("{}", e.to_string())) } ```

Python

```python

def upgrade_device_certs_to_creds( scheduler: Scheduler, signer: Signer, device_cert: bytes, device_key: bytes ): device_creds = Credentials.from_parts(device_cert, device_key, "") return device_creds.upgrade(scheduler.inner, signer.inner) ```