Appearance

Authentication

DeltaFi uses role-based access control (RBAC) to secure API endpoints. Every endpoint requires a specific permission, and users are granted permissions through roles.

For setup and configuration instructions, see Authentication Configuration and Authorization Configuration.

Auth Modes

DeltaFi supports three authentication modes, configured via the auth.mode system property:

ModeValueDescription
BasicbasicUsername/password authentication (default)
CertificatecertX.509 client certificate authentication via Distinguished Names
DisableddisabledNo authentication; all requests treated as admin. For development only.

Basic Authentication

The default mode. Users authenticate with username and password via HTTP Basic auth. The default admin user's password is set with deltafi set-admin-password.

bash
curl -u admin:password http://deltafi-host/api/v2/status

Certificate Authentication

Uses X.509 client certificates. The Distinguished Name (DN) from the certificate must match a DN configured for a user in the system. Requires a CA certificate chain stored in a Kubernetes secret.

Disabled Mode

All requests are treated as coming from the admin user with full permissions. Intended for local development and testing only.

Request Headers

After initial authentication, the auth gateway populates these headers on forwarded requests:

HeaderDescription
X-DeltaFi-User-NameAuthenticated username (or DN in cert mode)
X-DeltaFi-User-IdUser's UUID
X-DeltaFi-PermissionsComma-separated list of granted permissions

Permission Model

Permissions follow an RBAC hierarchy:

User → Roles → Permissions
  • A user is assigned one or more roles
  • Each role contains one or more permissions
  • Endpoint access requires a specific permission (or the Admin permission)

Admin Override

The Admin permission grants access to every endpoint. All permission checks include an implicit OR Admin clause:

java
@PreAuthorize("hasAnyAuthority('PermissionName', 'Admin')")

Default Roles

RolePermissionsPurpose
AdminAdminFull system access
Ingress OnlyDeltaFileIngressData ingestion service accounts
Read OnlyRead-only permissionsView-only access

Combined Permissions

Some endpoints require multiple permissions simultaneously:

  • DeltaFileReplayAndAcknowledge — requires both DeltaFileReplay and DeltaFileAcknowledge
  • SnapshotCreateAndRevert — requires both SnapshotCreate and SnapshotRevert

Permissions Catalog

Administration

PermissionDescription
AdminFull system access

General

PermissionDescription
UIAccessAccess to the UI
StatusViewView system status
StatusPausePause and resume system status checks
DashboardViewView the UI dashboard
VersionsViewView running versions

Metrics

PermissionDescription
MetricsAdminAdmin role in Grafana
MetricsViewViewer role in Grafana
MetricsEditEditor role in Grafana
SurveyCreatePost survey metrics into the system

DeltaFiles

PermissionDescription
DeltaFileMetadataViewQuery and view DeltaFile metadata
DeltaFileMetadataWriteUpdate DeltaFile metadata
DeltaFileContentViewView DeltaFile content
DeltaFileReplayReplay DeltaFiles
DeltaFileResumeResume DeltaFiles in an ERROR stage
DeltaFileAcknowledgeAcknowledge DeltaFiles in an ERROR stage
DeltaFileCancelCancel processing of a DeltaFile
DeltaFileUserNoteAdd user notes to a DeltaFile
DeltaFilePinningPin or unpin a DeltaFile
DeltaFileIngressIngress DeltaFiles
DeltaFileExportExport DeltaFiles
DeltaFileImportImport DeltaFiles

Flows

PermissionDescription
FlowViewView flows
FlowValidateValidate flows
FlowUpdateChange flow state and update flows
FlowPlanDeleteRemove flow plans from the system plugin
FlowPlanCreateSave flow plans in the system plugin

Plugins

PermissionDescription
PluginsViewView installed plugins
PluginInstallInstall plugins
PluginUninstallUninstall plugins
PluginVariableUpdateEdit plugin variables

System Properties

PermissionDescription
SystemPropertiesReadView System Properties
SystemPropertiesUpdateEdit System Properties

Delete Policies

PermissionDescription
DeletePolicyCreateCreate Delete Policies
DeletePolicyReadView Delete Policies
DeletePolicyUpdateEdit Delete Policies
DeletePolicyDeleteDelete Delete Policies

Snapshots

PermissionDescription
SnapshotCreateCreate Snapshots
SnapshotReadView Snapshots
SnapshotDeleteDelete Snapshots
SnapshotRevertRevert the system to a Snapshot

Users

PermissionDescription
UserCreateCreate Users
UserReadView Users
UserUpdateEdit Users
UserDeleteDelete Users

Roles

PermissionDescription
RoleCreateCreate Roles
RoleReadView Roles
RoleUpdateEdit Roles
RoleDeleteDelete Roles

Events

PermissionDescription
EventCreateCreate Events
EventReadView Events
EventUpdateEdit Events
EventDeleteDelete Events
EventAcknowledgeAcknowledge Events

Stress Tests

PermissionDescription
StressTestExecute Stress Tests

Integration Tests

PermissionDescription
IntegrationTestUpdateSave and start integration tests
IntegrationTestViewView integration test results
IntegrationTestDeleteDelete completed integration test results

Resume Policies

PermissionDescription
ResumePolicyApplyApply Resume Policies to DeltaFiles in an ERROR state
ResumePolicyDryRunPreview which DeltaFiles a policy would affect
ResumePolicyCreateCreate Resume Policies
ResumePolicyReadView Resume Policies
ResumePolicyUpdateEdit Resume Policies
ResumePolicyDeleteDelete Resume Policies

Artifacts

PermissionDescription
ArtifactRegistryReadRead artifacts from the artifact registry
ArtifactRegistryWriteWrite artifacts to the artifact registry

Open Endpoints

The following endpoints do not require authentication:

EndpointPurpose
POST /pluginsPlugin self-registration during startup
GET /api/v2/permissionsList all available permissions
GET /api/v2/meReturn current user info from headers

Contact US

Copyright © 2021-2025 DeltaFi. All rights reserved.