From ac79824ade5021920a5b215e8abe24030442107d Mon Sep 17 00:00:00 2001 From: Jason Stirnaman Date: Mon, 21 Apr 2025 12:54:13 -0500 Subject: [PATCH] feat(auth): Core and Enterprise: add ABAC auth reference --- .../reference/internals/authentication.md | 18 ++++++++ .../reference/internals/authentication.md | 18 ++++++++ .../authentication.md | 42 +++++++++++++++++++ 3 files changed, 78 insertions(+) create mode 100644 content/influxdb3/core/reference/internals/authentication.md create mode 100644 content/influxdb3/enterprise/reference/internals/authentication.md create mode 100644 content/shared/influxdb3-internals-reference/authentication.md diff --git a/content/influxdb3/core/reference/internals/authentication.md b/content/influxdb3/core/reference/internals/authentication.md new file mode 100644 index 000000000..8c7a0ae2b --- /dev/null +++ b/content/influxdb3/core/reference/internals/authentication.md @@ -0,0 +1,18 @@ +--- +title: InfluxDB 3 Core authentication and authorization +description: > + {{% product-name %}} uses an Attribute-Based Access Control (ABAC) model to manage permissions + for authentication (authn) and authorization (authz). +menu: + influxdb3_core: + name: Authentication and authorization + parent: Core internals +weight: 107 +related: + - /influxdb3/core/admin/tokens/ +source: /shared/influxdb3-internals-reference/authentication.md +--- + + \ No newline at end of file diff --git a/content/influxdb3/enterprise/reference/internals/authentication.md b/content/influxdb3/enterprise/reference/internals/authentication.md new file mode 100644 index 000000000..95ebeac5a --- /dev/null +++ b/content/influxdb3/enterprise/reference/internals/authentication.md 
@@ -0,0 +1,18 @@ +--- +title: InfluxDB 3 Enterprise authentication and authorization +description: > + {{% product-name %}} uses an Attribute-Based Access Control (ABAC) model to manage permissions + for authentication (authn) and authorization (authz). +menu: + influxdb3_enterprise: + name: Authentication and authorization + parent: Enterprise internals +weight: 107 +related: + - /influxdb3/enterprise/admin/tokens/ +source: /shared/influxdb3-internals-reference/authentication.md +--- + + \ No newline at end of file diff --git a/content/shared/influxdb3-internals-reference/authentication.md b/content/shared/influxdb3-internals-reference/authentication.md new file mode 100644 index 000000000..25a70ee84 --- /dev/null +++ b/content/shared/influxdb3-internals-reference/authentication.md 
@@ -0,0 +1,42 @@
+
+{{% product-name %}} uses an Attribute-Based Access Control (ABAC) model to
+manage permissions.
+
+{{% show-in "enterprise" %}}
+This model allows for fine-grained control over access to resources and actions
+within an {{% product-name %}} instance.
+{{% /show-in %}}
+
+The ABAC model includes the following components:
+
+- **Authentication (authn)**: The process through which a user verifies their identity.
+ In {{% product-name %}}, this occurs when a token is validated.
+ Users may be human or machine (for example, through automation).
+ {{% product-name %}} tokens represent previously verified authenticated users that facilitate automation.
+
+- **Authorization (authz)**: The process that determines if an authenticated user can perform a requested action.
+ In {{% product-name %}}, authorization evaluates whether a token has permissions to perform actions on specific resources.
+
+- **Context**: The system may use contextual information, such as location or time,
+ when evaluating permissions.
+
+- **Subject**: The identity requesting access to the system.
+ In {{% product-name %}}, the subject is a _token_ (similar to an "API key" in other systems).
+ Tokens include attributes such as identifier, name, description, and expiration date.
+
+- **Action**: The operations (for example, CRUD) that subjects may perform on resources.
+
+- **Permissions**: The set of actions that a specific subject can perform on a specific resource.
+ Authorization compares the incoming request against the permissions set to decide if the request is allowed or not.
+ {{% show-in "core" %}}
+ In {{% product-name %}}, _admin_ tokens have all permissions.
+ {{% /show-in %}}
+ {{% show-in "enterprise" %}}
+ In {{% product-name %}}, _admin_ tokens have all permissions, while _resource_ tokens have specific permissions.
+ Resource tokens have fine-grained permissions for specific resources of a specific type.
+ For example, a database token can have permissions to read from a specific database but not write to it.
+ {{% /show-in %}}
+
+- **Resource**: The objects that can be accessed or manipulated.
+ In {{% product-name %}}, resources include databases and system information endpoints.
+ Resources have attributes such as identifier and name.
\ No newline at end of file