This article only applies to the Classic JOC user interface

The Classic JOC user interface is entering retirement:

FEATURE AVAILABILITY ENDING WITH RELEASE 1.11

The JOC Cockpit user interface is a replacement for the Classic JOC user interface:

FEATURE AVAILABILITY STARTING FROM RELEASE 1.11

See the Authentication and Authorization - Configuration article for information about configuring the JOC Cockpit for operation with an LDAP authentication server.

 

  • JobScheduler provides built-in basic user/password authentication:
    • The easiest way to generate the encrypted passwords is to use JOE.
    • This mechanism does not support more elaborate management of user credentials, e.g. password expiration policies.
  • If you want to authenticate users against an LDAP directory, you can set up a web server as a proxy for JOC.
    • Grant access to JobScheduler exclusively from localhost and from the web server (see the element <allowed_hosts> in scheduler.xml).
    • A user who wants to access JOC then has to use the address of the proxy server. Proxy access can then be secured using plugins of the web server (e.g. Apache's LDAP plugin).

Configuring a Proxy for the Apache Web Server

Load the proxy modules in httpd.conf of the Apache installation:

 LoadModule proxy_module modules/mod_proxy.so
 LoadModule proxy_http_module modules/mod_proxy_http.so

Configure a proxy address:

Proxy configuration with JobScheduler port 4444
 <Proxy http://scheduler_host:4444/*>
   Order deny,allow
   Allow from all
 </Proxy>
 
 ProxyPass /jobscheduler/ http://scheduler_host:4444/
 ProxyPassReverse /jobscheduler/ http://scheduler_host:4444/

After restarting Apache, JOC should be accessible by using the address

http://proxy_host:80/jobscheduler/

If you want to use the Jetty port (default=40444) instead of the JobScheduler port, note that JobScheduler

  • has an internal redirect from http://scheduler_host:40444 -> http://scheduler_host:40444/jobscheduler/operations_gui, where Jetty finds the sources.
  • uses two REST URLs: http://scheduler_host:40444/jobscheduler/engine/command/ and http://scheduler_host:40444/jobscheduler/engine-cpp/

So the proxy needs a different configuration:

Proxy configuration with Jetty port 40444
 <Proxy http://scheduler_host:40444/*>
   Order deny,allow
   Allow from all
 </Proxy>
 
 ProxyPass /jobscheduler/operations_gui/ http://scheduler_host:40444/jobscheduler/operations_gui/
 ProxyPassReverse /jobscheduler/operations_gui/ http://scheduler_host:40444/jobscheduler/operations_gui/
 ProxyPass /jobscheduler/engine/command/ http://scheduler_host:40444/jobscheduler/engine/command/
 ProxyPassReverse /jobscheduler/engine/command/ http://scheduler_host:40444/jobscheduler/engine/command/
 ProxyPass /jobscheduler/engine-cpp/ http://scheduler_host:40444/jobscheduler/engine-cpp/
 ProxyPassReverse /jobscheduler/engine-cpp/ http://scheduler_host:40444/jobscheduler/engine-cpp/

After restarting Apache, JOC should be accessible by using the address

http://proxy_host:80/jobscheduler/operations_gui/

Alternatively, use only one ProxyPass. In that case a redirect in Apache is recommended, which requires LoadModule rewrite_module modules/mod_rewrite.so to be active.

Proxy configuration with Jetty port 40444 and redirect
 <Proxy http://scheduler_host:40444/*>
   Order deny,allow
   Allow from all
 </Proxy>
 
 # "RewriteEngine on" is only needed if it has not already been set
 RewriteEngine on
 RewriteRule "/jobscheduler/?$" "/jobscheduler/operations_gui/" [R]
 ProxyPass /jobscheduler/ http://scheduler_host:40444/jobscheduler/
 ProxyPassReverse /jobscheduler/ http://scheduler_host:40444/jobscheduler/

After restarting Apache, JOC should be accessible by using the address

http://proxy_host:80/jobscheduler

 

Configuring Basic Authentication

 <Proxy http://scheduler_host:4444/*> 
   Order deny,allow
   Allow from all
   AuthType Basic
   AuthName "JobScheduler"
   AuthUserFile jobscheduler_password.file
   Require valid-user
 </Proxy> 

Create a file jobscheduler_password.file using the htpasswd utility. Store it in the Apache root directory:

 htpasswd -c jobscheduler_password.file username

Configuring LDAP Authentication

First, make sure the proxy for JobScheduler is working. Then the proxy can be secured using Apache's LDAP plugin.

Load LDAP modules:

 LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
 LoadModule ldap_module modules/mod_ldap.so

Secure the proxy:

 <Proxy http://scheduler_host:4444/*>
   AuthzLDAPAuthoritative off
   AuthBasicProvider ldap
   AuthType Basic
   AuthName "LDAP Job Scheduler"
   AuthLDAPURL ldap://your_host/ou=People,dc=my-domain,dc=com
   Require valid-user
 </Proxy>
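
The following Python audit is an added example, not part of the original article or of JobScheduler. It reads an httpd.conf text and reports <Proxy> blocks that forward requests without authentication or that reach the LDAP server over an unencrypted connection. The function name audit_proxy_blocks, the finding texts and the sample configuration are assumptions made for this example; a server-wide LDAPTrustedMode setting is not evaluated.

```python
import re
import shlex

# Constructed sample: an unauthenticated proxy block and the LDAP-secured
# block from this page, as they might end up together in one httpd.conf.
SAMPLE_CONF = """\
<Proxy http://scheduler_host:40444/*>
  Order deny,allow
  Allow from all
</Proxy>
<Proxy http://scheduler_host:4444/*>
  AuthBasicProvider ldap
  AuthType Basic
  AuthName "LDAP Job Scheduler"
  AuthLDAPURL ldap://your_host/ou=People,dc=my-domain,dc=com
  Require valid-user
</Proxy>
"""

PROXY_BLOCK = re.compile(r"<Proxy\s+([^>\s]+)\s*>(.*?)</Proxy>", re.S | re.I)
ENCRYPTED_MODES = {"SSL", "TLS", "STARTTLS"}  # optional 2nd AuthLDAPURL argument

def audit_proxy_blocks(conf_text):
    """Return sorted (proxy_target, finding) tuples for risky <Proxy> blocks."""
    findings = []
    for target, body in PROXY_BLOCK.findall(conf_text):
        directives = {}  # lower-cased directive name -> raw argument string
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
        # A block without AuthType and Require forwards every request as-is.
        if "authtype" not in directives or "require" not in directives:
            findings.append((target, "no authentication required"))
        # ldap:// without a TLS mode sends the user's password in cleartext
        # from Apache to the directory server.
        ldap_args = shlex.split(directives.get("authldapurl", ""))
        if ldap_args and ldap_args[0].lower().startswith("ldap://"):
            mode = ldap_args[1].upper() if len(ldap_args) > 1 else "NONE"
            if mode not in ENCRYPTED_MODES:
                findings.append((target, "LDAP connection not encrypted"))
    return sorted(findings)

if __name__ == "__main__":
    for target, finding in audit_proxy_blocks(SAMPLE_CONF):
        print(f"{target}: {finding}")
```

Neither check covers the browser-to-proxy leg: Basic authentication over http://proxy_host:80 is only base64-encoded, so the proxy itself should be served over HTTPS.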
