...
```ini
[main]
# Public LDAP Server for testing purposes
# see http://www.forumsys.com/en/tutorials/integration-how-to/ldap/online-ldap-test-server/
# Active Directory realm configuration
# See http://shiro.apache.org/static/current/apidocs/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.html
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},dc=example,dc=com
ldapRealm.searchBase = dc=example,dc=com
ldapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
ldapRealm.groupNameAttribute=ou
ldapRealm.userNameAttribute=uid
ldapRealm.userSearchFilter=(uniqueMember=uid=%s,dc=example,dc=com)
# Mapping of a LDAP group to roles. You can assign more than one role with separator sign |
ldapRealm.groupRolesMap = \
"scientists":"it_operator", \
"mathematicians":"administrator|application_manager"
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 360000
```
Assigning roles in the shiro.ini when using ldap
```ini
[users]
gauss=, api_user, my_role
[main]
# Public LDAP Server for testing purposes
# see http://www.forumsys.com/en/tutorials/integration-how-to/ldap/online-ldap-test-server/
# Active Directory realm configuration
# See http://shiro.apache.org/static/current/apidocs/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.html
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},dc=example,dc=com
ldapRealm.searchBase = dc=example,dc=com
ldapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
ldapRealm.groupNameAttribute=ou
ldapRealm.userNameAttribute=uid
ldapRealm.userSearchFilter=(uniqueMember=uid=%s,dc=example,dc=com)
# Mapping of a LDAP group to roles. You can assign more than one role with separator sign |
# In this example the LDAP group mapping is commented out. The user gauss will have the roles api_user and my_role.
# You can mix both role sources, the ini file and the LDAP group mapping.
#ldapRealm.groupRolesMap = \
#"scientists":"it_operator", \
#"mathematicians":"administrator|application_manager"
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 360000
[roles]
# Permissions can be assigned to roles with a comma separated list of permissions. Permissions may have * as a wildcard
all = sos:products
administrator = sos:products:joc_cockpit:jobscheduler_master:view, \
sos:products:joc_cockpit:jobscheduler_master:pause, \
sos:products:joc_cockpit:jobscheduler_master:continue, \
sos:products:joc_cockpit:jobscheduler_master:restart, \
sos:products:joc_cockpit:jobscheduler_universal_agent
application_manager = sos:products:joc_cockpit:jobscheduler_master:view, \
sos:products:joc_cockpit:jobscheduler_master:manage_categories, \
sos:products:joc_cockpit:jobscheduler_master:pause, \
sos:products:joc_cockpit:jobscheduler_master:continue, \
sos:products:joc_cockpit:jobscheduler_master_cluster:view:status, \
sos:products:joc_cockpit:jobscheduler_universal_agent:view:status, \
sos:products:joc_cockpit:daily_plan:view_status, \
sos:products:joc_cockpit:history:view, \
sos:products:joc_cockpit:order, \
sos:products:joc_cockpit:job_chain, \
sos:products:joc_cockpit:job, \
sos:products:joc_cockpit:process_class, \
sos:products:joc_cockpit:schedule, \
sos:products:joc_cockpit:lock, \
sos:products:joc_cockpit:event, \
sos:products:joc_cockpit:event_action, \
sos:products:joc_cockpit:holiday_calendar:view, \
sos:products:joc_cockpit:maintenance_window:view, \
sos:products:joc_cockpit:maintenance_window:enable_disable_maintenance_window
it_operator = sos:products:joc_cockpit:jobscheduler_master:view, \
sos:products:joc_cockpit:jobscheduler_master_cluster:view:status, \
sos:products:joc_cockpit:jobscheduler_universal_agent:view:status, \
sos:products:joc_cockpit:daily_plan:view_status, \
sos:products:joc_cockpit:history:view, \
sos:products:joc_cockpit:order, \
sos:products:joc_cockpit:job_chain, \
sos:products:joc_cockpit:job, \
sos:products:joc_cockpit:process_class, \
sos:products:joc_cockpit:schedule, \
sos:products:joc_cockpit:lock, \
sos:products:joc_cockpit:event, \
sos:products:joc_cockpit:event_action, \
sos:products:joc_cockpit:holiday_calendar:view, \
sos:products:joc_cockpit:maintenance_window:view
incident_manager = sos:products:joc_cockpit:jobscheduler_master:view, \
sos:products:joc_cockpit:jobscheduler_master_cluster:view:status, \
sos:products:joc_cockpit:jobscheduler_universal_agent:view:status, \
sos:products:joc_cockpit:daily_plan:view_status, \
sos:products:joc_cockpit:history:view, \
sos:products:joc_cockpit:order:view, \
sos:products:joc_cockpit:order:remove_setback, \
sos:products:joc_cockpit:job_chain:view, \
sos:products:joc_cockpit:job:view, \
sos:products:joc_cockpit:process_class:view, \
sos:products:joc_cockpit:schedule:view, \
sos:products:joc_cockpit:lock:view, \
sos:products:joc_cockpit:event:view, \
sos:products:joc_cockpit:event_action:view, \
sos:products:joc_cockpit:holiday_calendar:view, \
sos:products:joc_cockpit:maintenance_window:view
business_user = sos:products:joc_cockpit:jobscheduler_master:view:status, \
sos:products:joc_cockpit:jobscheduler_master_cluster:view:status, \
sos:products:joc_cockpit:jobscheduler_universal_agent:view:status, \
sos:products:joc_cockpit:daily_plan:view_status, \
sos:products:joc_cockpit:history:view, \
sos:products:joc_cockpit:order:view:status, \
sos:products:joc_cockpit:order:view:order_log, \
sos:products:joc_cockpit:job_chain:view:status, \
sos:products:joc_cockpit:job_chain:view:history, \
sos:products:joc_cockpit:job:view:status, \
sos:products:joc_cockpit:job:view:history, \
sos:products:joc_cockpit:job:view:task_log, \
sos:products:joc_cockpit:process_class:view:status, \
sos:products:joc_cockpit:schedule:view:status, \
sos:products:joc_cockpit:lock:view:status, \
sos:products:joc_cockpit:holiday_calendar:view:status, \
sos:products:joc_cockpit:maintenance_window:view:status
# A permission prefixed with - is removed from the role
api_user = sos:products:joc_cockpit:history:view, \
sos:products:joc_cockpit:order:view:status, \
sos:products:joc_cockpit:order, \
sos:products:joc_cockpit:job_chain, \
sos:products:joc_cockpit:job, \
-sos:products:joc_cockpit:job:view:configuration, \
-sos:products:joc_cockpit:job_chain:view:configuration, \
-sos:products:joc_cockpit:order:view:configuration, \
-sos:products:joc_cockpit:order:remove_setback, \
sos:products:joc_cockpit:process_class:view:status, \
sos:products:joc_cockpit:schedule:view:status, \
sos:products:joc_cockpit:lock:view:status, \
sos:products:joc_cockpit:holiday_calendar:view:status, \
sos:products:joc_cockpit:maintenance_window:view:status
my_role = sos:products:joc_cockpit:history:view, \
sos:products:joc_cockpit:order:view:status
```
It is possible to assign the roles directly in the shiro.ini. Add a [users] section with the LDAP user name as the key and a comma-separated list of the roles assigned to that user. These roles and the roles coming from the LDAP group-to-roles mapping (groupRolesMap) are both added to the user.
Attention: The list must start with a comma, so that the first field, which Shiro reads as the user's password, is skipped and left empty.
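How the pieces above fit together, as an added example (not code from the page or from the SOS JobScheduler project): it parses a constructed shiro.ini fragment modelled on the one above, merges the roles from the [users] line (leading comma skipping the password field) with those mapped from the user's LDAP groups via groupRolesMap, and checks a requested permission against the [roles] entries using Shiro's wildcard rule. The treatment of `-`-prefixed permissions as an explicit deny is an assumption, as is the simplified wildcard matching.

```python
# Added example, not SOS code: resolve a user's effective roles and permissions
# from a shiro.ini fragment (constructed, modelled on the page) plus LDAP groups.
SHIRO_INI = """
[users]
gauss=, api_user, my_role
[roles]
api_user = sos:products:joc_cockpit:order, \\
           -sos:products:joc_cockpit:order:remove_setback
my_role = sos:products:joc_cockpit:history:view
it_operator = sos:products:joc_cockpit:jobscheduler_master:view
"""
# groupRolesMap as on the page: "|" separates several roles for one LDAP group.
GROUP_ROLES_MAP = {"scientists": "it_operator",
                   "mathematicians": "administrator|application_manager"}
def parse_ini(text):
    """[section] / key = value parser; a trailing backslash continues the line."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections
def user_roles(ini, user, ldap_groups):
    """[users] value is 'password, role, ...'; the leading comma leaves the password empty."""
    fields = [f.strip() for f in ini.get("users", {}).get(user, "").split(",")]
    roles = {r for r in fields[1:] if r}           # fields[0] is the (empty) password
    for group in ldap_groups:                      # LDAP group -> role(s), split on "|"
        roles.update(r for r in GROUP_ROLES_MAP.get(group, "").split("|") if r)
    return roles
def implies(granted, requested):
    """Simplified Shiro WildcardPermission: parts match or are '*'; shorter implies longer."""
    g, r = granted.split(":"), requested.split(":")
    return len(g) <= len(r) and all(gp in ("*", rp) for gp, rp in zip(g, r))
def is_permitted(ini, roles, requested):
    """Assumption: a '-' prefixed permission (as on the page) denies and overrides grants."""
    perms = {p.strip() for role in roles
             for p in ini.get("roles", {}).get(role, "").split(",") if p.strip()}
    if any(implies(p[1:], requested) for p in perms if p.startswith("-")):
        return False
    return any(implies(p, requested) for p in perms if not p.startswith("-"))
```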
Database Authentication
System administrators can implement database authentication manually, using a database separate from the JobScheduler database(s) and possibly a separate DBMS.
...