
...

Excerpt

The JOC Cockpit brings user authentication and authorization to the JobScheduler.

Authentication can either take place against an Apache Shiro™ compliant configuration file, an LDAP compliant directory service or information stored in a database.

Authorization is defined in Roles and Permissions and an example set of Roles and Permissions is provided with the JOC Cockpit installation. System administrators are able to define their own User Roles and Permission sets as required.

The JOC Cockpit is able to handle authentication of multiple users and their authorization for multiple JobSchedulers simultaneously. It also includes an editor in the Manage Accounts view for the configuration of authentication and authorization.

Architecture

The JOC Cockpit Authentication and Authorization is provided as a part of the JobScheduler Web Services. These services are provided by the JOC Cockpit independently of any JobScheduler instances, and this functional independence allows, for example, scalability (see the JOC Cockpit Clusters section below) as well as enabling individual JobScheduler Masters and/or Agents to be used for individual clients. A more detailed description of the JobScheduler / JOC Cockpit architecture is provided in the JOC Cockpit - Architecture article.

...

Multiple instances of the JOC Cockpit can be synchronized to provide a high availability cluster. (This feature is available with Release 1.12.1 and newer.)

To enable clustering of the JOC Cockpit:

  • install two or more instances of the JOC Cockpit on separate servers
  • all JOC Cockpit servers must use the same database
  • add the following two lines to the [main] section of the shiro.ini Shiro configuration file for one of the instances:
    • sessionDAO = com.sos.auth.shiro.SOSDistributedSessionDAO
    • securityManager.sessionManager.sessionDAO = $sessionDAO
  • connect all JOC Cockpit servers to a load balancer.
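A small check for the two [main] settings listed above, added here as example code (not the JOC Cockpit project's own): it parses a shiro.ini, confirms both distributed-session lines are present with the expected values, and flags a dangling $ reference, which Shiro cannot resolve at start-up. The embedded shiro.ini samples are constructed for the example.

```python
"""Verify the shiro.ini [main] settings required for a JOC Cockpit cluster."""
import configparser

# The two lines required by the clustering instructions on this page.
REQUIRED_MAIN = {
    "sessionDAO": "com.sos.auth.shiro.SOSDistributedSessionDAO",
    "securityManager.sessionManager.sessionDAO": "$sessionDAO",
}


def parse_shiro_ini(text):
    """Parse shiro.ini text. Keys keep their case, because Shiro property
    names such as securityManager.sessionManager.sessionDAO are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_cluster_config(text):
    """Return a list of problems; an empty list means [main] carries both
    distributed-session lines and every $name reference resolves."""
    cp = parse_shiro_ini(text)
    if not cp.has_section("main"):
        return ["missing [main] section"]
    main = cp["main"]
    problems = []
    for key, expected in REQUIRED_MAIN.items():
        actual = main.get(key)
        if actual is None:
            problems.append(f"[main] lacks '{key}'")
        elif actual.strip() != expected:
            problems.append(f"[main] {key} is '{actual.strip()}', expected '{expected}'")
    # Shiro resolves "$name" to an object defined earlier in [main];
    # a reference to an undefined name makes the SecurityManager fail to build.
    for key, value in main.items():
        value = value.strip()
        if value.startswith("$") and value[1:] not in main:
            problems.append(f"[main] {key} references undefined object '{value}'")
    return problems


# Constructed sample: a minimal shiro.ini with the clustering lines in place.
CLUSTERED_INI = """
[main]
sessionDAO = com.sos.auth.shiro.SOSDistributedSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO
"""

if __name__ == "__main__":
    print(check_cluster_config(CLUSTERED_INI) or "cluster session settings OK")
```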


Implementation

  • The JOC Cockpit uses Apache Shiro to authenticate and authorize users.
  • Authentication and Authorization information can be read by Shiro from a number of separate resources. These are:
    • a local configuration (shiro.ini) file that may include both authentication and authorization information, depending on the methods of authentication and authorization configured;
    • an authentication service that provides an LDAP interface, such as Microsoft Active Directory, and
    • a database containing both authentication and authorization information and which complies with the Shiro data model requirements. This database will be managed (and populated) by a system administrator.

Authentication

  • The JOC Cockpit web services accept the user name and password from the login screen and, depending on the configuration in the shiro.ini file, either:
    • try to verify the credentials against information stored in the shiro.ini file,
    • try to log in to the LDAP directory service with the given credentials, or
    • check the credentials against information stored in a Shiro compliant database.
  • The authentication credentials are subsequently used for HTTP Authentication with each HTTP request that is created by the JOC Cockpit for the JobScheduler Web Services.
    • Browsers may cache credentials during a session, i.e. they are re-used for single sign-on when opening the JOC Cockpit in a new browser tab. The credentials cache is cleared on termination of the browser.
    • This behavior might vary depending on the browser and version.

...