
Introduction

The JOC Cockpit brings user authentication and authorization to the JobScheduler.

Authentication can take place against an Apache Shiro™ compliant configuration file, an LDAP compliant directory service, or user information stored in a database.

Authorization is defined by roles: a default set of roles is provided with the JOC Cockpit, and users are able to define their own roles.

The JOC Cockpit is able to handle authentication of multiple users and their authorization for multiple JobSchedulers simultaneously.

Authentication and Authorization

  • The JOC Cockpit uses Apache Shiro to authenticate and authorize users.
  • Authentication and Authorization information can be read by Shiro from a number of separate resources. These are:
    • a local configuration (shiro.ini) file that may include both authentication and authorization information,
    • an authentication service that provides an LDAP interface, such as Microsoft Active Directory, and
    • a database that complies with the Shiro data model requirements and which is managed (and populated) by a system administrator.

Authentication

  • The JOC Cockpit accepts the user name and password from the login screen and, depending on the configuration in the shiro.ini file, either:
    • tries to verify the credentials against information stored in the shiro.ini file,
    • tries to login to the LDAP directory service with the given credentials or
    • checks the credentials against information stored in a Shiro compliant database.
  • The authentication credentials are subsequently used for HTTP authentication with each HTTP request that the JOC Cockpit sends to the JobScheduler Web Services.
    • Browsers may cache credentials during a session, i.e. they are re-used for single sign-on when the JOC Cockpit is opened in a new browser tab. The credentials cache is cleared when the browser is closed.
    • This behavior may vary depending on the browser and its version.

The intended purposes of the authentication methods available are:

  • Shiro Authentication:
    • Intended for development and use where security is of relatively low importance.
    • User passwords are stored in plain text in the shiro.ini file, which is not encrypted.
  • LDAP Authentication:
    • Intended for use in production environments where LDAP is already in use.
    • The shiro.ini file contains information specifying the LDAP service.
  • Database Authentication:
    • Intended for use in production environments.
    • The shiro.ini file contains information specifying the database authentication service.
    • Authentication information is entered manually in the database by a system administrator.

Authorization

After successful authentication the JOC Cockpit checks the roles assigned to the given user against a mapping of roles to permissions. The method used to specify this mapping depends on the method used for user authentication:

  • Shiro Authentication:
    • Using a mapping of roles to permissions stored in the local shiro.ini configuration file.
  • LDAP Authentication:
    • Using a configurable LDAP query that checks the user's membership of a number of Active Directory groups. An LDAP query is configured for each role, and if the user's group membership matches, the user is assigned the relevant role. This role is then mapped onto a set of permissions using information stored in the local shiro.ini configuration file.
  • Database Authentication:
    • Using a Hibernate query to check the user's role(s) against a table of roles and permissions stored in the same database as is used for authentication.

By default the shiro.ini configuration file contains a mapping of roles and permissions. This mapping can be used with Shiro and LDAP authentication and is shown in the Matrix of Roles and Permissions section below.

  • System administrators can:
    • add additional roles of their own to the mapping and
    • change the permissions assigned to roles.
  • System administrators wishing to use database authorization can copy this mapping into database tables.
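The following is an added example, not the JOC Cockpit's own code or its shipped shiro.ini. It models the two steps described above for Shiro authentication and authorization: a `[users]` section mapping each user to a password and roles, and a `[roles]` section mapping each role to permission strings, resolved with the matching rules of Shiro's WildcardPermission (colon-separated parts, comma-separated alternatives within a part, `*` as a wildcard, and missing trailing parts implying everything). The ini text, user names, role names, permission strings and the `$shiro1$` hash value are constructed placeholders. The last function flags accounts whose credential in the file is not a Shiro1 hash, which is the plain-text situation the Shiro Authentication method described above implies.

```python
"""Model of how Apache Shiro resolves users -> roles -> permissions from a
shiro.ini file with [users] and [roles] sections.

Added example, not JOC Cockpit code or its shipped shiro.ini. All names,
permission strings and the hash value below are constructed placeholders;
only the section layout and the WildcardPermission rules follow Shiro.
"""
import configparser
import csv
import hmac

WILDCARD = "*"

# Constructed shiro.ini. Shiro's ini convention: "user = password, role, ..."
# and "role = permission, ...", with a permission that itself contains a comma
# wrapped in double quotes. The auditor's $shiro1$ value is a placeholder,
# not a real hash; the other three passwords are stored in plain text.
SAMPLE_SHIRO_INI = """
[users]
root = root, all
operator = op-secret, job_operator
viewer = viewer-secret, job_viewer
auditor = $shiro1$SHA-256$500000$c2FsdHNhbHQ=$aGFzaGhhc2g=, job_viewer

[roles]
all = *
job_operator = jobscheduler:jobs:view, jobscheduler:jobs:start, jobscheduler:jobs:stop
job_viewer = "jobscheduler:jobs,orders:view"
"""


def _split_list(value):
    """Split a comma-separated ini value, honouring double-quoted items."""
    return [item.strip() for item in next(csv.reader([value], skipinitialspace=True))]


def parse_shiro_ini(text):
    """Return (users, roles): users maps name -> (password, [role names]),
    roles maps role name -> [permission strings]."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep user and role names case-sensitive
    parser.read_string(text)
    users = {}
    for name, value in parser["users"].items():
        password, *role_names = _split_list(value)
        users[name] = (password, role_names)
    roles = {role: _split_list(value) for role, value in parser["roles"].items()}
    return users, roles


def _parts(permission):
    """Split "a:b,c:*" into [{"a"}, {"b", "c"}, {"*"}]; Shiro trims and lowercases."""
    parts = []
    for part in permission.strip().split(":"):
        subparts = {s.strip().lower() for s in part.split(",") if s.strip()}
        if not subparts:
            raise ValueError("empty part in permission %r" % permission)
        parts.append(subparts)
    return parts


def implies(granted, requested):
    """Does the granted permission imply the requested one (WildcardPermission rules)?"""
    g, r = _parts(granted), _parts(requested)
    i = 0
    for requested_part in r:
        if i >= len(g):
            return True  # granted has fewer parts: trailing parts are implied
        granted_part = g[i]
        if WILDCARD not in granted_part and not granted_part >= requested_part:
            return False
        i += 1
    # granted has more parts than requested: the extra parts must all be wildcards
    return all(WILDCARD in part for part in g[i:])


def authenticate(users, name, password):
    """Authentication step: compare the supplied password with the stored one
    (plain-text comparison, matching plain-text credentials in shiro.ini)."""
    if name not in users:
        return False
    stored, _ = users[name]
    return hmac.compare_digest(stored.encode(), password.encode())


def is_permitted(users, roles, name, requested):
    """Authorization step: resolve the user's roles, then test each granted permission."""
    if name not in users:
        return False
    _, role_names = users[name]
    return any(implies(perm, requested)
               for role in role_names
               for perm in roles.get(role, []))


def plain_text_password_users(users):
    """Names of users whose stored credential is not a Shiro1 hash ($shiro1$...)."""
    return sorted(name for name, (password, _) in users.items()
                  if not password.startswith("$shiro1$"))


if __name__ == "__main__":
    users, roles = parse_shiro_ini(SAMPLE_SHIRO_INI)
    print("operator login:", authenticate(users, "operator", "op-secret"))
    for user, perm in [("viewer", "jobscheduler:orders:view"),
                       ("viewer", "jobscheduler:jobs:start"),
                       ("operator", "jobscheduler:jobs:start"),
                       ("root", "anything:at:all")]:
        print(user, perm, "->", is_permitted(users, roles, user, perm))
    print("plain-text passwords:", plain_text_password_users(users))
```

Running the script shows the viewer role granting `jobscheduler:orders:view` through the comma alternative but not `jobscheduler:jobs:start`, the `all = *` role implying any permission, and three of the four constructed accounts listed as having plain-text passwords. The same role-to-permission resolution applies when the roles come from an LDAP group match instead of the `[users]` section.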

User Profile and Roles

[Screenshot: JOC Cockpit User Profile view showing the User Details and Roles information]

This view is read-only for all users - changes can only be made by a system administrator modifying the authentication and authorization configuration as described in the Authentication and Authorization Configuration article.

Matrix of Roles and Permissions

The document below shows the default roles and permissions delivered in the JOC Cockpit shiro.ini configuration file. System administrators can define and modify roles and permissions as required.

Document: joc-role-operation-permission.xlsx
