To restrict user access through the access control system, a user must have a defined role. This role must be associated with resources and authorized actions for the resource.
Roles
Roles are equivalent to group names, which are defined in the security provider server. In the access control process, the security provider server determines if the user belongs to a particular group. If so, the group is considered to be his or her role, and limits the available resources and actions the user can access.
There is also the option of the *any role, which implies that everyone is part of the role. If the *any role is used, no call is made to the security provider server to check whether the user is part of the role.
Resources
There are two types of resources: cluster and project server. Cluster resources are divided into the following categories:
- Application – add, remove, start, stop, and get projects
- Workspace – add, remove, and get workspaces
- Security – for adding RSA users and reloading the policy file
- Node – get controller and manager nodes, and stop nodes
Resources such as streams and windows are considered project (which runs in project server) resources. Resources in the policy file are defined in a tree like format using "/" to indicate children. For example, if you have a project called workspace1/project1 which has stream1 and window1 elements, you can define these resources in various ways in the policy file:
- workspace1
- workspace1/project1
- workspace1/project1/stream1
- workspace1/project1/window1
Event Stream Processor supports hierarchical resource entitlement, which means if a user is authorized for an action for resource workspace1, then the user is automatically authorized the same action for all resources under the workspace1.
The *any option can also be used as part of the resources. It refers to all the resources in the cluster. You cannot define the *any resource option in a granular fashion, such as workspace1/*any.
Actions
There are four action types (access methods) available for all resources:
| Action Type |
Description |
|---|
| READ |
Ability to open, get, and subscribe to a specific resource, but not make any changes. |
| WRITE |
Ability to write, add, remove, and update a specific resource. |
| START |
Ability to start a project. |
| STOP |
Ability to stop a project or node. |
Access Control Scenario
When the client makes a login call, the security services authenticate the user. When a user of Role A tries to access Resource B, verification ensures the user is authorized to access the resource and perform the desired action on the resource.
Example 1
A policy file is configured where Resource B can be accessed by users of Role A with Action READ. If a user with Role A tries to perform a WRITE action in Resource B, the user is not authorized. However, if the user is trying to READ Resource B, this action is authorized.