Configuring Access Control

Define access control policies that specify user roles, the actions available to each role, and the resources on which the actions can be performed. If Event Stream Processor is configured to authenticate through the native OS or preconfigured logins, enable access control. Set up role mapping.

Access control policies are maintained in a single XML policy file used by all manager nodes in a cluster. If no access control policies are defined, authorization is not restricted based on user roles, and therefore all authenticated users will have full access.

Access control is enabled by default for LDAP authentication. To enable access control for native OS or preconfigured login authentication, edit the appropriate csi files in the security directory, as described in the steps below. If the roles you configure in the policy file do not have names identical to the names of groups in LDAP or your OS, you must also configure role mappings in ESP_HOME/security/csi_role_mapping.xml. Role mappings link roles in the policy file to OS or LDAP groups.

The policy file, policy.xml, is loaded automatically when you start the cluster manager. If you modify the policy file, use the cluster admin tool to reload it at runtime.

  1. Use any text editor to open the policy file, ESP_HOME/security/policy.xml.
  2. To start a new policy, add <Policy> tags to the <Policies> element.
    You can include more than one <Policy> within the <Policies> tags.
  3. Specify the policy type as Project, Node, or Cluster. For example:
    <Policy type="Project">
  4. To create a new role for the policy, add <Role> tags within <Subjects> tags.
    You can include more than one role in the <Subjects> tags. However, all the roles defined in one <Policy> element are associated with the same set of resources and actions. For a role with different resources and actions, create a separate policy using the <Policy> tag.
  5. Within the <Role> tags, enter the name of the group or role that defines the new role.
  6. To associate resources with the role, specify each resource with <Resource> tags, and enclose these in the <Resources> element.
  7. To associate actions with the resources, specify each action (read, write, start, or stop) with <Action> tags and enclose these in the <Actions> element.
  8. Save and exit the file.
  9. (Optional) If you are configuring access control for use with native OS authentication, edit ESP_HOME/security/csi_native_nt.xml or ESP_HOME/security/csi_native_unix.xml to enable access control.
    1. Put comment tags (<!-- and -->) around the line that configures the NoSecAuthorizer provider.
    2. Uncomment the line that configures the RoleCheckAuthorizer provider.
    3. If the roles in your policy file do not correspond to existing groups in your OS, also uncomment the lines that configure the XMLFileRoleMapper provider and specify the role map file, csi_role_mapping.xml.
    This sample csi_native_unix.xml file enables access control and role mapping (RoleCheckAuthorizer and XMLFileRoleMapper, which points to csi_role_mapping.xml, are outside the comment tags, while NoSecAuthorizer is inside).
    <?xml version="1.0" encoding="UTF-8"?>
    <config:configuration xmlns:config="http://www.sybase.com/csi/2.5/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <config:authenticationProvider controlFlag="sufficient" name="com.sybase.security.os.UnixProxyLoginModule"/>
      <config:provider name="com.sybase.security.core.NoSecAttributer" type="attributer"/>
      <config:provider name="com.sybase.security.core.RoleCheckAuthorizer" type="authorizer"/>
      <config:provider name="com.sybase.security.core.XMLFileRoleMapper" type="roleMapper">
        <config:options name="RoleMapFile" value="${esp.home}/security/csi_role_mapping.xml"/>
      </config:provider>
      <!--
      <config:provider name="com.sybase.security.core.NoSecAuthorizer" type="authorizer"/>
      -->
    </config:configuration>
    
  10. (Optional) If you are configuring access control for use with preconfigured logins, edit ESP_HOME/security/csi_local.xml to enable access control.
    1. Put comment tags (<!-- and -->) around the line that configures the NoSecAuthorizer provider.
    2. Add this line inside the <configuration> element:
    <provider name="com.sybase.security.core.RoleCheckAuthorizer" type="authorizer"/>
    
  11. (Optional) For preconfigured logins, configure roles in csi_local.xml that match the ones in policy.xml.
    Add roles in the <options> element, and put the <options> element in the same <authenticationProvider> element as the login’s user name and password. You can include multiple role names in the value field—separate them with commas. This sample <authenticationProvider> defines a login called sybase whose roles are espAdmin, espUser, and investment:
      <authenticationProvider controlFlag="sufficient" name="com.sybase.security.core.PreConfiguredUserLoginModule">
        <options name="username" value="sybase"/>
        <options name="password" value="{SHA-256:gIQWZYOPQVM=}jqHtsTPcw8kGkZt1PQeveUAhQncAQhHXJBrjZAqTfk4="/>
        <options name="roles" value="espAdmin,espUser,investment"/>
      </authenticationProvider>
    
    If the file contains more than one login, configure roles for each one.
  12. (Optional) If you are using role mapping with LDAP or native OS authentication, modify ESP_HOME/security/csi_role_mapping.xml to map roles specified in your policy file to groups in LDAP, Windows, or UNIX.
    Use a Mapping element for each mapping. LogicalName is the role in your policy file; MappedName is the group whose members need that role. This is a sample mapping:
    <Mapping>
      <LogicalName>investment</LogicalName>
      <MappedName>espInvestmentRole</MappedName>
    </Mapping>
    
This is a sample policy file. The investment role enables users to read, write, start, and stop the two resources.
<Policies>
  <Policy type="Project">
    <Subjects>
      <Role>investment</Role>
    </Subjects>
    <Resources>
      <Resource>Default/PassThrough/vwapTrades</Resource>
      <Resource>Default/Pass1</Resource>
    </Resources>
    <Actions>
      <Action>read</Action>
      <Action>write</Action>
      <Action>stop</Action>
      <Action>start</Action>
    </Actions>
  </Policy>
</Policies>
Note: You assign users to groups through the security provider (LDAP, the operating system, or for preconfigured logins, the csi_local.xml file).
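As an added example (not part of the Sybase documentation or the product), a short Python lint that applies the rules above to constructed samples of policy.xml, csi_role_mapping.xml and csi_local.xml: it flags a policy type or action outside the allowed sets, a role that is neither mapped to a group nor granted to a preconfigured login, and the empty-policy case in which every authenticated user gets full access. The sample file contents and the root element of the role-map fragment are assumed values.

```python
import xml.etree.ElementTree as ET

POLICY_TYPES = {"Project", "Node", "Cluster"}  # allowed <Policy type="...">
ACTIONS = {"read", "write", "start", "stop"}    # allowed <Action> values
# Constructed sample fragments (not from a real install); the role-map root element is a placeholder.
POLICY_XML = """<Policies>
  <Policy type="Project">
    <Subjects><Role>investment</Role><Role>auditor</Role></Subjects>
    <Resources><Resource>Default/PassThrough/vwapTrades</Resource></Resources>
    <Actions><Action>read</Action><Action>reload</Action></Actions>
  </Policy>
</Policies>"""
ROLE_MAP_XML = """<RoleMap>
  <Mapping><LogicalName>investment</LogicalName><MappedName>espInvestmentRole</MappedName></Mapping>
</RoleMap>"""
CSI_LOCAL_XML = """<authenticationProvider controlFlag="sufficient" name="com.sybase.security.core.PreConfiguredUserLoginModule">
  <options name="username" value="sybase"/>
  <options name="roles" value="espAdmin,espUser,investment"/>
</authenticationProvider>"""


def mapped_roles(role_map_xml):  # roles that csi_role_mapping.xml links to an OS or LDAP group
    return {m.findtext("LogicalName", "").strip() for m in ET.fromstring(role_map_xml).iter("Mapping")}


def preconfigured_roles(csi_local_xml):  # roles granted by <options name="roles"> in csi_local.xml
    roles = set()
    for opt in ET.fromstring(csi_local_xml).iter("options"):
        if opt.get("name") == "roles":
            roles.update(r.strip() for r in opt.get("value", "").split(",") if r.strip())
    return roles


def lint_policy(policy_xml, known_roles):  # returns findings; an empty list means the file checks out
    findings = []
    policies = list(ET.fromstring(policy_xml).iter("Policy"))
    if not policies:  # no policies means all authenticated users get full access
        findings.append("no <Policy> defined: authorization is unrestricted")
    for i, pol in enumerate(policies, 1):
        if pol.get("type") not in POLICY_TYPES:
            findings.append(f"policy {i}: invalid type {pol.get('type')!r}")
        for role in pol.iter("Role"):  # every role needs a group mapping or a preconfigured login
            if (role.text or "").strip() not in known_roles:
                findings.append(f"policy {i}: role {role.text!r} has no group mapping or login")
        for act in pol.iter("Action"):
            if (act.text or "").strip() not in ACTIONS:
                findings.append(f"policy {i}: unknown action {act.text!r}")
    return findings


if __name__ == "__main__":
    known = mapped_roles(ROLE_MAP_XML) | preconfigured_roles(CSI_LOCAL_XML)
    print("\n".join(lint_policy(POLICY_XML, known)) or "policy.xml is consistent")
```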
Next
Enable access control in node-name.xml.
Related tasks
Enabling or Disabling Access Control
Related reference
Cluster Administrative Tool