To enable access control, set the location of the policy file in <node-name>.xml. To disable it, comment the policy line out.
Prerequisites
- Create role-based access control policies in the policy.xml file.
- Enable access control role checking for native OS or preconfigured logins in CSI files. (Role checking is enabled by default for LDAP.)
- (Optional) Configure role mappings.
Task
By default, the location of the policy file is commented out of the cluster node configuration file.
- To enable access control, edit the node’s configuration file, ESP_HOME/cluster/nodes/<nodename>/<node-name>.xml. Uncomment the line that points to the policy file. In the Csi element in the Security section, change this:
<!--Policy>${ESP_HOME}/security/policy.xml</Policy-->
To this:
<Policy>${ESP_HOME}/security/policy.xml</Policy>
When access control is enabled, a login call from a client causes the security provider to authenticate the user. When the user tries to perform an action on a resource, the server determines whether the user’s role grants access to the action and resource. If so, the user is authorized for the action for the resource. Otherwise, the action is denied.
- To disable access control, open ESP_HOME/cluster/nodes/<nodename>/<node-name>.xml
and comment out the Policy element (in Csi in the Security section):
<!--Policy>${ESP_HOME}/security/policy.xml</Policy-->
When access control is disabled, the server performs no access control checking; any authenticated user can perform any action on any resource.
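The following added example (not part of the original documentation or the product's own tooling) checks a node configuration file to report whether the Policy element in Csi under Security is active or commented out. The surrounding file layout in the sample is constructed for illustration; only the Security, Csi and Policy element names and the policy path come from the text above.

```python
import re
import xml.etree.ElementTree as ET

# Matches both <!--Policy>path</Policy--> and <!-- <Policy>path</Policy> -->
POLICY_IN_COMMENT = re.compile(r"Policy>\s*(.*?)\s*</Policy")

def local(tag):
    """Drop a namespace prefix: '{uri}Policy' -> 'Policy'. Comment nodes have a non-str tag."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""

def policy_state(xml_text):
    """Return ('enabled', path), ('disabled', path) or ('absent', None)."""
    # insert_comments=True (Python 3.8+) keeps comment nodes in the tree,
    # so a commented-out Policy line can be told apart from a missing one.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    disabled = None
    for security in root.iter():
        if local(security.tag) != "Security":
            continue
        for csi in security.iter():
            if local(csi.tag) != "Csi":
                continue
            for child in csi:
                if local(child.tag) == "Policy" and (child.text or "").strip():
                    return ("enabled", child.text.strip())
                if child.tag is ET.Comment and disabled is None:
                    m = POLICY_IN_COMMENT.search(child.text or "")
                    if m:
                        disabled = m.group(1)
    return ("disabled", disabled) if disabled else ("absent", None)

# Constructed sample documents; the <Node> wrapper is an assumption.
TEMPLATE = "<Node><Security><Csi>\n  POLICY_LINE\n</Csi></Security></Node>"
ENABLED_XML = TEMPLATE.replace(
    "POLICY_LINE", "<Policy>${ESP_HOME}/security/policy.xml</Policy>")
DISABLED_XML = TEMPLATE.replace(
    "POLICY_LINE", "<!--Policy>${ESP_HOME}/security/policy.xml</Policy-->")

if __name__ == "__main__":
    for name, doc in (("enabled sample", ENABLED_XML), ("disabled sample", DISABLED_XML)):
        print(name, policy_state(doc))
```

Run across every node's <node-name>.xml, a "disabled" result identifies nodes where any authenticated user can perform any action on any resource.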