Sybase CEP Engine Enterprise Edition enables users to explicitly permit or deny access to specified resources.
For example, you might allow only certain specific users or computers to subscribe to a stream that contains private financial data.
The Sybase CEP Installation Guide describes the Actions, Resources, and Subjects that may be restricted. In short, a subject is a user, a group, or a computer. A resource is a Sybase CEP Server object, such as a stream or a workspace. An action is a plugin action such as read, write, or create workspace. So, for example, there can be a rule created that allows user Jane Smith to subscribe and publish to the stream StockQuotes, while John Doe is allowed to subscribe to the stream but not to publish to it, and any other user is disallowed from reading or writing to the stream.
To implement this restriction, you can use a plugin that asks a user to enter her username and password before they is allowed to access a particular resource, such as subscribing to a stream. The plugin is passed the username and the password and then returns a value indicating whether the password matched the password for the specified user. If the password does not match, the server will not allow the user to access that particular resource. you can choose whatever software you wish to use to verify that the password is correct for the username.
Sybase CEP provides the following plugins for user authentication:
LDAP: This plugin allows you to use standard LDAP as a way of determining whether a user is who they claim to be.
htpasswd: This is a simple plugin that allows you to use encrypted password files to determine whether a user is who they claims to be.
Pluggable Authentication Module (PAM): This is a tool that lets you use different authentication methods at different times, without re-compiling the program or recompiling the Sybase CEP Server.
In addition to using these plugins, you can write your own plugin, which can connect to some other system to verify the password. If you write your own plugin, specify the library name that contains the plugin, and the names of the initialize(), execute(), and shutdown() functions of the plugin. See the documentation of the htpasswd plugin for an example.
For any of these authentication plugins, you must customize the c8-server.conf file in at least two places. The first place is shown below; you must de-comment the "ACLFile" preference and, optionally, replace the file name "c8-acl.xml" with another file name if you want to use a different file:
<section name="SybaseC8/Security"> <section name="AccessControl"> <!-- The location of the Sybase CEP access control list file --> <!-- Default: empty --> <!-- <preference name="ACLFile" value="C:\Program Files\SybaseC8\Server/conf/c8-acl.xml"/> -->
You must, of course, customize the contents of the c8-acl.xml file. See the Sybase CEP Installation Guide for details.
The second part of the c8-server.conf file that you must customize will depend upon which plugin you are using.
For more information on this topic, please see the following:
User Authentication via Pluggable Authentication Module (PAM).
The Sybase CEP Installation Guide , which explains how to configure the Sybase CEP Server configuration file (c8-server.conf) to tell the server to read the ACL file (c8-acl.xml).
The Sybase CEP Installation Guide , which explains some contents of ACL files (Subjects, Resources, and Actions).