Configuring Cascading Authentication Methods

Configure Event Stream Processor to cascade through the list of authentication methods to automatically enable the first available method.

If, for example, you are using LDAP authentication and your LDAP server goes down, users will no longer be able to authenticate using LDAP. Cascading through the authentication methods allows the ESP server to continue authenticating users without manual intervention.

As with systems using singularly-enabled authentication methods, the <node_name>.xml file references a csi_*.xml file that contains the authentication parameters. The difference with a system using cascading authentication is that this csi_*.xml file contains the <authenticationProvider> definitions for all the authentication methods you want to make available.

To configure your system for cascading authentication, use one of the csi_*.xml files provided in ESP_HOME/security, such as csi_kerberos.xml, as a basis for a new CSI file, called, for example, csi_all.xml. Into the new csi_all.xml file, copy the <authenticationProvider> definitions from each of the csi_*.xml files corresponding to the authentication methods you want to enable. For example, if you want to cascade through the Kerberos, RSA, and LDAP authentication methods, copy the <authenticationProvider> definition from each of the csi_kerberos.xml, csi_rsa.xml, and csi_ldap.xml files.

The ESP server iterates through the list of providers in order, starting with the first one in the list. Under normal circumstances, this will be the authentication method for your system. If that method becomes unavailable, the server looks at the second method in the list and tries to use it. If this attempt is successful, users can continue authenticating against the server (using the new authentication method) with no manual intervention required.

With each subsequent authentication request, the server returns to the top of the list of authentication providers and tries them in order. Therefore, when the preferred authentication method becomes available again, the server reverts to that method; there is no need to restart the server or the cluster managers.

To configure Event Stream Processor to use cascading authentication:

  1. Open the desired csi_*.xml file and save it with a different name, such as csi_all.xml.
  2. For each authentication method you want to make available, open the corresponding csi_*.xml file.
  3. In each file, copy the <authenticationProvider> section and paste it into csi_all.xml. Place the sections in the order you want them enabled. The authentication method placed earliest in the file is used first. If that method is not available, the server cascades through the list, in order, until it encounters an authentication method it can use.
  4. Save and close csi_all.xml.
  5. Use a text editor to open the cluster configuration file, ESP_HOME/cluster/<node-name>/<node-name>.xml.
  6. Within the <Security> section of the cluster configuration file, in the <Csi> section, change the <File> value to csi_all.xml, as follows:
    <Csi>
      <File>csi_all.xml</File>
    </Csi>
  7. Save and close the file.
  8. Restart the server, including all cluster managers.
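The following script carries out steps 1 through 6 of the procedure above on in-memory copies of the files: it merges the <authenticationProvider> definitions from the per-method CSI files in the chosen order and points the cluster configuration's <Csi><File> at csi_all.xml. It is an added example, not code shipped with Event Stream Processor; only the element name <authenticationProvider>, the <Security>/<Csi>/<File> path and the ordering rule come from the documentation, while the root element names, the name= attribute and the <roleMapper> element in the sample files are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for ESP_HOME/security/csi_*.xml. The <config> root,
# the name= attribute and <roleMapper> are assumed, not the real CSI schema.
CSI_FILES = {
    "csi_kerberos.xml": '<config><authenticationProvider name="Kerberos"/>'
                        '<roleMapper name="default"/></config>',
    "csi_rsa.xml": '<config><authenticationProvider name="RSA"/></config>',
    "csi_ldap.xml": '<config><authenticationProvider name="LDAP"/></config>',
}

# Constructed minimal <node-name>.xml; the real file has many more elements
# and the <Cluster> root name is a placeholder.
CLUSTER_XML = ("<Cluster><Security><Csi><File>csi_kerberos.xml</File></Csi>"
               "</Security></Cluster>")

def providers(xml_text):
    """<authenticationProvider> elements of one CSI file, in file order."""
    return list(ET.fromstring(xml_text).iter("authenticationProvider"))

def build_cascade(base_xml, sources):
    """Return a csi_all.xml body: the base file with its own provider list
    replaced by the providers of `sources`, first source = tried first."""
    root = ET.fromstring(base_xml)
    for old in root.findall("authenticationProvider"):
        root.remove(old)
    ordered = [p for src in sources for p in providers(src)]
    for pos, prov in enumerate(ordered):
        root.insert(pos, prov)          # providers lead, other settings follow
    return ET.tostring(root, encoding="unicode")

def cascade_order(xml_text):
    """Provider names in the order the ESP server will try them."""
    return [p.get("name") for p in providers(xml_text)]

def is_well_formed(xml_text):
    """False for mistakes such as writing <Csi> where </Csi> is required."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def set_csi_file(cluster_xml, filename):
    """Point <Security><Csi><File> of the cluster config at `filename`."""
    root = ET.fromstring(cluster_xml)
    node = root.find("Security/Csi/File")
    if node is None:
        raise ValueError("no <Security><Csi><File> element in cluster config")
    node.text = filename
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    order = ("csi_kerberos.xml", "csi_rsa.xml", "csi_ldap.xml")
    merged = build_cascade(CSI_FILES[order[0]], [CSI_FILES[f] for f in order])
    print(cascade_order(merged))        # ['Kerberos', 'RSA', 'LDAP']
    print(set_csi_file(CLUSTER_XML, "csi_all.xml"))
```

Because the server re-reads the list top-down on every request, the order in which `build_cascade` receives its sources is the preference order, so pass the primary method first.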