Configure Event Stream Processor to cascade through a list of authentication methods and use the first available method.
A single authentication method can be a single point of failure. If you are using only LDAP authentication, for example, and your LDAP server goes down, users will no longer be able to authenticate using LDAP—so no one can log in. Cascading through two or more authentication methods allows the ESP server to continue authenticating users without manual intervention.
As with systems that have a single authentication method enabled, the <node_name>.xml file references a csi_*.xml file that contains the authentication parameters. The difference with cascading authentication is that this csi_*.xml file contains the <authenticationProvider> definitions for all the authentication methods you want to make available.
To configure your system for cascading authentication, use one of the csi_*.xml files provided in ESP_HOME/security, such as csi_kerberos.xml, as the basis for a new CSI file named, for example, csi_all.xml. Into the new csi_all.xml file, copy the <authenticationProvider> definitions from each of the csi_*.xml files corresponding to the authentication methods you want to enable. For example, to cascade through the Kerberos, RSA, and LDAP authentication methods, copy the <authenticationProvider> definition from each of the csi_kerberos.xml, csi_rsa.xml, and csi_ldap.xml files.
The ESP server iterates through the list of providers in order, starting with the first one in the file. Under normal circumstances, this will be the authentication method for your system. If that method becomes unavailable, the server tries to use the second method in the file, then the third, continuing down the list until it finds a working authentication provider. If any attempt is successful, users can continue authenticating (using the new authentication method) with no manual intervention required.
With each subsequent authentication request, the server returns to the top of the list of authentication providers and tries them in order. Therefore, when the preferred authentication method becomes available again, the server reverts to that method; there is no need to restart the server or the cluster managers.
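The merge and ordering described above, as an added example (not part of the original documentation and not ESP's own tooling): a Python script that combines the <authenticationProvider> definitions from several CSI files in the preferred order and reports the order in which the server will try them. The sample XML is constructed, its attribute and option names are placeholders, and the script assumes provider definitions are direct children of the root element.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for files in ESP_HOME/security. The attribute and
# option names are placeholders, not the real provider settings.
def _sample(method):
    return (f'<configuration><authenticationProvider name="{method}-placeholder">'
            f'<options name="placeholder" value="{method}"/>'
            '</authenticationProvider></configuration>')

SAMPLE_SOURCES = {
    "csi_kerberos.xml": _sample("kerberos"),
    "csi_rsa.xml": _sample("rsa"),
    "csi_ldap.xml": _sample("ldap"),
}

def _local(tag):
    # Tag name without an XML namespace, so prefixed files match too.
    return tag.rsplit("}", 1)[-1]

def _providers(root):
    # Assumption: provider definitions are direct children of the root element.
    return [el for el in root if _local(el.tag) == "authenticationProvider"]

def build_cascade(sources, order):
    """Merge providers from `sources` (file name -> XML text) in `order`."""
    # `order` lists file names, preferred method first; order[0] is the basis
    # whose non-provider content is kept.
    if len(set(order)) != len(order):
        raise ValueError("a source file is listed twice")
    base = ET.fromstring(sources[order[0]])
    for el in _providers(base):
        base.remove(el)                  # re-added below in cascade order
    for name in order:
        found = _providers(ET.fromstring(sources[name]))
        if not found:
            # A silently skipped file would shorten the cascade unnoticed.
            raise ValueError(f"{name}: no <authenticationProvider> definition")
        base.extend(found)
    return base

def cascade_order(root):
    """Provider names in the order the server tries them (top to bottom)."""
    return [el.get("name") for el in _providers(root)]

if __name__ == "__main__":
    combined = build_cascade(SAMPLE_SOURCES, list(SAMPLE_SOURCES))
    print(ET.tostring(combined, encoding="unicode"))
    print("cascade order:", cascade_order(combined))
```

Because the server falls back down the list, review the reported order before deploying the combined file: every provider in it can end up authenticating users, so each one has to meet your authentication requirements on its own.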
To configure Event Stream Processor to use cascading authentication: