RBAC Built-in Roles
Each REST API operation (to list/view items, or to perform changes) is authenticated to check if the user has the required privileges.
There is a plugin architecture to allow different entitlement mechanisms to be used. One mechanism available is io.cloudsoft.amp.entitlements.rbac.PerRoleEntitlementManager, which in turn delegates the entitlement decisions to a plugin per role.
Note: these package names may change if the code moves to org.apache.brooklyn.
Configuration
This reads from brooklyn.cfg, such as:
The userToRole entry refers to a class of type io.cloudsoft.amp.entitlements.rbac.RoleResolver, available in a bundle whose symbolic name is com.acme.amp.rbac, which maps from a user to the role(s) for that user. If a user is in multiple roles, then the user has permission if any of the roles grant that permission.
The roleCacheExpiryDuration is how long the resolved roles of a user are cached for. Note that an extreme (!) way to flush the cache is to “reload properties”, which will replace this EntitlementManager with a new instance.
The perRole has an entry per role name. Its value can be a pre-defined built-in role (i.e. “root”, “readonly” and “minimal”). Alternatively, it can point to a custom brooklyn.management.entitlement.EntitlementManager class.
In addition to the perRole entries, it is possible to define mappings that apply only to groups defined via the ExplicitUsersAndRolesSecurityProvider.ROLES_FOR_USER keys, or only to groups that come from LDAP. See the DomainLocalSecurityProvider example below.
RoleResolver
An instance of the class will be instantiated reflectively. The constructor should have a signature that is one of:
If the class also implements ManagementContextInjectable, then the management context will be injected immediately after construction.
Custom EntitlementManager
The RBAC configuration allows one to plug in a custom entitlement manager associated with a given role, to meet your exact needs.
The EntitlementManager interface has a single method: isEntitled. It is passed details of what is being done and to what, and returns a boolean indicating whether the action is permitted.
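As an added example (not AMP's own code), a deny-by-default EntitlementManager that grants only a fixed allow-list of read-only entitlements and logs every denial, so it can be bound to a role via a perRole entry. It assumes the Apache Brooklyn API package names (the page notes the io.cloudsoft names may move), that the no-arg constructor is one of the accepted signatures, and that the class name, bundle name and the chosen allow-list are illustrative.

```java
package com.acme.amp.rbac;

import java.util.Set;
import org.apache.brooklyn.api.mgmt.ManagementContext;
import org.apache.brooklyn.api.mgmt.entitlement.EntitlementClass;
import org.apache.brooklyn.api.mgmt.entitlement.EntitlementContext;
import org.apache.brooklyn.api.mgmt.entitlement.EntitlementManager;
import org.apache.brooklyn.core.mgmt.ManagementContextInjectable;
import org.apache.brooklyn.core.mgmt.entitlement.Entitlements;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.google.common.collect.ImmutableSet;

/** Added example: fail-closed manager that permits only a read-only allow-list. */
public class ReadOnlyAllowListEntitlementManager
        implements EntitlementManager, ManagementContextInjectable {

    private static final Logger LOG = LoggerFactory.getLogger(ReadOnlyAllowListEntitlementManager.class);

    // Allow-list keyed by entitlement class identifier; anything not listed is denied.
    // Illustrative choice: extend with the read-only classes your AMP version exposes.
    private static final Set<String> ALLOWED = ImmutableSet.of(
            Entitlements.SEE_ENTITY.entitlementClassIdentifier(),
            Entitlements.SEE_SENSOR.entitlementClassIdentifier(),
            Entitlements.SEE_CATALOG_ITEM.entitlementClassIdentifier(),
            Entitlements.SERVER_STATUS.entitlementClassIdentifier());

    // Kept for policies that need entity lookups; unused by this simple allow-list.
    private volatile ManagementContext mgmt;

    // No-arg constructor, assumed acceptable for reflective instantiation by PerRoleEntitlementManager.
    public ReadOnlyAllowListEntitlementManager() {}

    // Injected immediately after construction because we implement ManagementContextInjectable.
    @Override
    public void setManagementContext(ManagementContext managementContext) {
        this.mgmt = managementContext;
    }

    @Override
    public <T> boolean isEntitled(EntitlementContext context,
                                  EntitlementClass<T> entitlementClass,
                                  T entitlementClassArgument) {
        if (entitlementClass == null) return false;      // fail closed on a malformed call
        String id = entitlementClass.entitlementClassIdentifier();
        boolean allowed = ALLOWED.contains(id);
        if (!allowed && LOG.isDebugEnabled()) {
            String user = (context == null) ? "<no context>" : context.user();
            LOG.debug("Denied entitlement {} for user {} on {}", id, user, entitlementClassArgument);
        }
        return allowed;
    }
}
```

Bind it to a role with an entry such as io.cloudsoft.amp.entitlements.rbac.perRole.<role>=<bundle-symbolic-name>:<class>, following the bundle:class syntax the page uses for userToRole.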
LdapGroupsResolver
The class io.cloudsoft.amp.entitlements.rbac.LdapGroupsResolver implements RoleResolver and looks for the user roles inside the request EntitlementContext.
Using io.cloudsoft.amp.security.DomainLocalSecurityProvider or org.apache.brooklyn.rest.security.provider.LdapSecurityProvider as the security provider, with the proper configuration, will put on the EntitlementContext the user's LDAP groups mapped with the prefix passed to the config key brooklyn.webconsole.security.ldap.group_config_key.
DomainLocalSecurityProvider example
DomainLocalSecurityProvider extends the functionality of LdapSecurityProvider by also allowing the local definition of users and groups, falling back to ExplicitUsersAndRolesSecurityProvider when the LDAP authentication fails.
This example uses a hybrid set of users and entitlements: two users and their groups defined in the config file, plus the mapping for the groups of LDAP users.
# Local user names
brooklyn.webconsole.security.users=admin,readonlyPlusLogs
# Plain text password
brooklyn.webconsole.security.user.admin.password=password
brooklyn.webconsole.security.user.readonlyPlusLogs.password=password
# user "admin" group
brooklyn.webconsole.security.user.admin.groups=amp_administrators_local_group
# user "readonlyPlusLogs" groups
brooklyn.webconsole.security.user.readonlyPlusLogs.groups=readonly_local_group,log_viewer_group
# UI module that replaces the default browser login
brooklyn.webconsole.security.login.form=brooklyn-ui-login
brooklyn.webconsole.security.unauthenticated.endpoints=brooklyn-ui-login
# Security provider
brooklyn.webconsole.security.provider=io.cloudsoft.amp.security.DomainLocalSecurityProvider
# LDAP configuration. See LDAP conf
brooklyn.webconsole.security.ldap.url=ldap://<server>:389/
brooklyn.webconsole.security.ldap.realm=realm
brooklyn.webconsole.security.ldap.ou=OU
brooklyn.webconsole.security.ldap.fetch_user_group=true
brooklyn.webconsole.security.ldap.login_info_log=true
# AMP ignores LDAP groups that are not mapped under the prefix given by the next key
brooklyn.webconsole.security.ldap.group_config_key=io.cloudsoft.amp.entitlements.rbac.perGroupLdapOnly
# Entitlement manager
brooklyn.entitlements.global=io.cloudsoft.amp.rbac:io.cloudsoft.amp.entitlements.rbac.PerRoleEntitlementManager
# Group Resolver
io.cloudsoft.amp.entitlements.rbac.userToRole=io.cloudsoft.amp.rbac:io.cloudsoft.amp.entitlements.rbac.LdapGroupsResolver
# Mapping for the LDAP groups amp_administrators_group and readonly_group (log_viewer_group is mapped via perRole below)
io.cloudsoft.amp.entitlements.rbac.perGroupLdapOnly.amp_administrators_group=root
io.cloudsoft.amp.entitlements.rbac.perGroupLdapOnly.readonly_group=readonly
# Mapping for the local (AMP-defined) groups amp_administrators_local_group and readonly_local_group
io.cloudsoft.amp.entitlements.rbac.perGroupAmpOnly.amp_administrators_local_group=root
io.cloudsoft.amp.entitlements.rbac.perGroupAmpOnly.readonly_local_group=readonly
# Valid mapping for groups defined in LDAP or in this file
io.cloudsoft.amp.entitlements.rbac.perRole.log_viewer_group=logViewer
This example uses the ...perRole entry to map the logViewer entitlement both to users in the LDAP group named “log_viewer_group” and to the local user readonlyPlusLogs, whose log_viewer_group membership is defined in the same file.