Security Authentication and Authorization Service (AAS) for IBM InfoSphere Streams V4.0
© 2015 IBM Corporation
Security
Authentication and Authorization
Service (AAS)
IBM InfoSphere Streams Version 4.0
Steve Dickes
Software Engineer
For questions about this presentation contact Steve Dickes
Important Disclaimer
THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.
IN ADDITION, THIS INFORMATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE.
IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION.
NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF:
• CREATING ANY WARRANTY OR REPRESENTATION FROM IBM (OR ITS AFFILIATES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS); OR
• ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT GOVERNING THE USE OF IBM SOFTWARE.
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Agenda
High-Level Overview
Use Case
Demo
Details
High-Level Overview
AAS performs two main functions:
– User authentication: verifying that a user exists and allowing the user to access a domain and its instances. Authentication is configured to use PAM or LDAP. Knowledge Center topic: Configuring > Configuring security
– User authorization: checking that a user has permission to perform a requested function.
You must use security; it is embedded throughout the product and cannot be disabled.
– User authorization is performed for nearly all operations within Streams: Domain Manager, streamtool, JMX, console, studio.
– User authorization at its simplest uses the standard set of permissions assigned to the default roles: DomainAdministrator, DomainUser, InstanceAdministrator, InstanceUser.
  Users may create their own roles: streamtool mkdomainrole, streamtool mkrole
– Domain and instance administrators restrict or allow access by choosing which Streams users or groups of users are members of which roles.
– Jobs are submitted to job groups, and a job group contains the ACLs for all of its submitted jobs.
Use Case
Provide consistent security configuration at the domain and for each instance
– Users authenticate to a domain
– Users are checked for authorization against domain and instance objects
Provide roles to manage permissions for sets of users
– Use roles to quickly authorize users for the appropriate functions in the domain and instances
– Default roles exist for the domain and for each instance: DomainAdministrator, DomainUser, InstanceAdministrator, InstanceUser
Provide job groups to simplify permission settings for sets of jobs
– Use job groups to manage permissions for jobs and to authorize or restrict user access to jobs
– Use job groups to change permissions for all active jobs and newly submitted jobs at once
Demo
See Streams security in action using streamtool commands.
Attend the Console presentation to see its security functions.
Details
Security objects:
– Domain objects: config, domain, hosts, instances, system-log
– Instance objects: application-log, config, hosts, instance, jobgroup_default, jobs, jobs-override, system-log
– Every object has default permissions
– Permissions identify which users, groups, or roles may perform which operations against an object
– Streams operations (streamtool commands, internal APIs, JMX, Domain Manager, Console, Studio, Services) check for a specific set of permissions to determine whether a user is authorized. For example, mkinstance requires “add” permission on the “instances” object in the domain
– Permission types: read, write, add, search, delete, own
– Knowledge Center topics: Configuring > Configuring security
  Configuring > Configuring security > User authorization > Security objects and access permissions > Access permissions for domain and instance objects
Details
Job groups and jobs:
– Job groups are “containers” for submitted jobs and provide the ACLs for all submitted jobs in the job group.
– The owner (submitter) of a job has all access to the job.
– Every instance has the “default” job group; mkjobgroup creates additional job groups. A job group is backed by a security object named “jobgroup_<name>”, so the default job group is backed by jobgroup_default.
– Security object hierarchy: jobs > jobgroup_<name> > job_id
– Newly created job groups inherit their ACLs from the “default:” ACL entries of the “jobs” object
– Knowledge Center topic: Configuring > Configuring security > User authorization > Job groups
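To make the authorization model on the two "Details" slides concrete, here is a small Python model of the check, added to this transcript as an example; it is not IBM code and not the product's real defaults. It models only what the slides state: security objects carrying ACLs, the six permission types, roles whose members are users or groups, owner access to a job, the jobs > jobgroup_<name> > job_id hierarchy, and a new job group inheriting the "jobs" object's "default:" entries. The class and method names, the principal spelling ("user:bob", "group:analysts", "role:InstanceUser") and the grants in sample_instance() are this example's own assumptions.

```python
"""Toy model of the Streams AAS authorization check.

Added example for this transcript, not IBM code. Names, the principal
format and the sample grants below are assumptions of this model.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PERMISSION_TYPES = frozenset({"read", "write", "add", "search", "delete", "own"})
DEFAULT_ROLES = ("DomainAdministrator", "DomainUser",
                 "InstanceAdministrator", "InstanceUser")


@dataclass
class SecurityObject:
    name: str
    owner: str | None = None
    # ACL: principal ("user:bob", "group:ops", "role:InstanceUser") -> permissions
    acl: dict[str, set[str]] = field(default_factory=dict)
    # "default:" entries: copied onto objects created beneath this one
    default_acl: dict[str, set[str]] = field(default_factory=dict)


def _validate(perms) -> set[str]:
    """Reject anything outside the six permission types."""
    unknown = set(perms) - PERMISSION_TYPES
    if unknown:
        raise ValueError(f"unknown permission type(s): {sorted(unknown)}")
    return set(perms)


class Authorizer:
    def __init__(self) -> None:
        self.objects: dict[str, SecurityObject] = {}
        self.role_members: dict[str, set[str]] = {r: set() for r in DEFAULT_ROLES}
        self.user_groups: dict[str, set[str]] = {}
        self.job_group_of: dict[str, str] = {}  # job id -> "jobgroup_<name>"

    # Administration: this model's stand-ins for role membership, setacl, mkjobgroup
    def add_object(self, name, owner=None, acl=None, default_acl=None):
        self.objects[name] = SecurityObject(name, owner, acl or {}, default_acl or {})

    def addrolemember(self, role, principal):      # principal: "user:x" or "group:g"
        self.role_members.setdefault(role, set()).add(principal)

    def setacl(self, obj_name, principal, perms, default=False):
        target = self.objects[obj_name]
        (target.default_acl if default else target.acl)[principal] = _validate(perms)

    def mkjobgroup(self, name, creator):
        # jobs > jobgroup_<name>: a new job group starts from the "jobs" default ACL
        inherited = {p: set(v) for p, v in self.objects["jobs"].default_acl.items()}
        self.add_object(f"jobgroup_{name}", owner=creator, acl=inherited)

    def submitjob(self, job_id, submitter, jobgroup="default"):
        # jobgroup_<name> > job_id: a job carries no ACL of its own, its job group's applies,
        # so changing the job group's ACL changes every active job in it
        self.add_object(job_id, owner=submitter)
        self.job_group_of[job_id] = f"jobgroup_{jobgroup}"

    # The check every operation runs before doing anything
    def principals_for(self, user) -> set[str]:
        principals = {f"user:{user}"}
        principals |= {f"group:{g}" for g in self.user_groups.get(user, ())}
        for role, members in self.role_members.items():
            if members & principals:          # role holds the user or one of its groups
                principals.add(f"role:{role}")
        return principals

    def authorized(self, user, obj_name, required) -> bool:
        required = _validate(required)
        obj = self.objects[obj_name]
        if obj.owner == user:                 # owner/submitter has all access
            return True
        source = self.objects[self.job_group_of.get(obj_name, obj_name)]
        granted: set[str] = set()
        for principal in self.principals_for(user):
            granted |= source.acl.get(principal, set())
        return required <= granted            # every required permission must be granted


def sample_instance() -> Authorizer:
    """Constructed sample: one instance plus the domain's 'instances' object."""
    a = Authorizer()
    for obj in ("application-log", "config", "hosts", "instance", "jobs",
                "jobs-override", "system-log"):
        a.add_object(obj)
        a.setacl(obj, "role:InstanceAdministrator", PERMISSION_TYPES)
    a.add_object("instances")                  # domain object; mkinstance needs "add" on it
    a.setacl("instances", "role:DomainAdministrator", PERMISSION_TYPES)
    a.setacl("jobs", "role:InstanceUser", {"read", "search"})
    # "default:" entries on "jobs", inherited by every job group created afterwards
    a.setacl("jobs", "role:InstanceUser", {"read", "search"}, default=True)
    a.setacl("jobs", "role:InstanceAdministrator", PERMISSION_TYPES, default=True)
    a.mkjobgroup("default", creator="streamsadmin")
    a.addrolemember("DomainAdministrator", "user:streamsadmin")
    a.addrolemember("InstanceAdministrator", "user:streamsadmin")
    a.user_groups["bob"] = {"analysts"}
    a.addrolemember("InstanceUser", "group:analysts")
    a.submitjob("0", submitter="bob")          # both jobs land in the default job group
    a.submitjob("1", submitter="alice")
    return a
```

With this sample, streamsadmin passes the mkinstance check ("add" on "instances") and bob does not; bob can do anything to his own job 0 but only read and search alice's job 1, because that access comes from the InstanceUser grant his group inherited through jobgroup_default. Widening the job group's ACL with setacl("jobgroup_default", ...) immediately changes what bob may do to job 1, which is the "change permissions for all active jobs" behaviour the Use Case slide describes, while a job group created afterwards still starts from the unchanged "default:" entries on "jobs".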
Questions?