Security Authentication and Authorization Service (AAS) for IBM InfoSphere Streams V4.0


Page 1: Security Authentication and Authorization Service (AAS) for IBM InfoSphere Streams V4.0

© 2015 IBM Corporation

Security: Authentication and Authorization Service (AAS)

IBM InfoSphere Streams Version 4.0

Steve Dickes

Software Engineer

For questions about this presentation contact Steve Dickes

[email protected]

Page 2

Important Disclaimer

THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.

IN ADDITION, THIS INFORMATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE.

IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION.

NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF:

• CREATING ANY WARRANTY OR REPRESENTATION FROM IBM (OR ITS AFFILIATES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS); OR

• ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT GOVERNING THE USE OF IBM SOFTWARE.

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.


Page 3

Agenda

High-Level Overview

Use Case

Demo

Details

Page 4

High-Level Overview

AAS performs two main functions:

– User authentication: verifying a user's existence and allowing the user to access a domain and its instances. Authentication is configured to use PAM or LDAP. Knowledge Center topic: Configuring > Configuring security

– User authorization: checking that a user has permission to perform a requested function.

You must use security; it is embedded throughout the product and cannot be disabled.

– User authorization is performed for nearly all operations within Streams: Domain Manager, streamtool, JMX, console, studio.

– User authorization at its simplest uses a standard set of permissions as set for the default roles: DomainAdministrator, DomainUser, InstanceAdministrator, InstanceUser. Users may create their own roles: streamtool mkdomainrole, streamtool mkrole

– Domain and Instance Administrators can restrict or allow access by choosing which Streams users or groups of users are members of which roles.

– Jobs are submitted to job groups, and a job group contains the ACLs for all of its submitted jobs.

Page 5

Use Case

Provide consistent security configuration at the domain and for each instance

– Users authenticate to a domain

– Users are checked for authorization to domain and instance objects

Provide roles to manage permissions for sets of users

– Use roles to quickly authorize users to the appropriate functions in the domain and instances

– Default roles for the domain and each instance: DomainAdministrator, DomainUser, InstanceAdministrator, InstanceUser

Provide job groups to simplify permission settings for sets of jobs

– Use job groups to manage permissions for jobs and to authorize or restrict user access to jobs

– Use job groups to change permissions for all active jobs and newly submitted jobs

Page 6

Demo

See Streams security in action using streamtool commands.

Attend the Console presentation to see its security functions.

Page 7

Details

Security objects:

– Domain objects: config, domain, hosts, instances, system-log

– Instance objects: application-log, config, hosts, instance, jobgroup_default, jobs, jobs-override, system-log

– Every object has default permissions

– Permissions identify which users, groups, or roles have permission to perform operations against an object

– Streams operations (streamtool commands, internal APIs, JMX, Domain Manager, Console, Studio, Services) check for a specific set of permissions to determine whether a user is authorized. For example, mkinstance requires “add” permission on the “instances” object in the domain.

– Permission types: read, write, add, search, delete, own

– Knowledge Center topics: Configuring > Configuring security; Configuring > Configuring security > User authorization > Security objects and access permissions > Access permissions for domain and instance objects

Page 8

Details

Job groups and jobs:

– Job groups are “containers” for submitted jobs and provide ACLs for all submitted jobs in the job group.

– The owner/submitter of a job has all access to the job.

– Every instance has the “default” job group; mkjobgroup creates additional job groups. A job group is backed by a security object named “jobgroup_<name>”, so jobgroup_default backs the default job group.

– Security object hierarchy: jobs > jobgroup_name > job_id

– Newly created job groups inherit their ACLs from the “default:” ACL entries of the “jobs” object.

– Knowledge Center topic: Configuring > Configuring security > User authorization > Job groups
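The authorization model on the two Details slides, reduced to a runnable toy so the rules can be exercised together. This is an added example, not IBM code and not how AAS is implemented: the object names, the six permission types, the role/user/group principals, the “default:” entries of the “jobs” object seeding new job groups, the owner-has-all-access rule for jobs, and the mkinstance → “add” on “instances” requirement come from the slides; the ACL entry syntax ‘[default:]<user|group|role>:<name>:<perm,perm>’, the Python API (setacl, mkjobgroup, submitjob, ...) and the operation-to-permission rows other than mkinstance are assumptions made for illustration.

```python
"""Toy model of the Streams AAS authorization rules described on the slides.

Added example, not IBM code. Entry syntax and API are assumptions; the object
names, permission types, default-ACL inheritance and owner rule are from the slides.
"""
from collections import defaultdict

PERMISSIONS = {"read", "write", "add", "search", "delete", "own"}

# Operation -> (security object, required permission).
# mkinstance is from the slides; the other rows are assumed for illustration.
OPERATIONS = {
    "mkinstance": ("instances", "add"),
    "lsinstance": ("instances", "search"),
    "rmjobgroup": ("jobs", "delete"),
}


class AAS:
    def __init__(self):
        self.user_groups = defaultdict(set)               # user -> groups
        self.role_members = defaultdict(set)              # role -> {"user:x", "group:y"}
        self.acls = defaultdict(lambda: defaultdict(set))  # object -> principal -> perms
        self.job_owner = {}                                # job_id -> (submitter, job group)
        self.next_job = 0

    def adduser(self, user, *groups):
        self.user_groups[user].update(groups)

    def addrolemember(self, role, principal):
        """principal is 'user:<name>' or 'group:<name>' (assumed syntax)."""
        self.role_members[role].add(principal)

    def setacl(self, obj, entry):
        """entry: '[default:]<user|group|role>:<name>:<perm>[,<perm>...]' (assumed syntax)."""
        parts = entry.split(":")
        perms = set(parts[-1].split(","))
        unknown = perms - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permission(s): {sorted(unknown)}")
        principal = ":".join(parts[:-1])  # e.g. 'role:DomainUser' or 'default:role:DomainUser'
        self.acls[obj][principal] |= perms

    def getacl(self, obj):
        return {principal: sorted(perms) for principal, perms in self.acls[obj].items()}

    def mkjobgroup(self, name):
        """Create jobgroup_<name>; it inherits the 'default:' entries of the 'jobs' object."""
        obj = f"jobgroup_{name}"
        acl = self.acls[obj]
        for principal, perms in self.acls["jobs"].items():
            if principal.startswith("default:"):
                acl[principal[len("default:"):]] |= perms
        return obj

    def submitjob(self, user, jobgroup="default"):
        """Jobs live in a job group; the job group's ACL governs everyone but the submitter."""
        if f"jobgroup_{jobgroup}" not in self.acls:
            raise KeyError(f"no such job group: {jobgroup}")
        self.next_job += 1
        self.job_owner[self.next_job] = (user, jobgroup)
        return self.next_job

    def principals(self, user):
        """Every ACL principal that matches this user: itself, its groups, its roles."""
        names = {f"user:{user}"} | {f"group:{g}" for g in self.user_groups[user]}
        for role, members in self.role_members.items():
            if names & members:
                names.add(f"role:{role}")
        return names

    def is_authorized(self, user, obj, perm):
        if perm not in PERMISSIONS:
            raise ValueError(f"unknown permission: {perm}")
        acl = self.acls.get(obj, {})
        return any(perm in acl.get(p, ()) for p in self.principals(user))

    def job_authorized(self, user, job_id, perm):
        """Owner/submitter has all access; otherwise the job group's ACL decides."""
        owner, jobgroup = self.job_owner[job_id]
        if user == owner:
            return True
        return self.is_authorized(user, f"jobgroup_{jobgroup}", perm)

    def can(self, user, operation):
        obj, perm = OPERATIONS[operation]
        return self.is_authorized(user, obj, perm)


def demo():
    """Constructed scenario: one domain admin, one analyst, one instance user."""
    aas = AAS()
    aas.adduser("admin")
    aas.adduser("alice", "analysts")
    aas.adduser("bob")
    aas.addrolemember("DomainAdministrator", "user:admin")
    aas.addrolemember("DomainUser", "group:analysts")
    aas.addrolemember("InstanceUser", "user:bob")
    # Domain object 'instances': only administrators may add, i.e. run mkinstance.
    aas.setacl("instances", "role:DomainAdministrator:read,search,add,delete,own")
    aas.setacl("instances", "role:DomainUser:read,search")
    # Instance object 'jobs': its 'default:' entries seed every new job group.
    aas.setacl("jobs", "role:InstanceAdministrator:read,write,add,search,delete,own")
    aas.setacl("jobs", "default:role:InstanceUser:read,search")
    aas.mkjobgroup("default")
    aas.mkjobgroup("finance")
    job = aas.submitjob("alice", "finance")
    return {
        "admin_mkinstance": aas.can("admin", "mkinstance"),
        "alice_mkinstance": aas.can("alice", "mkinstance"),
        "alice_lsinstance": aas.can("alice", "lsinstance"),
        "finance_acl": aas.getacl("jobgroup_finance"),
        "bob_reads_job": aas.job_authorized("bob", job, "read"),
        "bob_cancels_job": aas.job_authorized("bob", job, "delete"),  # 'delete' for cancel is assumed
        "alice_cancels_job": aas.job_authorized("alice", job, "delete"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the toy is the three places a practitioner has to look when a user is unexpectedly allowed or denied: the user's effective principals (user, groups, roles), the ACL of the specific object the operation maps to (mkinstance looks at “instances”, not “domain”), and, for jobs, whether the requester is the submitter, since the owner rule bypasses the job group ACL entirely. It also shows why setting the “default:” entries on “jobs” before creating job groups matters: a job group created earlier keeps the entries it was seeded with.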

Page 9

Questions?