Enabling authentication for a Service Locator server - 8.0

Talend ESB Infrastructure Services Configuration Guide

Version
8.0
Language
English
Product
Talend Data Fabric
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Real-Time Big Data Platform
Module
Talend ESB
Talend Runtime
Content
Design and Development
Installation and Upgrade
Last publication date
2024-03-13

About this task

Part of this configuration involves specifying users with their passwords and roles. Where and how this information is stored depends on the type of JAAS login module in use. For example, if the JDBCLoginModule is used, users, passwords and roles are stored in a database.

See the Security framework section of the Karaf Developers Guide (http://karaf.apache.org/) for information on how to configure and use the different JAAS login modules in the container.

The configuration steps needed are as follows:

Procedure

  1. Enable authentication in the server container by setting the corresponding property in the Service Locator (ZooKeeper) server configuration file <container>/etc/org.talend.esb.locator.server.cfg: authentication = true
    Warning: Do not switch authentication off again once the Service Locator has been secured and services have been registered with it.
  2. Specify users with their passwords and roles.
    By default, all user information is stored in <container>/etc/users.properties. Modify this file in the container where the Service Locator is running, and assign the Service Locator roles to the user(s). Each line has the form user=password,role1,role2,...
    For example, add the following lines to <container>/etc/users.properties:
    # tadmin is a user with administrator privileges
    tadmin=tadmin,admin,sl_admin
    # sluser is a user for the client side that is only able to look up
    # endpoints on the Service Locator
    sluser=upassword,sl_read
    # slservice is a user for the server side that is able to register and
    # look up endpoints on the Service Locator
    slservice=spassword,sl_maintain
    Note that the following roles are available for Service Locator clients:

    Role          Description
    sl_read       For clients that only look up endpoints. A user with the
                  sl_read role can get data from a node and list its children.
    sl_maintain   For users that register endpoints on the Service Locator
                  server. The user can:
                  • get data from a node and list its children
                  • create a child node
                  • set data for a node
                  • delete a child node
    sl_admin      The same as sl_maintain, but in addition the user can set
                  permissions.
    Note: Roles are case insensitive - you can use either uppercase or lowercase letters for roles in configuration files.
    Warning: For production use, replace the sample passwords shown here with your project's own passwords.
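The following script is an added example, not code from the Talend documentation or product. It is a pre-deployment check that parses the two files the procedure above edits, <container>/etc/org.talend.esb.locator.server.cfg and <container>/etc/users.properties, and reports the mistakes the procedure warns about: authentication left disabled, users holding sl_* roles that still carry the sample passwords (or a password equal to the user name), clear-text passwords, and which users can change node permissions. Roles are compared case-insensitively, as the note above says. Two details are assumptions about the Karaf container rather than facts from this page and are marked as such in the code: the users.properties group syntax (a user line referencing _g_:name, defined by a _g_\:name = group,role,... line) and the {CRYPT} prefix that Karaf uses for encrypted passwords. The sample file contents embedded in the script are constructed for the example.

```python
"""Pre-deployment audit of Service Locator authentication settings.

Added example, not code from the Talend documentation or product. Reads the
Service Locator server .cfg and the Karaf users.properties and reports
findings as (severity, message) pairs.
"""
import re
import sys
from pathlib import Path

SL_ROLES = {"sl_read", "sl_maintain", "sl_admin"}
WRITE_ROLES = {"sl_maintain", "sl_admin"}
# Placeholder passwords from the users.properties sample in the procedure.
SAMPLE_PASSWORDS = {"tadmin", "upassword", "spassword"}


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comment lines, the first
    unescaped '=' or ':' separates key and value, '\\:' in keys is unescaped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = re.search(r"(?<!\\)[=:]", line)
        if sep is None:
            continue
        key = line[:sep.start()].strip().replace("\\:", ":")
        props[key] = line[sep.end():].strip()
    return props


def parse_users(text):
    """Return {user: (password, roles)}; roles are lower-cased (the Service
    Locator treats them case-insensitively) and group references expanded."""
    props = parse_properties(text)
    groups = {}
    for key, value in props.items():
        if key.startswith("_g_:"):
            # Assumption: Karaf group entries read `_g_\:name = group,role1,...`
            groups[key] = {r.strip().lower() for r in value.split(",")[1:] if r.strip()}
    users = {}
    for key, value in props.items():
        if key.startswith("_g_:"):
            continue
        fields = [f.strip() for f in value.split(",")]
        password, roles = fields[0], set()
        for ref in fields[1:]:
            if ref.startswith("_g_:"):
                roles |= groups.get(ref, set())
            elif ref:
                roles.add(ref.lower())
        users[key] = (password, roles)
    return users


def audit(locator_cfg_text, users_text):
    """Return a list of (severity, message) findings; an empty list is clean."""
    findings = []
    cfg = parse_properties(locator_cfg_text)
    if cfg.get("authentication", "false").lower() != "true":
        findings.append(("ERROR", "authentication is not enabled in org.talend.esb.locator.server.cfg"))
    users = parse_users(users_text)
    sl_users = {u: pr for u, pr in users.items() if pr[1] & SL_ROLES}
    if not sl_users:
        findings.append(("ERROR", "no user holds an sl_* role; every Service Locator client will be refused"))
    elif not any(roles & WRITE_ROLES for _, roles in sl_users.values()):
        findings.append(("WARN", "no user holds sl_maintain or sl_admin; services cannot register endpoints"))
    for user, (password, roles) in sorted(sl_users.items()):
        if password in SAMPLE_PASSWORDS or password == user:
            findings.append(("ERROR", f"{user}: sample or username-equal password must be replaced"))
        elif not password.startswith("{CRYPT}"):  # assumption: Karaf's encrypted-password marker
            findings.append(("WARN", f"{user}: password stored in clear text"))
        if "sl_admin" in roles:
            findings.append(("INFO", f"{user}: holds sl_admin and can change node permissions"))
    return findings


# Constructed sample inputs mirroring the files edited in the procedure.
LOCATOR_CFG = """# constructed sample of etc/org.talend.esb.locator.server.cfg
authentication = true
"""
USERS_PROPERTIES = """# constructed sample of etc/users.properties
tadmin=tadmin,admin,sl_admin
sluser=upassword,sl_read
slservice=spassword,sl_maintain
karaf = karaf,_g_:admingroup
_g_\\:admingroup = group,admin,manager,viewer
"""


def audit_container(container_dir):
    """Audit a real container directory (the <container> of the procedure)."""
    etc = Path(container_dir) / "etc"
    return audit((etc / "org.talend.esb.locator.server.cfg").read_text(),
                 (etc / "users.properties").read_text())


if __name__ == "__main__":
    results = audit_container(sys.argv[1]) if len(sys.argv) > 1 else audit(LOCATOR_CFG, USERS_PROPERTIES)
    for severity, message in results:
        print(f"[{severity}] {message}")
    sys.exit(1 if any(s == "ERROR" for s, _ in results) else 0)
```

Run without arguments it audits the embedded sample, which reproduces the documentation's users.properties and therefore reports three ERROR findings for the sample passwords; pass a container directory to audit a real installation. A non-zero exit on any ERROR makes it usable as a gate in a deployment pipeline.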