...
Excerpt
The JOC Cockpit brings user authentication and authorization to the JobScheduler. Authentication can either take place against an Apache Shiro™ compliant configuration file, an LDAP compliant directory service or information stored in a database. Authorization is defined in roles - an example set of roles is provided with the JOC Cockpit installation archive and users are able to define their own roles. The JOC Cockpit is able to handle authentication of multiple users and their authorization for multiple JobSchedulers simultaneously.
...
Architecture
The JobScheduler architecture, which allows use of individual JobScheduler Masters for individual clients, also allows authorization - the allocation of user rights and permissions determining what a user is allowed to do - to be granted according to duties or roles. This approach may be contrasted with other systems that allocate rights and permissions according to resources such as files or folders.
The use of role-based rights and permissions brings a number of significant advantages:
- It simplifies their administration in complex environments. Whilst the administration of the permissions of several hundred folders in a multi-client system is manageable, the administration of several thousand brings an extremely high administrative overhead and susceptibility to error.
- Role-based rights and permissions allow the rights and permissions for individual clients to be managed separately.
- The clear separation of rights and permissions also simplifies meeting compliance requirements.
Implementation
- The JOC Cockpit uses Apache Shiro to authenticate and authorize users.
- Authentication and Authorization information can be read by Shiro from a number of separate resources. These are:
  - a local configuration (shiro.ini) file that may include both authentication and authorization information, depending on the methods of authentication and authorization configured;
  - an authentication service that provides an LDAP interface such as Microsoft Active Directory and
  - a database containing both authentication and authorization information and which complies with the Shiro data model requirements. This database will be managed (and populated) by a system administrator.
...
- By default the shiro.ini configuration file contains an example mapping of roles and permissions. This mapping can be used with Shiro and LDAP authentication and is shown in the Matrix of Roles and Permissions section in the Authentication and Authorization - Permissions for the JOC Cockpit Web Service article.
- System administrators can modify the shiro.ini configuration file by:
  - adding additional roles of their own to the mapping and
  - changing the permissions assigned to roles.
- It is also possible for system administrators to use a database instead of Shiro authorization. However, this involves administrators writing their own SQL Insert statements; neither a GUI nor batch support is provided for this.
- Configuration of the shiro.ini file is described in detail in the Authentication and Authorization - Configuration article.
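As an added illustration (not code from the JOC Cockpit or the Apache Shiro project), the following Python reads a constructed shiro.ini [users]/[roles] mapping and resolves a permission check the way Shiro's wildcard permissions do, so that the effect of adding a role or changing its permissions can be tested offline; the role and permission names used here are placeholders, not the JOC Cockpit's actual permission identifiers.

```python
import configparser
import csv

# Constructed shiro.ini fragment (placeholder permission names, not JOC Cockpit's).
# [users]: name = password, role, ...   [roles]: role = permission, ... where a
# permission that itself contains commas is double-quoted, as Shiro requires.
SHIRO_INI = """[users]
root = rootpw, all
operator = oppw, it_operator
auditor = audpw, business_user
[roles]
all = *
it_operator = joc:master:view, "joc:job:start,stop"
business_user = joc:master:view:status
"""
WILDCARD = "*"

def _values(value):
    """Split a comma-separated ini value, honouring double-quoted items."""
    return [v.strip() for v in next(csv.reader([value], skipinitialspace=True)) if v.strip()]

def load_ini(text):
    """Return (user -> roles, role -> permissions) from shiro.ini text."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str  # keep user and role names case-sensitive
    cfg.read_string(text)
    users = {u: _values(v)[1:] for u, v in cfg["users"].items()}  # [1:] drops password
    roles = {r: _values(v) for r, v in cfg["roles"].items()}
    return users, roles

def _parts(perm):
    """Shiro WildcardPermission: ':' separates parts, ',' separates sub-parts."""
    return [{s.strip().lower() for s in part.split(",")} for part in perm.split(":")]

def implies(granted, requested):
    """Shiro WildcardPermission.implies(): part-wise comparison with '*' wildcards."""
    g, r = _parts(granted), _parts(requested)
    for i, rpart in enumerate(r):
        if i >= len(g):  # grant is shorter: remaining requested parts are implied
            return True
        if WILDCARD not in g[i] and not g[i] >= rpart:
            return False
    return all(WILDCARD in part for part in g[len(r):])  # longer grant: rest must be '*'

def is_permitted(user, requested, users, roles):
    """Resolve user -> roles -> permissions; unknown users or roles grant nothing."""
    granted = [p for role in users.get(user, ()) for p in roles.get(role, ())]
    return any(implies(p, requested) for p in granted)
```

Note that a grant such as joc:master:view:status does not imply the shorter joc:master:view, while joc:master:view implies every permission beneath it; this asymmetry is what makes a narrow role safe to hand out.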
...
- For detailed information on how to configure permissions see the Authentication and Authorization - Configuration article.
- For a complete list of permissions see the Authentication and Authorization - Permissions for the JOC Cockpit Web Service article.