
Excerpt

The JOC Cockpit brings user authentication and authorization to the JobScheduler.

Authentication can take place against an Apache Shiro compliant configuration file, an LDAP compliant directory service, or information stored in a database.

Authorization is defined in roles - an example set of roles is provided with the JOC Cockpit installation archive and users are able to define their own roles.

The JOC Cockpit is able to handle authentication of multiple users and their authorization for multiple JobSchedulers simultaneously.


Architecture

The JobScheduler architecture, which allows use of individual JobScheduler Masters for individual clients, also allows authorization - the allocation of user rights and permissions determining what a user is allowed to do - to be granted according to duties or roles. This approach may be contrasted with other systems that allocate rights and permissions according to resources such as files or folders.

The use of role-based rights and permissions brings a number of significant advantages:

  • It simplifies their administration in complex environments. Whilst the administration of the permissions of several hundred folders in a multi-client system is manageable, the administration of several thousand brings an extremely high administrative burden and susceptibility to error.
  • Role-based rights and permissions allow the rights and permissions for individual clients to be managed separately.
  • The clear separation of rights and permissions also simplifies meeting compliance requirements.

Implementation

  • The JOC Cockpit uses Apache Shiro to authenticate and authorize users.
  • Authentication and Authorization information can be read by Shiro from a number of separate resources. These are:
    • a local configuration (shiro.ini) file that may include both authentication and authorization information, depending on the methods of authentication and authorization configured;
    • an authentication service that provides an LDAP interface, such as Microsoft Active Directory, and
    • a database containing both authentication and authorization information and which complies with the Shiro data model requirements. This database will be managed (and populated) by a system administrator.


By default the shiro.ini configuration file contains an example mapping of roles and permissions. This mapping can be used with Shiro and LDAP authentication and is shown in the Matrix of Roles and Permissions section in the Authentication and Authorization - Permissions for the JOC Cockpit Web Service Article.

  • System administrators can modify the shiro.ini configuration file by:
    • adding additional roles of their own to the mapping and
    • changing the permissions assigned to roles.
  • It is also possible for system administrators to use a database instead of Shiro authorization. However, this involves administrators writing their own SQL INSERT statements; neither a GUI nor batch support is provided for this.
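The following is an added example, not part of the JOC Cockpit documentation or the shiro.ini shipped with it: it parses a constructed shiro.ini fragment (placeholder users, passwords, and permission names such as `jobscheduler:orders:view`, plus an added custom role) and resolves user → roles → permissions using the matching rules of Shiro's WildcardPermission, so an administrator can check what a modified role mapping actually grants before deploying it.

```python
# Constructed example: a shiro.ini fragment with placeholder users,
# passwords and permission names (not the mapping shipped with JOC Cockpit).
import configparser

SHIRO_INI = """
[users]
# user = password, role1, role2, ...
admin = admin_placeholder, administrator
ops   = ops_placeholder, operator
audit = audit_placeholder, auditor

[roles]
# role = permission1, permission2, ...  (Shiro wildcard permission syntax)
administrator = *
operator = jobscheduler:orders:view, jobscheduler:orders:start
auditor = jobscheduler:*:view
"""

def load_shiro_ini(text):
    """Parse [users] and [roles]: users -> {name: set(roles)}, roles -> {role: [perms]}."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str                      # keep the case of user and role names
    cfg.read_string(text)
    users = {n: {f.strip() for f in v.split(",")[1:]}   # field 0 is the password
             for n, v in cfg.items("users")}
    roles = {r: [p.strip() for p in v.split(",")] for r, v in cfg.items("roles")}
    return users, roles

def _parts(perm):
    # Shiro WildcardPermission: parts split on ':', sub-parts on ',', case-insensitive
    return [{s.strip() for s in part.split(",")} for part in perm.lower().split(":")]

def implies(granted, requested):
    """True if the granted wildcard permission implies the requested one
    (the rules of Shiro's WildcardPermission.implies)."""
    g, r = _parts(granted), _parts(requested)
    for i, rpart in enumerate(r):
        if i >= len(g):                        # granted is shorter: the rest is implied
            return True
        if "*" not in g[i] and not g[i] >= rpart:
            return False
    # granted has more parts than requested: the extra parts must all be wildcards
    return all("*" in gpart for gpart in g[len(r):])

def is_permitted(users, roles, user, permission):
    """Resolve user -> roles -> permissions and check one requested permission."""
    granted = [p for role in users.get(user, ()) for p in roles.get(role, [])]
    return any(implies(p, permission) for p in granted)
```

Note that a specific permission never implies a broader one: `jobscheduler:orders:view` does not grant `jobscheduler:orders`, whereas `jobscheduler:orders:*` does.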
