Introduction
The JOC Cockpit brings user authentication - usually against an LDAP directory - and authorization to the JobScheduler. The JOC Cockpit is able to handle authentication of multiple users and their authorization for multiple JobSchedulers simultaneously.
Authentication and Authorization
- The JOC Cockpit makes use of Apache Shiro to authenticate and authorize users.
- Authentication and Authorization can be mapped
- to a directory service that provides an LDAP interface, e.g. Microsoft Active Directory
- to a local configuration file (shiro.ini) that includes user names, roles and permission
- to database that complies to the Shiro data model requirements and that is managed (and populated) by an administrator.
Authentication
- The JOC Cockpit accepts the user name and password from the login screen and
- either tries to login to the Active Directory service with the given credentials
- or tries to verify the credentials from its local configuration file,
- or checks the credentials in a Shiro compliant database.
- The credentials are subsequently used for HTTP Authentication with each http request that is created by the JOC Cockpit to the JobScheduler Web Services.
- Browsers may cache credentials during a session, i.e. they are re-used for single sign-on when opening the JOC Cockpit in a new browser tab. The credentials cache is cleared on termination of the browser.
- This behavior might vary depending on the browser and version.
Authorization
- After successful authentication the JOC Cockpit will check the assignement of roles to the given user
- either by using a configurable LDAP query that checks membership of the user with a number of Active Directory groups. An LDAP query is configured for each role and in case of a positive match for group membership the user is assigned the respective role.
- or by using its local configuration file that includes a assignment of users and roles.
- The assignment of permissions to roles is configured with the local shiro.ini configuration file.
- By default the JOC Cockpit ships with a number of predefined roles and assigned permission, see below Matrix of Roles and Permissions.
- Roles can be added.
- The assignment of permissions to roles can be changed.
Matrix of Roles and Permissions
Document: joc-role-operation-permission.xlsx
Additional Information
Roles and permissions are configurable to the following extent:
- What cannot be changed:
- The number and type of permissions is fixed.
- What can be changed:
- The number of roles can be changed.
- The permission value yes/no can be changed for each permisison in each role.
- A user can be assigned any number of the roles offered.
- Role/permissions configuration file:
- The configuration of the permissions for each role is stored in a shiro.ini file.
- Users can be added to groups in an Active Directory for which queries have to be configured with shiro.ini.