Security Authentication and Authorization Service (AAS) for IBM InfoSphere Streams V4.0
- 1. © 2015 IBM Corporation Security Authentication and Authorization Service (AAS) IBM InfoSphere Streams Version 4.0 Steve Dickes Software Engineer For questions about this presentation contact Steve Dickes sdickes@us.ibm.com
- 2. 2 © 2015 IBM Corporation Important Disclaimer THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF: • CREATING ANY WARRANTY OR REPRESENTATION FROM IBM (OR ITS AFFILIATES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS); OR • ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT GOVERNING THE USE OF IBM SOFTWARE. IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. THIS INFORMATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION.
- 3. 3 © 2015 IBM Corporation Agenda High-Level Overview Use Case Demo Details
- 4. 4 © 2015 IBM Corporation High-Level Overview AAS performs two main functions: – User authentication: verifying a user's existence and allowing the user to access a domain and its instances. Authentication is configured to use PAM or LDAP. Knowledge Center topic: Configuring > Configuring security – User authorization: checking that a user has permission to perform a requested function. You must use security; it is embedded throughout the product and cannot be disabled. – User authorization is performed for nearly all operations within Streams – Domain Manager, streamtool, JMX, console, studio. – User authorization at its simplest uses a standard set of permissions as set for the default roles: DomainAdministrator, DomainUser, InstanceAdministrator, InstanceUser. Users may create their own roles: streamtool mkdomainrole, streamtool mkrole – Domain and Instance Administrators can restrict or allow access by choosing which Streams users or groups of users are members of which roles. – Jobs are submitted to job groups and a job group contains the ACLs for all of its submitted jobs.
- 5. 5 © 2015 IBM Corporation Use Case Provide consistent security configuration at the domain and for each instance – Users authenticate to a domain – Users check for authorization to domain and instance objects Provide roles to manage permissions for sets of users – Use roles to quickly authorize users to the appropriate functions in the domain and instances – Default roles for the domain and each instance – DomainAdministrator, DomainUser, InstanceAdministrator, InstanceUser Provide jobgroups to simplify permission settings for sets of jobs – Use jobgroups to manage permissions for jobs and to authorize/restrict user access to jobs – Use jobgroups to change permissions for all active jobs and newly submitted jobs
- 6. 6 © 2015 IBM Corporation Demo See Streams security in action using streamtool commands. Attend the Console presentation to see its security functions.
- 7. 7 © 2015 IBM Corporation Details Security objects: – Domain objects: config, domain, hosts, instances, system-log – Instance objects: application-log, config, hosts, instance, jobgroup_default, jobs, jobs- override, system-log – Every object has default permissions – Permissions identify which users, groups, or roles have permission to perform operations against an object – Streams operations – streamtool command, internal APIs, JMX, Domain Manager, Console, Studio, Services – check for a specific set of permissions to determine if a user is authorized. For example, mkinstance requires “add” permission on the “instances” object in the domain – Permission types: read, write, add, search, delete, own – Knowledge Center topics: Configuring > Configuring security Configuring>Configuring security>User authorization>Security objects and access permissions>Access permissions for domain and instance objects
- 8. 8 © 2015 IBM Corporation Details Job groups and jobs: – Job groups are “containers” for submitted jobs and provide ACLs for all submitted jobs in the job group. – The owner/submitter of a job has all access to the job. – Every instance has the “default” job group and mkjobgroup creates a job group. The job group is backed by a security object named “jobgroup_<name>” so jobgroup_default for the default job group. – Security object hierarchy : jobs > jobgroup_name > job_id – Newly created jobgroups inherit ACLs from “jobs” object “default:” ACLs – Knowledge Center topic: Configuring>Configuring security>User authorization>Job groups
- 9. 9 © 2015 IBM Corporation Questions?