Server Security
ONE Runtime Server uses Keycloak for user authentication. Access to the server can be restricted in the following areas:
-
Access to the ONE Runtime Server Admin content. See xref:one-runtime-server-admin:authentication-
-
Access to a functionality provided by a server component.
-
Access to the online services.
-
Access from command line tools via the internal server communication port.
How to secure the refresh filesystem functionality
It is possible to secure access to the functionality of the Versioned File System Component. If the requiredRole is specified, only users with that role can do a filesystem refresh. Role assignment to users is managed using Keycloak.
<component class="com.ataccama.dqc.server.services.VersionedFileSystemComponent" requiredRole="admin">
...
</component>
How to secure online services
Do not set the requiredRole attribute in the .online configuration file.
|
To secure online services:
-
Create a new client in Keycloak. This client is used to secure all services running on ONE Runtime Server.
-
Define the Keycloak client configuration either in the client adapter JSON file or inside the Runtime Configuration (see Keycloak deployment connection). Select the security settings depending on how the service will be accessed:
-
Basic authentication (with or without the option to authenticate using a bearer token) is used for services accessed from outside of ONE Runtime Server. In this case, make sure the file contains the
"enable-basic-auth": "true",
property. -
Authentication using a bearer token only (basic authentication not allowed) is used for services accessed solely from Ataccama applications. In this case, make sure the file contains the
"bearer-only": "true",
property.For examples, see Sample client configurations.
-
-
For basic authentication, enable Direct Access Grants Enabled option in the Keycloak client.
-
Configure the Keycloak Security in HTTP Dispatcher server component.
Make sure to set the following properties:
-
The
pattern
property in theinterceptUrl
element points to the location where the online service is running; the location is defined in themethod location
property of the.online
file (for example,method location="/services/soap"
in the following example). -
The
configFile
in thedeploymentContext
refers to thekeycloak.json
for the service client. Alternatively, set theclientId
andconfigName
to specify the service client configuration in the runtime configuration file (for more information, see HTTP Dispatcher).With HTTP Dispatcher configured as in this example, any user can access SOAP services and any authenticated user can access all other services:
<component disabled="false" class="com.ataccama.dqc.web.HttpDispatcher"> <filters/> <listeners> <listenerBean backlog="50" port="8888" threadPoolTimeout="10000" readTimeout="5000" name="default" threads="10" persistentConnectionTimeout="10000" servletOnly="false" ssl="false"> <handlerSecurity adminUser="admin" appName="APP" class="com.ataccama.dqc.web.security.KeycloakSecurity"> <deploymentContexts> <deploymentContext configFile="keycloak.json" pattern="/**"/> <!-- Alternative definition using the client configuration in the runtimeConfig. --> <!-- <deploymentContext clientId="new-keycloak-client" pattern="/**"/> --> </deploymentContexts> <interceptUrls> <interceptUrl access="permitAll" pattern="/services/soap"/> <interceptUrl access="isAuthenticated()" pattern="/services/**"/> </interceptUrls> </handlerSecurity> </listenerBean> </listeners> </component>
-
Sample client configurations
Starting from 14.5.1, only the following properties are taken into account: |
- Option 1: Client configuration via the JSON file
-
Create a
keycloak.json
client adapter configuration file according to the following example:-
Basic authentication:
{ "realm": "ataccamaone", "resource": "new-keycloak-client", "auth-server-url": "http://localhost:8083/auth", "ssl-required": "external", "enable-basic-auth": "true", "credentials": { "secret": "new-keycloak-client-s3cret" }, "principal-attribute": "preferred_username" }
-
Authentication using a bearer token:
{ "realm": "ataccamaone", "resource": "new-keycloak-client", "auth-server-url": "http://localhost:8083/auth", "ssl-required": "external", "bearer-only": "true", "credentials": { "secret": "new-keycloak-client-s3cret" }, "principal-attribute": "preferred_username" }
Keycloak is case sensitive. Make sure to use lowercase if referring to the Keycloak server URL via hostname.
-
- Option 2: Client configuration in the runtime configuration
-
Add the following
KeycloakDeploymentContributor
element to the runtime configuration:<config class="com.ataccama.server.keycloak.KeycloakDeploymentContributor"> <keycloakConfigs> <keycloakConfig name="localKeycloak"> <url>http://localhost:8083/auth</url> <realm>ataccamaone</realm> <attributes> <attribute name="ssl-required" value="external"/> </attributes> <clients> <client id="new-keycloak-client"> <secret>new-keycloak-client-s3cret</secret> <attributes> <attribute name="enable-basic-auth" value="true"/> <!-- For basic authentication, set enable-basic-auth to true. --> <!-- <attribute name="principal-attribute" value="preferred_username"/> --> <!-- For authentication via bearer-token only, set bearer-only to true. --> </attributes> </client> </clients> </keycloakConfig> </keycloakConfigs> </config>
Keycloak is case sensitive. Make sure to use lowercase if referring to the Keycloak server URL via hostname.
How to secure access to the server from the command line
To secure access to ONE Runtime Server from command line tools via the internal server communication port, configure user authentication methods and assign roles to users in Authentication Service Component.
Was this page useful?