
Server Security

ONE Runtime Server uses Keycloak for user authentication. Access to the server can be restricted in the following areas:

  • Access to the ONE Runtime Server Admin content. See xref:one-runtime-server-admin:authentication-

  • Access to functionality provided by a server component.

  • Access to the online services.

  • Access from command line tools via the internal server communication port.

How to secure the refresh filesystem functionality

Access to the refresh functionality of the Versioned File System Component can be restricted by role. If the requiredRole attribute is specified, only users holding that role can trigger a filesystem refresh; without the attribute, the refresh is not restricted by role. Roles are assigned to users in Keycloak.

<component class="com.ataccama.dqc.server.services.VersionedFileSystemComponent" requiredRole="admin">
    ...
</component>

How to secure online services

Do not set the requiredRole attribute in the .online configuration file; online services are secured through the HTTP Dispatcher as described in the following steps.

To secure online services:

  1. Create a new client in Keycloak. This client is used to secure all services running on ONE Runtime Server.

  2. Define the Keycloak client configuration either in the client adapter JSON file or inside the Runtime Configuration (see Keycloak deployment connection). Select the security settings depending on how the service will be accessed:

    • Basic authentication (with or without the option to authenticate using a bearer token) is used for services accessed from outside of ONE Runtime Server. In this case, make sure the configuration contains the property "enable-basic-auth": "true".

    • Authentication using a bearer token only (basic authentication not allowed) is used for services accessed solely from Ataccama applications. In this case, make sure the configuration contains the property "bearer-only": "true".

      For examples, see Sample client configurations.
  3. For basic authentication, enable the Direct Access Grants Enabled option in the Keycloak client. Basic authentication sends the user's password with every request, so expose such services only over TLS.

  4. Configure Keycloak security in the HTTP Dispatcher server component.

    Make sure to set the following properties:

    • The pattern property of the interceptUrl element points to the location where the online service is running; the location is defined by the method location property of the .online file (for example, method location="/services/soap" for the SOAP service in the configuration below).

    • The configFile in the deploymentContext refers to the keycloak.json for the service client. Alternatively, set the clientId and configName to specify the service client configuration in the runtime configuration file (for more information, see HTTP Dispatcher).

      With HTTP Dispatcher configured as in this example, anyone can call the SOAP service at /services/soap without authenticating, and any authenticated user can access everything else under /services/:

      <component disabled="false" class="com.ataccama.dqc.web.HttpDispatcher">
          <filters/>
          <listeners>
              <listenerBean backlog="50" port="8888" threadPoolTimeout="10000" readTimeout="5000" name="default" threads="10" persistentConnectionTimeout="10000" servletOnly="false" ssl="false">
                  <handlerSecurity adminUser="admin" appName="APP" class="com.ataccama.dqc.web.security.KeycloakSecurity">
                      <deploymentContexts>
                          <deploymentContext configFile="keycloak.json" pattern="/**"/>
                          <!-- Alternative definition using the client configuration in the runtimeConfig. -->
                          <!-- <deploymentContext clientId="new-keycloak-client" pattern="/**"/> -->
                      </deploymentContexts>
                      <interceptUrls>
                          <interceptUrl access="permitAll" pattern="/services/soap"/>
                          <interceptUrl access="isAuthenticated()" pattern="/services/**"/>
                      </interceptUrls>
                  </handlerSecurity>
              </listenerBean>
          </listeners>
      </component>
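The two access modes this procedure configures, seen from the caller's side, as an added example (this is not Ataccama's code and not part of the original page): either obtain a token from Keycloak through the Direct Access Grant (resource owner password) flow and present it as a bearer token, or send HTTP Basic credentials and let the server-side Keycloak adapter perform that same exchange, which is why step 3 enables Direct Access Grants on the client. Realm, client id, secret and the Keycloak URL are the page's sample values; the listener port 8888, the service path /services/rest/lookup and the user account svc-user / svc-pass are assumptions.

```python
"""Added example: calling an online service secured by HTTP Dispatcher + Keycloak.

Realm, client id, secret and auth-server-url are the page's sample values.
SERVICE_URL and the svc-user / svc-pass account are assumptions.
Nothing is sent over the network unless main() is run.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

AUTH_SERVER_URL = "http://localhost:8083/auth"        # auth-server-url in keycloak.json
REALM = "ataccamaone"
CLIENT_ID = "new-keycloak-client"                     # "resource" in keycloak.json
CLIENT_SECRET = "new-keycloak-client-s3cret"
SERVICE_URL = "http://localhost:8888/services/rest/lookup"  # assumed path under /services/**


def token_endpoint(auth_server_url: str, realm: str) -> str:
    """OpenID Connect token endpoint of a Keycloak realm."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def password_grant_form(client_id: str, client_secret: str, username: str, password: str) -> dict:
    """Form body of a Direct Access Grant (grant_type=password) request.
    Keycloak refuses this grant unless 'Direct Access Grants Enabled' is on for the client."""
    return {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }


def bearer_header(access_token: str) -> dict:
    """Authorization header for a bearer-token call (accepted by both client modes)."""
    return {"Authorization": "Bearer " + access_token}


def basic_header(username: str, password: str) -> dict:
    """Authorization header for HTTP Basic (accepted only with enable-basic-auth)."""
    raw = f"{username}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def fetch_token(username: str, password: str) -> str:
    """Exchange user credentials for an access token at the realm's token endpoint."""
    form = password_grant_form(CLIENT_ID, CLIENT_SECRET, username, password)
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(token_endpoint(AUTH_SERVER_URL, REALM), data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def call_service(headers: dict) -> int:
    """GET the service and return the HTTP status; 401 means KeycloakSecurity
    rejected the credentials or the authentication mode."""
    req = urllib.request.Request(SERVICE_URL, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def main() -> None:
    # Bearer token: the client fetches the token itself, so this works for
    # clients configured with either enable-basic-auth or bearer-only.
    token = fetch_token("svc-user", "svc-pass")
    print("bearer:", call_service(bearer_header(token)))
    # Basic: the adapter on the server performs the password grant on the
    # caller's behalf; a bearer-only client rejects this request.
    print("basic: ", call_service(basic_header("svc-user", "svc-pass")))


if __name__ == "__main__":
    main()
```

Running main() against a live server shows the difference between the two client modes: with bearer-only, the Basic request is rejected (typically 401) while the bearer request succeeds; with enable-basic-auth, both succeed. Because the Basic variant carries the password on every call, it belongs behind TLS only.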

Sample client configurations

Starting from 14.5.1, only the following properties are taken into account: realm, resource, auth-server-url, and credentials with its nested secret. Other properties (such as ssl-required and confidential-port) are ignored.

Option 1: Client configuration via the JSON file

Create a keycloak.json client adapter configuration file according to the following example:

  • Basic authentication:

    {
      "realm": "ataccamaone",
      "resource": "new-keycloak-client",
      "auth-server-url": "http://localhost:8083/auth",
      "ssl-required": "external",
      "enable-basic-auth": "true",
      "credentials": {
        "secret": "new-keycloak-client-s3cret"
      },
      "principal-attribute": "preferred_username"
    }
  • Authentication using a bearer token:

    {
      "realm": "ataccamaone",
      "resource": "new-keycloak-client",
      "auth-server-url": "http://localhost:8083/auth",
      "ssl-required": "external",
      "bearer-only": "true",
      "credentials": {
        "secret": "new-keycloak-client-s3cret"
      },
      "principal-attribute": "preferred_username"
    }

    Keycloak hostname matching is case sensitive. Use lowercase when auth-server-url refers to the Keycloak server by hostname.

Option 2: Client configuration in the runtime configuration

Add the following KeycloakDeploymentContributor element to the runtime configuration:

<config class="com.ataccama.server.keycloak.KeycloakDeploymentContributor">
    <keycloakConfigs>
        <keycloakConfig name="localKeycloak">
            <url>http://localhost:8083/auth</url>
            <realm>ataccamaone</realm>
            <attributes>
                <attribute name="ssl-required" value="external"/>
            </attributes>
            <clients>
                <client id="new-keycloak-client">
                    <secret>new-keycloak-client-s3cret</secret>
                    <attributes>
                        <attribute name="enable-basic-auth" value="true"/> <!-- For basic authentication. -->
                        <!-- For bearer-token-only authentication, use this instead of enable-basic-auth:
                             <attribute name="bearer-only" value="true"/> -->
                        <!-- <attribute name="principal-attribute" value="preferred_username"/> -->
                    </attributes>
                </client>
            </clients>
        </keycloakConfig>
    </keycloakConfigs>
</config>

Keycloak hostname matching is case sensitive. Use lowercase when the url element refers to the Keycloak server by hostname.
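Both configuration options above describe the same client; the following added example (not Ataccama's code and not part of the original page) reads either form, the keycloak.json adapter file or the KeycloakDeploymentContributor element of the runtime configuration, into one normalized record and checks the points made on this page: the mandatory properties, exactly one of enable-basic-auth / bearer-only, a lowercase hostname in the Keycloak URL, and properties that are ignored since 14.5.1. The element and attribute names follow the samples above; the rule that an online-service client must have exactly one mode set is this example's own reading of the page, and the misconfigured sample at the end is constructed.

```python
"""Added example: normalize and sanity-check an Ataccama Keycloak client configuration.
Handles both forms shown on the page: keycloak.json and the KeycloakDeploymentContributor
runtime-configuration element. Sample inputs below are embedded copies of the page's
samples plus one constructed misconfiguration."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REQUIRED = ("realm", "resource", "auth-server-url", "secret")
IGNORED_SINCE_14_5_1 = ("ssl-required", "confidential-port")
TOP_LEVEL = ("realm", "resource", "auth-server-url", "credentials")


def from_adapter_json(text: str) -> dict:
    """Normalize a keycloak.json client adapter file; every other key becomes an attribute."""
    d = json.loads(text)
    return {
        "realm": d.get("realm"),
        "resource": d.get("resource"),
        "auth-server-url": d.get("auth-server-url"),
        "secret": (d.get("credentials") or {}).get("secret"),
        "attributes": {k: v for k, v in d.items() if k not in TOP_LEVEL},
    }


def from_runtime_config(text: str, client_id: str) -> dict:
    """Normalize one <client> of a KeycloakDeploymentContributor element.
    Client-level attributes override keycloakConfig-level ones (an assumption)."""
    root = ET.fromstring(text)
    for cfg in root.iter("keycloakConfig"):
        for client in cfg.iter("client"):
            if client.get("id") != client_id:
                continue
            attrs = {a.get("name"): a.get("value") for a in cfg.findall("attributes/attribute")}
            attrs.update({a.get("name"): a.get("value") for a in client.findall("attributes/attribute")})
            return {
                "realm": cfg.findtext("realm"),
                "resource": client_id,
                "auth-server-url": cfg.findtext("url"),
                "secret": client.findtext("secret"),
                "attributes": attrs,
            }
    raise KeyError(f"client {client_id!r} not found")


def check(conf: dict) -> tuple:
    """Return (errors, warnings); an empty errors list means the client looks usable."""
    errors, warnings = [], []
    for key in REQUIRED:
        if not conf.get(key):
            errors.append(f"missing {key}")
    attrs = conf["attributes"]
    basic = str(attrs.get("enable-basic-auth", "")).lower() == "true"
    bearer = str(attrs.get("bearer-only", "")).lower() == "true"
    if basic == bearer:  # neither or both
        errors.append("set exactly one of enable-basic-auth / bearer-only")
    parts = urlsplit(conf.get("auth-server-url") or "")
    # .hostname is lowercased by urlsplit; compare it with the raw host in netloc.
    raw_host = parts.netloc.split("@")[-1].split(":")[0]
    if parts.hostname and raw_host != parts.hostname:
        errors.append("Keycloak hostname must be lowercase")
    for name in IGNORED_SINCE_14_5_1:
        if name in attrs:
            warnings.append(f"{name} is ignored since 14.5.1")
    return errors, warnings


# Page sample: bearer-only adapter file.
ADAPTER_JSON = """{
  "realm": "ataccamaone", "resource": "new-keycloak-client",
  "auth-server-url": "http://localhost:8083/auth", "ssl-required": "external",
  "bearer-only": "true", "credentials": {"secret": "new-keycloak-client-s3cret"},
  "principal-attribute": "preferred_username"
}"""

# Page sample: runtime configuration with enable-basic-auth on the client.
RUNTIME_XML = """<config class="com.ataccama.server.keycloak.KeycloakDeploymentContributor">
  <keycloakConfigs><keycloakConfig name="localKeycloak">
    <url>http://localhost:8083/auth</url><realm>ataccamaone</realm>
    <attributes><attribute name="ssl-required" value="external"/></attributes>
    <clients><client id="new-keycloak-client">
      <secret>new-keycloak-client-s3cret</secret>
      <attributes><attribute name="enable-basic-auth" value="true"/></attributes>
    </client></clients>
  </keycloakConfig></keycloakConfigs>
</config>"""

# Constructed misconfiguration: both modes set and a mixed-case hostname.
BAD_JSON = """{"realm": "ataccamaone", "resource": "x",
  "auth-server-url": "http://KeyCloak.example:8083/auth",
  "enable-basic-auth": "true", "bearer-only": "true", "credentials": {"secret": "s"}}"""

if __name__ == "__main__":
    for label, conf in (("json", from_adapter_json(ADAPTER_JSON)),
                        ("xml", from_runtime_config(RUNTIME_XML, "new-keycloak-client")),
                        ("bad", from_adapter_json(BAD_JSON))):
        print(label, check(conf))
```

The ssl-required warning fires on the page's own samples as well: the property is harmless to keep, but since 14.5.1 it no longer enforces anything, so TLS has to be ensured at the listener or proxy rather than through this setting.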

How to secure access to the server from the command line

To secure access to ONE Runtime Server from command line tools via the internal server communication port, configure the user authentication methods and assign roles to users in the Authentication Service Component.
