10.1 An Overview
10.2 Architecture
10.7 Configuring Views
A Multi-Protocol agent exposes critical information about the managed device or application through its management interface. To keep the system secure, unauthorized users must be prevented from reading or modifying that information by performing operations on it.
The authentication mechanism restricts who can access the system. Authenticated users are configured with a user name and password.
The authorization mechanism limits the access level of an authenticated user by allowing the user to work with only a subset of the management information exposed by the agent. Unauthorized users are thus denied permission to access information.
The Authentication service is implemented as a dynamic MBean. The Authentication service MBean can be configured only if authentication is enabled for at least one of the RMI and CORBA adaptors. The parameters required to enable authentication (user name and password) are gathered from the UI and written into an XML file named AuthInfo.xml under <Agent Toolkit Home>/jmxprojects/projectname/agent/bin/conf. The password is protected with MD5 (a one-way hash, not reversible encryption) before it is stored.
If authentication service is enabled and the authentication context is configured, any request originating from the client would be checked for authentication before being processed. The client can establish a connection with the server (MBean server of the agent) only on providing the user name and password of the context. When the client tries to establish connection with the server, the authenticate operation of the Authentication Service MBean registered with the MBean server is invoked. It prompts the client for the user name and password of the context. If the user name and password furnished on the client side match the ones available on the server side, the connection is established.
Each request that comes in is processed through the adaptor meant specifically to cater to the needs of the protocol in which the request is framed.
Each adaptor contains the method for enabling or disabling authentication, and it is invoked at the outset of request processing. The Boolean it controls is true when authentication is enabled and false otherwise. If the feature is inactive, the request is passed directly to the MBean Server for routine processing.
Note: Authorization is enabled only if Authentication is enabled.
Authentication can be enabled/disabled for all the adaptors supported by the Multi-Protocol agent. The following sections give details about authentication for the respective adaptors:
1. Authentication and Authorization section of SNMP Adaptor for SNMP Adaptors.
2. Authentication in HTML Adaptor section of HTML Adaptor for HTML Adaptors.
3. Authentication in HTTP Connector section of HTTP Connector for HTTP connector.
4. System Access Control section of Security in TL1 agent for TL1 Adaptors.
Authentication for RMI and CORBA using JMX Compiler UI and API is explained below:
Using JMX Compiler UI
Authentication support is enabled for a particular adaptor (RMI, CORBA, or both) in two steps:
Enabling Authentication
1. Click Settings-->Adaptor.
2. Select RMI/CORBA or both for which the authentication should be enabled.
3. Select the check box labeled Enable Authentication.
4. Click OK to finish configuration.
Adding Users
1. Click Settings-->AdventNet Services.
2. Select Authentication from the left panel.
3. Click the Add button. AuthenticationEntry dialog pops up.
4. Enter the user name and password as applicable to the enabled adaptor(s).
5. The adaptors enabled for authentication are reflected in the Choose Context section. Authentication can also be enabled or disabled here.
6. Click OK to finish configuration, which closes the AuthenticationEntry dialog.
Using API
The authentication feature can be enabled by adding the following code to the registerAdventNetAdaptors() method in the agent's main file:
RMI adaptor

```java
rmiadaptor.enableAuthentication(true);
```

CORBA adaptor

```java
corbaadaptor.enableAuthentication(true);
```
10.4 Enabling Authorization (View-Based Access)
View-Based Access Support provides an authorization mechanism that restricts a user's access to a subset of the information exposed by a Multi-Protocol agent. Only the users entitled to log on to the system are configured with a user name and password, together with the privileges they may use, i.e., the extent of access allowed. A client that is not authorized is unable to get in.
After enabling authentication, you can proceed to authorize the authenticated users. The method for enabling authorization is available in the respective adaptors. A Boolean is used to check whether authorization is enabled or not. If false (i.e., authorization is not enabled), the request proceeds to the MBean Server for getting processed. If true, the request passes through the authorization module.
Authorization support can be enabled for all the adaptors, using the JMX Compiler UI or using API.
Using JMX Compiler UI
Authorization can be enabled by using JMX Compiler UI as follows:
Select Project -> Settings option. In the Settings Tree Structure, select Source Code Generation -> General, which displays the General Settings dialog on the right side.
Select the option View based Authorization.
Using API
Authorization can also be enabled by adding the relevant code in the agent's main file. Add the following piece of code in the agent's main file to register the ViewAuthorizer:

```java
// Registering the ViewAuthorizer.
```

SNMP adaptor

```java
snmpadaptor.setViewBasedAccess(true);
```

HTML adaptor

```java
htmladaptor.enableAuthorisation(true);
```

RMI adaptor

```java
rmiadaptor.enableAuthorisation(true);
```

CORBA adaptor

```java
corbaadaptor.enableAuthorisation(true);
```

HTTP adaptor

```java
httpconnector.enableAuthorisation(true);
```
After verifying that authentication and authorization are enabled, the adaptor creates a ContextInfo for the authorized request from the following information, based on the inputs received from the client/manager:
User name - the name of the user who makes the request.
Context name - the adaptor name through which the request is made.
Object name - the MBean name for which the request is made.
Attribute name - the MBean attribute for which the request is made.
Now, the authenticated request with its ContextInfo is passed to the authorization module. This module contains the ViewAuthorizer, which implements the ViewAuthoriserMBean interface and is responsible for serving an authorized request. Here, the ContextInfo created by the adaptor is compared with the pre-configured user information held in XML format.
The administrator configures the different users of a system in an XML file with the help of UserInfo, GroupInfo, and ViewInfo. The validity of an incoming request is verified by comparing its ContextInfo with this pre-configured user information.
UserInfo - Comprises the user name, the context of the request, and the name of the group in which the user is configured.
GroupInfo - Comprises the group name and the view name specified for the group.
ViewInfo - The object name together with the various accessible attributes and allowable operations provided for the Viewname.
From the ContextInfo of a request, the user name is compared with the UserInfo for that particular context to find the group to which the user belongs. For that particular group of users, the domains and MBeans accessible are determined from the GroupInfo of that group.
All the configuration details for all the Contexts, Groups, and Access Levels are specified through a configuration file. This configuration is XML based and supports wildcard pattern matching.
10.6 Default Views Specified in the XML File
AdventNet has provided the following default views in the XML file vbac.xml in <Agent Toolkit Home>/jmxprojects/projectname/agent/bin/conf directory,
| userName | contextName | groupName | viewName |
|---|---|---|---|
| root | RMI IIOP HTTP | admin | adminView |
Each user is configured for a particular view, and this view determines the access granted to that User. The granularity of this configuration can be extended down to the individual methods the User may invoke on a particular MBean.
The above table specifies that a user with user name "root" is configured with contextName as RMI / IIOP / HTTP and group name as "admin".
The view name provided for this group is "adminView". This adminView is provided access to all the Attributes and Operations of all the MBeans registered with the MBean server, denoted by "*".
For example, when a request comes from an RMI client with user name as "root" for an MBean name, say xxx, the ContextInfo is formed using the following information:
user name = root
context name = rmi
object name = xxx
The user name "root" is compared with the user names and Context names configured in the table to find the group to which the user belongs. The group specified for user name "root" with context name "RMI" is "admin". Next, the view provided for the admin group is determined. Because the view for the admin group covers all the attributes and operations of all MBeans, the request is processed.
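The following is an added example, not AdventNet code, that models the request pipeline this page describes: the adaptor's authentication gate (the authenticate operation checking a user name and MD5-protected password, as held in AuthInfo.xml), then the ViewAuthorizer's ContextInfo lookup through UserInfo, GroupInfo and ViewInfo with wildcard matching. The in-memory AUTH_STORE, USERS, GROUPS and VIEWS tables are constructed stand-ins for the XML files, not their real schema; the "root"/"admin"/"adminView" entry mirrors the default view above, while the "ops" user and "readView" view are invented so that a denied request can be shown beside the page's worked example.

```python
"""Model of the adaptor request pipeline: authentication, then view-based authorization.

Constructed example; AUTH_STORE / USERS / GROUPS / VIEWS stand in for AuthInfo.xml and
vbac.xml and do not reproduce their real format.
"""
import hashlib
import hmac
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# AuthInfo.xml stand-in: user name -> MD5 hex digest of the password.
# MD5 is a hash, not encryption; the clear-text password is never stored.
AUTH_STORE = {
    "root": hashlib.md5(b"root-pw").hexdigest(),  # constructed credential
    "ops": hashlib.md5(b"ops-pw").hexdigest(),    # constructed credential
}

# UserInfo: (userName, contextName) -> groupName.  The default root entry
# in vbac.xml lists the contexts RMI, IIOP and HTTP.
USERS = {
    ("root", "RMI"): "admin", ("root", "IIOP"): "admin", ("root", "HTTP"): "admin",
    ("ops", "HTTP"): "readers",  # invented user for the denied case
}
# GroupInfo: groupName -> viewName
GROUPS = {"admin": "adminView", "readers": "readView"}
# ViewInfo: viewName -> {mbeanName pattern -> allowed attributes / operations}.
# "*" is the wildcard the page describes for adminView.
VIEWS = {
    "adminView": {"*": {"attributes": ["*"], "operations": ["*"]}},
    "readView": {"Example:name=xxx": {"attributes": ["State"], "operations": []}},
}


def authenticate(user: str, password: str) -> bool:
    """The authenticate operation: compare the offered password with the stored digest."""
    stored = AUTH_STORE.get(user)
    if stored is None:
        return False
    offered = hashlib.md5(password.encode("utf-8")).hexdigest()
    # Constant-time comparison so a mismatch does not leak which bytes differed.
    return hmac.compare_digest(stored, offered)


@dataclass
class ContextInfo:
    """What the adaptor assembles from the request before consulting the ViewAuthorizer."""
    user_name: str
    context_name: str
    object_name: str
    attribute_name: Optional[str] = None
    operation_name: Optional[str] = None


def _matches(patterns, name: str) -> bool:
    return any(fnmatchcase(name, p) for p in patterns)


def authorize(ctx: ContextInfo) -> bool:
    """ViewAuthorizer logic: user + context -> group -> view -> MBean/attribute/operation."""
    # Context names are compared case-insensitively ("rmi" in the request, "RMI" in the table).
    group = USERS.get((ctx.user_name, ctx.context_name.upper()))
    if group is None:
        return False
    view = VIEWS.get(GROUPS.get(group, ""), {})
    for pattern, access in view.items():
        if not fnmatchcase(ctx.object_name, pattern):
            continue
        if ctx.attribute_name is not None:
            return _matches(access["attributes"], ctx.attribute_name)
        if ctx.operation_name is not None:
            return _matches(access["operations"], ctx.operation_name)
        return True  # the MBean itself is visible to this view
    return False  # no view entry covers this MBean: deny by default


def handle_request(context: str, user: str, password: str, object_name: str,
                   attribute: Optional[str] = None, operation: Optional[str] = None,
                   auth_enabled: bool = True, authz_enabled: bool = True) -> str:
    """Adaptor entry point: authentication gate, then authorization gate, then the MBean server."""
    if authz_enabled and not auth_enabled:
        # The page's note: authorization is only available on top of authentication.
        raise ValueError("authorization requires authentication to be enabled")
    if auth_enabled and not authenticate(user, password):
        return "rejected: authentication failed"
    if authz_enabled:
        ctx = ContextInfo(user, context, object_name, attribute, operation)
        if not authorize(ctx):
            return "rejected: not authorized"
    return "forwarded to MBean server"


if __name__ == "__main__":
    # The page's worked example: root over RMI asking for MBean "xxx".
    print(handle_request("rmi", "root", "root-pw", "xxx"))
    # Invented reader user trying an operation its view does not grant.
    print(handle_request("http", "ops", "ops-pw", "Example:name=xxx", operation="reset"))
```

Two design points worth noting: the authorizer denies by default when no view entry matches the requested MBean, and a user entry is keyed on the pair (user, context), so the same user name reaching the agent over a context that is not configured for it is refused even with a valid password.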
The above user entry is specified in the XML file in the following format (element skeleton; nodes that were collapsed in the original listing are shown as "..."):

```xml
<accessControl>
  <users>
    ...
  </users>
  <groups>
    ...
  </groups>
  <views>
    <view>
      <mbean mbeanName="*">
        <attributes>
          ...
        </attributes>
        <operations>
          <operation>
            <params>
              ...
            </params>
          </operation>
        </operations>
      </mbean>
      <mbeanServer>
        <operations>
          ...
        </operations>
      </mbeanServer>
    </view>
  </views>
</accessControl>
```
The user views can be configured by the administrator at agent startup or at agent run time.
Configuring View through XML File at Agent Startup
User views can be configured at agent startup, by editing the default vbac.xml available in <Agent Toolkit Home>/jmxprojects/projectname/agent/bin/conf directory. As specified in the previous section, this file contains the default views provided by AdventNet.
The administrators can create new views specific to their requirements, modify existing views, or delete views which are not required in this XML file.