
In Datafari, user management follows the standard Role Based Access Control (RBAC) model.

It is done in two steps:

  • the authentication step, which verifies that a user is who they claim to be (by validating their credentials);
  • the authorization step, which checks that the authenticated user is allowed to access a given part of Datafari (be it the admin pages or a secured document in the search results list).

 

To manage this properly, we rely on the Tomcat Realm mechanism. Still, no existing realm satisfied our needs, which are to authenticate users either against a remote LDAP/AD or against our MongoDB, and to authorize them against our MongoDB (and Solr for the search part, but that is another story). This is why we created CustomCombinedRealm and a user data model in our MongoDB.

CustomCombinedRealm is a class that belongs to the package com.francelabs.datafari.realm.

This class inherits from Tomcat's CombinedRealm and differs from its superclass in the way it collects roles.

We developed this class to retrieve the roles of a user from our MongoDB database, while authenticating the user either against AD/LDAP or against MongoDB. That means that even when LDAP is used for authentication, the corresponding roles are taken from MongoDB and not from LDAP.

 

 

 

The process is as follows:

  • we start by requesting authentication from MongoDB;
  • if it succeeds, we read the user's roles from MongoDB; if it fails, we fall back to LDAP/AD for authentication;
  • if the LDAP authentication succeeds, we again read the roles from MongoDB; if it fails too, an authentication error is returned to the user.

The figure below illustrates these steps.

As shown above, CustomCombinedRealm delegates to two realms: MongoDBRealm and the JNDIRealm (the AD/LDAP realm). Each of these classes talks to its own backend, checks whether the authentication succeeds and returns the result to CustomCombinedRealm.
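The following Python model of that decision flow is an added example, not Datafari's Java code: the two realm classes are constructed stand-ins for MongoDBRealm and JNDIRealm, the usernames, passwords and role names are made up, and the PBKDF2 hashing of the MongoDB credentials is an assumption (the page does not describe how MongoDBRealm stores passwords). It shows the three outcomes described above (authenticated by MongoDB, authenticated by LDAP with roles still read from MongoDB, rejected by both) plus one consequence worth checking in a deployment: under this flow, an LDAP user with no record in MongoDB is authenticated but carries no roles.

```python
"""Model of the CustomCombinedRealm decision flow (added example, not Datafari code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Assumed scheme for locally stored credentials; MongoDBRealm's real
    # hashing is not described on this page.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class MongoRealmStub:
    """Stand-in for MongoDBRealm: local credentials plus the roles of every user."""

    def __init__(self) -> None:
        self._credentials: Dict[str, Tuple[bytes, bytes]] = {}
        self._roles: Dict[str, List[str]] = {}

    def add_local_user(self, username: str, password: str, roles: List[str]) -> None:
        salt = os.urandom(16)
        self._credentials[username] = (salt, _pbkdf2(password, salt))
        self._roles[username] = list(roles)

    def add_roles_only(self, username: str, roles: List[str]) -> None:
        # A user authenticated by LDAP still needs a MongoDB record for roles.
        self._roles[username] = list(roles)

    def authenticate(self, username: str, password: str) -> bool:
        entry = self._credentials.get(username)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(_pbkdf2(password, salt), expected)

    def roles_of(self, username: str) -> List[str]:
        return list(self._roles.get(username, []))


class LdapRealmStub:
    """Stand-in for JNDIRealm: it only answers whether the credentials are valid."""

    def __init__(self, directory: Dict[str, str]) -> None:
        self._directory = directory  # constructed: username -> password

    def authenticate(self, username: str, password: str) -> bool:
        expected = self._directory.get(username)
        return expected is not None and hmac.compare_digest(
            expected.encode("utf-8"), password.encode("utf-8"))


@dataclass
class Principal:
    name: str
    roles: List[str] = field(default_factory=list)
    authenticated_by: str = ""


class CustomCombinedRealmModel:
    """MongoDB first, LDAP as fallback, roles always read from MongoDB."""

    def __init__(self, mongo: MongoRealmStub, ldap: LdapRealmStub) -> None:
        self.mongo = mongo
        self.ldap = ldap

    def authenticate(self, username: str, password: str) -> Optional[Principal]:
        if self.mongo.authenticate(username, password):
            return Principal(username, self.mongo.roles_of(username), "mongodb")
        if self.ldap.authenticate(username, password):
            # Authenticated by the directory, but the roles still come from MongoDB.
            return Principal(username, self.mongo.roles_of(username), "ldap")
        return None  # both realms rejected the credentials: error for the user


def build_demo_realm() -> CustomCombinedRealmModel:
    """Constructed sample data; usernames, passwords and role names are made up."""
    mongo = MongoRealmStub()
    mongo.add_local_user("admin", "admin-secret", ["SearchAdministrator"])
    mongo.add_roles_only("alice", ["SearchExpert"])  # alice authenticates via LDAP only
    ldap = LdapRealmStub({"alice": "alice-ldap-pw", "bob": "bob-ldap-pw"})
    return CustomCombinedRealmModel(mongo, ldap)  # bob has no MongoDB record at all


if __name__ == "__main__":
    realm = build_demo_realm()
    for user, pw in [("admin", "admin-secret"), ("alice", "alice-ldap-pw"),
                     ("bob", "bob-ldap-pw"), ("admin", "wrong")]:
        print(user, "->", realm.authenticate(user, pw))
```

Running the block prints a principal for admin (MongoDB) and alice (LDAP, roles from MongoDB), a principal with an empty role list for bob, and None for the wrong password; whether a roleless principal should be allowed to log in at all is a policy decision for the deployment, not something this page settles.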

The overall architecture is shown below:

...