Understanding Security Realms

Valid from Datafari 3.0

This document explains how user management is done in Datafari, following the RBAC (Role Based Access Control) model.

Datafari uses three Tomcat Realms for the authentication. This functionality is used to recognize the user and give him a personalized environment.

Also, every user has a specific role which will allow the user to have access to specific areas of Datafari and to prevent others from having this ability.

This functionality is of no use for persons who install Datafari on their personal computers.

The steps for authentication is illustrated in the three pictures below.

As shown above, when a user wants to authenticate, Datafari first calls CombinedRealm.

CombinedRealms triggers CassandraRealm, which will check the authentication using the database of Cassandra. If it fails, CombinedRealm triggers JNDI DirectoryRealm that will check the authentifcation using the AD/LDAP you have configured. These steps are done using the user credentials provided.

It is important to note that AD/LDAP is not required for Datafari to work : You can use only Cassandra without changing any setting.

Since Datafari uses 3 realms, they need to be configured. CustomCombinedRealm and GenericCassandraRealm should not require you to modify their configuration, as they are embedded in the Datafari package. Still, in case you want to customise them, it is feasible. The realm that requires configuration is the JNDIRealm, for the remote AD/LDAP connection. These configurations are done in context.xml, which is in WebContent/META-INF :

<?xml version="1.0" encoding="UTF-8"?>

<Context>

	<Realm
		className="com.francelabs.realm.CustomCombinedRealm">
		<Realm
		   authDB="db-containing"
		   authCollection="users"
		   authUserField="username"
		   authPasswordField="password"
		   authRoleField="role"
		   className="com.francelabs.realm.GenericMongoRealm"
		   defaultDbHost="localhost"
		   defaultDbPass=""
		   defaultDbUser=""
		   defaultRole="user"
		   digest="SHA-256"/>
		<Realm
		   className="org.apache.catalina.realm.JNDIRealm"
		   connectionURL="ldap://ldap.forumsys.com:389"
		   userPattern="uid={0},dc=example,dc=com"
		   connectionName="cn=read-only-admin,dc=example,dc=com"
		   connectionPassword="password"/>
	</Realm>
</Context>

Regarding the last Realm above, which relates to the AD/LDAP, its configuration depends on your AD/LDAP system. To configure it properly, please follow the Tomcat 7 JNDIRrealm howto page (url: https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html )

Regarding the Cassandra realm configuration: by default, the Cassandra database requires no username and password. Still, you should definitely add a password and a username for the connection your Cassandra. Once this is done, fill in these information in defaultDbUser and defaultDbPass.