CustomCombinedRealm - Architecture and mechanism
Valid from Datafari 3.0
In Datafari, user management follows the standard Role Based Access Control (RBAC) mechanism.
We use two steps:
- the authentication step, to ensure a user is who he claims to be (by validating his credentials);
- the authorization step, to ensure the authenticated user is allowed to see a given part of Datafari (be it the admin pages or secured documents in the search results list).
To manage this properly, we rely on the Tomcat Realm mechanism. However, no existing realm satisfied our needs: authentication must be done either against a remote LDAP/AD or against our Cassandra, and authorization must be done against our Cassandra (and against Solr for the search part, but that is another story). This is why we created CustomCombinedRealm and a user data model in our Cassandra.
CustomCombinedRealm is a class that belongs to the package com.francelabs.datafari.realm. It inherits from CombinedRealm and differs from its superclass in the way it collects the roles.
We developed this class to retrieve the roles of a user from our Cassandra database, and to authenticate the user either against AD/LDAP or against Cassandra. This means that even when LDAP is used for authentication, the corresponding roles are taken from Cassandra and not from LDAP.
The process is as follows:
- We start by requesting an authentication in Cassandra.
- If it succeeds, we get the corresponding roles from Cassandra; if it fails, we try LDAP for authentication.
- If the LDAP authentication succeeds, we then get the roles from Cassandra; if it fails, we return an error to the user.
You can see below the illustration of these steps.
As shown above, CustomCombinedRealm communicates with two Realms: CassandraRealm and JNDIRealm (the AD/LDAP Realm). These classes communicate with their respective backends, check whether the authentication succeeds, and return the response to CustomCombinedRealm.
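The fallback order and the Cassandra-only role lookup described above, as an added example that is not Datafari's own code: it assumes the Tomcat 8.5/9 Realm API and the DataStax Java driver 3.x, and the class name, the hypothetical table datafari.user_role and the way the Cassandra session is obtained are all assumptions.

```java
// Added example, not Datafari's code. Assumes Tomcat 8.5/9 and the DataStax driver 3.x;
// the class name, the keyspace/table and the session wiring are hypothetical.
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import org.apache.catalina.Realm;
import org.apache.catalina.realm.CombinedRealm;
import org.apache.catalina.realm.GenericPrincipal;

import com.datastax.driver.core.Row;
import com.datastax.driver.core.Session;

public class CassandraRolesCombinedRealm extends CombinedRealm {

    // Session towards the Cassandra holding the user data model. Tomcat instantiates realms
    // with a no-arg constructor, so the session is injected afterwards (assumption).
    private Session session;

    public void setSession(Session session) {
        this.session = session;
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        // 'realms' holds the nested <Realm> elements from server.xml in declaration order:
        // CassandraRealm first, then JNDIRealm (AD/LDAP). The first backend that accepts wins.
        for (Realm realm : realms) {
            Principal authenticated = realm.authenticate(username, credentials);
            if (authenticated == null) {
                continue; // this backend rejected the credentials: fall through to the next one
            }
            // Whichever backend authenticated the user, authorization data comes from Cassandra
            // only: LDAP group membership is deliberately ignored, as the page describes.
            List<String> roles = rolesFromCassandra(username);
            // No password is retained in the Principal; the roles are all isUserInRole() needs.
            return new GenericPrincipal(username, null, roles);
        }
        // Every backend refused the credentials: Tomcat answers with an authentication error.
        return null;
    }

    // Hypothetical table datafari.user_role(username text, role text, PRIMARY KEY (username, role)).
    // The username is passed as a bound value, never concatenated into the CQL string.
    private List<String> rolesFromCassandra(String username) {
        List<String> roles = new ArrayList<>();
        for (Row row : session.execute("SELECT role FROM datafari.user_role WHERE username = ?", username)) {
            roles.add(row.getString("role"));
        }
        return roles;
    }
}
```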
Here is the overall architecture to understand the way it works: