Access Control
These additional topics explain how to configure the supported authentication methods:
User Authentication and Authorization
Fusion provides application security by restricting access to known users via a two-stage process consisting of:
- Authentication. Users must sign on using a username and password.
- Authorization. Each username is associated with one or more permissions which specify the Fusion UI components and REST API requests that user has access to. Permissions can be restricted to specific endpoints and path parameters. Roles are named sets of permissions which provide access to a specific function.
The access control component runs in the same process as the Fusion UI. It is referred to as the "auth proxy" because it handles authentication and authorization for all requests to the Fusion REST API services.
All requests to Fusion must be authenticated, as described in section User Access Request Params.
User Account Administration
A Fusion Security Realm encapsulates a user database together with specific authentication and authorization mechanisms. This information is stored in ZooKeeper so that it is always available to all Fusion components across the deployment.
Fusion’s native security realm manages both authentication and authorization directly. All user information is stored in ZooKeeper: usernames, hashes of passwords, roles, and permissions. Passwords are hashed using bcrypt. Authentication compares a hash of the entered login password with the stored password hash. The native realm is the home of the Fusion admin user and is the default realm type.
Fusion can be configured to use the host domain’s security mechanism for user administration. The following configurations are possible:
- LDAP. Fusion stores a local user record in ZooKeeper. Authentication is performed by the LDAP server. LDAP group membership can be used to assign Fusion permissions.
- Kerberos. Fusion stores a local user record in ZooKeeper. SPNEGO is used for authentication via Kerberos.
- Kerberos authentication, LDAP authorization. Fusion stores a local user record in ZooKeeper. SPNEGO is used for authentication via Kerberos. LDAP group membership can be used to assign Fusion permissions.
- SAML. Fusion stores a local user record in ZooKeeper. The SAML 2.0 protocol is used to provide web-browser single sign-on.
- JWT. JSON Web Token.
Cross-origin resource sharing (CORS)
As a security measure, CORS is disallowed by default in Fusion 4.2.0. You can enable it, if needed, by editing the proxy.corsAllowOrigin property in conf/:corsconfig:. The default value is a regular expression that matches nothing:
proxy.corsAllowOrigin = (?!)
You can change this to a regular expression that matches the specific hosts or domains that you trust. Setting this to allow all domains (proxy.corsAllowOrigin = .*) is not recommended.
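As an added illustration (not part of the Fusion documentation or code), the following shows how a regular-expression allow-list such as proxy.corsAllowOrigin behaves against sample Origin headers, including the matches-nothing default, the allow-all value, and a constructed scoped pattern beside a loosely written one. It assumes the whole Origin header value must match the pattern (full match) and uses constructed example.com hosts; Fusion's exact matching rules are not stated on the page.

```python
import re

# Candidate values for the proxy.corsAllowOrigin property.
DEFAULT_CORS_ALLOW_ORIGIN = r"(?!)"  # Fusion default: matches nothing
ALLOW_ALL_CORS_ALLOW_ORIGIN = r".*"  # matches every origin; not recommended
# Constructed scoped pattern: exactly two trusted HTTPS origins, dots escaped.
SCOPED_CORS_ALLOW_ORIGIN = r"https://(app|admin)\.example\.com"
# Constructed loose pattern: wildcard before the domain, dot left unescaped.
LOOSE_CORS_ALLOW_ORIGIN = r"https://.*example.com"


def origin_allowed(cors_allow_origin: str, origin: str) -> bool:
    """Return True if the request's Origin header is allowed by the pattern.

    Assumption: the whole header value must match (re.fullmatch), so an
    unanchored pattern cannot be bypassed by appending extra characters.
    """
    return re.fullmatch(cors_allow_origin, origin) is not None


def cors_headers(cors_allow_origin: str, origin: str) -> dict:
    """Build the CORS response headers a proxy would add for an allowed origin.

    The matched origin is echoed back rather than '*', and 'Vary: Origin' is
    set so that caches do not serve one origin's response to another.
    """
    if origin_allowed(cors_allow_origin, origin):
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def loose_pattern_overreach(cors_allow_origin: str) -> list:
    """List constructed origins a pattern accepts although they are not
    app/admin.example.com; a non-empty result means the pattern is too broad."""
    probes = [
        "https://notexample.com",        # '.*' swallows 'not', dot unescaped
        "https://exampleXcom",           # unescaped '.' matches any character
        "https://evil.example.com",      # any subdomain accepted
    ]
    return [o for o in probes if origin_allowed(cors_allow_origin, o)]
```

Running loose_pattern_overreach on the scoped pattern returns an empty list, while the loose pattern accepts all three probes.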