Access Control

User Authentication and Authorization

Fusion provides application security by restricting access to known Users via a two-stage process consisting of:

  • Authentication - users must sign on using a username and password.

  • Authorization - each username is associated with one or more permissions which specify the Fusion UI components and REST-API requests that user has access to. Permissions can be restricted to specific endpoints and path parameters. Roles are named sets of permissions which provide access to a specific function.

The access control component runs in the same process as the Fusion UI. It referred to as the "auth proxy" because it handles authentication and authorization for all requests to the Fusion REST-API services.

All requests to Fusion must be authenticated, as described in section User Access Request Params.

User Account Admininistration

A Fusion Security Realm encapsulates a user database together with specific authentication and authorization mechanisms. This information is stored in ZooKeeper so that is it always available to all Fusion components across the deployment.

Fusion’s native security realm manages both authentication and authorization directly. All user information is stored in ZooKeeper: usernames, passwords, roles, and permissions. Stored passwords are encrypted using bcrypt, the strongest possible encryption algorithm available to all JDKs. Authentication consists of a password-hash comparison between the login password and the encrypted password. The native realm is the home of the Fusion admin user and is the default realm type.

Fusion can be configured to use the host domain’s security mechanism for user administration. The following configurations are possible:

  • LDAP - Fusion stores a local user record in ZooKeeper. Authentication is performed by the LDAP server. LDAP group membership can be used to assign Fusion permissions.

  • Kerberos - Fusion stores a local user record in ZooKeeper. SPNEGO is used for authentication via Kerberos.

  • Kerberos authentication, LDAP authorization - Fusion stores a local user record in ZooKeeper. SPNEGO is used for authentication via Kerberos. LDAP group membership can be used to assign Fusion permissions.

  • SAML - Fusion stores a local user record in ZooKeeper. The SAML 2.0 protocol is used to provide web-browser single sign-on.

See also:

Video tutorial