Security Realms

A Security Realm provides information about a domain, an authentication mechanism, and the permissions allotted to users from that domain. A Fusion instance can manage multiple security realms, which allows users from different domains to have (different levels of) access to specific Fusion collections.

Realm types

Fusion can be configured for the following kinds of security realm types:

Native

Fusion allows a single native domain named "native". This is the home of the Fusion admin user and is the default realm type. The native realm also provides a fallback mechanism in case of LDAP server or communication failure.

This realm is required to bootstrap Fusion. Since all requests to Fusion require authentication and authorization, on initial startup you must access the Fusion UI to set the admin password. Once Fusion has a valid admin password, it creates the admin account in the Fusion native realm.

For the native realm, Fusion manages all authentication and permissions information directly. Fusion user accounts are created and managed either using the Fusion UI or the REST API, including the Permissions and Roles APIs. Stored passwords are never kept in plaintext: they are hashed using bcrypt, the strongest password-hashing algorithm available to all JDKs.
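The following Python model is an added illustration, not Fusion's own code, of the two properties described above for the native realm: locally stored password hashes, and a fallback that keeps native accounts (such as admin) usable when the LDAP server is unreachable without ever vouching for LDAP-only users. The `NativeRealm`, `LdapRealm` and `login` names are hypothetical, and PBKDF2 from the standard library stands in for Fusion's bcrypt so the example runs without extra packages.

```python
import hashlib
import hmac
import os

class RealmUnavailable(Exception):
    """Raised when a realm's backend (for example the LDAP server) cannot be reached."""

class NativeRealm:
    """Stand-in for the native realm: credentials are verified locally.
    Fusion stores bcrypt hashes; PBKDF2 from the standard library is used here
    only so the example runs without extra packages (constructed, not Fusion's code)."""
    ITERATIONS = 200_000

    def __init__(self):
        self._users = {}  # user id -> (salt, hash)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def authenticate(self, user, password):
        if user not in self._users:
            return False  # unknown user: the native realm cannot vouch for it
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._hash(password, salt))

class LdapRealm:
    """Stand-in for an LDAP realm: the password check is delegated to the directory
    (a bind), so nothing usable for local verification is stored in Fusion."""
    def __init__(self, bind, reachable=True):
        self._bind = bind           # callable(user, password) -> bool, simulating an LDAP bind
        self.reachable = reachable  # set to False to simulate an LDAP outage

    def authenticate(self, user, password):
        if not self.reachable:
            raise RealmUnavailable("LDAP server unreachable")
        return self._bind(user, password)

def login(realms, realm_name, user, password):
    """Authenticate against the requested realm. If its backend is down, fall back
    to the native realm, which only succeeds for accounts it holds itself; LDAP-only
    users are denied rather than waved through. Returns (ok, realm_used)."""
    try:
        return realms[realm_name].authenticate(user, password), realm_name
    except RealmUnavailable:
        return realms["native"].authenticate(user, password), "native"
```

The point to check in such a design is the outage case: the native admin still authenticates, while an LDAP user with a correct LDAP password is denied because the native realm holds no credentials for that account.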

SSO Trusted HTTP

The "SSO Trusted HTTP" realm type (trusted-http in the REST API) is useful in single sign-on (SSO) environments.

Kerberos

Where a host domain uses Kerberos for authentication and LDAP for authorization, Fusion can be configured to do the same: create a realm of type "LDAP" and then specify Kerberos as its authentication mechanism.

Fusion stores a local user record in ZooKeeper and a mapping to the Kerberos principal.

SPNEGO is used for authentication via Kerberos.

LDAP

If your search application searches a collection that enforces document-level security via ACLs, Fusion user accounts must match the identities in the document ACLs in order to preserve that document-level access. This can be done automatically by creating a security realm that uses LDAP group memberships to assign user roles.

Fusion stores a local user record in ZooKeeper, and authentication is performed by the LDAP server. User accounts can be managed by Fusion, or created automatically, in which case the Fusion user id maps directly to the LDAP Distinguished Name (DN). Fusion permissions can be assigned automatically based on LDAP group membership.

SAML

Fusion stores a local user record in ZooKeeper and the URL and information about the SAML Identity Provider. The SAML 2.0 protocol is used to provide web browser single sign-on.

Managing Security Realms

Only Fusion users with admin privileges can manage security realms. There are two ways to manage security realms:

In the Fusion UI

Navigate to Applications > Access Control > Security Realms.

Using the Realms API

Use the http://localhost:8764/api/realm-configs/ endpoint to manage security realms. See the Realms API reference for details. In production environments, use port 8765.