Access control
User Authentication and Authorization
Managed Fusion provides application security by restricting access to known users via a two-stage process consisting of:
- Authentication. Users must sign on using a username and password.
- Authorization. Each username is associated with one or more permissions which specify the Managed Fusion UI components and REST API requests that user has access to. Permissions can be restricted to specific endpoints and path parameters. Roles are named sets of permissions which provide access to a specific function.
The access control component runs in the same process as the Managed Fusion UI. It is referred to as the "auth proxy" because it handles authentication and authorization for all requests to the Managed Fusion REST API services.
All requests to Managed Fusion must be authenticated, as described in section User Access Request Params.
User Account Administration
A Managed Fusion Security Realm encapsulates a user database together with specific authentication and authorization mechanisms. This information is stored in ZooKeeper so that it is always available to all Managed Fusion components across the deployment.
Managed Fusion’s native security realm manages both authentication and authorization directly. All user information is stored in ZooKeeper: usernames, hashes of passwords, roles, and permissions. Passwords are hashed using bcrypt. Authentication compares a hash of the entered login password with the stored password hash. The native realm is the home of the Managed Fusion admin user and is the default realm type.
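The following is an added example, not code from the Managed Fusion documentation or product. It models the auth proxy's two-stage check as a small stand-alone program: the native realm's authentication (re-hash the entered password and compare it with the stored hash) followed by authorization through roles that are named sets of permissions, where a permission is restricted to an endpoint and, optionally, to allowed values of a path parameter. Assumptions: bcrypt is not in Python's standard library, so the example substitutes `hashlib.scrypt` for the password hash (the verify-by-rehash logic is the same); the role names, user accounts, API paths and the `Permission`, `authorize` and `handle_request` names are constructed for illustration and are not Managed Fusion's actual roles, API surface or implementation.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# ---- Stage 1: authentication -----------------------------------------------
# Managed Fusion stores bcrypt hashes. bcrypt is not in the Python standard
# library, so this example substitutes hashlib.scrypt (assumption), another
# salted, deliberately slow password hash; the re-hash-and-compare logic is the same.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password, salt=None):
    """Hash a new password with a fresh random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def verify_password(password, salt, stored_digest):
    """Re-hash the entered password with the stored salt and compare the result
    to the stored digest in constant time (no early exit on the first mismatch)."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, stored_digest)


# ---- Stage 2: authorization ------------------------------------------------
@dataclass
class Permission:
    methods: frozenset          # HTTP methods this permission covers
    path_pattern: str           # "{name}" matches one path segment; "**" matches any suffix
    params: dict = field(default_factory=dict)  # {param name: set of allowed values}

    def __post_init__(self):
        # Build a regex from the pattern, escaping the literal text between placeholders.
        parts = re.split(r"\{(\w+)\}", self.path_pattern)
        regex = ""
        for i, part in enumerate(parts):
            if i % 2 == 1:                        # placeholder -> named group
                regex += f"(?P<{part}>[^/]+)"
            else:                                 # literal text; "**" becomes a wildcard
                regex += re.escape(part).replace(r"\*\*", ".*")
        self._regex = re.compile(regex)

    def allows(self, method, path):
        if method.upper() not in self.methods:
            return False
        match = self._regex.fullmatch(path)
        if match is None:
            return False
        # Every restricted path parameter must take one of its allowed values.
        return all(match.group(name) in allowed for name, allowed in self.params.items())


# Roles are named sets of permissions (constructed illustrative roles and paths,
# not Managed Fusion's real role definitions or API surface).
ROLES = {
    "search": [
        Permission(frozenset({"GET", "POST"}),
                   "/api/query-pipelines/{pipeline}/collections/{collection}/select",
                   params={"collection": {"products"}}),
    ],
    "admin": [Permission(frozenset({"GET", "POST", "PUT", "DELETE"}), "/api/**")],
}

# User database: username -> salt, digest, roles (constructed sample accounts).
USERS = {}
for _name, _password, _roles in [("alice", "correct horse battery staple", ["search"]),
                                  ("bob", "admin-pass-123", ["admin"])]:
    _salt, _digest = hash_password(_password)
    USERS[_name] = {"salt": _salt, "digest": _digest, "roles": _roles}

# Unknown usernames are verified against a dummy record so that a login attempt
# costs one hash whether or not the account exists (no timing-based user enumeration).
DUMMY_SALT, DUMMY_DIGEST = hash_password("unused-dummy-password")


def authorize(roles, method, path):
    """True if any permission granted by any of the user's roles covers the request."""
    return any(perm.allows(method, path)
               for role in roles for perm in ROLES.get(role, ()))


def handle_request(username, password, method, path):
    """The auth proxy's two-stage check: authenticate, then authorize.
    Returns an HTTP-style status: 401 (unknown user or bad password),
    403 (authenticated but not permitted), or 200 (allowed)."""
    user = USERS.get(username)
    salt, digest = (user["salt"], user["digest"]) if user else (DUMMY_SALT, DUMMY_DIGEST)
    if not verify_password(password, salt, digest) or user is None:
        return 401
    if not authorize(user["roles"], method, path):
        return 403
    return 200


if __name__ == "__main__":
    print(handle_request("alice", "correct horse battery staple", "GET",
                         "/api/query-pipelines/default/collections/products/select"))  # 200
    print(handle_request("alice", "correct horse battery staple", "DELETE",
                         "/api/collections/products"))  # 403
    print(handle_request("bob", "wrong", "GET", "/api/collections"))  # 401
```

Two details worth noting in the design: the stored digest is never compared with `==`, only with `hmac.compare_digest`, and an unknown username still pays for one hash computation, so the 401 for a bad password and the 401 for a missing account take the same time. The `params` restriction is what lets a single permission cover one endpoint while limiting which collection a role may query through it.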
Managed Fusion can be configured to use the host domain’s security mechanism for user administration. The following configurations are possible:
- LDAP. Managed Fusion stores a local user record in ZooKeeper. Authentication is performed by the LDAP server. LDAP group membership can be used to assign Managed Fusion permissions.
- Kerberos. Managed Fusion stores a local user record in ZooKeeper. SPNEGO is used for authentication via Kerberos.
- Kerberos authentication and LDAP authorization. Managed Fusion stores a local user record in ZooKeeper. SPNEGO is used for authentication via Kerberos. LDAP group membership can be used to assign Managed Fusion permissions.
- SAML. Managed Fusion stores a local user record in ZooKeeper. The SAML 2.0 protocol is used to provide web-browser single sign-on.
- JWT. JSON Web Token.
More information
These additional topics explain how to configure the supported authentication methods: