Contents
The Spotfire Streaming Administration is a web-based application that offers secure cluster management and configuration convenience from one location, including:
-
Dynamic service discovery.
-
Hierarchical views of clusters, with the option to drill down to the specified managed entity.
-
Node lifecycle management, including node install/stop/start/removal.
-
Application lifecycle management.
-
Logging management.
-
Security management.
You log into the Streaming Administration Interface from a running node via Studio or the epadmin command line.
Security monitoring and
administration is done from the node Security sub-menu
under the Node menu. The following commands are accessed
from the Security menu.
-
AddLocalauthentication source. See epadmin add user. -
Export— export the node'slocalauthentication realm's user configuration. See epadmin export configuration. -
Remove— remove a user definition from the node'slocalauthentication realm. See epadmin remove user. -
Reset— change a password in the node'slocalauthentication realm. See epadmin-password(1). -
Update— update a user definition, other than password, in the node'slocalauthentication realm. See epadmin update user.
|
The above figure shows the security information displayed from the Security menu under the Node menu.
This screen consists of these sections:
-
user — all principals defined in the
localauthentication realm for this node. -
realm — all realms being used by this node.
-
trusted — the trusted hosts used by this node.
-
authentication — the authentication administration commands used by this node.
-
password — the user password in the local authentication realm for this node.
-
secret — the master secret commands used by this node.
The user section shows this information for each
principal defined in the node's local authentication
source:
-
Realm Name — realm in which user is defined.
-
User Name — principal name.
-
Password Expiration (Days) — the password expiration time in days. A value of zero indicates that the password does not expire.
-
Account Locked —
trueif the user account is locked,falseif the account can still be accessed. -
Lock Reason — reason account is locked.
-
Time Remaining Before Auto-Unlock (minutes) — time remaining before a locked user is automatically unlocked, or
disabled, if auto-unlock is disabled. -
Failed Login Lockout Threshold —
enabledif failed login lockout is enabled,disabledif lockout is disabled. -
Failed Login Lockout Duration (minutes) — failed login attempt lockout duration in minutes.
-
Roles — roles granted to this principal.
-
Authentication via Secure Communication Allowed — is a password required when connecting over a secure communication channel?
-
Password Always Required — is a password required even when connecting from a trusted host?
-
Trusted Host Membership Required of Client — is user only allowed to connect from a trusted host?
This information can also be displayed using:
epadmin --servicename=<node-service-name> display user
The realm section shows this information for each
configured authentication realm:
-
Realm Name — Authentication realm name.
-
Realm Type — Authentication realm type description.
-
Referenced By — List of entities using this realm.
This information can also be displayed using:
epadmin --servicename=<node-service-name> display realm
The trusted section shows this information for each
trusted host:
-
Network Address — IP address for a trusted host.
-
Host Name — the host name for a trusted host. This field may be empty if a trusted network address cannot be resolved to a host name using a reverse Domain Name Service (DNS) lookup.
-
Source — the source of the trusted host. This field may contain one of:
-
default— this host was discovered using the local machine's network interfaces (see Trusted Hosts), for example::1. -
configured— this trusted host was an explicitly configured IPv4, IPv6, or FQDN network address (see Trusted Hosts), for examplemyhost.acme.com. -
a PQDN — this host is trusted because of a configured PQDN. The network address was resolved to a FQDN using a reverse DNS lookup and then matched to a PQDN, for example
*.acme.com. -
a CIDR block — this host is trusted because of a configured CIDR block. The network address is within the configured CIDR block, for example
192.168.2.0/24.
-
This information can also be displayed using:
epadmin --servicename=<node-service-name> display trusted
Users are added to a node's local authentication realm using the add command accessed from the user
tab.
The fields in the add command are:
-
User Name — A unique name for this user.
-
Password — Initial password for this user.
-
Roles — A space separated list of roles to assign to this user.
-
Password Expiration (Days) — Password expiration in days. A value of zero indicates that the password does not expire.
-
Locked — Locked account setting.
Clicking on the Execute button will add the new user
to the node after validating that the password values match.
Added users are never removed unless explicitly removed as described in epadmin remove user.
Users can also be added using:
epadmin --servicename=<node-service-name> add user \ --username=admin --password=supersecret --roles=administrator
All principals defined in a local authentication realm
on a node can be backed up using the backup command.
This command is accessed from the realm tab. The realm
backup can be reloaded on a node using the restore realm administration command
(see epadmin restore realm).
The field in the backup tab is:
-
Name — Local authentication realm to backup.
When the Execute button is clicked, the realm is
backed up and can be viewed in the Downloads
directory. No sensitive information, such as passwords is visible in the exported
file.
Local authentication realms can also be backed up using this command:
epadmin --servicename=<node-service-name> backup realm --name=default-realm > default-realm.backup
Local authentication realms can be restored using this command:
epadmin --servicename=<node-service-name> restore realm --name=default-realm \
--file=/opt/backups/default-realm.backup
Passwords are changed in a local authentication realm
using the change command accessed from the
password tab.
The fields in the change command are:
-
User Name — User name of password being changed. This field is read-only. It is set to the user selected in the
Principalstable. -
Password — New password.
-
Confirm Password — Confirm password.
When the Execute button is clicked the password has
been changed.
Passwords can also be changed using this command:
epadmin --servicename=<node-service-name> change password --realm=default-realm --username=admin
Users defined in a local authentication realm are
removed from a node by selecting a principal in the Principals table and clicking on the Remove button.
When the Submit button is clicked the user has been
removed.
Principals can also be removed using this command:
epadmin --servicename=<node-service-name> remove user --realm=default-realm --username=admin
User defined in a local authentication realm are
updated using the update command accessed from the
user tab.
The fields in the update command are:
-
User Name — User name being updated. This field is read-only. It is set to the user selected in the
Principalstable. -
Roles — A space separated list of roles for this principal.
-
Password Expiration (Days) — Password expiration in days. A value of zero indicates that the password does not expire.
-
Locked — Optionally lock the user account.
The fields contain the current values for the user when the dialog is initially
displayed. When the Execute button is clicked any
changed values are updated for the user.
Users can also be updated using this command:
epadmin --servicename=<node-service-name> update user \
--username=admin --roles=administrator
The authentication realm associated with node administration is set by default to a local authentication realm when a node is installed (see Default Security). The default node administration authentication realm cannot be changed using configuration. For example the following fails:
//
// New configuration using an
// authentication realm name of default-realm
// (the default authentication realm name)
//
name = "my-local-authentication-realm"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration =
{
LocalAuthenticationRealm =
{
name = "default-realm"
requirePassword = false
initialPrincipals =
[
{
userName = "guest"
password = ""
roles =
[
"administrator"
]
}
]
}
}
//
// Load configuration
//
epadmin --servicename=A.X load configuration --source=realm.conf
[A.X] type = com.tibco.ep.dtm.configuration.security
[A.X] name = my-local-authentication-realm
[A.X] version = 1.0.0
//
// Activation fails because default local authentication realm
// cannot be changed
//
epadmin --servicename=A.X activate configuration \
--type=com.tibco.ep.dtm.configuration.security \
--name=my-local-authentication-realm --version=1.0.0
[A.X] Audit failed: TIBCO-EP-DTM-00277: configuration (my-local-authentication-realm,
com.tibco.ep.dtm.configuration.security, 1.0.0) contains an authentication realm with
name "default-realm", which already exists in
(default-realm-config, com.tibco.ep.dtm.configuration.security, 1.0.0)
However, it is possible to change the authentication realm associated with node administration to either a different local authentication realm or an LDAP authentication realm. Here are the required steps to change the node administration realm:
-
Load and activate a local (see Configuration of Local Authentication Realm) or LDAP (see Configuration of LDAP Authentication Realm) realm configuration using the configuration administration target (see epadmin-configuration(1)), or as default configuration deployed with an application (see Overriding Default Configuration).
-
Use the setadmin realm administration command to change to the new realm (see epadmin setadmin realm).
This example defines a single administration user named admin in a new local authentication realm and then updates node
administration to use this new realm.
name = "my-local-authentication-realm"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration =
{
LocalAuthenticationRealm =
{
name = "my-local-authentication-realm"
requirePassword = false
initialPrincipals =
[
{
userName = "admin"
password = "admin"
roles =
[
"administrator"
]
}
]
}
}
//
// Display the current node administration realm
// This command is using the operating system
// user that installed the node so no
// user name or password is required from a trusted host
//
epadmin --servicename=A.X getadmin realm
[A.X] Realm Name = default-realm
//
// Load the realm configuration
//
epadmin --servicename=A.X load configuration --source=realm.conf
[A.X] type = com.tibco.ep.dtm.configuration.security
[A.X] name = my-local-authentication-realm
[A.X] version = 1.0.0
//
// Activate the new realm configuration
//
epadmin --servicename=A.X activate configuration --type=com.tibco.ep.dtm.configuration.security \
--name=my-local-authentication-realm --version=1.0.0
//
// Set node administration to use this realm
//
epadmin --servicename=A.X setadmin realm --name=my-local-authentication-realm \
--newrealmuser=admin --newrealmpassword=admin
//
// Display the updated node administration realm
// The new administrator user name and password must be
// specified since admin is not the operating system user
// that installed the node.
//
epadmin --servicename=A.X --username=admin --password=admin getadmin realm
[A.X] Realm Name = my-local-authentication-realm
When changing the node administration realm the new realm must have at least one
user defined with the administrator role to ensure
that the node can be managed in the new realm. This is verified by the setadmin realm
command by requiring the username and password of an administration user in the new
realm.
Attempting to remove the last administration user in a local authentication realm is also prevented to ensure that a node can always by administered.
epadmin --servicename=A.X --username=admin --password=admin remove user \
--realm=my-local-authentication-realm --username=admin
[A.X] Error: TIBCO-EP-DTM-00481: "admin" is the last remaining user in the realm and cannot be removed.
Warning
There is no audit preventing the last administration user from being removed when using an LDAP authentication realm. If the last administration user is removed from the LDAP server, the node can no longer be accessed for management and must be forcefully removed using operating system facilities.
There are cases where administrators can unintentionally lock out all node administration users. Examples are:
-
Remove the last user with administration privileges.
-
Password expires for administration user.
-
Explicitly lock the administration user's account.
-
Switch to a realm that has no administration users defined.
-
etc.
There are two choices at this point:
-
Remove the node directory and processes using operating system specific mechanisms. This causes an application outage and loss of any data stored on the node.
-
Use the reset authentication command to restore the default authentication set up when a node was installed (see Default Security Configuration).
To reset node authentication, the reset authentication command is executed on the same machine on which the node is installed. Operating system write access privileges to the node installation directory must be available to the user running the command.
epadmin reset authentication --installpath=A.X
See epadmin-authentication(1) for more details.
Every administrative command is recorded in an audit log (see Logging). For each command executed the audit log reports on:
-
the command and target executed.
-
the principal that executed the command.
-
whether the command succeeded or failed.
-
the failure cause, if the command failed.