Security Management

epadmin Security Commands

The following epadmin targets allow you to administer various aspects of a node's security configuration, and let you reconfigure settings while the node is running. See epadmin help targetname for usage information about each target.

configuration
password
realm
secret
security
user

Viewing the Current Configuration

Use any of the following commands to understand the current security configuration of a running node, specifying either the node's --adminport or --servicename:

epadmin display security
epadmin display configuration
epadmin display realm
epadmin display user

Activating Configurations

Activating a realm configuration with the epadmin activate configuration command creates the realm; deactivating the realm configuration with epadmin deactivate configuration removes it. You can change the current configuration by activating a new version.

The StreamBase Runtime supports live update of realm configurations. That is, you can activate a new version of a realm configuration, and all authentication and authorization using that realm automatically begins using the new version without requiring an engine restart. Use epadmin load configuration to upload a new configuration file with the same HOCON type and name, but an incremented version string. Then deactivate the current configuration and activate the new one.

Each realm has a unique name. An attempt to activate a configuration containing a different realm with the same name as an existing realm fails.

Realms are referenced by the listener configurations that use them, and by the node administration engine. An attempt to deactivate the configuration of a realm that is referenced fails.

A node can have any number of active realm configurations, except for Kerberos realms, which allow only one.
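
The live-update sequence described above, as an added example that is not part of the original documentation or TIBCO's own tooling. It runs load, deactivate, and activate in the documented order, and restores the old version if the new one fails to activate. The service name, configuration type, realm name, version strings, file name, and the EPADMIN override variable are assumptions.

```shell
#!/bin/sh
# Added example (not TIBCO's script): roll a realm configuration forward in
# the documented order: load the new version, deactivate the current one,
# activate the new one. Set EPADMIN=echo to print the commands (dry run).

rollover_realm() {
    if [ $# -ne 6 ]; then
        echo "usage: rollover_realm SERVICE TYPE NAME OLD_VER NEW_VER FILE" >&2
        return 2
    fi
    svc=$1; ctype=$2; name=$3; old=$4; new=$5; file=$6
    ep=${EPADMIN:-epadmin}   # assumption: override hook for dry runs

    # The new file keeps the HOCON type and name; only the version changes.
    if [ "$old" = "$new" ]; then
        echo "new version must differ from active version $old" >&2
        return 1
    fi
    # Sanity check (assumes a 'version = "..."' header line in the file).
    if ! grep -E '^[[:space:]]*version[[:space:]]*[=:]' "$file" | grep -Fq "$new"; then
        echo "$file does not declare version $new" >&2
        return 1
    fi

    "$ep" --servicename="$svc" load configuration --source="$file" || return 1
    # Deactivation fails while the realm is still referenced; stop here in
    # that case so the old version stays active.
    "$ep" --servicename="$svc" deactivate configuration \
        --type="$ctype" --name="$name" --version="$old" || return 1
    if ! "$ep" --servicename="$svc" activate configuration \
        --type="$ctype" --name="$name" --version="$new"; then
        # Do not leave the node without the realm: restore the old version.
        echo "activation of $new failed, re-activating $old" >&2
        "$ep" --servicename="$svc" activate configuration \
            --type="$ctype" --name="$name" --version="$old"
        return 1
    fi
    # Confirm what the node now reports.
    "$ep" --servicename="$svc" display realm
}
```

A call such as rollover_realm A.X com.tibco.ep.dtm.configuration.security my-realm 1.0.0 1.0.1 my-realm.conf (all values constructed) performs the update; run it first with EPADMIN=echo to review the exact commands.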

Note

When updating a Local Admin Realm, the initialPrincipals in the updated version must be identical to those in the original realm. Otherwise validation of the realm fails.

Deprecated Security Commands

The following epadmin security target commands are deprecated as of StreamBase 10.3.0. They can continue to be executed, but are not visible in online help:

add security
display security --type (authenticationsources | audit | principals) only
export security
remove security
reset security
update security

The following epadmin security target commands are deprecated as of StreamBase 10.4.0:

display security --type hosts

Use epadmin display trusted instead.

Deprecated LocalAdminAuthenticationRealm

The LocalAdminAuthenticationRealm root object in the security configuration type is deprecated as of the 10.3.0 release. Existing configurations can be loaded and activated on nodes, but it is a best practice to migrate to the LocalAdminRealm configuration.

The LocalAuthenticationRealm root object in the security configuration type deprecates the principals property in favor of initialPrincipals.