Project

General

Profile

Revision 8569

Added by Jing Tao almost 6 years ago

Add the documentation for the password file authentication.

View differences:

authinterface.rst
1
Creating a Java Class that Implements AuthInterface
2
===================================================
3
By default, Metacat supports the use of LDAP as an external authentication
4
mechanism.  It does this by supplying a class (``AuthLDAP``) that implements
5
authentication via an external LDAP server.  However, administrators have the 
6
choice of replacing LDAP with a different system for authentication because 
1
Metacat Authentication Mechanism
2
================================
3
Metacat supports either an internal password file authentication or the use of LDAP 
4
as an external authentication mechanism.  It does this by supplying two classes 
5
(``AuthFile`` or ``AuthLDAP``) that implement authentication via a password file or 
6
an external LDAP server. You may choose the authentication mechanism during the configuration.
7

  
8
However, administrators have the choice of replacing the default classes with a different system for authentication because 
7 9
Metacat is written such that this Authentication provider is replaceable with 
8
another class that implements the same interface (``AuthInterface``). As
9
an Administrator, you have the choice to provide an alternative implementation
10
of ``AuthInterface`` and then configuring ``metacat.properties`` to use that
11
class for authentication instead of LDAP.
10
another class that implements the same interface (``AuthInterface``). As 
11
an Administrator, you have the choice to provide an alternative implementation 
12
of ``AuthInterface`` and then configuring ``metacat.properties`` to use that 
13
class for authentication instead of LDAP or the internal password file.
12 14

  
15
Password File Based Authentication
16
----------------------------------
17
This is the default authentication mechanism in Metacat release.  The password file
18
path can be specified during the configuration.  The Tomcat user should have the
19
write/read permission to access the file.  The password file looks like:
20

  
21
::
22

  
23
<?xml version="1.0" encoding="UTF-8"?>
24
<subjects>
25
<users>
26
<user dn="uid=john,o=NCEAS,dc=ecoinformatics,dc=org">
27
<password>csilPspPJdMx8zt7L9XKXeUxZjkPgKZd.o7TTPC0oJOFmT2kQ/E92</password>
28
<email>foo@foo.com</email>
29
<surName>Smith</surName>
30
<givenName>John</givenName>
31
<organization>NCEAS</organization>
32
<memberof>cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org</memberof>
33
</user>
34
<user dn="uid=brand,o=NCEAS,dc=ecoinformatics,dc=org">
35
<password>$2a$10$j8eGWJBEpj5MubdaqOeJje7oYw6JNc2aq2U7buoRw16kthwOEcWkC</password>
36
</user>
37
</users>
38
<groups>
39
<group name="cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org">
40
<description>Developers at NCEAS</description>
41
</group>
42
</groups>
43
</subjects> 
44

  
45
The format of the DN must look like uid=john,o=NCEAS,dc=ecoinformatics,dc=org.
46

  
47
The format of the group name must look like cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org.
48

  
49
The password stored in the file was hased by Bcrypt algorithm.  If you have the "-i" in the 
50
"useradd" or "usermod" commands when you run the command line utility (see the following section), 
51
you will be prompted to input the password and the utility will hash the password and store it in
52
the file. You may also get the hash of a password from any online tool, such as https://www.dailycred.com/blog/12/bcrypt-calculator (we
53
don't have any guaranty on the security of those tools), then use the "-h" to pass the hashed password to the file by the utility.
54

  
55

  
56
Utility for Password File Based Authentication
57
----------------------------------------------
58
You can edit the password file manually.  We also developed a command line utility 
59
to help the administrator to manage users and groups. The file locates at $METACAT/WEB-INF/scripts/bash/authFileManager.sh.
60

  
61
You must be in the directory - $METACAT/WEB-INF/scripts/bash/ to run the file::
62

  
63
  cd $METACAT/WEB-INF/scripts/bash/ 
64
  
65
In order to run the file, you must make the file executable::
66

  
67
  chmod u+x authFileManager.sh 
68

  
69
You run the command as the owner of the file::
70

  
71
  ./authFileManager.sh  [options]
72

  
73
Usage of the utility:
74

  
75
./authFileManager.sh useradd -i -dn user-distinguish-name -g group-name -e email-address -s surname -f given-name -o organizationName 
76

  
77
./authFileManager.sh useradd -h hashed-password -dn user-distinguish-name -g group-name -e email-address -s surname -f given-name -o organizationName 
78

  
79
./authFileManager.sh groupadd -g group-name -d description 
80

  
81
./authFileManager.sh usermod -password -dn user-distinguish-name -i 
82

  
83
./authFileManager.sh usermod -password -dn user-distinguish-name -h new-hashed-password 
84

  
85
./authFileManager.sh usermod -group -a -dn user-distinguish-name -g added-group-name 
86

  
87
./authFileManager.sh usermod -group -r -dn user-distinguish-name -g removed-group-name 
88

  
89

  
90
Note:
91

  
92
1. Metacat currently uses Bcrypt algorithm to hash the password. The hashed password following the "-h" should be generated by a Bcrypt algorithm.
93
  The hash string usually has $ signs which messes the command line arguments. You should use two SINGLE quotes to wrap the entire hashed string.
94
2. The user-distinguish-name must look like "uid=john,o=something,dc=something,dc=something" and the group-name must look like "cn=dev,o=something,dc=something,dc=something".
95
3. if a value of an option has spaces, the value should be enclosed by the double quotes.
96
  For example: ./authFileManager.sh groupadd -g cn=dev,o=something,dc=something,dc=something -d "Developers at NCEAS"
97
4. "-d description" in the "groupadd" command is optional; "-g groupname -e email-address -s surname -f given-name -o organizationName" in the "useradd" command are optional as well.
98

  
99
LDAP Based Authentication
100
----------------------------------
101
Before the Metacat 2.4.0 release, the LDAP was the default authentication mechanism. It 
102
used the NCEAS LDAP server by default.  However, the server will be only accessible by the
103
trusted partners. If you are not on the list, you may use either the password file authentication
104
(for a small group of users) or set up a LDAP server by yourself (for a big group of users).

Also available in: Unified diff