Overview
The security approach is divided into two distinct spheres of responsibility
- Channel security (encryption)
- Application security (AuthN / AuthZ)
The configuration of any given user compute instance will consist of an Apache HttpServer layered on top of Tomcat.
- Apache HttpServer
- All requests will come through Apache on port 443 (https) of the instance
- The requests will internally be unencrypted, where encryption exists, and redirected to tomcat as open text
- Tomcat
- A defined set of resource endpoints will require AuthN and AuthZ
- Spring-security is being leveraged to wire AuthN and AuthZ across relevant resources
Channel Security Implementation
- Apache HttpServer is configured to require all requests to the four DuraCloud web applications (/duradmin, /durastore, /duraservice, and /duraboss) go over https.
- Below are the https enforcement rules configured in Apache
Code Block |
---|
###
# ensure 'duradmin' uses https
###
RewriteCond %{REQUEST_URI} /duradmin
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [R=301,L]
###
# try to require https for 'durastore', 'duraservice', & 'duraboss' for
# external requests
###
RewriteCond %{REQUEST_URI} ^(/durastore|/duraservice|/duraboss)
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{SERVER_NAME} !^localhost$
RewriteCond %{SERVER_NAME} !^127.0.0.1$
RewriteCond %{REMOTE_HOST} !^127.0.0.1$
RewriteCond ${local-ip-map:%{REMOTE_HOST}} !^localhost$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [R=301,L]
|
Application Security Implementation
The basic AuthN flow is as follows
- User requests secured resource
- If credentials not in request
- Spring AuthenticationProvider performs AuthN
- AuthProvider asks UserDetailsService for GrantedAuthorities for given Principal
- notes
- DuraCloud provides custom UserDetailsService implementation to return UserDetails of requesting Principal
- AbstractSecurityInterceptor permanently caches user AuthN decisions by default
- Authentication object and "configuration attributes" are passed to AccessDecisionManager for AuthZ
Security Servlet Filters
DuraCloud leverages Spring's mechanism for wiring AuthN/Z into an application across servlet url patterns.
The following access rules are placed across the durastore and duraservice REST-APIs:
Panel |
---|
title | Initialization REST Methods - Common across all applications |
---|
|
Action | Role |
---|
Is Initialized | ROLE_ANONYMOUS | Initialize | ROLE_ROOT | Initialize Security Users | ROLE_ROOT |
|
Panel |
---|
title | DuraStore REST Methods |
---|
|
Action | Role |
---|
Get Stores | ROLE_USER | Get Spaces | ROLE_ANONYMOUS if space ACL allows public read, else ROLE_USER | Get Space | ROLE_ANONYMOUS if space ACL allows public read, else ROLE_USER | Get Space Properties | ROLE_ANONYMOUS if space ACL allows public read, else ROLE_USER | Get Space ACLs | ROLE_ANONYMOUS if space ACL allows public read, else ROLE_USER | Create Space | ROLE_ADMIN | Set Space Properties | ROLE_USER | Set Space ACLs | ROLE_ADMIN | Delete Space | ROLE_ADMIN | Get Content | ROLE_ANONYMOUS if space ACL allows public read, else ROLE_USER | Get Content Properties | ROLE_ANONYMOUS if space ACL allows public read, else ROLE_USER | Store Content | ROLE_USER | Copy Content | ROLE_USER | Set Content Properties | ROLE_USER | Delete Content | ROLE_USER | Get Tasks | ROLE_ADMIN | Perform Task | ROLE_ADMIN |
|
Panel |
---|
title | DuraService REST Methods |
---|
|
Action | Role |
---|
Get Services | ROLE_USER | Get Service | ROLE_USER | Get Deployed Service | ROLE_USER | Get Deployed Service Properties | ROLE_USER | Deploy Service | ROLE_ADMIN | Update Service Configuration | ROLE_ADMIN | UnDeploy Service | ROLE_ADMIN |
|
Panel |
---|
title | DuraBoss REST Methods |
---|
|
Action | Role |
---|
Get Latest Storage Report | ROLE_ADMIN | Get Storage Report List | ROLE_ADMIN | Get Storage Report | ROLE_ADMIN | Get Storage Report Info | ROLE_ADMIN | Start Storage Report | ROLE_ROOT | Cancel Storage Report | ROLE_ROOT | Schedule Storage Report | ROLE_ROOT | Cancel Storage Report Schedule | ROLE_ROOT | Get Deployed Services Report | ROLE_ADMIN | Get Completed Services Report | ROLE_ADMIN | Get Completed Services Report List | ROLE_ADMIN | Get Services Report | ROLE_ADMIN | Get Executor Status | ROLE_ADMIN | Get Supported Executor Actions | ROLE_ADMIN | Perform an Executor Action | ROLE_ROOT | Shutdown Executor | ROLE_ROOT | Create Initial Audit Log | ROLE_ROOT | Get Audit Logs | ROLE_ADMIN | Shutdown Auditor | ROLE_ROOT | Get Content Manifest | ROLE_ADMIN |
|
Roles
The fixed set of users/roles listed below are provided in DuraCloud. Each role in the list below represents a super set of the privileges of those above it.
- ROLE_ANONYMOUS
- ROLE_USER
- user created by DuraCloud-account admin
- ROLE_ADMIN
- administrator of DuraCloud-account
- ROLE_ROOT
User Management and Access Control
- Users are managed via the DuraCloud Management Console. In the Management Console, an account administrator has the ability to:
- Add and remove users to the DuraCloud account
- Create Groups and add users to groups in order to simplify access control
- Access Control is managed at the space level
- Within DuraCloud (via the UI or the REST API), an account administrator has the ability to define which users and groups have access to a space, as well as the type of access (read or write) that is available.