Since version 0.8, yourCMDB has integrated user authentication and authorisation.
The security concept is divided into authentication and authorisation. A specific authentication method is used to authenticate the user. During authentication, each user is mapped to an access group. For example, user root is mapped to access group admin, while user michael is mapped to access group user.
In each access group, access rights are configured. For example, access group admin has the right to view the admin section in the web UI, while users of access group user are not allowed to access this page.
Authentication and authorisation can be configured per application part. At the moment the following application parts are implemented:
application part | description |
---|---|
web | web UI of yourCMDB |
rest | REST API of yourCMDB |
Please see more details in the sections below.
User authentication is done by a so-called AuthenticationProvider, which implements a specific authentication method. The following AuthenticationProviders are implemented at the moment:
AuthenticationProvider | authentication method | available since version |
---|---|---|
AuthenticationProviderLocal | authentication is done against a local user database | 0.8 |
AuthenticationProviderLdap | authentication is done against an LDAP directory service | 0.8 |
AuthenticationProviderHttp | authentication is done against an HTTP server | 0.14 |
Please see details on the specific AuthenticationProvider below.
The authentication is done against the local yourCMDB database. Each user is stored with username, password hash and access group. All users can be managed in the admin section of the web UI, tab “Authentication”.
The salted password hash is built like this:

```
SHA256(yourcmdb<username><password>)
```
There are no parameters that can be configured.
The authentication is done against an LDAP directory service. The AuthenticationProvider uses a bindDN to search the LDAP directory for the given username using the configured searchFilter. If an object with the username is found, a bind with the given username and password is tried. If this bind succeeds, the user is authenticated.
For mapping a user to a yourCMDB access group, the LDAP directory is searched for the groups of which the given user is a member, using the configured searchFilterGroup. A mapping between an LDAP group and a yourCMDB access group can be configured. If a user is a member of multiple groups, the first match is used.
The following parameters can be configured:
parameter | default value | description |
---|---|---|
url | ldap://localhost:389 | URL to LDAP Server |
useLdapV3 | true | use LDAP in version 3 |
bindDn | cn=admin,dc=yourcmdb,dc=org | DN for binding and searching the directory |
bindPw | cmdb | password for the bind DN |
searchFilter | (uid=%username%) | LDAP filter for searching user objects. %username% will be replaced with the given username during authentication |
searchFilterGroup | (memberUid=%username%) | LDAP filter for searching groups of the user. %username% will be replaced with the given username during authentication |
defaultAccessgroup | default | default access group for the user |
groupmap_<ldapgroup> | - | mapping of an LDAP group to a yourCMDB access group |
The authentication is done against an HTTP server with HTTP basic authentication. During authentication, a configured URL is requested with HTTP basic auth using the given username and password. If the response is HTTP 200, the user is authenticated.
With the config options accessgroup_<username>, a specific user can be mapped to a yourCMDB accessgroup.
The config option allowedUsers will restrict the access to the users given in the comma separated list.
Note: for this authentication provider php-curl must be installed. On RHEL based systems with apache2, please allow network connections for httpd with the following command:

```shell
setsebool -P httpd_can_network_connect 1
```
The following parameters can be configured:
parameter | default value | description |
---|---|---|
url | http://localhost | URL of the HTTP server |
defaultAccessgroup | default | default access group for the user |
accessgroup_<username> | - | mapping of a username to a yourCMDB access group |
allowedUsers | - | if set, only the listed users (comma separated) are allowed to log in |
Authorisation is done with access groups. Each user is a member of exactly one access group. In each access group, multiple access rights can be configured. Access groups and their access rights are configured in the admin section of the yourCMDB web UI, tab “Authorisation”.
The following access rights can be configured at the moment:
access right | description | implemented rights | available since version |
---|---|---|---|
default | default value, is used when no other access right is configured | - | 0.8 |
admin | access to admin section in web UI | no access / write access | 0.8 |
rest | access to REST API | no access / read-only / write access | 0.8 |
The configuration is done in the configuration file security-configuration.xml. Please have a look at the following example:

```xml
<security-configuration>
  <authentication>
    <authproviders>
      <authprovider name="local-auth" class="AuthenticationProviderLocal" />
      <authprovider name="ldap-auth" class="AuthenticationProviderLdap">
        <parameter key="url" value="ldap://localhost:389" />
        <parameter key="useLdapV3" value="true" />
        <parameter key="bindDn" value="cn=admin,dc=yourcmdb,dc=org" />
        <parameter key="bindPw" value="cmdb" />
        <parameter key="baseDn" value="dc=yourcmdb,dc=org" />
        <parameter key="searchFilter" value="(uid=%username%)" />
        <parameter key="searchFilterGroup" value="(memberUid=%username%)" />
        <parameter key="defaultAccessgroup" value="default" />
        <parameter key="groupmap_admin" value="admin" />
        <parameter key="groupmap_rest" value="rest" />
        <parameter key="groupmap_user" value="user" />
      </authprovider>
    </authproviders>
    <authmethods>
      <authmethod part="web" authprovider="local-auth" />
      <authmethod part="rest" authprovider="local-auth" />
    </authmethods>
  </authentication>
</security-configuration>
```

In the <authproviders>-section, each AuthenticationProvider is declared with a name, its class and its parameters. In the <authmethods>-section, each application part is mapped to one of these authproviders.
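The following added example (not yourCMDB code) reads a security-configuration.xml in the format shown above, and applies the access-group rules documented for the local, LDAP and HTTP providers: the documented salted hash, the groupmap_<ldapgroup> first-match rule with defaultAccessgroup fallback, and the allowedUsers / accessgroup_<username> rules. The sample config is constructed; the RFC 4515 escaping in ldap_filter is this example's own hardening of the %username% substitution, not documented yourCMDB behaviour.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample, cut down from the security-configuration.xml shown above.
CONFIG_XML = """<security-configuration>
 <authentication>
  <authproviders>
   <authprovider name="local-auth" class="AuthenticationProviderLocal" />
   <authprovider name="ldap-auth" class="AuthenticationProviderLdap">
    <parameter key="searchFilter" value="(uid=%username%)" />
    <parameter key="defaultAccessgroup" value="default" />
    <parameter key="groupmap_admin" value="admin" />
    <parameter key="groupmap_user" value="user" />
   </authprovider>
  </authproviders>
  <authmethods>
   <authmethod part="web" authprovider="local-auth" />
   <authmethod part="rest" authprovider="ldap-auth" />
  </authmethods>
 </authentication>
</security-configuration>"""

def load_config(xml_text):
    """Return (provider name -> {'class', 'params'}, application part -> provider name)."""
    root = ET.fromstring(xml_text)
    providers = {}
    for p in root.iter("authprovider"):
        params = {q.get("key"): q.get("value") for q in p.findall("parameter")}
        providers[p.get("name")] = {"class": p.get("class"), "params": params}
    return providers, {m.get("part"): m.get("authprovider") for m in root.iter("authmethod")}

def local_password_hash(username, password):
    """Salted hash exactly as documented: SHA256('yourcmdb' + username + password)."""
    return hashlib.sha256(f"yourcmdb{username}{password}".encode()).hexdigest()

def ldap_filter(template, username):
    """Replace %username%; RFC 4515 escaping is this example's hardening, not documented behaviour."""
    esc = username.translate(str.maketrans({"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}))
    return template.replace("%username%", esc)

def ldap_accessgroup(params, member_groups):
    """First group (in LDAP search-result order) with a groupmap_<ldapgroup> entry wins."""
    for g in member_groups:
        if f"groupmap_{g}" in params:
            return params[f"groupmap_{g}"]
    return params.get("defaultAccessgroup", "default")

def http_accessgroup(params, username):
    """allowedUsers (comma separated) gates login; accessgroup_<username> overrides the default."""
    allowed = [u.strip() for u in params.get("allowedUsers", "").split(",") if u.strip()]
    if allowed and username not in allowed:
        return None  # not in allowedUsers: login refused
    return params.get(f"accessgroup_{username}", params.get("defaultAccessgroup", "default"))
```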