Google Git
Sign in
apache / incubator-retired-gearpump-site / b1f8f45c651eb06f35685187224db1fb2c81a8de / . / releases / latest / deployment-ui-authentication.html
blob: d70b0875d89ba6e617e1c3db0cbb3394799ef096 [file] [log] [blame]
<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js"> <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1"/>
<title>UI Dashboard Authentication and Authorization - Gearpump 0.7.6 Documentation</title>
<link rel="stylesheet" href="css/bootstrap-3.3.5.min.css">
<style>
body {
padding-top: 60px;
padding-bottom: 40px;
}
</style>
<link rel="stylesheet" href="css/main.css">
<link rel="stylesheet" href="css/pygments-default.css">
<script src="js/vendor/modernizr-2.6.1-respond-1.1.0.min.js"></script>
</head>
<body>
<!--[if lt IE 7]>
<p class="chromeframe">You are using an outdated browser. <a href="http://browsehappy.com/">Upgrade your browser today</a> or <a href="http://www.google.com/chromeframe/?redirect=true">install Google Chrome Frame</a> to better experience this site.</p>
<![endif]-->
<div class="navbar navbar-inverse navbar-fixed-top" id="topbar">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="http://gearpump.io">Gearpump
<span class="label label-primary" style="font-size: .6em">0.7.6</span>
</a>
</div>
<div id="navbar" class="collapse navbar-collapse">
<ul class="nav navbar-nav">
<li><a href="index.html">Overview</a></li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Introduction<b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="submit-your-1st-application.html">Submit Your 1st Application</a></li>
<li><a href="commandline.html">Client Command Line</a></li>
<li class="divider"></li>
<li><a href="basic-concepts.html">Basic Concepts</a></li>
<li><a href="features.html">Technical Highlights</a></li>
<li><a href="message-delivery.html">Reliable Message Delivery</a></li>
<li><a href="performance-report.html">Performance</a></li>
<li><a href="gearpump-internals.html">Gearpump Internals</a></li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Deploying<b class="caret"></b></a>
<ul class="dropdown-menu">
<li class="dropdown-header">Deployment</li>
<li><a href="deployment-local.html">Local Mode</a><li>
<li><a href="deployment-standalone.html">Standalone Mode</a></li>
<li><a href="deployment-yarn.html">YARN Mode</a></li>
<li><a href="deployment-docker.html">Docker Mode</a><li>
<li class="divider"></li>
<li><a href="deployment-ui-authentication.html">UI Authentication</a></li>
<li><a href="deployment-ha.html">High Availability</a></li>
<li><a href="deployment-msg-delivery.html">Reliable Message Delivery</a></li>
<li><a href="deployment-configuration.html">Configuration</a></li>
<li><a href="deployment-resource-isolation.html">Resource Isolation</a></li>
<li class="divider"></li>
<li><a href="deployment-security.html">YARN Security Guide</a></li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Programming Guide<b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="dev-write-1st-app.html">Write Your 1st App</a></li>
<li><a href="dev-custom-serializer.html">Customized Message Passing</a></li>
<li class="divider"></li>
<li><a href="api/scala/index.html">Scala API</a></li>
<li><a href="api/java/index.html">Java API</a></li>
<li><a href="dev-rest-api.html">RESTful API</a></li>
<li class="divider"></li>
<li><a href="dev-connectors.html">Gearpump Connectors</a></li>
<li class="divider"></li>
<li><a href="dev-storm.html">Storm Compatibility</a></li>
<!--
<li><a href="dev-samoa.html">Samoa Compatibility</a></li>
<li class="divider"></li>
<li><a href="dev-iot.html">Gearpump with IoT</a></li>
-->
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">More<b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="how-to-contribute.html">How to Contribute</a></li>
<li><a href="coding-style.html">Coding Style</a></li>
<li class="divider"></li>
<li><a href="faq.html">FAQ</a><li>
<li><a href="about.html">About</a></li>
</ul>
</li>
</ul>
</div>
</div>
</div>
<div class="container" id="content">
<h1 class="title">UI Dashboard Authentication and Authorization</h1>
<h2 id="how-to-enable-ui-authentication">How to enable UI authentication?</h2>
<ol>
<li>
<p>Change config file gear.conf, find entry <code>gearpump-ui.gearpump.ui-security.authentication-enabled</code>, change the value to true</p>
<div class="highlight"><pre><code>gearpump-ui.gearpump.ui-security.authentication-enabled = true
</code></pre></div>
<p>Restart the UI dashboard, and then the UI authentication is enabled. It will prompt for user name and password.</p>
</li>
</ol>
<h2 id="how-to-add-or-remove-user">How to add or remove user?</h2>
<p>For the default authentication plugin, it has three categories of users: admins, users, and guests.</p>
<ul>
<li>admins: have unlimited permission, like shutdown a cluster, add/remove machines.</li>
<li>users: have limited permission to submit an application and etc..</li>
<li>guests: can not submit/kill applications, but can view the application status.</li>
</ul>
<p>System administrator can add or remove user by updating config file <code>conf/gear.conf</code>.</p>
<p>Suppose we want to add user jerry as an administrator, here are the steps:</p>
<ol>
<li>
<p>Pick a password, and generate the digest for this password. Suppose we use password <code>ilovegearpump</code>,
to generate the digest:</p>
<div class="highlight"><pre><code>bin/gear io.gearpump.security.PasswordUtil -password ilovegearpump
</code></pre></div>
<p>It will generate a digest value like this:</p>
<div class="highlight"><pre><code>CgGxGOxlU8ggNdOXejCeLxy+isrCv0TrS37HwA==
</code></pre></div>
</li>
<li>
<p>Change config file conf/gear.conf at path <code>gearpump-ui.gearpump.ui-security.config-file-based-authenticator.admins</code>,
add user <code>jerry</code> in this list:</p>
<div class="highlight"><pre><code>admins = {
## Default Admin. Username: admin, password: admin
## !!! Please replace this builtin account for production cluster for security reason. !!!
"admin" = "AeGxGOxlU8QENdOXejCeLxy+isrCv0TrS37HwA=="
"jerry" = "CgGxGOxlU8ggNdOXejCeLxy+isrCv0TrS37HwA=="
}
</code></pre></div>
</li>
<li>
<p>Restart the UI dashboard by <code>bin/services</code> to make the change effective.</p>
</li>
<li>
<p>Group &#8220;admins&#8221; have very unlimited permission, you may want to restrict the permission. In that case
you can modify <code>gearpump-ui.gearpump.ui-security.config-file-based-authenticator.users</code> or
<code>gearpump-ui.gearpump.ui-security.config-file-based-authenticator.guests</code>.</p>
</li>
<li>
<p>See description at <code>conf/gear.conf</code> to find more information.</p>
</li>
</ol>
<h2 id="what-is-the-default-user-and-password">What is the default user and password?</h2>
<p>Gearpump distribution is shipped with two default users:</p>
<ol>
<li>username: admin, password: admin</li>
<li>username: guest, password: guest</li>
</ol>
<p>User <code>admin:admin</code> has unlimited permissions, while guest can only view the application status. Guest account cannot
submit or kill the application by UI console.</p>
<p>For security reason, you need to remove the default user &#8220;admin&#8221; and &#8220;guest&#8221; for production cluster.</p>
<h2 id="is-this-secure">Is this secure?</h2>
<p>Firstly, we will NOT store any user password in any way so only the user himself knows the password.
We will use one-way sha1 digest to verify the user input password. As it is a one-way hashing,
so generally it is safe.</p>
<ol>
<li>
<p>Digest flow(from original password to digest):</p>
<div class="highlight"><pre><code>random salt byte array of length 8 -&gt; byte array of (salt + sha1(salt, password)) -&gt; base64Encode
</code></pre></div>
</li>
<li>
<p>Verification user input password with stored digest:</p>
<div class="highlight"><pre><code>base64Decode -&gt; extract salt -&gt; do sha1(salt, password) -&gt; generate digest: salt + sha1 -&gt;
compare the generated digest with the stored digest.
</code></pre></div>
</li>
</ol>
</div> <!-- /container -->
<script src="js/vendor/jquery-2.1.4.min.js"></script>
<script src="js/vendor/bootstrap-3.3.5.min.js"></script>
<script src="js/vendor/anchor-1.1.1.min.js"></script>
<script src="js/main.js"></script>
<!-- MathJax Section -->
<script type="text/x-mathjax-config">
MathJax.Hub.Config({
TeX: { equationNumbers: { autoNumber: "AMS" } }
});
</script>
<script>
// Note that we load MathJax this way to work with local file (file://), HTTP and HTTPS.
// We could use "//cdn.mathjax...", but that won't support "file://".
(function(d, script) {
script = d.createElement('script');
script.type = 'text/javascript';
script.async = true;
script.onload = function(){
MathJax.Hub.Config({
tex2jax: {
inlineMath: [ ["$", "$"], ["\\\\(","\\\\)"] ],
displayMath: [ ["$$","$$"], ["\\[", "\\]"] ],
processEscapes: true,
skipTags: ['script', 'noscript', 'style', 'textarea', 'pre']
}
});
};
script.src = ('https:' == document.location.protocol ? 'https://' : 'http://') +
'cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML';
d.getElementsByTagName('head')[0].appendChild(script);
}(document));
</script>
</body>
</html>