| <!DOCTYPE html> |
| <!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]--> |
| <!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]--> |
| <!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]--> |
| <!--[if gt IE 8]><!--> <html class="no-js"> <!--<![endif]--> |
| <head> |
| <meta charset="utf-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> |
| <meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1"/> |
| <title>UI Dashboard Authentication and Authorization - Gearpump 0.7.4 Documentation</title> |
| |
| |
| |
| |
| <link rel="stylesheet" href="css/bootstrap-3.3.5.min.css"> |
| <style> |
| body { |
| padding-top: 60px; |
| padding-bottom: 40px; |
| } |
| </style> |
| <link rel="stylesheet" href="css/main.css"> |
| <link rel="stylesheet" href="css/pygments-default.css"> |
| <script src="js/vendor/modernizr-2.6.1-respond-1.1.0.min.js"></script> |
| </head> |
| <body> |
| <!--[if lt IE 7]> |
| <p class="chromeframe">You are using an outdated browser. <a href="http://browsehappy.com/">Upgrade your browser today</a> or <a href="http://www.google.com/chromeframe/?redirect=true">install Google Chrome Frame</a> to better experience this site.</p> |
| <![endif]--> |
| |
| <div class="navbar navbar-inverse navbar-fixed-top" id="topbar"> |
| <div class="container"> |
| <div class="navbar-header"> |
| <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar"> |
| <span class="sr-only">Toggle navigation</span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| </button> |
| <a class="navbar-brand" href="http://gearpump.io">Gearpump |
| <span class="label label-primary" style="font-size: .6em">0.7.4</span> |
| </a> |
| </div> |
| <div id="navbar" class="collapse navbar-collapse"> |
| <ul class="nav navbar-nav"> |
| <li><a href="index.html">Overview</a></li> |
| |
| <li class="dropdown"> |
| <a href="#" class="dropdown-toggle" data-toggle="dropdown">Introduction<b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| <li><a href="submit-your-1st-application.html">Submit Your 1st Application</a></li> |
| <li><a href="commandline.html">Client Command Line</a></li> |
| <li class="divider"></li> |
| <li><a href="basic-concepts.html">Basic Concepts</a></li> |
| <li><a href="features.html">Technical Highlights</a></li> |
| <li><a href="message-delivery.html">Reliable Message Delivery</a></li> |
| <li><a href="performance-report.html">Performance</a></li> |
| <li><a href="gearpump-internals.html">Gearpump Internals</a></li> |
| </ul> |
| </li> |
| |
| <li class="dropdown"> |
| <a href="#" class="dropdown-toggle" data-toggle="dropdown">Deploying<b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| <li class="dropdown-header">Deployment</li> |
| <li><a href="deployment-local.html">Local Mode</a><li> |
| <li><a href="deployment-standalone.html">Standalone Mode</a></li> |
| <li><a href="deployment-yarn.html">YARN Mode</a></li> |
| <li><a href="deployment-docker.html">Docker Mode</a><li> |
| <li class="divider"></li> |
| <li><a href="deployment-ui-authentication.html">UI Authentication</a></li> |
| <li><a href="deployment-ha.html">High Availability</a></li> |
| <li><a href="deployment-msg-delivery.html">Reliable Message Delivery</a></li> |
| <li><a href="deployment-configuration.html">Configuration</a></li> |
| <li class="divider"></li> |
| <li><a href="deployment-security.html">YARN Security Guide</a></li> |
| </ul> |
| </li> |
| |
| <li class="dropdown"> |
| <a href="#" class="dropdown-toggle" data-toggle="dropdown">Programming Guide<b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| <li><a href="dev-write-1st-app.html">Write Your 1st App</a></li> |
| <li><a href="dev-custom-serializer.html">Customized Message Passing</a></li> |
| <li class="divider"></li> |
| <li><a href="api/scala/index.html">Scala API</a></li> |
| <li><a href="api/java/index.html">Java API</a></li> |
| <li><a href="dev-rest-api.html">RESTful API</a></li> |
| <li class="divider"></li> |
| <li><a href="dev-connectors.html">Gearpump Connectors</a></li> |
| <li class="divider"></li> |
| <li><a href="dev-storm.html">Storm Compatibility</a></li> |
| <!-- |
| <li><a href="dev-samoa.html">Samoa Compatibility</a></li> |
| <li class="divider"></li> |
| <li><a href="dev-iot.html">Gearpump with IoT</a></li> |
| --> |
| </ul> |
| </li> |
| |
| <li class="dropdown"> |
| <a href="#" class="dropdown-toggle" data-toggle="dropdown">More<b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| <li><a href="how-to-contribute.html">How to Contribute</a></li> |
| <li><a href="coding-style.html">Coding Style</a></li> |
| <li class="divider"></li> |
| <li><a href="faq.html">FAQ</a><li> |
| <li><a href="about.html">About</a></li> |
| </ul> |
| </li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| |
| <div class="container" id="content"> |
| |
| <h1 class="title">UI Dashboard Authentication and Authorization</h1> |
| |
| |
| <h2 id="how-to-enable-ui-authentication">How to enable UI authentication?</h2> |
| |
| <ol> |
| <li> |
| <p>Change config file <code>gear.conf</code>, find entry <code>gearpump.security.ui-authentication-enabled</code>, and set it to true</p> |
| |
| <div class="highlight"><pre><code>gearpump.security.ui-authentication-enabled = true |
| </code></pre></div> |
| |
| <p>Restart the UI dashboard, and then the UI authentication is enabled. It will prompt for user name and password.</p> |
| </li> |
| </ol> |
| |
| <h2 id="how-to-add-or-remove-user">How to add or remove user?</h2> |
| |
| <p>For the default authentication plugin, it has three categories of users: admins, users, and guests.</p> |
| |
| <ul> |
| <li>admins: have unlimited permission, like shutdown a cluster, add/remove machines.</li> |
| <li>users: have limited permission to submit an application and etc..</li> |
| <li>guests: can not submit/kill applications, but can view the application status.</li> |
| </ul> |
| |
| <p>System administrator can add or remove user by updating config file <code>conf/gear.conf</code>.</p> |
| |
| <p>Suppose we want to add user jerry as an administrator, here are the steps:</p> |
| |
| <ol> |
| <li> |
| <p>Pick a password, and generate the digest for this password. Suppose we use password <code>ilovegearpump</code>, |
| to generate the digest:</p> |
| |
| <div class="highlight"><pre><code>bin/gear io.gearpump.security.PasswordUtil -password ilovegearpump |
| </code></pre></div> |
| |
| <p>It will generate a digest value like this:</p> |
| |
| <div class="highlight"><pre><code>CgGxGOxlU8ggNdOXejCeLxy+isrCv0TrS37HwA== |
| </code></pre></div> |
| </li> |
| <li> |
| <p>Change config file <code>conf/gear.conf</code> at path <code>gearpump.security.config-file-based-authenticator.admins</code>, |
| add user <code>jerry</code> in this list:</p> |
| |
| <div class="highlight"><pre><code>admins = { |
| ## Default Admin. Username: admin, password: admin |
| ## !!! Please replace this builtin account for production cluster for security reason. !!! |
| "admin" = "AeGxGOxlU8QENdOXejCeLxy+isrCv0TrS37HwA==" |
| "jerry" = "CgGxGOxlU8ggNdOXejCeLxy+isrCv0TrS37HwA==" |
| } |
| </code></pre></div> |
| </li> |
| <li> |
| <p>Restart the UI dashboard by <code>bin/services</code> to make the change effective.</p> |
| </li> |
| <li> |
| <p>Group “admins” have unlimited permission, so you may want to restrict the permission. In that case |
| you can modify <code>gearpump.security.config-file-based-authenticator.users</code> or |
| <code>gearpump.security.config-file-based-authenticator.guests</code>.</p> |
| </li> |
| <li> |
| <p>See description at <code>conf/gear.conf</code> to find more information.</p> |
| </li> |
| </ol> |
| |
| <h2 id="what-is-the-default-user-and-password">What is the default user and password?</h2> |
| |
| <p>Gearpump distribution is shipped with two default users:</p> |
| |
| <ol> |
| <li>username: admin, password: admin</li> |
| <li>username: guest, password: guest</li> |
| </ol> |
| |
| <p>User <code>admin:admin</code> has unlimited permissions, while guest can only view the application status. Guest account cannot |
| submit or kill the application by UI console.</p> |
| |
| <p>For security reason, you need to remove the default user “admin” and “guest” for production cluster.</p> |
| |
| <h2 id="is-this-secure">Is this secure?</h2> |
| |
| <p>Firstly, we will NOT store any user password in any way so only the user himself knows the password. |
| We will use one-way sha1 digest to verify the user input password. As it is a one-way hashing, |
| so generally it is safe.</p> |
| |
| <ol> |
| <li> |
| <p>Digest flow(from original password to digest):</p> |
| |
| <div class="highlight"><pre><code>random salt byte array of length 8 -> byte array of (salt + sha1(salt, password)) -> base64Encode |
| </code></pre></div> |
| </li> |
| <li> |
| <p>Verification user input password with stored digest:</p> |
| |
| <div class="highlight"><pre><code>base64Decode -> extract salt -> do sha1(salt, password) -> generate digest: salt + sha1 -> |
| compare the generated digest with the stored digest. |
| </code></pre></div> |
| </li> |
| </ol> |
| |
| |
| </div> <!-- /container --> |
| |
| <script src="js/vendor/jquery-2.1.4.min.js"></script> |
| <script src="js/vendor/bootstrap-3.3.5.min.js"></script> |
| <script src="js/vendor/anchor-1.1.1.min.js"></script> |
| <script src="js/main.js"></script> |
| |
| <!-- MathJax Section --> |
| <script type="text/x-mathjax-config"> |
| MathJax.Hub.Config({ |
| TeX: { equationNumbers: { autoNumber: "AMS" } } |
| }); |
| </script> |
| <script> |
| // Note that we load MathJax this way to work with local file (file://), HTTP and HTTPS. |
| // We could use "//cdn.mathjax...", but that won't support "file://". |
| (function(d, script) { |
| script = d.createElement('script'); |
| script.type = 'text/javascript'; |
| script.async = true; |
| script.onload = function(){ |
| MathJax.Hub.Config({ |
| tex2jax: { |
| inlineMath: [ ["$", "$"], ["\\\\(","\\\\)"] ], |
| displayMath: [ ["$$","$$"], ["\\[", "\\]"] ], |
| processEscapes: true, |
| skipTags: ['script', 'noscript', 'style', 'textarea', 'pre'] |
| } |
| }); |
| }; |
| script.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + |
| 'cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML'; |
| d.getElementsByTagName('head')[0].appendChild(script); |
| }(document)); |
| </script> |
| </body> |
| </html> |