At installation time, StreamPipes checks for available environment variables relevant to securing the system. If they are not set, it uses the default values.
The following variables are checked by the core at installation time:
In addition, all extensions services that perform requests to the core will need to have the following environment variables set:
Note that there are default values for all environment variables that are set at installation time - make sure to change these settings when moving to production!
Most security-related settings can be set in the configuration section of StreamPipes. The General section allows you to configure self-service registration and password recovery (both are disabled by default and require a valid email configuration). In the Security section, users, service accounts, roles and groups can be configured.
StreamPipes distinguishes between User Accounts (real users that interact with StreamPipes over the UI or an API) and Service Accounts (user-independent accounts which solely use StreamPipes over the API).
User accounts are typically used by extensions services that require API access to the core (e.g., to get a list of running pipelines).
StreamPipes v0.69.0 comes with more advanced mechanisms to manage permissions. For each major resource (pipeline elements, pipelines, StreamPipes Connect adapters, dashboards, data explorer views), permissions can be assigned individually to users and groups.
To ease permission handling, StreamPipes comes with a default set of roles with pre-assigned privileges:
Roles can be assigned either to specific users or to groups. Any group can contain several members. The permissions of a user are the union of the permissions of all roles assigned to the user and the groups to which the user belongs.
Any resource has a resource owner, which is the authority that created the resource. Resources can be either public or private. Public resources are available to all users, while the user role determines what the user can do with the resource. E.g., a public pipeline created by a user of role ROLE_ADMIN can be edited by all users with role PIPELINE_ADMIN, while the same pipeline can be read by all users with role PIPELINE_USER.
Currently, permissions can only be changed by admin users. In the overview section of each resource (e.g., pipelines and dashboards), a permission dialog is available to users with role ROLE_ADMIN. The dialog allows users and groups to be assigned to the individual resource.
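The union rule and the public-pipeline case described above can be checked with a small audit model. This is an added example, not StreamPipes code: the privilege strings, the class and function names, the sample users and group, and the rule that a private resource is reachable only by its owner and by assigned users or groups are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed mapping: the role names come from the page, the privilege strings are constructed.
ROLE_PRIVILEGES = {
    "ROLE_ADMIN": {"pipeline:read", "pipeline:write"},
    "PIPELINE_ADMIN": {"pipeline:read", "pipeline:write"},
    "PIPELINE_USER": {"pipeline:read"},
}

@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)

@dataclass
class Resource:
    owner: str
    public: bool
    granted_users: set = field(default_factory=set)
    granted_groups: set = field(default_factory=set)

def effective_roles(user, group_roles):
    """Union of the user's own roles and the roles of every group the user belongs to."""
    roles = set(user.roles)
    for group in user.groups:
        roles |= group_roles.get(group, set())
    return roles

def can(user, privilege, resource, group_roles):
    # Assumption: private resources are reachable by the owner and by assigned users/groups only.
    reachable = (resource.public or resource.owner == user.name
                 or user.name in resource.granted_users
                 or bool(user.groups & resource.granted_groups))
    privileges = set().union(*(ROLE_PRIVILEGES.get(r, set())
                               for r in effective_roles(user, group_roles)))
    return reachable and privilege in privileges

def audit(users, privilege, resource, group_roles):
    return sorted(u.name for u in users if can(u, privilege, resource, group_roles))

# Constructed sample data.
GROUP_ROLES = {"ops": {"PIPELINE_ADMIN"}}
USERS = [Principal("alice", {"ROLE_ADMIN"}),
         Principal("bob", {"PIPELINE_USER"}, {"ops"}),
         Principal("carol", {"PIPELINE_USER"})]
PUBLIC_PIPELINE = Resource(owner="alice", public=True)
PRIVATE_PIPELINE = Resource(owner="alice", public=False, granted_users={"carol"})
```

Running `audit(USERS, "pipeline:write", PUBLIC_PIPELINE, GROUP_ROLES)` lists bob as an editor even though his own role is only PIPELINE_USER, because his group carries PIPELINE_ADMIN; group membership is worth reviewing alongside direct role assignments.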