Client Authentication and Authorization
Administrators can secure the messaging infrastructure by setting permissions at the eFTL channel level.
Authentication
To enable authentication for an eFTL cluster, enable the Authentication checkbox in the eFTL Clusters Grid. See the eFTL Clusters Grid.
TIBCO eFTL services support JAAS login modules through the TIBCO FTL server. See JAAS Login Modules in the TIBCO FTL® Administration.
The eFTL service may share the same authentication service as FTL server. In this case, no additional configuration is required.
The eFTL service may also use a different authentication service than the FTL server. Configure the parameters eftl.auth.* as needed in the FTL server configuration file. See the TIBCO FTL® Administration guide, eFTL Service Configuration Parameters. Also see the Third-Party Authentication section which follows.
For secure eFTL client connections, you can use an external third-party web authentication service. The channel name is included in the authentication request. With this form of authentication, the client supplies its username and password to the eFTL server, and the eFTL server sends an HTTP authentication request to the external service. eFTL trusts the result returned by the service and verifies that the username exists before allowing the connection.
To configure the eFTL server for third-party authentication, set the eftl.auth.* parameters in the FTL YAML configuration file, and enable authentication for each eFTL channel that requires it through the FTL Server GUI. For example:
globals:
  core.servers:
    ftlserver: localhost:8585
services:
  eftl:
    eftl.auth.url:
    eftl.auth.trust.file:
    eftl.auth.user:
    eftl.auth.password:
servers:
  ftlserver:
    realm:
    eftl:
where:
- eftl.auth.url: the URL of the user-implemented authentication service
- eftl.auth.trust.file: an optional trust file required by the eFTL server to authenticate the authentication service
- eftl.auth.user: an optional username required by the authentication service to verify the eFTL server
- eftl.auth.password: an optional password required by the authentication service to verify the eFTL server
When an eFTL client connects, the eFTL server sends the following HTTP POST request to the configured authentication service:
{
  "meta": {
    "realm": "tibeftlserver",
    "host": "localhost:8585",
    "channel": "channel",
    "address": "127.0.0.1",
    "client_id": "sample-client-id"
  },
  "username": "user",
  "password": "cGFzc3dvcmQ="
}
where:
- realm: must be tibeftlserver
- host: the host to which the eFTL client is connecting
- channel: the eFTL channel to which the eFTL client is connecting
- address: the remote address of the eFTL client
- client_id: the eFTL client's client identifier
- username: the eFTL client's username
- password: the eFTL client's password, base64 encoded
The user-implemented authentication service is then expected to respond to the HTTP request with the following:
{ "authenticated": true, "roles": ["pub", "sub"] }
where:
- authenticated: the boolean true or false
- roles: an optional array of strings that can be used to authorize the eFTL client for publishing, subscribing, etc., based upon the eFTL channel's group settings.
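A minimal user-implemented authentication service for the request and response exchange described above, written here as an added example and not TIBCO's code. The user store, salt and listen address are constructed for illustration; the service checks the realm, decodes the base64 password, compares a PBKDF2 hash in constant time, and answers with the authenticated flag and roles that eFTL expects.

```python
import base64
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample user store (username -> salt, PBKDF2 hash, roles);
# a real service would back this with a directory or database.
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {
    "user": (_SALT, _derive("password", _SALT), ["pub", "sub"]),
    "reader": (_SALT, _derive("readonly", _SALT), ["sub"]),
}

def handle_auth_request(body: str) -> dict:
    """Evaluate one eFTL authentication POST body and build the JSON reply."""
    denied = {"authenticated": False}
    try:
        req = json.loads(body)
        if req["meta"].get("realm") != "tibeftlserver":  # only serve eFTL servers
            return denied
        username = req["username"]
        # The eFTL server sends the password base64 encoded (not encrypted).
        password = base64.b64decode(req["password"], validate=True).decode("utf-8")
    except (ValueError, KeyError, TypeError, AttributeError, UnicodeDecodeError):
        return denied
    entry = USERS.get(username)
    if entry is None:
        return denied
    salt, expected, roles = entry
    # Constant-time comparison of the derived hash avoids a timing side channel.
    if not hmac.compare_digest(_derive(password, salt), expected):
        return denied
    return {"authenticated": True, "roles": list(roles)}

class AuthHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        reply = json.dumps(handle_auth_request(self.rfile.read(length).decode("utf-8")))
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(reply.encode("utf-8"))

if __name__ == "__main__":
    # Constructed listen address; point eftl.auth.url at http://localhost:8080/.
    HTTPServer(("localhost", 8080), AuthHandler).serve_forever()
```

Because the password travels only base64 encoded, the eftl.auth.url endpoint should be served over HTTPS, with eftl.auth.trust.file pointing at its CA.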
Authorization
There are two methods to configure authorization for an eFTL channel:
- Preferred method:
  - Enable Permissions for the FTL realm on the Realm Properties Details Panel. See the TIBCO FTL® Administration Guide, Realm Properties Details Panel.
  - Assign permissions on the Users Grid and Roles Grids. See the TIBCO FTL® Administration Guide, Configuring Permissions. Select eFTL Channel as the resource type when assigning permissions.
- Legacy method (compatibility with releases prior to 6.8.0): Set the Publish Group and Subscribe Group on the eFTL Channel Details Panel. Once authentication is enabled, set up these authorization groups:
  - Publish Group: Only eFTL clients with a role in this group can publish.
  - Subscribe Group: Only eFTL clients with a role in this group can subscribe.
Authorization via Channel Authorization Groups (Legacy Method)
When permissions are disabled in the FTL realm, by default all users have all permissions for all channels. To restrict permissions, set the Publish Group and Subscribe Group fields in the eFTL channel configuration.
To assign authorization groups to a channel, see the Authorization section in Channel Details Panel.
See Enforcing Permissions.
Authorization via FTL Realm Permissions (Preferred Method)
When permissions are enabled in the FTL realm, by default users have no permissions on any channel. Permissions must be explicitly granted to users or roles via the users and roles grids. The Publish Group and Subscribe Group fields in the eFTL channel configuration are ignored.
Permissions associated with a username or role at any channel may be removed at any time. Removing permissions does not require a restart of any eFTL components.
Permission revocation is not enforced synchronously. At some later time eFTL will enforce the new restrictions.
Even when the new restrictions are applied, a subscriber whose subscribe permission was revoked may receive up to max_pending_acks number of messages.
Adding permissions to a username or role does not require a restart of any eFTL components.