Local User Management
This topic explains how to configure users, user roles, and user access to the TIBCO Streaming Model Management Server (MMS). For external authenticator configuration, see Configuring OAuth 2.0.
User Authentication and Authorization
Permissions in MMS derive from users’ group memberships (roles) and from permission bindings applied to objects: spaces, sandboxes, projects, and artifacts. In this release, only space-level bindings are exposed for configuration; they are set in the artifact management server's configuration file. For more information, see the MMS Configuration Guide.
Every new sandbox or project automatically inherits bindings that grant full control to all groups of its creator. Hence, members of the same group can easily view and edit each other’s work.
Apple Text Editor Advisory when Editing Configuration Files
Ensure that all configuration file values requiring quotes use straight quotes ("…") and not smart quotes (“…”). Smart quotes are treated as data, not as delimiters that identify MMS usernames or passwords.
MMS configuration files use straight quotes to encapsulate values. Apple's TextEdit application is a rich text editor that uses smart quotes by default. If using TextEdit or any rich text editor, ensure that the editor is set to use straight quotes.
User Management
All user and group-related configuration is present in the artifact management server's configuration file, which is in a Kubernetes ConfigMap named artifact-management or in the following path of your local MMS installation:
<mms-env-directory>/configuration/
├── artifact-server.conf
└── passwords.txt
Defining Users & Groups
The passwords.txt file contains user credentials and group memberships. Each non-blank line follows the syntax:
username: "hashed-password",group1[,group2,...]
- Quoting: Password hashes must be quoted.
- Groups: At least one group is required. By default, every user is automatically a member of mms-all-users. Whenever you add a new group name here, that group is automatically created. If you introduce new groups for spaces or sandboxes, update their permission bindings in artifact-server.conf as well.
- Admin Users: To grant administrative rights, include the admin group (or whatever you have configured as adminGroup in artifact-server.conf).
Generating a Password Hash
Use the built-in launcher command to produce a properly formatted hash. For more information, see Password Management in MMS Launcher.
mms-launcher hash-password
Copy the resulting quoted hash into your passwords.txt entry.
Example Entries
//User with admin and custom group
alice: "qwertyUIOP1234567890==",admin,stooge
//User belonging to different groups, access grants for these groups can be controlled in space permissionBinding
bob: "AsDfGhJkL9876543210==",stooge,violinist
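A check for the passwords.txt rules described above (straight-quoted hash, at least one group, membership of the admin group), as an added example that is not part of the MMS documentation or product. The function name lint_passwords, the treatment of lines starting with // as comments, and the sample entries are assumptions made for illustration.

```python
import re

# Curly quotes that rich text editors substitute for straight quotes.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"
# Documented syntax: username: "hashed-password",group1[,group2,...]
ENTRY_RE = re.compile(
    r'^(?P<user>[^:\s]+):\s*"(?P<hash>[^"]+)"(?:\s*,(?P<groups>.*))?$')

def lint_passwords(text, admin_group="admin"):
    """Check the contents of a passwords.txt file.

    Returns (findings, admins): findings is a list of (line_number, message)
    for entries that break the documented syntax; admins lists the usernames
    that are members of admin_group (the adminGroup value in the server config).
    """
    findings, admins = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Assumption: blank lines and //-prefixed lines are not entries.
        if not line or line.startswith("//"):
            continue
        if any(q in line for q in SMART_QUOTES):
            findings.append((lineno, "smart quotes found; use straight quotes"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            findings.append((lineno, "hash is not straight-quoted or entry is malformed"))
            continue
        groups = [g.strip() for g in (m.group("groups") or "").split(",")]
        if not all(groups):
            findings.append((lineno, "at least one non-empty group is required"))
            continue
        if admin_group in groups:
            admins.append(m.group("user"))
    return findings, admins

# Constructed sample input; the hashes are placeholders, not real MMS hashes.
SAMPLE = '''//constructed sample
alice: "qwertyUIOP1234567890==",admin,stooge
bob: \u201cAsDfGhJkL9876543210==\u201d,stooge,violinist
carol: "PLACEHOLDERHASH=="
dave: PLACEHOLDERHASH==,stooge
'''

if __name__ == "__main__":
    found, admin_users = lint_passwords(SAMPLE)
    for lineno, msg in found:
        print(f"line {lineno}: {msg}")
    print("admin group members:", admin_users)
```

Reviewing the returned admin list after each edit to passwords.txt shows who holds administrative rights before the file reaches the ConfigMap or the configuration directory.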
MMS Server Configuration (artifact-server-mms.conf)
A sample MMS server configuration file is shown below:
# User Data File
security:
  auth:
    localRealm:
      # Ensure the ${PASSWORD_FILE} substitution points to your passwords.txt
      userDataFileURI: ${PASSWORD_FILE}
      # You may override the default admin password by passing --substitutions ADMIN_PASSWORD=yourSecret on the command line
      # or via the ADMIN_PASSWORD environment variable.
      adminPassword: ${ADMIN_PASSWORD:-admin}
      adminGroup: admin
# Configure space permissions
space:
  spaces:
    - name: sample space
      description: default sample space
      permissionBindings:
        stooge:
          - read
        violinist:
          - read
          - update
      repository:
        description: local git repo
        url: file:///local/mms/default/git-remote-repository/gitrepo/
    - name: another sample space
      description: another example sample space
      permissionBindings:
        violinist:
          - read
          - update
      repository:
        description: external git repo
        url: https://github.com/TIBCOSoftware/tibco-streaming-samples.git
        username: gituser
        password: ${GIT_PASSWORD:-gitpassword}
  repositoryRefreshIntervalSeconds: 300
registry:
  repositoryPollIntervalSeconds: 3600
Permissions Model for Spaces
Spaces in MMS behave like Git repositories. You can grant users either:
- read (“clone”/“pull” only)
- update (push commits)