< Previous		Next >

Administration

Contents

Overview

Overview

The Spotfire Streaming Administration is a web-based application that offers secure cluster management and configuration convenience from one location, including:

Dynamic service discovery.
Hierarchical views of clusters, with the option to drill down to the specified managed entity.
Node lifecycle management, including node install/stop/start/removal.
Application lifecycle management.
Logging management.
Security management.

You log into the Streaming Administration Interface from a running node via Studio or the epadmin command line.

Security monitoring and administration is done from the node Security tab. The following commands are accessed from the Security tab.

Add — add a new principal in the node's Local authentication source. See epadmin add user.
Export — export the node's local authentication realm's user configuration. See epadmin export configuration.
Remove — remove a user definition from the node's local authentication realm. See epadmin remove user.
Reset — change a password in the node's local authentication realm. See epadmin-password(1).
Update — update a user definition, other than password, in the node's local authentication realm. See epadmin update user.

Figure old-and-gone shows the security information displayed from the Security tab.

This screen consists of these sections:

Principals — all principals defined in the local authentication realm for this node.
Authentication Sources — all realms being used by this node.
Trusted Hosts — the trusted hosts used by this node.

The Principals section shows this information for each principal defined in the node's local authentication source:

Realm Name — realm in which user is defined.
User Name — principal name.
Password Expiration (Days) — the password expiration time in days. A value of zero indicates that the password does not expire.
Account Locked — true if the user account is locked, false if the account can still be accessed.
Lock Reason — reason account is locked.
Time Remaining Before Auto-Unlock (minutes) — time remaining before a locked user is automatically unlocked, or disabled, if auto-unlock is disabled.
Failed Login Lockout Threshold — enabled if failed login lockout is enabled, disabled if lockout is disabled.
Failed Login Lockout Duration (minutes) — failed login attempt lockout duration in minutes.
Roles — roles granted to this principal.
Authentication via Secure Communication Allowed — is a password required when connecting over a secure communication channel?
Password Always Required — is a password required even when connecting from a trusted host?
Trusted Host Membership Required of Client — is user only allowed to connect from a trusted host?

Principals

This information can also be displayed using:

epadmin --servicename=<node-service-name> display user

The Authentication Sources section shows this information for each configured authentication realm:

Realm Name — Authentication realm name.
Realm Type — Authentication realm type description.
Referenced By — List of entities using this realm.

Authentication Sources

This information can also be displayed using:

epadmin --servicename=<node-service-name> display realm

The Trusted Hosts section shows this information for each trusted host:

Network Address — IP address for a trusted host.
Host Name — the host name for a trusted host. This field may be empty if a trusted network address cannot be resolved to a host name using a reverse Domain Name Service (DNS) lookup.
Source — the source of the trusted host. This field may contain one of:
- default — this host was discovered using the local machine's network interfaces (see Trusted Hosts), for example ::1.
- configured — this trusted host was an explicitly configured IPv4, IPv6, or FQDN network address (see Trusted Hosts), for example myhost.acme.com.
- a PQDN — this host is trusted because of a configured PQDN. The network address was resolved to a FQDN using a reverse DNS lookup and then matched to a PQDN, for example *.acme.com.
- a CIDR block — this host is trusted because of a configured CIDR block. The network address is within the configured CIDR block, for example 192.168.2.0/24.

Trusted Hosts

This information can also be displayed using:

epadmin --servicename=<node-service-name> display trusted

Add User

Users are added to a node's local authentication realm using the Add Principal dialog accessed from the Add button.

The fields in the Add Principal dialog are:

User Name — A unique name for this user.
Password — Initial password for this user.
Confirm Password — Password confirmation.
Roles — A space separated list of roles to assign to this user.
Password Expiration (Days) — Password expiration in days. A value of zero indicates that the password does not expire.
Locked — Locked account setting.

Clicking on the Submit button will add the new user to the node after validating that the password values match.

Add User

Added users are never removed unless explicitly removed as described in epadmin remove user.

Users can also be added using:

epadmin --servicename=<node-service-name> add user \
   --username=admin --password=supersecret --roles=administrator

Backing Up a Local Authentication Realm

All principals defined in a local authentication realm on a node can be backed up using the Export Users dialog. This dialog is accessed from the Export button. The realm backup can be reloaded on a node using the restore realm administration command (see epadmin remove user).

The fields in the Export Users dialog are:

Name — Local authentication realm to backup.
File — Backup to this file.

When the Submit button is clicked, the realm is backed up to the specified file. No sensitive information, such as passwords is visible in the exported file.

Local authentication realms can also be backed up using this command:

epadmin --servicename=<node-service-name> backup realm --name=default-realm > default-realm.backup

Local authentication realms can be restored using this command:

epadmin --servicename=<node-service-name> restore realm --name=default-realm \
    --file=/opt/backups/default-realm.backup

Change a Password

Passwords are changed in a local authentication realm using the Reset Password dialog accessed from the Reset button.

The fields in the Reset Password dialog are:

User Name — User name of password being changed. This field is read-only. It is set to the user selected in the Principals table.
Password — New password.
Confirm Password — Confirm password.

When the Submit button is clicked the password has been changed.

Passwords can also be changed using this command:

epadmin --servicename=<node-service-name> change password --realm=default-realm --username=admin

Remove a User

Users defined in a local authentication realm are removed from a node by selecting a principal in the Principals table and clicking on the Remove button.

When the Submit button is clicked the user has been removed.

Principals can also be removed using this command:

epadmin --servicename=<node-service-name> remove user --realm=default-realm --username=admin

Update a User

User defined in a local authentication realm are updated using the Update Principal dialog accessed from the Update button.

The fields in the Update Principal dialog are:

User Name — User name being updated. This field is read-only. It is set to the user selected in the Principals table.
Roles — A space separated list of roles for this principal.
Password Expiration (Days) — Password expiration in days. A value of zero indicates that the password does not expire.
Locked — Optionally lock the user account.

The fields contain the current values for the user when the dialog is initially displayed. When the Submit button is clicked any changed values are updated for the user.

Users can also be updated using this command:

epadmin --servicename=<node-service-name> update user \
    --username=admin --roles=administrator

Changing Node Administration Authentication Realm

The authentication realm associated with node administration is set by default to a local authentication realm when a node is installed (see Default Security). The default node administration authentication realm cannot be changed using configuration. For example the following fails:

//
//    New configuration using an
//    authentication realm name of default-realm
//    (the default authentication realm name)
//
name = "my-local-authentication-realm"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration =
{
    LocalAuthenticationRealm =
    {
        name = "default-realm"
        requirePassword = false
        initialPrincipals =
        [
            {
                userName = "guest"
                password = ""
                roles =
                [
                      "administrator"
                ]
            }
        ]
    }
}

//
//    Load configuration 
//
epadmin --servicename=A.X load configuration --source=realm.conf 
[A.X] type = com.tibco.ep.dtm.configuration.security
[A.X] name = my-local-authentication-realm
[A.X] version = 1.0.0

//
//   Activation fails because default local authentication realm
//   cannot be changed
//
epadmin --servicename=A.X activate configuration \
    --type=com.tibco.ep.dtm.configuration.security \
    --name=my-local-authentication-realm --version=1.0.0

[A.X] Audit failed: TIBCO-EP-DTM-00277: configuration (my-local-authentication-realm, 
com.tibco.ep.dtm.configuration.security, 1.0.0) contains an authentication realm with 
name "default-realm", which already exists in 
(default-realm-config, com.tibco.ep.dtm.configuration.security, 1.0.0)

However, it is possible to change the authentication realm associated with node administration to either a different local authentication realm or an LDAP authentication realm. Here are the required steps to change the node administration realm:

Load and activate a local (see Configuration of Local Authentication Realm) or LDAP (see Configuration of LDAP Authentication Realm) realm configuration using the configuration administration target (see epadmin-configuration(1)), or as default configuration deployed with an application (see Overriding Default Configuration).
Use the setadmin realm administration command to change to the new realm (see epadmin setadmin realm).

This example defines a single administration user named admin in a new local authentication realm and then updates node administration to use this new realm.

name = "my-local-authentication-realm"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration =
{
    LocalAuthenticationRealm =
    {
        name = "my-local-authentication-realm"
        requirePassword = false
        initialPrincipals =
        [
            {
                userName = "admin"
                password = "admin"
                roles =
                [
                      "administrator"
                ]
            }
        ]
    }
}

//
//    Display the current node administration realm
//    This command is using the operating system
//    user that installed the node so no
//    user name or password is required from a trusted host
//
epadmin --servicename=A.X getadmin realm
[A.X] Realm Name = default-realm

//
//    Load the realm configuration
//
epadmin --servicename=A.X load configuration --source=realm.conf 
[A.X] type = com.tibco.ep.dtm.configuration.security
[A.X] name = my-local-authentication-realm
[A.X] version = 1.0.0

//
//    Activate the new realm configuration
//
epadmin --servicename=A.X activate configuration --type=com.tibco.ep.dtm.configuration.security \
    --name=my-local-authentication-realm --version=1.0.0

//
//   Set node administration to use this realm
//
epadmin --servicename=A.X setadmin realm --name=my-local-authentication-realm \
    --newrealmuser=admin --newrealmpassword=admin

//
//    Display the updated node administration realm
//    The new administrator user name and password must be 
//    specified since admin is not the operating system user
//    that installed the node.
//
epadmin --servicename=A.X --username=admin --password=admin getadmin realm
[A.X] Realm Name = my-local-authentication-realm

When changing the node administration realm the new realm must have at least one user defined with the administrator role to ensure that the node can be managed in the new realm. This is verified by the setadmin realm command by requiring the username and password of an administration user in the new realm.

Attempting to remove the last administration user in a local authentication realm is also prevented to ensure that a node can always by administered.

epadmin --servicename=A.X --username=admin --password=admin remove user \
    --realm=my-local-authentication-realm --username=admin
[A.X] Error: TIBCO-EP-DTM-00481: "admin" is the last remaining user in the realm and cannot be removed.

Warning

There is no audit preventing the last administration user from being removed when using an LDAP authentication realm. If the last administration user is removed from the LDAP server, the node can no longer be accessed for management and must be forcefully removed using operating system facilities.

Reset Node Authentication

There are cases where administrators can unintentionally lock out all node administration users. Examples are:

Remove the last user with administration privileges.
Password expires for administration user.
Explicitly lock the administration user's account.
Switch to a realm that has no administration users defined.
etc.

There are two choices at this point:

Remove the node directory and processes using operating system specific mechanisms. This causes an application outage and loss of any data stored on the node.
Use the reset authentication command to restore the default authentication set up when a node was installed (see Default Security Configuration).

To reset node authentication, the reset authentication command is executed on the same machine on which the node is installed. Operating system write access privileges to the node installation directory must be available to the user running the command.

epadmin reset authentication --installpath=A.X

See epadmin-authentication(1) for more details.

Audit Log

Every administrative command is recorded in an audit log (see Logging). For each command executed the audit log reports on:

the command and target executed.
the principal that executed the command.
whether the command succeeded or failed.
the failure cause, if the command failed.