To protect your StreamBase environment from unintended use, you can enable simple authentication directly in StreamBase by defining parameters in the deployed server configuration file, and by associating users with three types of StreamBase roles. When this type of authentication is enabled, each user must provide valid username and password credentials when they enter StreamBase commands or connect with custom-written StreamBase clients.
By default, StreamBase authentication is disabled. This topic explains how to change the authentication settings.
Notes
- The authentication credentials that you define for use with StreamBase have no connection with system-level accounts: they are independent of each other. While you could use the same user-name and password combinations for StreamBase and a system-level account, it is not necessary. The important point is that the sbuseradmin command described in this topic does not interact with your operating system's accounts.
- StreamBase authentication is not encrypted. To configure encrypted authentication using external X.509 certificates and LDAP, see Using the Proxy Server.
Enabling StreamBase Server authentication involves the following steps:
StreamBase authentication involves assigning users to any of three roles. For each role, users are authorized to run specific commands:
StreamBase Authorization: Roles and Commands
Role | Commands Authorized |
---|---|
SBUser | sbc |
SBDeveloper | sbc |
SBAdmin | sbc, sbadmin |
Note
In previous releases, the SBUser role was authorized to run sbc, while the SBDeveloper role was authorized to run both sbc and sbdb. However, the sbdb command was removed in release 6.3. The SBDeveloper role still exists, but no longer provides a privilege level different from the SBUser role.
A user can be assigned more than one StreamBase user role.
If authentication is disabled (the default), these roles need not be defined.
You can change authentication parameters for the StreamBase Server instance that will host your application by editing the server configuration file for that instance. Generate a default configuration file in Studio or on the command line as described in Creating New Server Configuration Files, and then edit the file as described in this section. The standard name for a server configuration file is sbd.sbconf. For details on the XML grammar of server configuration files, see StreamBase Server Configuration File XML Reference.
In the configuration file, look for the <authentication> section, much like the following example:
<authentication>
  <!-- Should the sbd require clients to authenticate themselves?
       Disabled by default -->
  <param name="enabled" value="false"/>
  <!-- Authentication parameters. Currently the only authentication
       type is sb-password-file. -->
  <param name="type" value="sb-password-file"/>
  <param name="filepath" value="${STREAMBASE_HOME}/etc/sbpasswd"/>
</authentication>
Authentication is disabled by default. To enable it, change the value of the enabled parameter to true.
The StreamBase authentication user name and password are used only for StreamBase client-to-server authentication, and are not shared with any other authentication system. For example, the StreamBase user name and password do not reuse your Windows domain user name, or your LDAP or NIS user name. You define separate and independent user names and passwords for use only with StreamBase authentication.
StreamBase user names and passwords are stored in a file named sbpasswd, which is installed by default in:
STREAMBASE_HOME/etc/sbpasswd
For example, on UNIX, the default location is:
/opt/tibco/sb-cep/n.m/etc/sbpasswd
To add, update, or delete users, run the sbuseradmin command.
The syntax for adding a user is:
sbuseradmin -a -n user-name -p password -r user-role
If you omit the -p option, the command prompts for a password:
sbuseradmin -a -n user-name -r user-role
Password:
The password prompt is not repeated, so be sure to type the password carefully. To correct a mistyped password (evidenced by failures to connect to the server with the password you expect to work), remove and re-add the StreamBase user name.
On Windows, the sbpasswd file in STREAMBASE_HOME\etc can be accessed only by members of the Administrators group.
On UNIX, the sbpasswd file is installed with root as owner. If the sbpasswd file protection remains unchanged, you must have root access to run the sbuseradmin command. If you do not have root access, an error is returned when you attempt to run sbuseradmin. The following shows a successful sbuseradmin command:
sbuseradmin -a -n sbmichael -p secr3t1ve -r SBDeveloper
Added user sbmichael
For the user-role parameter, provide one user role, or a comma-separated list of roles, from the user role keywords shown in Defining Roles.
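An added example, not part of the StreamBase documentation or tooling: a Python check that reads the <authentication> section of a server configuration file and inspects the password file it points to. The root element in the sample, the function names, and the policy of flagging any group or other permission bits are assumptions of this example.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample. The <authentication> section is the one shown above;
# the enclosing root element name is an assumption made for this sample.
SAMPLE_CONF = """<streambase-configuration>
  <authentication>
    <param name="enabled" value="false"/>
    <param name="type" value="sb-password-file"/>
    <param name="filepath" value="${STREAMBASE_HOME}/etc/sbpasswd"/>
  </authentication>
</streambase-configuration>"""


def auth_params(conf_xml):
    """Return the name/value pairs of the <authentication> section."""
    section = ET.fromstring(conf_xml).find(".//authentication")
    if section is None:
        return {}
    return {p.get("name"): p.get("value") for p in section.findall("param")}


def audit_auth(conf_xml, streambase_home):
    """Return a list of findings; an empty list means nothing was flagged."""
    params = auth_params(conf_xml)
    findings = []
    # A missing "enabled" parameter is treated as the documented default.
    if (params.get("enabled") or "false").strip().lower() != "true":
        findings.append("authentication disabled")
    path = params.get("filepath")
    if not path:
        return findings + ["no password file configured"]
    path = path.replace("${STREAMBASE_HOME}", streambase_home)
    try:
        st = os.stat(path)
    except OSError:
        return findings + ["password file missing: " + path]
    # POSIX checks only: the page states root ownership for UNIX installs.
    if st.st_uid != 0:
        findings.append("password file not owned by root")
    # Assumed policy of this example: no access for group or others.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("password file accessible to group or others")
    return findings
```

Call audit_auth with the text of sbd.sbconf and the value of STREAMBASE_HOME for the server instance being checked.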
Specify StreamBase user names and passwords as part of the StreamBase URI you pass with the -u option when using the sbc and sbadmin commands, or when connecting with custom-written client code. (You can also specify the user name and password as part of the default StreamBase URI in the environment variable STREAMBASE_SERVER, but this places the password in clear text in the environment.)
To specify a StreamBase user name and password, append ;user=username;password=password to the StreamBase URI you pass to the server. An example URI is:
sb://localhost:10000/;user=sbmichael;password=secr3t1ve
See sburi for details on the format of the StreamBase URI.
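An added example, not part of the StreamBase documentation: a Python scan that finds StreamBase URIs carrying a password parameter in script or environment text, such as a STREAMBASE_SERVER assignment, and reports them with the password masked. The sample lines are constructed from the example URI above, and the function names are this example's own.

```python
import re

# StreamBase URI in the sb://host:port/;user=...;password=... form shown
# above. Values containing quotes, semicolons or spaces are not handled.
SB_URI = re.compile(r"sb://[^\s\"';]*(?:;[^\s\"';=]+=[^\s\"';]*)*")

# Constructed sample input: lines as they might appear in a startup script.
SAMPLE_LINES = [
    "#!/bin/sh",
    'export STREAMBASE_SERVER="sb://localhost:10000/;user=sbmichael;password=secr3t1ve"',
    "sbc -u sb://localhost:10000/ list",
    "sbc -u sb://localhost:10000/;user=sbmichael;password=secr3t1ve list",
]


def has_password(uri):
    """True if any ;key=value parameter of the URI is named password."""
    return any(p.partition("=")[0].lower() == "password"
               for p in uri.split(";")[1:])


def redact_uri(uri):
    """Return the URI with the value of each password parameter masked."""
    base, *params = uri.split(";")
    masked = []
    for p in params:
        key, sep, _ = p.partition("=")
        masked.append(key + "=***" if sep and key.lower() == "password" else p)
    return ";".join([base] + masked)


def find_embedded_passwords(lines):
    """Return (line_number, redacted_uri) for every URI with a password."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in SB_URI.finditer(line):
            if has_password(match.group(0)):
                hits.append((number, redact_uri(match.group(0))))
    return hits
```

Only the masked form is returned, so the report itself does not repeat the clear-text password.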
Use a command like the following example to list entities at the StreamBase Command Prompt on Windows:
sbc -u sb://localhost:10000/;user=sbmichael;password=secr3t1ve list
When specifying authentication parameters at the UNIX shell prompt, enclose the StreamBase URI in quotes to escape the shell's interpretation of the semicolon:
sbc -u "sb://localhost:10000/;user=sbmichael;password=secr3t1ve" list