Fabric Credentials Overview

RBAC in Fabric

Fabric includes an authentication and authorization mechanism that enables managing user access control and restrictions, such as:

  • Creating / dropping users, roles and API Keys.
  • Assigning users to roles.
  • Granting access on different levels, for example:
    • Access to LUIs can be defined on a user level.
    • Access to the methods that access LUIs can be defined on a role level.
  • Assigning security profiles to roles.

The use of roles makes permissions management much easier. It avoids having to manually grant sets of privileges, user by user. For example, several users may be assigned as 'administrators'.

User access control management can be performed by using either one of these two methods:

List of Permissions

Roles are assigned many or all of the following permissions:

| PERMISSION | DESCRIPTION |
|---|---|
| ACTIVATE_KEY | This permission is needed for generating a new key when using Fabric's key generator capability |
| ASSIGN_ROLE | This permission is needed for assigning a role to a specific user |
| EDIT_ROLE | Used for modifying the scope of permissions for a specific role permission |
| BATCH and BATCH_READ | BATCH permission enables the user to run and view batch processes. BATCH_READ permission enables the user to view batch processes. |
| DELETE_INSTANCE | Used for the deletion of one or multiple instances from Fabric |
| DEPLOY/DEPLOY_ENVIRONMENTS | Ability to run the deploy command on either a project or an entire environment |
| QUERY_WS / READ / WRITE | The ability to invoke a web service and to read/write data from Fabric instances and/or CommonDB |
| SET_ENVIRONMENT / SET_GLOBAL_ENVIRONMENT / SET_GLOBAL_GLOBAL | Used for setting the environment or Globals for the current session onto which a role is defined |
| ALL_WS | Allows all web services-related permissions |
| WS_* / gr | Allows specific web services and graphit files to be invoked |
| ALL | Allows the above-mentioned permissions |

K2Auth Tables

Fabric database credentials are saved in Cassandra under the k2auth keyspace in the following 4 tables:

| Table Name | Table Description |
|---|---|
| User Credentials | Holds Fabric users and their roles. A user may have several roles. |
| Roles | List of role definitions. |
| Credentials | Holds the API Key definitions of each role. The API Key is encrypted. |
| Permissions | Holds the permissions of each role and method. |

Fabric database credentials are validated each time a user attempts to access Fabric via the console, Web Services or other interfaces. Permissions can be set on either an LU or an LUI level.

Note that to skip authentication of a user on an LUI level, set DISABLE_LUI_AUTH in the config.ini file to true. By default, this parameter is set to false.

It is also possible to skip the sync process between Fabric users and System DB (e.g. Cassandra) users by setting READ_ONLY_AUTHENTICATORS in the config.ini file to true. By default, this parameter is set to false.

Setting Credentials

Define credentials by using either the Admin UI (Security tab) or Fabric commands, as follows:

  • Create a new role (command).
  • Assign a security profile to a role (command).
  • Create an API Key (command).
  • Assign a role to an API Key (command).
  • Grant permissions to a role (command).

Bootstrap Credentials

Fabric can also be started with predefined API keys, roles and permissions. This is available since Fabric 7.2.1.

  • Turn on this capability by adding a new line containing "rolespermissions" to the modules file, located in the $K2_HOME/config directory.
  • Create a file named rolesPrivileges.json in the $K2_HOME/config directory.
  • Edit the file with the required values. It is built from 2 main independent objects, "roles" and "apikeys", each of which can be set or skipped regardless of the other.
    • Define the operations associated with each role in the "roles" array object.
    • Define the roles associated with each API key in the "apikeys" array object.
  • When Fabric starts, it looks for this file; if it exists, the definitions are applied (only for roles / API keys that do not exist yet).
  • Once applied by Fabric, the file is deleted from the config directory.

Note: You can define only the operations and roles, as resources do not yet exist due to the project not yet being deployed.

Example:

{
  "roles": {
     "deploy": ["DEPLOY", "DEPLOY_ENVIRONMENTS", "SET_GLOBAL_ENVIRONMENT"]
  },
  "apikeys": {
     "t1234": ["deploy"]
  }
}

In the above example, the role named "deploy" has 3 associated operations and is associated with the API key "t1234". When the file is applied, the roles and API keys are created if they do not yet exist in Fabric, and the defined permissions are associated with them.
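
A pre-start check for rolesPrivileges.json, added here as an example and not part of Fabric or its documentation: it flags operation names missing from the permissions list above, broad ALL / ALL_WS grants, and API keys mapped to roles the file does not define. The names lint_roles_privileges and mask and the constructed sample are assumptions; graphit permission names are not spelled out on this page, so they are reported as unknown for manual review.

```python
import json

# Operation names from the "List of Permissions" table on this page.
KNOWN_OPS = {
    "ACTIVATE_KEY", "ASSIGN_ROLE", "EDIT_ROLE", "BATCH", "BATCH_READ",
    "DELETE_INSTANCE", "DEPLOY", "DEPLOY_ENVIRONMENTS", "QUERY_WS", "READ",
    "WRITE", "SET_ENVIRONMENT", "SET_GLOBAL_ENVIRONMENT", "SET_GLOBAL_GLOBAL",
    "ALL_WS", "ALL",
}
BROAD_OPS = {"ALL", "ALL_WS"}  # catch-all grants that deserve a manual review


def mask(api_key):
    """Keep API keys out of lint output and logs."""
    return api_key[:2] + "***"


def lint_roles_privileges(text):
    """Return sorted findings for the text of a rolesPrivileges.json file."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    findings, sections = [], {}
    for name in ("roles", "apikeys"):  # each object may be omitted
        value = doc.get(name, {})
        if not isinstance(value, dict) or not all(isinstance(v, list) for v in value.values()):
            findings.append(f"{name!r} must be an object mapping names to lists")
            value = {}
        sections[name] = {k: [str(x) for x in v] for k, v in value.items()}
    roles, apikeys = sections["roles"], sections["apikeys"]
    for role, ops in roles.items():
        for op in ops:
            if op in BROAD_OPS:
                findings.append(f"role {role!r}: broad grant {op}")
            elif op not in KNOWN_OPS and not op.startswith("WS_"):
                findings.append(f"role {role!r}: unknown operation {op!r}")
    for key, key_roles in apikeys.items():
        for role in key_roles:
            if role not in roles:  # acceptable only if the role already exists in Fabric
                findings.append(f"API key {mask(key)}: role {role!r} not defined in this file")
    return sorted(findings)


# The page's own example, and a constructed file with three problems.
PAGE_EXAMPLE = '{"roles": {"deploy": ["DEPLOY", "DEPLOY_ENVIRONMENTS", "SET_GLOBAL_ENVIRONMENT"]}, "apikeys": {"t1234": ["deploy"]}}'
CONSTRUCTED_BAD = '{"roles": {"ops": ["ALL", "DEPLOYY"]}, "apikeys": {"k9876": ["ops", "ghost"]}}'
```

Because Fabric deletes the file once it is applied, run the check before startup and keep the reviewed copy under change control.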

Users Credentials

Users may be defined in the Fabric system DB and associated with roles, as follows:

  • Assign a role to the user by using either the Admin UI (Security tab) or a command.

Note: When Fabric integrates with an external authenticator, Fabric neither manages nor stores users' information, and the users' permissions are applied by roles. For more information about User Identification and Access Management - read here.

Admin User

By default, when Fabric starts for the first time, it creates the admin user as the initial superuser, with both the username and the password set to 'admin'. Fabric can also be started initially with a different initial superuser, which is not defined as admin/admin:

  • Copy the adminInitialCredentials.template file from the $K2_HOME/fabric/config.template directory to the $K2_HOME/config directory.

  • Rename the file to adminInitialCredentials.

  • Edit the file and update the User/Password to the required values. Note that the username must contain only lowercase letters.

  • When Fabric starts for the first time, the new user is created and the adminInitialCredentials file is deleted.

  • There is no need to provide a password in the adminInitialCredentials file when the users are maintained outside of Fabric (when the READ_ONLY_AUTHENTICATORS parameter in the config.ini is set to true).
