Fabric Credentials Overview

RBAC in Fabric

Fabric includes an authentication and authorization mechanism that enables managing user access control and restrictions, such as:

  • Creating / dropping users, roles and API Keys.
  • Assigning users to roles.
  • Granting access on different levels, for example:
    • Access to LUIs can be defined on a user level.
    • Access to the methods that access LUIs can be defined on a role level.
  • Assigning security profiles to roles.

Using roles makes managing permissions much easier. It avoids having to manually grant sets of privileges user by user. For example, several users might be assigned as “administrators”.

User access control management can be performed using either:

List of Permissions

Roles are also used to maintain consistency across Fabric and can be assigned many or all of the following permission and action types:

| PERMISSION | DESCRIPTION |
|---|---|
| ACTIVATE_KEY | Needed to generate a new key when using Fabric's key generator capability |
| ASSIGN_ROLE | Needed to assign a role to a specific user |
| EDIT_ROLE | Used to modify the scope of permissions for a specific role |
| BATCH | Enables a user to run batch processes |
| DELETE_INSTANCE | Used to delete one or multiple instances from Fabric |
| DEPLOY / DEPLOY_ENVIRONMENTS | Ability to run the deploy command on a project or an entire environment |
| QUERY_WS / READ / WRITE | Ability to invoke a web service and to read or write data from Fabric instances and/or CommonDB |
| SET_ENVIRONMENT / SET_GLOBAL_ENVIRONMENT / SET_GLOBAL_GLOBAL | Sets the environment or Globals for the current session on which the role is defined |
| ALL_WS | Allows all web-services related permissions |
| WS_* / gr | Allows specific web services and graphit files to be invoked |
| ALL | Allows all of the above-mentioned permissions |

K2Auth Tables

Fabric database credentials are saved in Cassandra under the k2auth keyspace in the following four tables:

| Table Name | Table Description |
|---|---|
| User Credentials | Holds Fabric users and their roles. A user may have several roles. |
| Roles | List of role definitions. |
| Credentials | Holds the API Key definitions of each role. The API Key is encrypted. |
| Permissions | Holds the permissions of each role and method. |

Fabric database credentials are validated each time a user attempts to access Fabric via the console, Web Services or other interfaces. Permissions can be set on an LU level or an LUI level.

To skip user authentication on the LUI level, set DISABLE_LUI_AUTH to true in the config.ini file. By default, this parameter is false.

It is also possible to skip the sync process between Fabric users and Cassandra users by setting SYNC_CASSANDRA_SYSTEM_AUTH to false in the config.ini file. By default, this parameter is true.

Setting Credentials

Create the users and define their credentials, as follows:

Admin User

By default, when Fabric starts for the first time, it creates the admin user as the initial superuser and sets both the username and the password to "admin". Fabric can also be started for the first time with a different initial superuser, one that is not defined as admin/admin:

  • Copy the adminInitialCredentials.template file from the $K2_HOME/fabric/config.template directory to the $K2_HOME/config directory.
  • Rename the file to adminInitialCredentials.
  • Edit the file and update the User/Password to the required values. Note that the username must contain only lowercase letters.
  • When Fabric starts for the first time, the new user is created and the adminInitialCredentials file is deleted.
  • Since Fabric 7.0.1 HF2, there is no need to provide a password in the adminInitialCredentials file when the users are maintained outside of Fabric (when the sync_cassandra_system_auth setting key is set to False).
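
The following audit is an added example, not part of the Fabric documentation. It reports the two config.ini switches described under K2Auth Tables when they differ from their documented defaults, and flags an adminInitialCredentials file that is still waiting in $K2_HOME/config. The config.ini location, the [fabric] section name and the key = value syntax used in the sample are assumptions, since the page does not state them.

```python
import os
import stat
import tempfile

DEFAULTS = {"DISABLE_LUI_AUTH": "false", "SYNC_CASSANDRA_SYSTEM_AUTH": "true"}  # per this page

def read_auth_settings(config_ini):
    """Effective value of each key; keys are matched case-insensitively, in any section."""
    settings = dict(DEFAULTS)
    with open(config_ini, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;[" or "=" not in line:
                continue  # blank line, comment or [section] header
            key, value = (part.strip() for part in line.split("=", 1))
            if key.upper() in settings:
                settings[key.upper()] = value.lower()
    return settings

def audit(k2_home, config_ini):
    """Return findings for non-default auth settings and a leftover bootstrap file."""
    findings = []
    settings = read_auth_settings(config_ini)
    if settings["DISABLE_LUI_AUTH"] == "true":
        findings.append("DISABLE_LUI_AUTH=true: no user authentication on the LUI level")
    if settings["SYNC_CASSANDRA_SYSTEM_AUTH"] == "false":
        findings.append("SYNC_CASSANDRA_SYSTEM_AUTH=false: Fabric/Cassandra user sync is skipped")
    bootstrap = os.path.join(k2_home, "config", "adminInitialCredentials")
    if os.path.exists(bootstrap):
        # Fabric deletes this file on first start; until then it holds the User/Password.
        mode = stat.S_IMODE(os.stat(bootstrap).st_mode)
        access = "group/other can access it" if mode & 0o077 else "owner-only"
        findings.append(f"adminInitialCredentials not yet consumed ({access})")
    return findings

def demo():
    """Run the audit over a constructed $K2_HOME tree (sample data, not a real install)."""
    with tempfile.TemporaryDirectory() as k2_home:
        cfg_dir = os.path.join(k2_home, "config")
        os.mkdir(cfg_dir)
        config_ini = os.path.join(cfg_dir, "config.ini")  # assumed location
        with open(config_ini, "w", encoding="utf-8") as fh:
            fh.write("[fabric]\n# constructed sample\nDISABLE_LUI_AUTH = true\n")
        bootstrap = os.path.join(cfg_dir, "adminInitialCredentials")
        open(bootstrap, "w").close()  # empty placeholder; the real format is not on the page
        os.chmod(bootstrap, 0o640)
        return audit(k2_home, config_ini)

if __name__ == "__main__":
    print("\n".join(demo()))
```

An empty result from `audit` means both switches are at their documented defaults and no bootstrap credentials file is present; it does not show whether the default admin/admin superuser was created.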
