Fabric includes an authentication and authorization mechanism that enables managing user access control and restrictions, such as:
The use of roles makes permissions management much easier. It avoids having to manually grant sets of privileges, user by user. For example, several users may be assigned as 'administrators'.
User access control management can be performed by using either one of these two methods:
Roles are assigned with many or all of the following permissions:
Fabric database credentials are saved in Cassandra under the k2auth keyspace in the following 4 tables:
Fabric database credentials are validated each time a user attempts to access Fabric via the console, Web Services or other interfaces. Permissions can be set on either an LU or an LUI level.
Note that to avoid authentication of a user on an LUI level, set DISABLE_LUI_AUTH in the config.ini file to true. By default, this parameter is set to false.
It is also possible to skip the sync process between Fabric user and System DB (e.g. Cassandra) user by setting READ_ONLY_AUTHENTICATORS in the config.ini file to true. By default, this parameter is set to false.
Define credentials by either Admin UI (Security tab) or Fabric commands, as follows:
Fabric can also be started with predefines API keys, roles and permissions. This is available since Fabric 7.2.1.
"apikeys"
array object.Note: You can define only the operations and roles, as resources do not yet exist due to the project not yet being deployed.
Example:
{
"roles": {
"deploy": ["DEPLOY", "DEPLOY_ENVIRONMENTS", "SET_GLOBAL_ENVIRONMENT"]
},
"apikeys": {
"t1234": ["deploy"]
}
}
In the above example, the role named "deploy" has 3 associated operations and API key "t1234". When applied, the roles and API keys will be created, if not exist yet at Fabric, and the defined permissions are associated to them.
Users may be defined in Fabric system DB and shall accordingly be associated to roles, as follows:
Note: When Fabric integrates with an external authenticator, Fabric does neither manage nor store users' information, and the users' permissions are applied by roles. For more information about User Identification and Access Management - read here.
By default, Fabric creates the admin user as the initial superuser - when initially starting - and it defines its user and password as 'admin'. Fabric can also be initially started with a different initial superuser, which is not defined as admin/admin.
Copy the adminInitialCredentials.template file from the $K2_HOME/fabric/config.template directory to the $K2_HOME/config directory.
Change the File Name to adminInitialCredentials.
Edit the file and update the User/Password to the required values. Note that the username must only contain lowercase letters.
When Fabric starts initially, the new user is created and the adminInitialCredentials file is deleted.
There is no need to provide a password on adminInitialCredentials file when the users are maintained outside of Fabric (when the READ_ONLY_AUTHENTICATORS parameter in the config.ini is set to true).
Fabric includes an authentication and authorization mechanism that enables managing user access control and restrictions, such as:
The use of roles makes permissions management much easier. It avoids having to manually grant sets of privileges, user by user. For example, several users may be assigned as 'administrators'.
User access control management can be performed by using either one of these two methods:
Roles are assigned with many or all of the following permissions:
Fabric database credentials are saved in Cassandra under the k2auth keyspace in the following 4 tables:
Fabric database credentials are validated each time a user attempts to access Fabric via the console, Web Services or other interfaces. Permissions can be set on either an LU or an LUI level.
Note that to avoid authentication of a user on an LUI level, set DISABLE_LUI_AUTH in the config.ini file to true. By default, this parameter is set to false.
It is also possible to skip the sync process between Fabric user and System DB (e.g. Cassandra) user by setting READ_ONLY_AUTHENTICATORS in the config.ini file to true. By default, this parameter is set to false.
Define credentials by either Admin UI (Security tab) or Fabric commands, as follows:
Fabric can also be started with predefines API keys, roles and permissions. This is available since Fabric 7.2.1.
"apikeys"
array object.Note: You can define only the operations and roles, as resources do not yet exist due to the project not yet being deployed.
Example:
{
"roles": {
"deploy": ["DEPLOY", "DEPLOY_ENVIRONMENTS", "SET_GLOBAL_ENVIRONMENT"]
},
"apikeys": {
"t1234": ["deploy"]
}
}
In the above example, the role named "deploy" has 3 associated operations and API key "t1234". When applied, the roles and API keys will be created, if not exist yet at Fabric, and the defined permissions are associated to them.
Users may be defined in Fabric system DB and shall accordingly be associated to roles, as follows:
Note: When Fabric integrates with an external authenticator, Fabric does neither manage nor store users' information, and the users' permissions are applied by roles. For more information about User Identification and Access Management - read here.
By default, Fabric creates the admin user as the initial superuser - when initially starting - and it defines its user and password as 'admin'. Fabric can also be initially started with a different initial superuser, which is not defined as admin/admin.
Copy the adminInitialCredentials.template file from the $K2_HOME/fabric/config.template directory to the $K2_HOME/config directory.
Change the File Name to adminInitialCredentials.
Edit the file and update the User/Password to the required values. Note that the username must only contain lowercase letters.
When Fabric starts initially, the new user is created and the adminInitialCredentials file is deleted.
There is no need to provide a password on adminInitialCredentials file when the users are maintained outside of Fabric (when the READ_ONLY_AUTHENTICATORS parameter in the config.ini is set to true).