Setting up Authentication/Authorization

Servers and clients that connect to a secured server must have credentials (usernames/passwords) and roles (authorization) defined. This section discusses the authentication/authorization mechanism based on using a .ini file. To use LDAP or Microsoft Active Directory instead, see LDAP and Active Directory setup page.

Authentication and authorization are set up using the usermanagement script, located in the Terracotta kit's tools/security/bin directory. This script also creates the .ini file that contains the required usernames and roles. The associated passwords are stored in the keychain file.

tools/security/bin/usermanagement.sh -c <file> <username> terracotta

where -c is required only if the file does not already exist. For servers, the <username> will be used as the value configured in <security>/<auth>/<user>. For clients, the username must match the one used to start the client.

Note: While the "terracotta" role is appropriate for Terracotta servers and clients, the "admin" role is necessary for performing system functions such as stopping servers. For more information about roles, refer to User Roles.

# Create the .ini file and add a server username and role.
tools/security/bin/usermanagement.sh -c my_auth.ini server1username terracotta

# Add another server.
tools/security/bin/usermanagement.sh my_auth.ini server2username terracotta

# Add a client.
tools/security/bin/usermanagement.sh my_auth.ini client1username terracotta

# Add a user with an "admin" (read/write) role.
tools/security/bin/usermanagement.sh my_auth.ini admin1username admin

# Add a user with a "terracotta" (read) role.
tools/security/bin/usermanagement.sh my_auth.ini console1username operator

The correct Apache Shiro Realm must be specified in the server configuration, along with the path to the .ini file:

...
<auth>
<realm>com.tc.net.core.security.ShiroIniRealm</realm>
<url>file:///%(user.dir)/my_auth.ini</url>
<user>server1username</user>
</auth>
...