Setting up Authentication/Authorization
Servers and clients that connect to a secured server must have credentials (usernames/passwords) and roles (authorization) defined. This section discusses the authentication/authorization mechanism based on a .ini file. To use LDAP or Microsoft Active Directory instead, see the LDAP and Active Directory setup page.
Authentication and authorization are set up using the usermanagement script, located in the Terracotta kit's tools/security/bin directory. This script also creates the .ini file that contains the required usernames and roles. The associated passwords are stored in the keychain file.
All nodes in a secured Terracotta cluster must have an entry in the server's .ini file:
The local server itself
All other servers
All clients
Use the usermanagement script with the following format:
tools/security/bin/usermanagement.sh -c <file> <username> terracotta
where -c is required only if the file does not already exist. For servers, the <username> will be used as the value configured in <security>/<auth>/<user>. For clients, the username must match the one used to start the client.
Note: While the "terracotta" role is appropriate for Terracotta servers and clients, the "admin" role is necessary for performing system functions such as stopping servers. For more information about roles, refer to User Roles.
For example:
# Create the .ini file and add a server username and role.
tools/security/bin/usermanagement.sh -c my_auth.ini server1username terracotta
# Add another server.
tools/security/bin/usermanagement.sh my_auth.ini server2username terracotta
# Add a client.
tools/security/bin/usermanagement.sh my_auth.ini client1username terracotta
# Add a user with an "admin" (read/write) role.
tools/security/bin/usermanagement.sh my_auth.ini admin1username admin
# Add a console user with the "operator" role.
tools/security/bin/usermanagement.sh my_auth.ini console1username operator
The correct Apache Shiro Realm must be specified in the server configuration, along with the path to the .ini file:
...
<auth>
  <realm>com.tc.net.core.security.ShiroIniRealm</realm>
  <url>file:///%(user.dir)/my_auth.ini</url>
  <user>server1username</user>
</auth>
...
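As an added example (not part of the Terracotta documentation or kit), the following POSIX shell driver registers every node from a "username role" list by calling the usermanagement script, passing -c only while the .ini file does not yet exist, and then checks that the <user> named in the server's <auth> block is actually one of the registered usernames. The USERMANAGEMENT override variable and the node-list file format are assumptions of this example.

```shell
#!/bin/sh
# Added example: drive usermanagement.sh for a whole cluster and verify that
# the server's configured <auth>/<user> has an entry. USERMANAGEMENT is an
# assumed override so the script path can be pointed elsewhere.
USERMANAGEMENT="${USERMANAGEMENT:-tools/security/bin/usermanagement.sh}"

# add_node_users INI_FILE NODE_LIST
# NODE_LIST holds one "username role" pair per line (local server, other
# servers, clients, admin and console users); lines starting with '#' are
# comments. Returns 1 on the first failed script invocation.
add_node_users() {
  ini="$1"
  nodes="$2"
  while read -r username role; do
    case "$username" in ''|\#*) continue ;; esac
    if [ -f "$ini" ]; then
      "$USERMANAGEMENT" "$ini" "$username" "$role" || return 1
    else
      # First entry: -c creates the file; it must not be repeated afterwards.
      "$USERMANAGEMENT" -c "$ini" "$username" "$role" || return 1
    fi
  done < "$nodes"
}

# auth_user SERVER_CONFIG: prints the first <user> value found in the config.
auth_user() {
  sed -n 's/.*<user>\([^<]*\)<\/user>.*/\1/p' "$1" | head -n 1
}

# check_auth_user SERVER_CONFIG NODE_LIST
# Returns 0 when the configured <user> has an entry in NODE_LIST, 1 otherwise.
check_auth_user() {
  user=$(auth_user "$1")
  [ -n "$user" ] || return 1
  awk -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$2"
}
```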