Setting up Authorization for TMC Queries
The Terracotta Management Console allows you to execute SQL-like queries in the query field of the Application Data > Contents panel. Initially, all users who can access the TMC can also use this query feature.
You may want to restrict the usage of the query feature by disabling it for certain user roles/identities. You can do this as follows:
Using Simple Account-Based Authentication (Ini-File) security
If you are using simple account-based authentication security, the authorization setup for disabling the query feature is defined in the security.ini file, which is located in the mgmt folder under your user account path at the operating system level. The file is created when you use the TMC to specify that you want to use Ini-File authentication. If you have not yet done so, you can use the Settings menu of TMC to specify the required authentication method. On Windows systems, the location of the mgmt folder could be, for example, C:\Users\MyUserName\.tc (where MyUserName is your Windows user name), and on Linux it could be ~/.tc.
Use the following steps to disable the query feature:
1. Open the file security.ini in a text editor and go to the line where the user that you want to modify is defined.
2. Append the nobmsql role at the end of the line in order to disable the query panel for that user.
3. Restart TMS, then log in using the user's credentials, and ensure that the query field is no longer visible in the Application Data > Contents panel.
Here is an example of security.ini, with nobmsql applied to the operator user:
[users]
admin=$shiro1$SHA-1$1000000$pibMTfX7zzyKTy57DLcSvw==$ENBPZPwB//L5fbVZ+/jeKJ4Fm/4=,operator,admin
operator=$shiro1$SHA-1$1000000$3mYdIqq2gjldlii7qaadsg==$tIMdM92xA6UXwXZn/MeH2AH7N8A=,operator,nobmsql
There are 2 users in this configuration: admin and operator. The long string behind '=' is the encrypted password, which is automatically generated the first time you configure the password through TMC. Currently there are 3 roles available: admin, operator and nobmsql. An administrator user needs to be assigned both admin and operator roles. An operator user needs to be assigned the operator role. If you want to hide the query panel from the administrator user or operator user or both, you can simply add the nobmsql role to that user.
Using LDAP-based security
If you are using LDAP based security, use the following steps to disable the query feature for a particular user:
1. Using a text editor, open the file shiro.ini in the mgmt folder (location as described above for Ini-File security).
2. Find the entry ldapRealm.groupRolesMapAsString =.
This is the mapping string between TMC roles and LDAP groups. It is formatted as:
"LDAP group":"TMC role[s]..."
for example:
"tmcopstgroup2":"admin,operator";
3. If you want to disable the query ability for an LDAP group, add ,nobmsql behind the mapping.
4. Restart TMS, then log in using the credentials of a user who belongs to the LDAP group. Ensure that the query field is no longer visible in the Application Data > Contents panel.