Auth security commands

In  cli security

Overview

Extend the existing CLI security command with a set of actions to configure elytron authentication.

Issue Metadata

Issue

Dev Contacts

QE Contacts

Affected Projects or Components

CLI

Other Interested Projects

elytron

Requirements

  • Offer simple actions to enable/disable HTTP and SASL authentication for both Http server and management interfaces.

  • Hide complexity of elytron management model as much as possible without introducing unwanted simplification.

  • Take benefit of existing Out Of The Box elytron configuration.

  • Drive users to select the right set of options thanks to CLI completion that controls visibility of options.

  • Help users discover the underlying elytron model thanks to the echo-dmr command to print out the set of sent model operations.

  • Allow user to visualise the management or application authentication configuration.

Hard Requirements

  • For SASL supported mechanisms are EXTERNAL, DIGEST-MD5. PLAIN, JBOSS-LOCAL-USER, SCRAM-*, DIGEST-SHA-*

  • For HTTP supported mechanisms are CLIENT_CERT, BASIC, DIGEST and FORM

Configure SASL Authentication for management interfaces

enable-sasl-management

Associate an elytron SASL factory to the management interface. In case a SASL factory already exists, the factory is extended (or updated) with the selected mechanism. If no mechanism is provided, the out of the box SASL factory is associated to the management interface. This command creates all the non existing resources required to configure authentication. This command can be called multiple times to configure the referenced SASL factory.

security enable-sasl-management ( [--file-system-realm-name=<realm name>] [--user-role-decoder=<role-decoder name>] | [--user-properties-file=<file path>] [--group-properties-file=<file path>] [--relative-to=<system property>] | [--properties-realm-name=<realm name>] | [--key-store-realm-name=<a string>] | [--key-store-name=<key-store name>] ) [--mechanism=<mechanism name>] [--exposed-realm=<exposed realm>] [--roles=<list of roles>] [--management-interface=<name>] [--new-auth-factory-name=<name>] [--new-realm-name=<name>] [--new-security-domain-name=<name>] [--no-reload] [--super-user]

The mininal command to associate the out of the box elytron SASL factory to the HTTP interface
security enable-sasl-management

The mininal command to enable EXTERNAL:
security enable-sasl-management --mechanism=EXTERNAL --key-store-name=my-trusted-users-key-store-name

By default, if no --management-interface is provided, we default to http-interface. Command would force the server to reload except if --no-reload is set.

Options

Mechanisms:

--mechanism: The mechanism to enable. CLI completer exposes all supported SASL mechanisms.

Key-store realm:

--key-store-name=Must be specified (if --key-store-realm-name is not used) when the mechanisms is EXTERNAL, this is the name of the trust-store. Completion propose the existing key-stores.

--key-store-realm-name=Must be specified (if --key-store-name is not used) when the mechanisms is EXTERNAL, this is the name of the trust-store. Completion propose the existing key-store realm names.

--roles=Optional. Optional, a comma separated list of roles associated to the current identity. If no existing constant role mapper exists for this list of roles, a constant role mapper will be generated.

Filesystem realm (enabled when the mechanism requires this configuration):

--file-system-realm-name=The filesystem-realm name.
--user-role-decoder=Only if --file-system-realm is in use. The name of the role decoder to extract the roles from the users repository.
--exposed-realm=The realm exposed to the user.

Properties file realm (enabled when the mechanism requires this configuration):

--properties-realm-name=Name of an existing properties realm to use.
--users-properties-file=A path to the properties file.
--groups-properties-file=A path to the properties file.
--exposed-realm=The realm-name located in users properties file and exposed to the user. Must be set for this realm.
--relative-to=Server property to make properties file relative.

Local user properties:

--super-user: In order to configure local user with super-user permissions.

Names for generated resources:

--new-auth-factory-name=To name the factory with the specified name, by default a name is computed.
--new-security-domain=To name the security domain with the specified name, by default a name is computed.
--new-realm-name=To name a not existing realm with the specified name, by default computed based on the passed realm name.

Management interface

--management-interface=The management interface to configure, by default is http-interface+http-upgrade

Server directives

--no-reload=By default server is reloaded, use this option to not reload the server.

disable-sasl-management

This command removes the active SASL factory or a mechanism from the active SASL factory. Without any mechanism provided, this command erases the factory from the http-upgrade or native interface. NB: Existing resources are not removed from management model.

security disable-sasl-management [--management-interface=<a string>] [--mechanism=<a string>] [--no-reload]

reorder-sasl-management

Re-order the SASL mechanisms. The --mechanisms-order option is a comma separated list of mechanisms names. CLI completion proposes the mechanisms present in the targeted factory. By default http-interface is used.

security reorder-sasl-management --mechanisms-order=<a string> [--management-interface=<a string>] [--no-reload]

Enabling/Disabling HTTP Authentication for http management interface

enable-http-auth-management

This command targets only the management http-interface. Similar behaviour than enable-sasl-management command.

security enable-http-auth-management ( [--file-system-realm-name=<realm name>] [--user-role-decoder=<role-decoder name>] | [--user-properties-file=<file path>] [--group-properties-file=<file path>] [--relative-to=<system property>] | [--properties-realm-name=<realm name>] | [--key-store-realm-name=<a string>] | [--key-store-name=<key-store name>] ) [--mechanism=<mechanism name>] [--exposed-realm=<exposed realm>] [--roles=<list of roles>] [--new-auth-factory-name=<name>] [--new-realm-name=<name>] [--new-security-domain-name=<name>] [--no-reload] [--super-user]

The mininal command to associate the out of the box elytron HTTP factory to the HTTP interface:
security enable-http-auth-management

Options

Same options than enable-sasl-management. The completer for --mechanism exposes HTTP mechanisms.

disable-http-auth-management

This command removes the active HTTP factory or a mechanism from the active HTTP factory. Without any mechanism provided, this command erases the factory from the interface. NB: Existing resources are not removed from management model.

security disable-http-auth-management [--mechanism=<a string>] [--no-reload]

Enabling/Disabling HTTP Authentication for undertow security domain

enable-http-auth-http-server

Associate an elytron HTTP factory to the security domain. In case an HTTP factory already exists, the factory is extended(or updated) with the selected mechanism. If no mechanism is provided, the Out of The Box Application HTTP factory is associated to the security domain. This command creates all the non existing resources required to configure authentication. This command can be called multiple times to configure the referenced HTTP factory. Similar behaviour than enable-http-auth-management command.

security enable-http-auth-http-server --security-domain=<name> ( [--file-system-realm-name=<realm name>] [--user-role-decoder=<role-decoder name>] | [--user-properties-file=<file path>] [--group-properties-file=<file path>] [--relative-to=<system property>] | [--properties-realm-name=<realm name>] | [--key-store-realm-name=<a string>] | [--key-store-name=<key-store name>] ) [--mechanism=<mechanism name>] [--exposed-realm=<exposed realm>] [--roles=<list of roles>] [--new-auth-factory-name=<name>] [--new-realm-name=<name>] [--new-security-domain-name=<name>] [--no-reload] [--super-user]

The mininal command to associate the out of the box elytron HTTP factory to the Foo security-domain:
security enable-http-auth-http-server --security-domain=Foo

Options

--security-domain=Mandatory, the undertow security domain.
Other options are the same than enable-sasl-management. The completer for --mechanism exposes HTTP mechanisms.

disable-http-auth-http-server

This command removes the security domain or a mechanism from the active HTTP factory. Without a mechanism, the security domain is removed. NB: Elytron existing resources are not removed from management model.

security disable-http-auth-http-server --security-domain=<a string> [--mechanism=<a string>] [--no-reload] === Nice-to-Have Requirements

Non-Requirements

No support for mechanisms not listed in Hard Requirements.
Domain mode is out of scope for this version of this feature but may be considered in the future.

Test Plan