Security
Secure Mode
It is possible to run RSB in secure mode where only authorized users can use certain applications. This is done by doing the following:
- Activate security by uncommenting the blocks titled "Uncomment to enable security" in web.xml and security-beans.xml.
- Configure a Spring Security authentication provider in security-beans.xml to retrieve users from LDAP, Database...
- Configure RSB to associate applications with users and/or roles authorized to act as application users and admins, as shown in the next section.
- Optionally configure users and/or roles authorized to act as RSB admins, as shown in the following section.
Application Level Security
The following demonstrate how to configure RSB application level security:
"applicationSecurityConfiguration": {
"secure_app_1": {
"userPrincipals":["bob","dan"]
},
"secure_app_2": {
"userRoles":["ROLE_SCIENTIST","ROLE_ANALYST"]
},
"secure_app_3": {
"userPrincipals":["bob","dan"],
"userRoles":["ROLE_SCIENTIST","ROLE_ANALYST"]
},
"secure_app_4": {
"userPrincipals":["bob","dan"],
"userRoles":["ROLE_SCIENTIST","ROLE_ANALYST"],
"functionCallAllowed": true,
"scriptSubmissionAllowed": true
},
"secure_app_5": {
"userPrincipals":["bob","dan"],
"userRoles":["ROLE_SCIENTIST","ROLE_ANALYST"],
"adminPrincipals":["jack"],
"adminRoles":["ROLE_ADMIN"]
}
}
Application admins, declared with adminPrincipals and adminRoles are de-facto users of the concerned application.
Notice how the functionCallAllowed and scriptSubmissionAllowed attributes are used to explicitly allow the users of secure_app_4 to execute jobs that can potentially impact the environment where R executes. This is disabled by default. Application admins are not affected by these flags.
RSB Admin Security
The following demonstrate how to configure the optional RSB admin roles/roles:
"rsbSecurityConfiguration": {
"adminPrincipals":["joe"],
"adminRoles":["ROLE_ADMIN"]
}
RSB admins are de-facto users and admins of all the applications.
Application Aware Catalog
In a secure environment, it can be desirable to partition the catalog per application name. This prevents one application or one application admin to read or write files in another application.
This option, which is off by default, is activated with the following configuration setting:
"applicationAwareCatalog" : true
JMX RMI
Once RSB is running in "Secure Mode" (see above), it's possible to secure the JMX RMI connector. It's done by editing jmx-beans.xml and uncommenting the blocks marked with "Uncomment to enable security".
Only the RSB admins (defined by users/roles as explained in "RSB Admin Security") will be allowed to connect to the JMX RMI interface.
If the default JMX ports have be left unchanged, the remote process URI to use to securely connect is:
service:jmx:rmi://localhost:9098/jndi/rmi://localhost:9099/jmxRMIConnector
JMX Web UI (MX4J)
It's possible to secure the JMX Web UI with HTTP Basic Auth by configuring a dedicated username / password pair in the RSB configuration:
"jmxConfiguration": {
"stubPort": 1098,
"registryPort": 1099,
"httpPort": 8889,
"httpAuthenticationUsername": "jmxui_username",
"httpAuthenticationPassword": "U2FsdGVkX1+nOXQF+qvSVHeDdDG+jUyJxPzm6NW4NkI="
}
The password is encrypted with DES3 using the username as the encryption password. For example, with jmxui_username / jmxui_pass as the username / password pair, one can encrypt the password with:
$ echo -n "jmxui_pass" | openssl enc -a -e -salt -des3 -pass pass:jmxui_username
U2FsdGVkX1+nOXQF+qvSVHeDdDG+jUyJxPzm6NW4NkI=
It is recommended to enable SSL encryption for the JMX Web UI by using a frontal web-server, like Nginx.
Note that this security option is available even if RSB is not running in "Secure Mode" (as described above).