
Authentication and Authorization

Nate Weisz edited this page Jan 6, 2017 · 7 revisions

Authentication and Authorization controls in Herd

Herd has a configurable method of interfacing with external authentication providers. This relies on the external authentication mechanism creating HTTP headers for authenticated users. Several values in the Configuration Values table control integration with external authentication providers:

  • security.enabled.spel.expression - a logical expression to control whether or not security is enabled
  • security.http.header.implementation - a boolean for whether or not Herd will look for authentication headers
  • security.http.header.names - configurable list of what HTTP headers map to certain required fields for Herd security
  • security.http.header.role.regex - the regular expression used to parse out roles from a specific HTTP header

The authentication information can then be used to control authorization at two levels, as described in the sections below.

Service-level authorization (available starting with release 0.1.0)

Each Herd service is typically mapped to one or more Roles in a database table in the Herd schema. If Herd service-level authorization is configured, each service call will check if the calling user's Role is authorized to execute the service. The service-to-Role mappings should be populated directly in the database by a Herd Administrator to reflect the desired level of authorization for each role. When a Herd service is not mapped to any of the Roles, it is accessible by any authenticated user.

Note: If service-level authorization is configured but Herd is not configured to look for authentication headers, every user is considered TRUSTED_USER, appears as such in audit logs, and is authorized to execute all services by default.
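
A small model of the service-level decision described above, including the unmapped-service rule and the TRUSTED_USER case from the note. This is an added example, not Herd's code: the header names, role regex, service names and mappings are constructed assumptions, not Herd defaults.

```python
import re

# Constructed values for illustration; none of these are Herd defaults.
USER_HEADER = "x-user-id"       # assumed header carrying the user id
ROLE_HEADER = "x-user-roles"    # assumed header carrying group DNs
ROLE_REGEX = re.compile(r"cn=(?P<role>[^,|]+)", re.IGNORECASE)
SERVICE_ROLES = {               # assumed service-to-Role mappings
    "registerBusinessObjectData": {"herd_writer", "herd_admin"},
    "getBusinessObjectData": {"herd_reader", "herd_writer", "herd_admin"},
    "getBuildInfo": set(),      # not mapped to any Role
}

def resolve_user(headers, header_auth_enabled):
    """Return (user_id, roles), or None when no authenticated user is present."""
    if not header_auth_enabled:
        # Headers are ignored, so every caller is TRUSTED_USER (roles=None).
        return ("TRUSTED_USER", None)
    lowered = {k.lower(): v for k, v in headers.items()}
    user_id = lowered.get(USER_HEADER, "").strip()
    if not user_id:
        return None
    roles = {m.group("role").strip().lower()
             for m in ROLE_REGEX.finditer(lowered.get(ROLE_HEADER, ""))}
    return (user_id, roles)

def is_authorized(service, headers, header_auth_enabled=True):
    """Apply the service-level rules to one call."""
    user = resolve_user(headers, header_auth_enabled)
    if user is None:
        return False            # no authenticated user
    _, roles = user
    if roles is None:
        return True             # TRUSTED_USER may execute all services
    required = SERVICE_ROLES.get(service, set())
    if not required:
        return True             # unmapped service: any authenticated user
    return bool(roles & required)

def unmapped_services(service_names):
    """Audit helper: services that any authenticated user can call."""
    return sorted(s for s in service_names if not SERVICE_ROLES.get(s))
```

Running `unmapped_services` over the full list of deployed services gives an administrator the set of calls that the mapping table currently leaves open to every authenticated user.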

Namespace-level authorization (available starting 0.15.0)

As Herd evolved, it became clear that service-level authorization was too coarse-grained for the security requirements of many organizations. Therefore Herd will soon include a more granular security model where operations are authorized at the Namespace level.

  • All access to data in Herd will be controlled by the calling user's authorization to data in that Namespace.
  • A user will be granted permissions to READ, WRITE, EXECUTE, or GRANT data in a set of Namespaces.
  • These authorizations restrict access to all operations including:
    • Meta-data services like reading and writing Business Object Definitions, Business Object Formats, and Business Object Data in a given Namespace
    • Other services such as Clusters, Jobs, and Notifications owned by a given Namespace
  • If not authorized, the services will return an appropriate HTTP error response such as 403 Forbidden
  • Namespace-level authorization is controlled by the following configuration entry:
    • user.namespace.authorization.enabled - a boolean that controls whether or not the user namespace authorization is enabled
  • See User Namespace Authorization for more details