Authentication and Access Control
Authentication
HVR supports the following modes to check the username and password when authenticating a connection to a remote HVR machine:
Operating System (default)
HVR asks the operating system to verify the username and password. This is the default authentication system of HVR when the others (below) are not configured.
No Password Authentication
Authentication can also be disabled when connecting to a remote HVR hub/location. If option -N is supplied to HVR (see options of Hvr and Hvrremotelistener) then any valid operating system username is accepted with any password. This mode can be used for testing. It can also be configured with an access_conf.xml file to authenticate the identity of incoming connections using SSL. For more information, see option -a of Hvr.
Pluggable Authentication Module (PAM)
PAM is a service provided by Linux & Unix as an alternative to regular username/password authentication, e.g. checking the /etc/passwd file. For more information see option -p pamsrv in Hvr and Hvrremotelistener.
LDAP Authentication
HVR authenticates the incoming username/password by invoking its Hvrvalidpwldap plugin.
Private Password File Authentication
HVR authenticates the incoming username/password by invoking its Hvrvalidpwfile plugin.
Custom hvrvalidpw Authentication Plugin
HVR also allows you to supply your own authentication plugin. The custom plugin file should be named Hvrvalidpw and saved in the HVR_HOME/lib directory. It should also obey (simple) call conventions.
For some of the above authentication modes (e.g. PAM or LDAP), HVR should use the username/password only for authentication, and should not change from the current operating system user to that login. This is configured using option -A in Hvr and Hvrremotelistener. In this case the daemon should be configured to start the HVR child process as the correct operating system user (instead of root).
Access Control
Since v5.3.1/22
HVR's access control feature enables you to set read/write permissions for HVR GUI users connecting remotely to the HVR hub. HVR allows different access levels for authenticated users based on their username, their LDAP groups (if configured), and the hub database name.
The following access levels are supported by HVR:
- ReadOnly : User can view catalog information and job status.
- ReadExec : User can view catalog information, job status and also execute HVR Compare, HVR Scheduler.
- ReadWrite : User can view catalog information, job status and modify catalogs. They also can execute HVR Compare, HVR Initialize, HVR Refresh, HVR Scheduler, etc.
- Refresh : User can execute HVR Refresh.
To enable access control, the file access_rights.conf must be created and saved in the HVR_HOME/lib directory. The file access_rights.conf can be used together with LDAP or Private Password File Authentication to limit the permissions of HVR GUIs connecting remotely to the HVR hub. An example configuration file access_rights.conf_example is available in the HVR_HOME/lib directory.
The syntax for defining the parameters in the configuration file is as follows:
user : hub : access_level
or
@group : hub : access_level
- user can be a specific username or * to match any user.
- groups can be used only if Hvrvalidpwldap is configured to fetch the LDAP user groups.
- hub can be a hub database name, or it can be * to match any hub database.
- access_level can be ReadOnly, ReadExec, ReadWrite or Refresh. Multiple access levels can be assigned at the same time as comma-separated values, e.g. ReadExec,Refresh
If a user is not assigned any access level, the connection is rejected even if the password is correct.
Example:
User1:Hub1:ReadExec # User1 has ReadExec access to Hub1.
User2:Hub1:ReadExec,Refresh # User2 has ReadExec access to Hub1 and can also execute HVR Refresh.
User2:Hub2:ReadWrite # User2 has ReadWrite access to Hub2.
*:Hub2:ReadWrite # All users have ReadWrite access to Hub2.
@General-Users:*:ReadOnly # All members of the General-Users group have ReadOnly access to all hubs.
@Privilege-Users:*:ReadOnly,Refresh # All members of the Privilege-Users group have ReadOnly access to all hubs and can also execute HVR Refresh.
@Admin-Users:*:ReadWrite # All members of the Admin-Users group have ReadWrite access to all hubs.
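An added example (not part of the HVR documentation or product code): a Python check that parses an access_rights.conf written in the syntax above and reports malformed lines and rules that grant ReadWrite to every user, or to a group on every hub. It assumes that # starts a comment, as in the example above; the function names, the finding texts and the sample entries for User3 and User4 are this example's own.

```python
# Added example: audit an HVR access_rights.conf for malformed or overly broad rules.
# Assumptions: '#' starts a comment; level names match exactly; findings are not HVR messages.
LEVELS = {"ReadOnly", "ReadExec", "ReadWrite", "Refresh"}

def parse_rule(line):
    """Return (subject, hub, levels) for a rule line, or None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = [p.strip() for p in body.split(":")]
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected 'user : hub : access_level'")
    subject, hub, level_field = parts
    levels = [lv.strip() for lv in level_field.split(",")]
    unknown = [lv for lv in levels if lv not in LEVELS]
    if unknown:
        raise ValueError("unknown access level(s): " + ", ".join(unknown))
    return subject, hub, levels

def audit(text):
    """Return a list of (line_number, finding) for a whole access_rights.conf."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            findings.append((n, "malformed: %s" % exc))
            continue
        if rule is None:
            continue
        subject, hub, levels = rule
        if subject == "*" and "ReadWrite" in levels:
            findings.append((n, "every user gets ReadWrite on hub %r" % hub))
        elif subject.startswith("@") and hub == "*" and "ReadWrite" in levels:
            findings.append((n, "group %s gets ReadWrite on every hub" % subject[1:]))
    return findings

# Constructed sample: lines modelled on the page's example plus two deliberately broken ones.
SAMPLE = """\
User1:Hub1:ReadExec          # User1 has ReadExec access to Hub1.
User2 : Hub1 : ReadExec,Refresh
*:Hub2:ReadWrite             # All users have ReadWrite access to Hub2.
@Admin-Users:*:ReadWrite
User3:Hub1:Admin
User4:Hub1
"""

if __name__ == "__main__":
    print("\n".join("line %d: %s" % f for f in audit(SAMPLE)))
```

Because a user with no assigned access level is rejected, a line that fails to parse is worth reviewing before deployment rather than after a user reports a refused connection.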