How to setup Talend IAM for authenticating calls to Data Services

Problem Description

The default Karaf authentication mechanism does not manage users through external Identity and Access Management.


Root Cause

Default authentication in Karaf is managed by properties files. All users, groups, and roles must be defined in that file, and passwords are stored in clear text.


Solution

Integrate Karaf authentication with the Talend Identity and Access Management (IAM) module, which is based on Apache Syncope.


By default, Karaf manages the ESB Service authentication. To separate authentication from the ESB layer, use Syncope: Syncope manages the authentication, and all ESB Services remain in the ESB layer.


Below is a short summary of the process to enable Syncope authentication:


Requirement

Talend IAM must be installed and running; check your TAC configuration before continuing.

Syncope Configuration

  1. Connect using the URL http://iam_host:9080/syncope-console and log in (admin/password).

  2. Once connected, the Dashboard view appears.

  3. Select Realms.

    In this view, you are going to create the users and groups necessary to replace the default Karaf authentication.

  4. Before you create users and groups, double-check the default Karaf authentication. The default authentication file, named users.properties under %container_folder%/etc, contains the list of users, groups, and roles:

    tadmin=tadmin,_g_:admingroup,sl_admin
    tesb=tesb,_g_:admingroup,sl_maintain
    karaf = karaf,_g_:admingroup
    _g_\:admingroup = group,admin,manager,viewer,systembundles
    

    The file format follows these rules (note the escaped colon on the key side of a group line):

    username=password,_g_:groupname1,groupname2,…
    _g_\:groupname=role1,role2,…
  5. Translate the contents of this file into a Syncope configuration using the following mapping rules, then perform the next steps in the Syncope console:

    • User in file > User in Syncope

    • Role in file > Group in Syncope

    • Group in file > No corresponding type in Syncope

  6. On the GROUP tab, create the following groups:

    • admin
    • group
    • manager
    • sl_admin
    • sl_maintain
    • systembundles
    • viewer


  7. On the User tab, create the following users:

    • karaf
    • tadmin
    • tesb
    • test (additional user for test purpose)


  8. Each user must have a password. In Karaf, the default passwords were equal to the user names. If you change them, be sure to also change the tadmin password on the TAC Server (Runtime Server Password), because the tadmin user is used for deployment. The user and group relations must be:

    USER      GROUPS
    karaf     all groups listed except sl_maintain and sl_admin
    tadmin    all groups listed except sl_admin
    tesb      all groups listed except sl_maintain
    test      no group
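As an added example (not part of the original article), the following Python script applies the mapping rules from step 5 to a users.properties file: it parses the user lines and the `_g_` group lines, flattens each Karaf group into the roles it carries, and returns the Syncope groups to create together with the groups each user must belong to. The sample content is the file shown in step 4; the `test` user exists only in Syncope and therefore does not appear in it. A last helper flags users whose password still equals their user name, the default that step 8 asks you to change.

```python
# Constructed sample: the users.properties content shown in step 4.
SAMPLE_USERS_PROPERTIES = """\
tadmin=tadmin,_g_:admingroup,sl_admin
tesb=tesb,_g_:admingroup,sl_maintain
karaf = karaf,_g_:admingroup
_g_\\:admingroup = group,admin,manager,viewer,systembundles
"""

GROUP_PREFIX = "_g_:"


def parse_users_properties(text):
    """Parse Karaf users.properties lines into (users, groups).

    users  maps user name -> {"password", "roles", "groups"}
    groups maps Karaf group name -> list of roles
    Comments (#) and blank lines are skipped; the key-side escape
    '_g_\\:name' is unescaped to '_g_:name'.
    """
    users, groups = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key = key.strip().replace("\\:", ":")
        items = [v.strip() for v in value.split(",") if v.strip()]
        if not items:
            continue
        if key.startswith(GROUP_PREFIX):
            groups[key[len(GROUP_PREFIX):]] = items
        else:
            password, *memberships = items
            users[key] = {
                "password": password,
                "roles": [m for m in memberships if not m.startswith(GROUP_PREFIX)],
                "groups": [m[len(GROUP_PREFIX):] for m in memberships
                           if m.startswith(GROUP_PREFIX)],
            }
    return users, groups


def to_syncope_model(users, groups):
    """Apply the article's mapping: Karaf user -> Syncope user,
    Karaf role -> Syncope group, Karaf group -> no Syncope type (it is
    flattened into the roles it carries).

    Returns (syncope_groups, user_to_groups), both sorted for stable output.
    """
    user_to_groups = {}
    for name, info in users.items():
        effective = set(info["roles"])
        for karaf_group in info["groups"]:
            effective.update(groups.get(karaf_group, []))
        user_to_groups[name] = sorted(effective)
    syncope_groups = sorted({g for gs in user_to_groups.values() for g in gs})
    return syncope_groups, user_to_groups


def default_password_users(users):
    """Users whose password equals their user name (the Karaf default)."""
    return sorted(u for u, info in users.items() if info["password"] == u)


if __name__ == "__main__":
    users, groups = parse_users_properties(SAMPLE_USERS_PROPERTIES)
    syncope_groups, user_to_groups = to_syncope_model(users, groups)
    print("Syncope groups to create:", ", ".join(syncope_groups))
    for user, member_of in user_to_groups.items():
        print(f"{user}: {', '.join(member_of)}")
    print("users still on the default password:", default_password_users(users))
```

The group sets are derived directly from the file lines (for example, `sl_admin` comes from the tadmin line and `sl_maintain` from the tesb line), so compare the script's output with the table above before creating the users in the Syncope console.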

Karaf Configuration


  1. Copy the Blueprint descriptor (syncopeLoginModule.xml) to the %container%/deploy folder of your runtime container. The content of the Blueprint descriptor is shown below:

    <?xml version="1.0" encoding="UTF-8"?>
    <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
               xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0"
               xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
        <jaas:config name="karaf" rank="2">
            <jaas:module className="org.apache.karaf.jaas.modules.syncope.SyncopeLoginModule"
                         flags="required">
               address=http://iam_host:9080/syncope/rest
               admin.user=admin
               admin.password=password
               version=2
            </jaas:module>
        </jaas:config>
        <service interface="org.apache.karaf.jaas.modules.BackingEngineFactory">
            <bean class="org.apache.karaf.jaas.modules.syncope.SyncopeBackingEngineFactory"/>
        </service>
    </blueprint>
    

    This file adds the Syncope Login Module to the Karaf container. The deploy folder is loaded dynamically, so you do not need to restart the container.
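Added example, not from the article or from Talend: a Python check that parses the Blueprint descriptor above and reviews the login-module settings a defender cares about before the file is dropped into the deploy folder. Because the descriptor carries the Syncope administrator credentials in clear text, the checks below (HTTPS address, non-default admin password, `required` flag, rank above the default realm) are worth running each time the file is edited; the expected values are the ones the article shows, and the sample XML is the article's descriptor copied unchanged.

```python
import xml.etree.ElementTree as ET

JAAS_NS = "http://karaf.apache.org/xmlns/jaas/v1.1.0"
SYNCOPE_MODULE = "org.apache.karaf.jaas.modules.syncope.SyncopeLoginModule"

# Constructed sample: the article's syncopeLoginModule.xml, as published.
SAMPLE_BLUEPRINT = """<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
    <jaas:config name="karaf" rank="2">
        <jaas:module className="org.apache.karaf.jaas.modules.syncope.SyncopeLoginModule"
                     flags="required">
           address=http://iam_host:9080/syncope/rest
           admin.user=admin
           admin.password=password
           version=2
        </jaas:module>
    </jaas:config>
    <service interface="org.apache.karaf.jaas.modules.BackingEngineFactory">
        <bean class="org.apache.karaf.jaas.modules.syncope.SyncopeBackingEngineFactory"/>
    </service>
</blueprint>
"""


def parse_login_modules(xml_text):
    """Return one dict per jaas:module: realm name, rank, className, flags,
    and the key=value properties written in the element's text body."""
    root = ET.fromstring(xml_text)
    modules = []
    for cfg in root.iter(f"{{{JAAS_NS}}}config"):
        for mod in cfg.iter(f"{{{JAAS_NS}}}module"):
            props = {}
            for line in (mod.text or "").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            modules.append({
                "realm": cfg.get("name"),
                "rank": int(cfg.get("rank", "0")),
                "className": mod.get("className"),
                "flags": mod.get("flags"),
                "props": props,
            })
    return modules


def review_syncope_module(module):
    """Return a list of findings for one module; an empty list means the
    module matches what the article expects and uses a hardened address."""
    findings = []
    props = module["props"]
    if module["className"] != SYNCOPE_MODULE:
        findings.append("className is not the Syncope login module")
    if module["flags"] != "required":
        findings.append("flags is not 'required': a Syncope failure would not deny the login")
    if module["rank"] < 1:
        findings.append("rank is 0, so the realm may not take precedence over the default one")
    if not props.get("address", "").startswith("https://"):
        findings.append("address is not HTTPS: the admin credentials and every "
                        "authenticated user's password travel to Syncope in clear")
    if props.get("admin.password", "") in ("", "password"):
        findings.append("admin.password is empty or still the documented default")
    if props.get("version") != "2":
        findings.append("version does not match the documented value 2")
    return findings


if __name__ == "__main__":
    for module in parse_login_modules(SAMPLE_BLUEPRINT):
        print(f"realm={module['realm']} rank={module['rank']} class={module['className']}")
        for finding in review_syncope_module(module) or ["no findings"]:
            print("  -", finding)
```

On the article's descriptor the check reports two findings (plain HTTP address and the default admin password); restrict read access to the deploy folder as well, since the file stays there in clear text.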

  2. To verify the configuration, connect to the container over SSH:

    • ssh karaf@runtime_server -p runtime_port

    • Password: the one configured in Syncope for the karaf user

    • Run jaas:realm-list to verify which login module is in use

ESB Service Configuration


  1. From Studio, create an ESB Service (REST or SOAP) and, in the cREST/cSOAP component, enable the Use Authentication setting with the value HTTP BASIC. This option enables authentication; in this example, Syncope manages it.

  2. Publish the ESB Service.

    Note: The same configuration works with a Job, or a Data Service using a tRestRequest component.

  3. Deploy the ESB Service in the ESB Runtime and call it, for example by opening its URL in a browser. The browser prompts you to log in. You can use any user you created in the Syncope Console; the user does not need to belong to a specific Syncope group.
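The HTTP BASIC exchange described in steps 1 and 3, as an added example that is not part of the original article: a small Python stand-in for the protected REST endpoint (a dict takes the place of the Syncope lookup the Karaf realm performs) and a client that calls it the way a browser does, first without credentials, which yields the 401 challenge that triggers the login prompt, then with a wrong password, then as the `test` user. The user table, the passwords and the `/services/demo` path are constructed for the example.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for the Syncope-backed realm. In the real setup the
# Karaf container asks Syncope; here a dict holds two of the users created
# in the Syncope console, with passwords invented for this example.
FAKE_REALM = {"test": "test-secret", "tadmin": "tadmin-secret"}
REALM_NAME = "karaf"


class BasicAuthHandler(BaseHTTPRequestHandler):
    """Minimal endpoint protected by HTTP Basic, behaving like a cREST
    service published with 'Use Authentication = HTTP BASIC'."""

    def do_GET(self):
        user = self._authenticate()
        if user is None:
            # RFC 7617 challenge: this header is what makes the browser
            # show its login dialog.
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM_NAME}"')
            self.end_headers()
            return
        body = f"hello {user}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _authenticate(self):
        """Return the user name if the Authorization header is valid."""
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "basic" or not token:
            return None
        try:
            user, _, password = base64.b64decode(token).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        # Any known user with the right password is accepted: as the
        # article says, no specific group membership is required.
        return user if FAKE_REALM.get(user) == password else None

    def log_message(self, *args):
        pass  # keep the example's output quiet


def start_server():
    """Start the stand-in service on a free loopback port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def call_service(url, user=None, password=None):
    """Call the service like a browser would.

    Returns (status, body) on success and (status, WWW-Authenticate header)
    when the service rejects the request.
    """
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate", "")


def demo():
    """Run the three calls from the text against the stand-in service."""
    srv = start_server()
    url = f"http://127.0.0.1:{srv.server_address[1]}/services/demo"
    try:
        return {
            "anonymous": call_service(url),
            "bad_password": call_service(url, "test", "wrong"),
            "test_user": call_service(url, "test", "test-secret"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The Authorization header carries `user:password` base64-encoded, not encrypted, so a service published with HTTP BASIC should only be reachable over HTTPS; the stand-in uses plain HTTP on loopback purely to keep the example self-contained.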

For more information about Syncope, see the Apache Syncope Documentation page.

Version history
Revision #: 12 of 12
Last update: 04-13-2019 12:35 PM
Updated by: