The default Karaf authentication mechanism does not manage users through an external Identity and Access Management (IAM) system.
Default authentication in Karaf is managed by properties files: all users, groups, and roles must be defined in the file, and passwords are stored in clear text.
This page explains how to integrate Karaf authentication with the Talend Identity and Access Management (IAM) module, which is based on Apache Syncope.
By default, Karaf manages ESB Service authentication. To separate authentication from the ESB layer, use Syncope: Syncope manages the authentication, and all ESB Services remain in the ESB layer.
Below is a short summary of the process to enable Syncope authentication:
Syncope Configuration – Users and Groups Creation
Karaf Configuration – Adding Blueprint Descriptor
ESB Service Configuration – Enable Authentication on a REST Service
Talend IAM must be installed and running; check your TAC configuration before continuing:
Connect using the URL http://iam_host:9080/syncope-console and log in (default credentials admin/password):
Once connected, the Dashboard view appears:
In this view, you are going to create the users and groups necessary to replace the default Karaf authentication.
Before you create users and groups, double-check the default Karaf authentication. The default authentication file, named users.properties under %container_folder%/etc, contains a list of users, groups, and roles:
karaf = karaf,_g_:admingroup
_g_\:admingroup = group,admin,manager,viewer,systembundles
The file format follows these rules: a user line is "user = password,role1,role2,...", where a value of the form _g_:groupname assigns the user to a group; a group line is "_g_\:groupname = group,role1,role2,...", where the first value is the literal keyword group and the remaining values are the roles granted to every member of that group. In the example above, karaf is a member of admingroup and therefore holds the admin, manager, viewer, and systembundles roles.
Translate the contents of this file into a Syncope configuration using the rules below and by performing the next steps in Syncope:
User in file > User in Syncope
Role in file > Group in Syncope
Group in file > No corresponding type in Syncope
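As an added example (not Talend or Karaf code), the translation above can be checked mechanically before you start creating objects in the console. The following Python script parses a users.properties file in the format shown above, applies the three rules (user to user, role to group, Karaf group flattened into the roles it grants), and lists the users whose password still equals the user name. The file content embedded in it is constructed for the example; pass the path of your own etc/users.properties as the first argument to run it on the real file.

```python
# Added example: map a Karaf users.properties file onto the Syncope model
# (users and groups only). Not Talend or Karaf code.
import sys

# Constructed sample in Karaf users.properties syntax: the two default lines
# from this page plus a second group and a test user for the example.
SAMPLE_USERS_PROPERTIES = r"""
# user = password,role1,role2,_g_:group
karaf = karaf,_g_:admingroup
tadmin = tadmin,_g_:admingroup
test = test,viewer,_g_:ops
# _g_\:group = group,role1,role2
_g_\:admingroup = group,admin,manager,viewer,systembundles
_g_\:ops = group,manager,viewer
"""

GROUP_REF = "_g_:"      # prefix of a group reference on a user line


def parse_users_properties(text):
    """Parse Karaf's users.properties format.

    Returns (users, groups):
      users:  {name: {"password": str, "roles": set, "groups": set}}
      groups: {name: set of roles}
    """
    users, groups = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key = key.strip().replace("\\:", ":")        # keys escape ':' as '\:'
        values = [v.strip() for v in value.split(",") if v.strip()]
        if key.startswith(GROUP_REF):
            # group line: the first value is the literal marker "group"
            if not values or values[0] != "group":
                raise ValueError("malformed group line: %r" % raw)
            groups[key[len(GROUP_REF):]] = set(values[1:])
        else:
            if not values:
                raise ValueError("user without password: %r" % raw)
            users[key] = {
                "password": values[0],
                "roles": {v for v in values[1:] if not v.startswith(GROUP_REF)},
                "groups": {v[len(GROUP_REF):] for v in values[1:] if v.startswith(GROUP_REF)},
            }
    return users, groups


def to_syncope(users, groups):
    """Apply the mapping rules: Karaf role -> Syncope group, Karaf user ->
    Syncope user, Karaf group -> flattened into the roles it grants.

    Returns (sorted list of Syncope groups to create,
             {user: sorted list of Syncope groups the user belongs to}).
    An undefined group reference raises instead of being dropped, so a typo
    cannot silently leave a user without privileges.
    """
    syncope_groups = set()
    syncope_users = {}
    for name, u in users.items():
        effective = set(u["roles"])
        for g in u["groups"]:
            if g not in groups:
                raise KeyError("user %s references undefined group %s" % (name, g))
            effective |= groups[g]
        syncope_groups |= effective
        syncope_users[name] = sorted(effective)
    # roles granted only by groups that have no members are still groups to create
    for roles in groups.values():
        syncope_groups |= roles
    return sorted(syncope_groups), syncope_users


def default_passwords(users):
    """Users whose password equals the user name (Karaf's shipped defaults)."""
    return sorted(n for n, u in users.items() if u["password"] == n)


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_USERS_PROPERTIES
    users, groups = parse_users_properties(src)
    to_create, membership = to_syncope(users, groups)
    print("Syncope groups to create:", ", ".join(to_create))
    for name, member_of in membership.items():
        print("Syncope user %-8s -> %s" % (name, ", ".join(member_of)))
    print("passwords still equal to the user name:", ", ".join(default_passwords(users)))
```

The flattening is the step that is easy to get wrong by hand: a Karaf user that only references _g_:admingroup has no roles on its own line, so all of its Syncope groups come from the group definition. The script reports a mistyped group name instead of silently producing a user with no groups.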
On the GROUP tab, create the following groups:
On the User tab, create the following users:
test (additional user for testing purposes)
Users must have a password. In Karaf, the default password of each user is the same as the user name. If you change them, be sure to also change the tadmin password on the TAC Server (Runtime Server Password), because TAC uses the tadmin user for deployment. User-to-group relations must be:
all groups listed except sl_mantains and sl_admin
all groups listed except sl_admin
all groups listed except sl_mantains
Copy the Blueprint descriptor (syncopeLoginModule.xml) into the %container%/deploy folder of your Runtime container. The content of the Blueprint descriptor is shown below:
<?xml version="1.0" encoding="UTF-8"?>
<jaas:config name="karaf" rank="2">
This file adds the Syncope Login Module to the Karaf container. The realm is named karaf, like the default one, and rank="2" makes it take precedence over the default properties-file realm, which has rank 0. The deploy folder is loaded dynamically, so you do not need to restart the container.
To verify the configuration, connect to the container over SSH:
ssh karaf@runtime_server -p runtime_port
Password: the one configured in Syncope for the karaf user. If the login succeeds with that password, Syncope is already performing the authentication, since it is no longer the password from users.properties.
Run jaas:realm-list to verify the login module in use: the karaf realm should now list the Syncope login module.
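The page shows only the opening of syncopeLoginModule.xml. As an added example (not Talend's descriptor, and not Karaf code), the following Python script renders a descriptor in the form Apache Karaf documents for its SyncopeLoginModule, checks the result before it is copied to the deploy folder, and writes it with owner-only permissions. The Syncope REST address (iam_host, /syncope/rest), the admin credentials, the version value and the container path are assumptions to be replaced with your own values.

```python
# Added example, not Talend's syncopeLoginModule.xml: render and sanity-check
# a Blueprint descriptor for Karaf's SyncopeLoginModule. The REST address,
# admin credentials and Syncope version are assumptions; replace them.
import os
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

BLUEPRINT_NS = "http://www.osgi.org/xmlns/blueprint/v1.0.0"
JAAS_NS = "http://karaf.apache.org/xmlns/jaas/v1.1.0"
SYNCOPE_MODULE = "org.apache.karaf.jaas.modules.syncope.SyncopeLoginModule"
DEFAULT_REALM_RANK = 0   # Karaf's built-in "karaf" realm carries no rank attribute


def render_descriptor(address, admin_user, admin_password, version="2", rank=2):
    """Return the descriptor text for a realm named karaf with the given rank.

    The rank must be higher than the default realm's, otherwise Karaf keeps
    authenticating against etc/users.properties.
    """
    if int(rank) <= DEFAULT_REALM_RANK:
        raise ValueError("rank must be > %d to override the default karaf realm"
                         % DEFAULT_REALM_RANK)
    # Module options are key=value lines in the element text; escape them so a
    # password containing '<' or '&' cannot break the XML.
    option_lines = "\n".join(
        "            " + escape(line) for line in (
            "address=%s" % address,        # Syncope 2.x REST endpoint (assumed)
            "admin.user=%s" % admin_user,
            "admin.password=%s" % admin_password,
            "version=%s" % version,
        ))
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<blueprint xmlns="%s" xmlns:jaas="%s">\n'
        '    <jaas:config name="karaf" rank="%d">\n'
        '        <jaas:module className="%s" flags="required">\n'
        '%s\n'
        '        </jaas:module>\n'
        '    </jaas:config>\n'
        '</blueprint>\n'
    ) % (BLUEPRINT_NS, JAAS_NS, int(rank), SYNCOPE_MODULE, option_lines)


def inspect_descriptor(xml_text):
    """Parse a descriptor (yours or a generated one) and return
    (realm name, rank, [module class names], {option: value})."""
    root = ET.fromstring(xml_text)
    cfg = root.find("{%s}config" % JAAS_NS)
    if cfg is None:
        raise ValueError("no jaas:config element found")
    modules, options = [], {}
    for module in cfg.findall("{%s}module" % JAAS_NS):
        modules.append(module.get("className"))
        for line in (module.text or "").splitlines():
            key, sep, value = line.strip().partition("=")
            if sep:
                options[key.strip()] = value.strip()
    return cfg.get("name"), int(cfg.get("rank", "0")), modules, options


def write_descriptor(container_dir, xml_text):
    """Write <container>/deploy/syncopeLoginModule.xml readable by the owner
    only: the file holds the Syncope admin password in clear text."""
    path = os.path.join(container_dir, "deploy", "syncopeLoginModule.xml")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(xml_text)
    return path


if __name__ == "__main__":
    # Assumed values: adapt iam_host and the credentials to your installation.
    text = render_descriptor("http://iam_host:9080/syncope/rest", "admin", "password")
    print(text)
    print(inspect_descriptor(text))
```

Run inspect_descriptor on the descriptor you are about to deploy: the realm name must be karaf and the rank must be above 0, otherwise the file is accepted by the deployer but the properties-file realm keeps answering logins, and jaas:realm-list will show that nothing changed.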
ESB Service Configuration
From Studio, create an ESB Service (REST or SOAP) and, in the cREST or cSOAP component, enable the Use Authentication setting with the value HTTP BASIC. This option turns on authentication for the service; in this example, Syncope performs it.
Publish the ESB Service:
Note: The same configuration works with a Job or a Data Service that uses a tRestRequest component.
Deploy the ESB Service to the ESB Runtime and call it, for example by opening its URL in a browser. The browser prompts you to log in. You can use any user you created in the Syncope Console; the user does not need to belong to a specific Syncope group, because this setting authenticates callers but does not authorize them. HTTP BASIC only base64-encodes the credentials, so expose the service over HTTPS.
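What the browser and the service exchange once HTTP BASIC is enabled, as an added example that is not Talend code: a small stand-in for the ESB Runtime's Basic-auth check, with a pluggable authenticate() function in place of the Syncope login module (the user table inside it is constructed for the example). It shows the 401 challenge that triggers the browser's login prompt, the Authorization header the client sends back, and that any valid user is accepted regardless of group, as described above. The service URL and user names are assumptions.

```python
# Added example, not Talend code: the HTTP Basic exchange between a client
# and a service whose authentication is delegated (here to a stand-in for
# the Syncope login module).
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-in for the Syncope user store; in production the ESB
# Runtime asks the Syncope login module, not a dict.
SYNCOPE_USERS = {"karaf": "karaf", "tadmin": "tadmin", "test": "test"}


def authenticate(user, password):
    """Stand-in for the Syncope realm: any valid user is accepted and group
    membership is not checked, which is what 'Use Authentication' gives you."""
    return SYNCOPE_USERS.get(user) == password


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if it is
    missing, not Basic, not valid base64, or has no ':' separator."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


class ServiceHandler(BaseHTTPRequestHandler):
    """Minimal protected REST endpoint."""

    def do_GET(self):
        creds = parse_basic(self.headers.get("Authorization"))
        if creds is None or not authenticate(*creds):
            # The challenge is what makes a browser show its login dialog.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="karaf"')
            self.end_headers()
            return
        body = ("hello %s" % creds[0]).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_service():
    """Start the stand-in service on an ephemeral localhost port.
    Returns (service URL, server) so the caller can shut it down."""
    srv = HTTPServer(("127.0.0.1", 0), ServiceHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/services/demo" % srv.server_address[1], srv


def call_service(url, user=None, password=None):
    """Call the service the way a browser does after the prompt: credentials
    go in 'Authorization: Basic base64(user:password)', which is encoding,
    not encryption, hence the need for HTTPS. Returns (status, body) on
    success or (status, WWW-Authenticate header) on a 4xx/5xx response."""
    req = Request(url)
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:
        return e.code, e.headers.get("WWW-Authenticate", "")


if __name__ == "__main__":
    url, srv = start_service()
    print(call_service(url))                   # no credentials: 401 + challenge
    print(call_service(url, "test", "wrong"))  # bad password: 401
    print(call_service(url, "test", "test"))   # valid Syncope user: 200
    srv.shutdown()
```

Replace authenticate() with a call to your real identity source if you reuse this as a test harness; the wire format is the same. Because the password crosses the network in every request, terminate TLS in front of the Runtime or on the Runtime's HTTPS connector before exposing the service.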
For more information about Syncope, see the Apache Syncope Documentation page.