Optional user access configurations

In addition to the webSecurity.xml file that allows you to define a basic registry for REST API calls, you can specify more files to configure the access to an Operational Decision Manager instance. These customizations are implemented with the customization.authSecretRef parameter.

Predefined configurations

To manage user access, the following predefined files are provided in a secret named {{ meta.name }}-odm-oidc-auth-operator-secret:
  • openIdWebSecurity.xml contains the ODM Liberty configuration to communicate with the Zen proxy.
  • openIdParameters.properties configures features like logout, allowed domains, and the OpenID provider to manage the Zen API key.
  • server-configurations.json configures the Decision Center connection to the Decision Server console and to Decision Runner.
  • group-security-configurations.xml contains the default groups and users for Decision Center.
  • webSecurity.xml configures the basic registry for REST API calls.

openIdWebSecurity.xml and openIdParameters.properties are automatically provided to communicate with the Zen proxy. You do not customize these files.

For the other files, you can define your own configuration and then encapsulate them in a secret that you provide to the odm_configuration.customization.authSecretRef parameter. For example:
oc create secret generic my-auth-secret --from-file=webSecurity.xml=<path>/webSecurity.xml --from-file=server-configurations.json=<path>/server-configurations.json 
If the webSecurity.xml file is not provided, a default one is generated with the following content:
<server>
  <basicRegistry id="basic" realm="basic">
    <user name="odmAdmin" password="odmAdmin"/>
    <user name="resExecutor" password="resExecutor"/>
    <group name="basicRtsAdministrators">
      <member name="odmAdmin" />
    </group>
    <group name="resExecutors">
      <member name="resExecutor" />
      <member name="odmAdmin" />
    </group>
  </basicRegistry>

  <variable name="odm.rtsAdministrators.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.rtsConfigManagers.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.rtsInstallers.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.resAdministrators.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.resDeployers.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.resMonitors.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.resExecutors.group1" value="group:basic/resExecutors"/>
</server>
If you do not want to allow basic authentication, you must provide an empty webSecurity.xml file: either a file with no content at all, or a file that contains only an empty server element:

<server>
</server>
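The following Python script is an added example; it is not part of the Operational Decision Manager documentation or product code. It parses a webSecurity.xml basic registry such as the default one above, resolves the odm.<role>.groupN variables to work out which users end up holding which Decision Center and Rule Execution Server roles, and lists accounts whose password equals the user name (as the generated defaults do). The sample registry and the empty file are copied from this page; the weak-password rule is an assumption made for the example.

```python
"""Added example (not part of the ODM documentation or product code): resolve
which ODM roles each user in a webSecurity.xml basic registry ends up with,
and flag accounts whose password equals the user name."""
import xml.etree.ElementTree as ET

# Constructed sample: the default registry generated when no webSecurity.xml
# is supplied (copied from the documentation above).
DEFAULT_WEB_SECURITY = """<server>
  <basicRegistry id="basic" realm="basic">
    <user name="odmAdmin" password="odmAdmin"/>
    <user name="resExecutor" password="resExecutor"/>
    <group name="basicRtsAdministrators">
      <member name="odmAdmin" />
    </group>
    <group name="resExecutors">
      <member name="resExecutor" />
      <member name="odmAdmin" />
    </group>
  </basicRegistry>
  <variable name="odm.rtsAdministrators.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.rtsConfigManagers.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.rtsInstallers.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.resAdministrators.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.resDeployers.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.resMonitors.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.resExecutors.group1" value="group:basic/resExecutors"/>
</server>"""

# The file that disables basic authentication (also from the documentation).
EMPTY_WEB_SECURITY = "<server>\n</server>"


def parse_registry(xml_text):
    """Return (users, groups, roles): user -> password, group -> member names,
    role -> groups mapped to it through odm.<role>.groupN variables."""
    root = ET.fromstring(xml_text)
    users, groups, roles = {}, {}, {}
    for registry in root.iter("basicRegistry"):
        for user in registry.findall("user"):
            users[user.get("name")] = user.get("password")
        for group in registry.findall("group"):
            groups[group.get("name")] = {m.get("name") for m in group.findall("member")}
    for var in root.iter("variable"):
        name, value = var.get("name", ""), var.get("value", "")
        # Only odm.<role>.groupN variables whose value is group:<realm>/<group>
        if not (name.startswith("odm.") and value.startswith("group:")):
            continue
        role = name.split(".")[1]
        group = value.split("/", 1)[-1]
        roles.setdefault(role, set()).add(group)
    return users, groups, roles


def roles_by_user(xml_text):
    """Map every registry user to the set of ODM roles granted through groups."""
    users, groups, roles = parse_registry(xml_text)
    granted = {user: set() for user in users}
    for role, group_names in roles.items():
        for group in group_names:
            for member in groups.get(group, ()):
                if member in granted:
                    granted[member].add(role)
    return granted


def weak_credentials(xml_text):
    """Users whose password is missing or identical to the user name
    (assumption for this example: the generated defaults fall in this category)."""
    users, _, _ = parse_registry(xml_text)
    return sorted(u for u, pw in users.items() if not pw or pw == u)


if __name__ == "__main__":
    for user, granted_roles in roles_by_user(DEFAULT_WEB_SECURITY).items():
        print(f"{user}: {', '.join(sorted(granted_roles))}")
    print("weak credentials:", weak_credentials(DEFAULT_WEB_SECURITY))
```

Run against the default registry, the script shows that odmAdmin holds every role listed in the variables while resExecutor holds only resExecutors, and that both accounts use their user name as password; run against the empty server element it reports no users, which is what disabling basic authentication looks like.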

ldap-configurations.xml

The ldap-configurations.xml file automatically defines the LDAP configuration available under the Decision Center Administration tab.

For example:

<dc-usermanagement>
        <ldapConnections>
                <ldapConnection name="LDAP">
                        <ldapUrl>ldap://hostname</ldapUrl>
                        <searchConnectionDN>cn=admin,dc=example,dc=org</searchConnectionDN>
                        <searchConnectionPassword>password</searchConnectionPassword>
                        <groupSearchBase>ou=groups,dc=example,dc=org</groupSearchBase>
                        <groupSearchFilter>(cn=*)</groupSearchFilter>
                        <groupNameAttribute>cn</groupNameAttribute>
                        <groupMemberAttribute>member</groupMemberAttribute>
                        <userIdAttribute>uid</userIdAttribute>
                        <userNameAttribute>cn</userNameAttribute>
                        <userMailAttribute>mail</userMailAttribute>
                        <ldapProperties>
                                <ldapPropertyName/>
                        </ldapProperties>
                </ldapConnection>
        </ldapConnections>
</dc-usermanagement>

This option is equivalent to the manual procedure described in Synchronizing users and groups in Decision Center.

Note: If you want to use SSL-enabled LDAP in your container environment, you must create the SSL secret with the certificate of the LDAP server. Put the LDAP server certificate in the operator trust list as described in Importing the certificate of an external service.

group-security-configurations.xml

The group-security-configurations.xml file automatically populates the groups and users under the Decision Center Administration tab to map roles to groups.

For example:
<dc-usermanagement>
        <role name="rtsAdministrator"/>
        <role name="rtsConfigManager"/>
        <role name="rtsInstaller"/>
        <role name="rtsUser"/>
        <group name="rtsAdministrators" roles="rtsAdministrator"/>
        <group name="rtsConfigManagers" roles="rtsConfigManager"/>
        <group name="rtsInstallers" roles="rtsInstaller"/>
        <group name="rtsUsers" roles="rtsUser"/>
        <user name="odmAdmin" groups="rtsAdministrators, rtsInstallers, rtsConfigManagers, rtsUsers"/>
        <user name="rtsAdmin" groups="rtsAdministrators, rtsInstallers, rtsConfigManagers, rtsUsers"/>
        <user name="rtsConfig" groups="rtsConfigManagers, rtsUsers"/>
        <user name="rtsUser1" groups="rtsUsers"/>
        <user name="rtsUser2" groups="rtsUsers"/>
</dc-usermanagement>

server-configurations.json

The server-configurations.json file must contain an array of JSON objects. Each JSON object defines a server by using the following fields:

  • name: The name of the server as it is displayed in the Business console interface.
  • kind: The server type:
      • RES: RuleApp deployment
      • DECISION_RUNNER: test suite and simulation executions
  • authenticationKind: The authentication type:
      • BASIC_AUTH: basic username and password authentication (default)
      • OAUTH: OpenID authentication
  • authenticationProvider: If authenticationKind is OAUTH, the name of the OIDC provider. This name must match one of the OIDC providers that are uploaded to the Business console.
  • url: The URL of the server.
  • loginServer: The username for logging in to this server.
  • loginPassword: The password for logging in to this server.
  • builtIn: If this field is set to false, the server configuration can be edited or removed.
  • description: A sentence describing the server.
  • groups: The list of groups.

The following example illustrates the fields in a server-configurations.json file:

[
  {
    "name": "Test and Simulation Execution (BASIC)",
    "kind": "DECISION_RUNNER",
    "authenticationKind": "BASIC_AUTH",
    "url": "https://cpd-odm.apps.XXX.XXX/odm/DecisionRunner",
    "loginServer": "odmAdmin",
    "loginPassword": "odmAdmin",
    "builtIn": false,
    "description": "Use this server to run tests and simulations for decision services.",
    "groups": ["*"]
  },
  {
    "name": "Decision Service Execution (OIDC)",
    "kind": "RES",
    "authenticationKind": "OAUTH",
    "authenticationProvider": "frlab",
    "url": "https://cpd-odm.apps.XXX.XXX/odm/res",
    "loginServer": "odmAdmin",
    "loginPassword": "odmAdmin",
    "builtIn": false,
    "description": "Use this server to deploy decision services that you want to execute.",
    "groups": ["*"]
  }
]

XXX.XXX corresponds to the OpenShift domain name.

If you want a Decision Center server configuration that is different from the default one, provide your own server-configurations.json file.

If you do not want the default Decision Center server configuration, you must provide an empty server-configurations.json file:
[
]
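The following Python script is an added example; it is not part of the Operational Decision Manager documentation or product code. It checks a server-configurations.json file against the field rules described above before the file is packaged into the authSecretRef secret: the top-level value must be an array, kind and authenticationKind must take the documented values, an OAUTH server needs an authenticationProvider (and, when the names of the uploaded providers are passed in, one that exists), and the URL must use https. It also flags two things a reviewer would want to catch before deployment: the XXX.XXX domain placeholder left in a URL and the sample odmAdmin/resExecutor credentials. The sample input is the page's own example; the credential check and the https requirement are assumptions made for the example.

```python
"""Added example (not part of the ODM documentation or product code): check a
server-configurations.json file against the documented field rules before it
is packaged into the authSecretRef secret."""
import json
from urllib.parse import urlparse

KINDS = {"RES", "DECISION_RUNNER"}
AUTH_KINDS = {"BASIC_AUTH", "OAUTH"}
REQUIRED_FIELDS = ("name", "kind", "url")
# Assumption for this example: the credentials of the default basic registry,
# which should never be carried into a real server configuration.
SAMPLE_CREDENTIALS = {("odmAdmin", "odmAdmin"), ("resExecutor", "resExecutor")}

# Constructed input: the documentation example, placeholders included.
SAMPLE_SERVER_CONFIGURATIONS = """[
  {
    "name": "Test and Simulation Execution (BASIC)",
    "kind": "DECISION_RUNNER",
    "authenticationKind": "BASIC_AUTH",
    "url": "https://cpd-odm.apps.XXX.XXX/odm/DecisionRunner",
    "loginServer": "odmAdmin",
    "loginPassword": "odmAdmin",
    "builtIn": false,
    "description": "Use this server to run tests and simulations for decision services.",
    "groups": ["*"]
  },
  {
    "name": "Decision Service Execution (OIDC)",
    "kind": "RES",
    "authenticationKind": "OAUTH",
    "authenticationProvider": "frlab",
    "url": "https://cpd-odm.apps.XXX.XXX/odm/res",
    "loginServer": "odmAdmin",
    "loginPassword": "odmAdmin",
    "builtIn": false,
    "description": "Use this server to deploy decision services that you want to execute.",
    "groups": ["*"]
  }
]"""


def check_server_configurations(text, known_providers=()):
    """Return a list of findings; an empty list means every check passed.
    known_providers: names of the OIDC providers uploaded to the Business
    console. When given, every OAUTH server must reference one of them."""
    findings = []
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(data, list):
        return ["top-level value must be a JSON array of server objects"]
    for index, server in enumerate(data):
        if not isinstance(server, dict):
            findings.append(f"server[{index}]: entry is not a JSON object")
            continue
        tag = f"server[{index}] ({server.get('name', '?')})"
        for field in REQUIRED_FIELDS:
            if field not in server:
                findings.append(f"{tag}: missing field '{field}'")
        if server.get("kind") not in KINDS:
            findings.append(f"{tag}: kind must be one of {sorted(KINDS)}")
        auth_kind = server.get("authenticationKind", "BASIC_AUTH")  # documented default
        if auth_kind not in AUTH_KINDS:
            findings.append(f"{tag}: authenticationKind must be one of {sorted(AUTH_KINDS)}")
        elif auth_kind == "OAUTH":
            provider = server.get("authenticationProvider")
            if not provider:
                findings.append(f"{tag}: OAUTH requires authenticationProvider")
            elif known_providers and provider not in known_providers:
                findings.append(f"{tag}: authenticationProvider '{provider}' is not an uploaded OIDC provider")
        url = server.get("url", "")
        if urlparse(url).scheme != "https":
            findings.append(f"{tag}: url must use https")
        if "XXX.XXX" in url:
            findings.append(f"{tag}: url still contains the XXX.XXX domain placeholder")
        if (server.get("loginServer"), server.get("loginPassword")) in SAMPLE_CREDENTIALS:
            findings.append(f"{tag}: loginServer/loginPassword are the sample default credentials")
        if "builtIn" in server and not isinstance(server["builtIn"], bool):
            findings.append(f"{tag}: builtIn must be true or false")
        if not isinstance(server.get("groups", []), list):
            findings.append(f"{tag}: groups must be a JSON array")
    return findings


if __name__ == "__main__":
    for finding in check_server_configurations(SAMPLE_SERVER_CONFIGURATIONS):
        print(finding)
```

On the page's example the script reports four findings (the placeholder domain and the sample credentials, once per server); the empty array that disables the default configuration passes cleanly. Running it with the provider names from OdmOidcProviders.json catches an OAUTH server whose authenticationProvider does not match any uploaded provider.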

OdmOidcProviders.json

The OdmOidcProviders.json file provides the OpenID Connect client configuration to deploy decision services to Decision Server. In this case, Decision Center is the client of Decision Server for deploying decision services.

You can specify several OpenID Connect Providers in the same JSON file.

For example:
{
  "providers": [
    {
      "name": "OIDCProviderName1",
      "grantType": "password",
      "authorizationURL": "https://<host>:<port>/<path>/authorize",
      "tokenURL": "https://<host>:<port>/<path>/token",
      "introspectionURL": "https://<host>:<port>/<path>/introspect",
      "clientId": "<client_id>",
      "clientSecret": "<client_secret>"
    },
    {
      "name": "OIDCProviderName2",
      "grantType": "client_credentials",
      "authorizationURL": "https://<host>:<port>/<path>/authorize",
      "tokenURL": "https://<host>:<port>/<path>/token",
      "introspectionURL": "https://<host>:<port>/<path>/introspect",
      "clientId": "<client_id>",
      "clientSecret": "<client_secret>"
    }
  ]
}
The following list describes the attributes used in the OdmOidcProviders.json file for Decision Center, and whether each one is mandatory or optional.

  • name (mandatory): A short name to identify the OpenID Connect Provider.
  • grantType (mandatory): The flow that is used to obtain a token. Values:
      • password: Supports the current username and password authentication.
      • client_credentials (default value): Uses the client credentials.
        Note: When you use client credentials, no username or password is needed when you select an OpenID Connect Provider in the Decision Center Business console. The fields for these credentials are hidden.
  • authorizationURL (mandatory)
  • tokenURL (mandatory): It is used to obtain an access token by using the specified flow.
  • introspectionURL (optional): It is used to introspect the token that is received in API calls when the token is opaque (non-JWT).
    When this URL is provided, the Operational Decision Manager OpenID Connect implementation caches access tokens that are used in the password flow or the client credentials flow. The introspection URL is invoked to verify that the cached token remains valid before it is reused.
    When this URL is not provided, the Operational Decision Manager OpenID Connect implementation does not cache access tokens that are used in the password flow or the client credentials flow because it cannot verify the validity of the cached tokens. Therefore, every new connection to Rule Execution Server requires re-execution of the flow.
  • clientId (mandatory): The client ID that is obtained after the registration.
  • clientSecret (mandatory): The client secret that is obtained after the registration.

Before you specify the client secret in the JSON file, test the connection without the client secret to verify the connection.
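The following Python script is an added example; it is not part of the Operational Decision Manager documentation or product code. Its first part checks an OdmOidcProviders.json file against the attribute rules above (mandatory fields, the two grantType values with client_credentials as default, duplicate provider names, https endpoints, and placeholders such as <host> that were never filled in). Its second part is a small model of the documented token-reuse rule: when introspectionURL is set, a cached token is checked through introspection and reused while it is still active; when it is not set, the grant flow runs again for every new connection to Rule Execution Server. The TokenClient class, its injected run_flow and introspect callables, and the lab-idp provider are constructed for the example; they are not the product's implementation.

```python
"""Added example (not part of the ODM documentation or product code): validate
OdmOidcProviders.json and model the documented token-reuse rule (tokens are
cached and re-checked through introspectionURL when it is set; otherwise the
grant flow runs for every connection)."""
import json

GRANT_TYPES = {"password", "client_credentials"}
REQUIRED_FIELDS = ("name", "authorizationURL", "tokenURL", "clientId", "clientSecret")

# Constructed inputs: the documentation example (placeholders included) and a
# filled-in provider using a made-up host, idp.example.test.
SAMPLE_PROVIDERS_JSON = """{"providers": [{
  "name": "OIDCProviderName1", "grantType": "password",
  "authorizationURL": "https://<host>:<port>/<path>/authorize",
  "tokenURL": "https://<host>:<port>/<path>/token",
  "introspectionURL": "https://<host>:<port>/<path>/introspect",
  "clientId": "<client_id>", "clientSecret": "<client_secret>"}]}"""
CLEAN_PROVIDER = {
    "name": "lab-idp", "grantType": "client_credentials",
    "authorizationURL": "https://idp.example.test/oauth/authorize",
    "tokenURL": "https://idp.example.test/oauth/token",
    "introspectionURL": "https://idp.example.test/oauth/introspect",
    "clientId": "decision-center", "clientSecret": "example-secret",
}
CLEAN_PROVIDERS_JSON = json.dumps({"providers": [CLEAN_PROVIDER]})
NO_INTROSPECTION_JSON = json.dumps({"providers": [dict(CLEAN_PROVIDER, introspectionURL="")]})


def check_providers(text):
    """Return findings for an OdmOidcProviders.json document (empty = clean)."""
    findings = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    providers = doc.get("providers") if isinstance(doc, dict) else None
    if not isinstance(providers, list):
        return ["expected a JSON object with a 'providers' array"]
    seen = set()
    for index, p in enumerate(providers):
        if not isinstance(p, dict):
            findings.append(f"provider[{index}]: entry is not a JSON object")
            continue
        tag = f"provider[{index}] ({p.get('name', '?')})"
        for field in REQUIRED_FIELDS:
            if not p.get(field):
                findings.append(f"{tag}: missing '{field}'")
        if p.get("grantType", "client_credentials") not in GRANT_TYPES:  # documented default
            findings.append(f"{tag}: grantType must be one of {sorted(GRANT_TYPES)}")
        if p.get("name") in seen:
            findings.append(f"{tag}: duplicate provider name")
        seen.add(p.get("name"))
        for field in ("authorizationURL", "tokenURL", "introspectionURL"):
            value = p.get(field, "")
            if value and ("<host>" in value or not value.startswith("https://")):
                findings.append(f"{tag}: {field} is a placeholder or not https")
        if not p.get("introspectionURL"):
            findings.append(f"{tag}: no introspectionURL, so tokens are not cached and the flow runs for every connection")
    return findings


class TokenClient:
    """Model of the documented reuse rule. run_flow() and introspect(token) are
    injected stand-ins for the provider's token and introspection endpoints."""

    def __init__(self, provider, run_flow, introspect):
        self.provider, self.run_flow, self.introspect = provider, run_flow, introspect
        self.cached, self.flow_runs = None, 0

    def token(self):
        """Return the token to use for one new Rule Execution Server connection."""
        can_cache = bool(self.provider.get("introspectionURL"))
        if can_cache and self.cached is not None:
            if self.introspect(self.cached):   # still active: reuse it
                return self.cached
            self.cached = None                 # expired or revoked: obtain a new one
        token = self.run_flow()
        self.flow_runs += 1
        if can_cache:                          # cache only what can be re-verified
            self.cached = token
        return token


def count_flow_runs(provider, connections, valid_checks=None):
    """Simulate `connections` consecutive connections and return how many times
    the grant flow executed. valid_checks: number of introspection checks that
    report the token as active before it counts as revoked (None = always active)."""
    checks = {"n": 0}

    def introspect(token):
        checks["n"] += 1
        return valid_checks is None or checks["n"] <= valid_checks

    client = TokenClient(provider, lambda: "constructed-token", introspect)
    for _ in range(connections):
        client.token()
    return client.flow_runs
```

With an introspection URL, five connections cost one flow execution; without one, five connections cost five; and when introspection reports the cached token as no longer active, the client discards it and runs the flow again, which is the behaviour the attribute description above promises.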