Optional user access configurations
In addition to the webSecurity.xml file that allows you to define a basic registry for REST API calls, you can specify more files to configure the access to an Operational Decision Manager instance. These customizations are implemented with the customization.authSecretRef parameter.
Predefined configurations
{{ meta.name }}-odm-oidc-auth-operator-secret:
- openIdWebSecurity.xml contains the ODM Liberty configuration to communicate with the Zen proxy.
- openIdParameters.properties configures features like logout, allowed domains, and the OpenID provider to manage the Zen API key.
- server-configurations.json configures the Decision Center connection to the Decision Server console and to Decision Runner.
- group-security-configurations.xml contains the default groups and users for Decision Center.
- webSecurity.xml configures the basic registry for REST API calls.
openIdWebSecurity.xml and openIdParameters.properties are automatically provided to communicate with the Zen proxy. You do not customize these files.
```shell
oc create secret generic my-auth-secret --from-file=webSecurity.xml=<path>/webSecurity.xml --from-file=server-configurations.json=<path>/server-configurations.json
```
```xml
<server>
  <basicRegistry id="basic" realm="basic">
    <user name="odmAdmin" password="odmAdmin"/>
    <user name="resExecutor" password="resExecutor"/>
    <group name="basicRtsAdministrators">
      <member name="odmAdmin" />
    </group>
    <group name="resExecutors">
      <member name="resExecutor" />
      <member name="odmAdmin" />
    </group>
  </basicRegistry>
  <variable name="odm.rtsAdministrators.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.rtsConfigManagers.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.rtsInstallers.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.resAdministrators.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.resDeployers.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.resMonitors.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.resExecutors.group1" value="group:basic/resExecutors"/>
</server>
```
or
```xml
<server>
</server>
```
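Because the odm.*.groupN variables point ODM roles at basicRegistry groups, the effective permissions of a webSecurity.xml are only visible after following those references. The following review helper is an added example, not part of the product or of this page; it parses a constructed copy of the sample above, resolves each ODM role to the users who hold it, and flags users whose password equals their user name, as the sample's default entries do.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the webSecurity.xml shown above
# (assumption: a basicRegistry plus odm.<role>.groupN variables).
WEB_SECURITY_XML = """<server>
  <basicRegistry id="basic" realm="basic">
    <user name="odmAdmin" password="odmAdmin"/>
    <user name="resExecutor" password="resExecutor"/>
    <group name="basicRtsAdministrators"><member name="odmAdmin"/></group>
    <group name="resExecutors">
      <member name="resExecutor"/><member name="odmAdmin"/>
    </group>
  </basicRegistry>
  <variable name="odm.rtsAdministrators.group1" value="group:basic/basicRtsAdministrators"/>
  <variable name="odm.resExecutors.group1" value="group:basic/resExecutors"/>
  <variable name="odm.resDeployers.group1" value="group:basic/noSuchGroup"/>
</server>"""


def resolve_roles(xml_text):
    """Map each ODM role (taken from odm.<role>.groupN) to the sorted list of
    users in the registry group it names. A role that resolves to no users
    (for example a dangling group reference) is reported with an empty list."""
    root = ET.fromstring(xml_text)
    members = {}
    for registry in root.findall("basicRegistry"):
        for group in registry.findall("group"):
            key = f"{registry.get('id')}/{group.get('name')}"
            members[key] = {m.get("name") for m in group.findall("member")}
    roles = {}
    for var in root.findall("variable"):
        name, value = var.get("name", ""), var.get("value", "")
        if not name.startswith("odm.") or not value.startswith("group:"):
            continue
        role = name.split(".")[1]
        target = value[len("group:"):]
        roles.setdefault(role, set()).update(members.get(target, set()))
    return {role: sorted(users) for role, users in roles.items()}


def default_credentials(xml_text):
    """Users whose password is identical to their user name."""
    root = ET.fromstring(xml_text)
    return sorted(u.get("name") for u in root.iter("user")
                  if u.get("password") == u.get("name"))
```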
ldap-configurations.xml
The ldap-configurations.xml file automatically defines the LDAP configuration available under the Decision Center Administration tab.
For example:
```xml
<dc-usermanagement>
  <ldapConnections>
    <ldapConnection name="LDAP">
      <ldapUrl>ldap://hostname</ldapUrl>
      <searchConnectionDN>cn=admin,dc=example,dc=org</searchConnectionDN>
      <searchConnectionPassword>password</searchConnectionPassword>
      <groupSearchBase>ou=groups,dc=example,dc=org</groupSearchBase>
      <groupSearchFilter>(cn=*)</groupSearchFilter>
      <groupNameAttribute>cn</groupNameAttribute>
      <groupMemberAttribute>member</groupMemberAttribute>
      <userIdAttribute>uid</userIdAttribute>
      <userNameAttribute>cn</userNameAttribute>
      <userMailAttribute>mail</userMailAttribute>
      <ldapProperties>
        <ldapPropertyName/>
      </ldapProperties>
    </ldapConnection>
  </ldapConnections>
</dc-usermanagement>
```
This option is equivalent to the manual procedure described in Synchronizing users and groups in Decision Center.
group-security-configurations.xml
The group-security-configurations.xml file automatically populates the groups and users under the Decision Center Administration tab to map roles to groups.
```xml
<dc-usermanagement>
  <role name="rtsAdministrator"/>
  <role name="rtsConfigManager"/>
  <role name="rtsInstaller"/>
  <role name="rtsUser"/>
  <group name="rtsAdministrators" roles="rtsAdministrator"/>
  <group name="rtsConfigManagers" roles="rtsConfigManager"/>
  <group name="rtsInstallers" roles="rtsInstaller"/>
  <group name="rtsUsers" roles="rtsUser"/>
  <user name="odmAdmin" groups="rtsAdministrators, rtsInstallers, rtsConfigManagers, rtsUsers"/>
  <user name="rtsAdmin" groups="rtsAdministrators, rtsInstallers, rtsConfigManagers, rtsUsers"/>
  <user name="rtsConfig" groups="rtsConfigManagers, rtsUsers"/>
  <user name="rtsUser1" groups="rtsUsers"/>
  <user name="rtsUser2" groups="rtsUsers"/>
</dc-usermanagement>
```
server-configurations.json
The server-configurations.json file must contain an array of JSON objects. Each JSON object defines a server by using the following fields:
Field | Description |
---|---|
name | The name of the server as it is displayed in the Business console interface. |
kind | Indicates the server type. |
authenticationKind | Indicates the authentication type. |
authenticationProvider | If the authenticationKind is OAUTH, this property defines the name of the OIDC provider. This name must match one of the OIDC providers that are uploaded to the Business console. |
url | The URL of the server. |
loginServer | The username for logging in to this server. |
loginPassword | The password for logging in to this server. |
builtIn | If this field is set to false, the server configuration can be edited or removed. |
description | A sentence describing the server. |
groups | The list of groups. |
The following example illustrates the fields in a server-configurations.json file:
```json
[
  {
    "name": "Test and Simulation Execution (BASIC)",
    "kind": "DECISION_RUNNER",
    "authenticationKind": "BASIC_AUTH",
    "url": "https://cpd-odm.apps.XXX.XXX/odm/DecisionRunner",
    "loginServer": "odmAdmin",
    "loginPassword": "odmAdmin",
    "builtIn": false,
    "description": "Use this server to run tests and simulations for decision services.",
    "groups": ["*"]
  },
  {
    "name": "Decision Service Execution (OIDC)",
    "kind": "RES",
    "authenticationKind": "OAUTH",
    "authenticationProvider": "frlab",
    "url": "https://cpd-odm.apps.XXX.XXX/odm/res",
    "loginServer": "odmAdmin",
    "loginPassword": "odmAdmin",
    "builtIn": false,
    "description": "Use this server to deploy decision services that you want to execute.",
    "groups": ["*"]
  }
]
```
XXX.XXX corresponds to the OpenShift domain name.
If you want Decision Center server configurations that differ from the default ones, provide your own server-configurations.json file.
```json
[
]
```
OdmOidcProviders.json
The OdmOidcProviders.json file provides the OpenID Connect client configuration to deploy decision services to Decision Server. In this case, Decision Center is the client of Decision Server for deploying decision services. You can specify several OpenID Connect Providers in the same JSON file.
```json
{
  "providers": [
    {
      "name": "OIDCProviderName1",
      "grantType": "password",
      "authorizationURL": "https://<host>:<port>/<path>/authorize",
      "tokenURL": "https://<host>:<port>/<path>/token",
      "introspectionURL": "https://<host>:<port>/<path>/introspect",
      "clientId": "<client_id>",
      "clientSecret": "<client_secret>"
    },
    {
      "name": "OIDCProviderName2",
      "grantType": "client_credentials",
      "authorizationURL": "https://<host>:<port>/<path>/authorize",
      "tokenURL": "https://<host>:<port>/<path>/token",
      "introspectionURL": "https://<host>:<port>/<path>/introspect",
      "clientId": "<client_id>",
      "clientSecret": "<client_secret>"
    }
  ]
}
```
The following table lists the attributes used in the OdmOidcProviders.json file for Decision Center.

Attribute | Value for Decision Center | Description |
---|---|---|
name | Mandatory | A short name to identify the OpenID Connect Provider. |
grantType | Mandatory | The flow that is used to obtain a token. |
authorizationURL | Mandatory | |
tokenURL | Mandatory | It is used to obtain an access token by using the specified flow. |
introspectionURL | Optional | It is used to introspect the token that is received in API calls when the token is opaque (non-JWT). When this URL is provided, the Operational Decision Manager OpenID Connect implementation caches access tokens that are used in the password flow or the client credentials flow. The introspection URL is invoked to verify that the cached token remains valid before it is reused. When this URL is not provided, the Operational Decision Manager OpenID Connect implementation does not cache access tokens that are used in the password flow or the client credentials flow because it cannot verify the validity of the cached tokens. Therefore, every new connection to Rule Execution Server requires re-execution of the flow. |
clientId | Mandatory | The client ID that is obtained after the registration. |
clientSecret | Mandatory | The client secret that is obtained after the registration. Before you specify the client secret in the JSON file, test the connection without the client secret to verify the connection. |
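A server entry whose authenticationKind is OAUTH must name a provider that exists in OdmOidcProviders.json, and a provider without an introspectionURL forces the token flow to run on every connection. The following pre-flight check, an added example rather than anything shipped with the product, covers both the server-configurations.json fields and the provider attributes in the table above, using constructed copies of the two files with placeholder hosts and credentials.

```python
import json

# Constructed sample files shaped like the examples on this page; hosts and
# credentials are placeholders, not values from any real deployment.
SERVER_CONFIGURATIONS = json.loads("""[
 {"name": "Decision Service Execution (OIDC)", "kind": "RES",
  "authenticationKind": "OAUTH", "authenticationProvider": "frlab",
  "url": "https://cpd-odm.apps.XXX.XXX/odm/res", "builtIn": false,
  "description": "Deploy decision services.", "groups": ["*"]},
 {"name": "Test and Simulation Execution (BASIC)", "kind": "DECISION_RUNNER",
  "authenticationKind": "BASIC_AUTH", "url": "http://cpd-odm.apps.XXX.XXX/odm/DecisionRunner",
  "loginServer": "odmAdmin", "loginPassword": "odmAdmin", "builtIn": false,
  "description": "Run tests and simulations.", "groups": ["*"]}
]""")
ODM_OIDC_PROVIDERS = json.loads("""{"providers": [
 {"name": "frlab", "grantType": "client_credentials",
  "authorizationURL": "https://idp.example/authorize",
  "tokenURL": "https://idp.example/token",
  "clientId": "<client_id>", "clientSecret": "<client_secret>"}
]}""")

SERVER_FIELDS = {"name", "kind", "authenticationKind", "url", "builtIn", "description", "groups"}
PROVIDER_FIELDS = {"name", "grantType", "authorizationURL", "tokenURL", "clientId", "clientSecret"}


def check_configs(servers, providers):
    """Return a list of findings; an empty list means the two files are consistent."""
    findings, known = [], set()
    for p in providers.get("providers", []):
        pname = p.get("name", "<unnamed>")
        missing = PROVIDER_FIELDS - p.keys()
        if missing:
            findings.append(f"provider {pname}: missing mandatory {sorted(missing)}")
        if "introspectionURL" not in p:
            findings.append(f"provider {pname}: no introspectionURL, so tokens are not cached")
        known.add(pname)
    for s in servers:
        sname = s.get("name", "<unnamed>")
        missing = SERVER_FIELDS - s.keys()
        if missing:
            findings.append(f"server {sname}: missing {sorted(missing)}")
        kind = s.get("authenticationKind")
        if kind == "OAUTH" and s.get("authenticationProvider") not in known:
            findings.append(f"server {sname}: authenticationProvider matches no OIDC provider")
        elif kind == "BASIC_AUTH" and not s.get("url", "").startswith("https://"):
            findings.append(f"server {sname}: loginPassword would be sent over a non-TLS url")
        elif kind not in ("OAUTH", "BASIC_AUTH"):
            findings.append(f"server {sname}: unknown authenticationKind {kind!r}")
    return findings
```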