Configuring file-level security in CAS

File-level security in Content-Aware Storage (CAS) ensures that users can access only the data they are authorized to read from the file system.

Before you begin

Set up the following components:

  • A directory server, such as OpenLDAP, that stores each user's numeric user ID, numeric group ID, and supplemental group IDs.
  • An external Identity Provider (IDP) that uses the OpenID standard, such as Keycloak. The IDP must use the directory server for user federation so that it can retrieve and return the following user attributes from the /userinfo endpoint:
    • userID
    • groupID
    • supplementalGroups
      Note: The supplementalGroups must contain the numeric IDs for the user's groups.
      Note: The attribute names (userID, groupID, and supplementalGroups) are used as examples. You can use different attribute names as needed. During the claim-mapping configuration, these custom attribute names are mapped to the standard names recognized by CAS: userID, groupID, and supplementalGroups.
  • File system clients
  • CAS

About this task

File-level security uses an external identity provider (IDP) integrated with a directory server to retrieve your numeric user ID, numeric group ID, and supplemental group IDs. At query time, CAS performs a real-time access check to verify whether the user has read permission on the parent file of each matching vector.

When file-level security is enabled, users and groups that are authorized through CAS Resource Access Control (CRAC) can still run CAS queries. However, query results are limited to files for which the user has 'read' access. File-level security is configured at the CAS deployment level and applies to all document processors and domains, both existing and newly created.

This feature requires CAS to be integrated with an external IDP that federates users from the same LDAP directory that is used to authenticate file system users.
Note: Without file-level security configuration, CAS returns results from all ingested data within a domain to any user who has domain-level access, regardless of file-level read permissions.
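The following is an added illustration, not CAS code, of the access check described above: it takes the userID, groupID, and supplementalGroups claims from the /userinfo response and evaluates POSIX mode bits on the parent file of each matching vector, dropping matches the user cannot read. The claim shape, file metadata, and query results are constructed sample data; only mode bits are modeled (no POSIX ACLs or privileged overrides), and the real ACL_Checker may differ.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMeta:
    """Ownership and permission bits of a file, as stat() would report them."""
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o640


def can_read(claims: dict, f: FileMeta) -> bool:
    """POSIX mode-bit read check for the identity in the userinfo claims.

    Claim values often arrive as strings from the IDP, so they are cast to int.
    Only one class (owner, group, other) is consulted, in that order, exactly as
    the kernel does: an owner with no owner-read bit is denied even if the group
    bits would allow it. ACLs and root/capability overrides are out of scope.
    """
    uid = int(claims["userID"])
    gids = {int(claims["groupID"])}
    gids |= {int(g) for g in claims.get("supplementalGroups", [])}
    if uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def filter_results(claims: dict, matches: list, files: dict) -> list:
    """Keep only vector matches whose parent file the caller may read."""
    return [m for m in matches if can_read(claims, files[m["parent_file"]])]


# Constructed sample data (hypothetical paths, IDs, and vector matches).
FILES = {
    "/data/eng/design.md": FileMeta(uid=1001, gid=2001, mode=0o640),
    "/data/hr/salaries.csv": FileMeta(uid=1002, gid=2002, mode=0o640),
    "/data/shared/readme.txt": FileMeta(uid=1000, gid=2000, mode=0o644),
    "/data/ops/runbook.md": FileMeta(uid=1003, gid=2003, mode=0o640),
    "/data/eng/private.txt": FileMeta(uid=1001, gid=2001, mode=0o040),
}
ALICE = {"sub": "alice", "userID": "1001", "groupID": "2001",
         "supplementalGroups": ["2001", "2003"]}
MATCHES = [{"vector_id": i, "parent_file": p} for i, p in enumerate(FILES, 1)]

if __name__ == "__main__":
    for m in filter_results(ALICE, MATCHES, FILES):
        print(m["vector_id"], m["parent_file"])
```

Alice owns private.txt but lacks the owner-read bit, so that match is dropped even though her group could read it; runbook.md is returned only because of her supplemental group 2003.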

To enable file-level security, perform the following steps:

Procedure

  1. Create a security context constraint that grants the CAS ACL_Checker container the SETUID and SETGID capabilities. For more information, see the Kubernetes documentation.
  2. Using the following command, apply the script available in GitHub:
    oc apply -f acl-checker-security.yaml
    Note: Administrator privileges are required to apply the YAML script to your cluster.
  3. Configure CAS to use the appropriate claims for the user ID, group ID, and supplemental groups information in the external IDP and file system. For more information, see Configuring CAS to connect to your Identity Provider (IDP).
  4. Configure CAS to enable file-level security during query execution.
    1. Download the helper script available in GitHub.
    2. Run the downloaded script with your CAS namespace as the first parameter and "true" as the second parameter to enable file-level security, by using the following commands:
      chmod +x ./configure-file-security.sh
      
      ./configure-file-security.sh <YourCasNamespace> true

Results

The file-level security feature is enabled in the CAS ConfigMap and the CAS deployment is restarted. The script prints output similar to the following:
======= Fusion Content-aware Storage (CAS) Configure File Level Security Script Target Namespace: ibm-cas =======
ENABLE_FILE_LEVEL_SECURITY is now set to true
Patching query-search deployment
Restarting query-search deployment
Query-search deployment is available
Patching Document Processor Deployments

Deleting <YourDocumentProcessor1Name> deployment
Restarting <YourDocumentProcessor1Name> deployment
<YourDocumentProcessor1Name> deployment available
<YourDocumentProcessor1Name> deployment is running with file level security

Deleting <YourDocumentProcessor2Name> deployment
Restarting <YourDocumentProcessor2Name> deployment
<YourDocumentProcessor2Name> deployment available
<YourDocumentProcessor2Name> deployment is running with file level security

File Level Security Script has completed successfully.