Configuring CAS Query Access Control and Security

You can configure Content-Aware Storage (CAS) query access control and security to suit your requirements and environment by using one or more of the following methods (domain-level authorization is always in effect; file-level security and an external IDP are optional):
  • Authorize CAS query users to CAS domains:
    • By default, any user of the Red Hat OpenShift cluster where CAS is deployed can issue CAS queries, but only against the CAS domains that user is authorized to access. In this context, these users are referred to as CAS query users.
    • Configure CAS to authorize users to specific CAS domains. If a CAS query user who is not authorized for a domain runs a query against it, the query API fails with HTTP status code 403 (Forbidden, shown as Invalid Access). For more information, see Configuring CAS Resource Access Control (CRAC).
  • Manage CAS users with your own Identity Provider (IDP):
  • Limit certain users to certain files:
    • To enforce stricter access control, you can configure CAS to serve only the content of files for which a user has explicit file-level read permission. Without this configuration, domain-level access alone is sufficient: CAS returns results from all ingested data within a domain to any user who has domain-level access, regardless of the read permissions on the underlying files. Enable file-level security when files of different sensitivity are ingested into the same domain. For more information, see Configuring file-level security in CAS.
      Security type                      Red Hat OpenShift users   External IDP users
      Domain-level security (mandatory)  Supported                 Supported
      File-level security (optional)     Unsupported               Supported; an external IDP is required to federate user information from the Directory server used by the file system.
  • CAS query user setup: To designate users of Red Hat OpenShift, an external IDP, or a Directory server as CAS query users, you must configure either the users or their groups through CAS Resource Access Control (CRAC). For more information, see Configuring CAS Resource Access Control (CRAC).
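The following is an added, illustrative model of the two authorization layers described above; it is not CAS product code and does not use the CAS query API. It assumes a small in-memory representation of CRAC domain grants, ingested files with their own read permissions, and principals whose group membership is already known (in the product, that membership comes from Red Hat OpenShift or is federated from the Directory server through an external IDP). The 403 result, the names, paths, users and groups are all constructed for the example. It shows why domain-level access alone exposes every ingested file in the domain, and how the optional file-level check narrows the result set.

```python
"""Model of CAS domain-level and file-level query authorization.

Added example, not product code. Data structures, names and the 403
result are assumptions chosen to illustrate the documented behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Principal:
    """A CAS query user. Group membership is assumed to be supplied by
    the identity source (OpenShift, or an external IDP federating the
    Directory server used by the file system)."""
    name: str
    groups: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class IngestedFile:
    path: str
    domain: str
    readers: frozenset[str]  # users/groups holding file-level read permission
    content: str


class CasDomainModel:
    """Minimal stand-in for the CAS query path (constructed for the example)."""

    def __init__(self, file_level_security: bool) -> None:
        self.file_level_security = file_level_security
        # CRAC grants: domain -> users or groups authorized for that domain
        self.domain_acl: dict[str, set[str]] = {}
        self.files: list[IngestedFile] = []

    def grant_domain(self, domain: str, principal_or_group: str) -> None:
        self.domain_acl.setdefault(domain, set()).add(principal_or_group)

    def ingest(self, f: IngestedFile) -> None:
        self.files.append(f)

    @staticmethod
    def _matches(user: Principal, allowed: set[str] | frozenset[str]) -> bool:
        return user.name in allowed or bool(user.groups & allowed)

    def query(self, user: Principal, domain: str, term: str) -> tuple[int, list[str]]:
        """Return (status, matching file paths).

        Domain-level check is always applied: an unauthorized user gets 403
        and no data. The file-level check only runs when enabled; without
        it every ingested file in the domain is searchable by any user who
        has domain access, regardless of the file's own read permissions.
        """
        if not self._matches(user, self.domain_acl.get(domain, set())):
            return 403, []
        hits: list[str] = []
        for f in self.files:
            if f.domain != domain or term not in f.content:
                continue
            if self.file_level_security and not self._matches(user, f.readers):
                continue
            hits.append(f.path)
        return 200, hits


# Constructed sample data: one domain, two files of different sensitivity.
ALICE = Principal("alice", {"analysts"})               # domain access only
BOB = Principal("bob", {"analysts", "payroll"})        # domain + payroll file access
CAROL = Principal("carol", {"marketing"})              # no domain access


def build_model(file_level_security: bool) -> CasDomainModel:
    m = CasDomainModel(file_level_security)
    m.grant_domain("finance", "analysts")  # CRAC grant by group
    m.ingest(IngestedFile("/finance/q1.txt", "finance",
                          frozenset({"analysts"}), "revenue q1 summary"))
    m.ingest(IngestedFile("/finance/salaries.txt", "finance",
                          frozenset({"payroll"}), "revenue and salaries"))
    return m


if __name__ == "__main__":
    for fls in (False, True):
        model = build_model(fls)
        print(f"file-level security={fls}")
        for user in (ALICE, BOB, CAROL):
            print("  ", user.name, model.query(user, "finance", "revenue"))
```

Running the block shows that with file-level security off, alice can read the salaries file's hits through the domain grant alone; turning it on restricts her to the file her group may read, while carol is refused at the domain layer in both modes.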