Configuring file-level access control in CAS

File-level security in Content-Aware Storage (CAS) ensures that users can access only the data they are authorized to read from the file system.

Overview

File-level security uses an external identity provider (IDP) integrated with a directory server to retrieve the user's numeric user ID, numeric group ID, and supplemental group IDs. At query time, it performs a real-time access check to verify whether the user has read permission on the parent file of each matching vector.

When file-level security is enabled, users and groups that are authorized through CAS Resource Access Control (CRAC) can still run CAS queries. However, query results are limited to files for which the user has 'read' access. File-level security is configured at the CAS deployment level and applies to all document processors and domains, both existing and newly created.

This feature requires CAS to be integrated with an external IDP that federates users from the same LDAP directory that is used to authenticate file system users.
Note: Without file-level security configuration, CAS returns results from all ingested data within a domain to any user who has domain-level access, regardless of file-level read permissions.

Before you begin

File-level access control in CAS requires the following setup:
  • A directory server, such as OpenLDAP, that stores the user's numeric user ID, numeric group ID, and supplemental group IDs.
  • An external Identity Provider (IDP) that uses the OpenID standard, such as Keycloak. The IDP must use the directory server for user federation so that it can retrieve the following user attributes and provide them at the /userinfo endpoint:
    • userID
    • groupID
    • supplementalGroups
      Note: The supplementalGroups attribute must contain the numeric IDs of the user's groups, such as userID and groupID.
      Note: The attribute names (userID, groupID, and supplementalGroups) are used as examples. You can use custom attribute names in the directory server. During the claim-mapping configuration (in the CRAC CR), these custom attribute names are mapped to the standard names that CAS recognizes: userID, groupID, and supplementalGroups.
  • File system clients
  • CAS
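The following is an added example, not code from IBM Fusion or CAS: it models the access check described in the Overview (read permission on the parent file of each matching vector, evaluated from the numeric user ID, group ID and supplemental groups) together with the claim mapping described in the note above. The custom attribute names (uidNumber, gidNumber, memberGids), the file metadata and the query hits are constructed sample data.

```python
import stat
from dataclasses import dataclass

# Constructed example of a claim mapping: custom directory attribute
# names on the left, the names CAS recognizes on the right.
CLAIM_MAPPING = {"uidNumber": "userID", "gidNumber": "groupID",
                 "memberGids": "supplementalGroups"}
REQUIRED = {"userID", "groupID", "supplementalGroups"}

def normalize_claims(userinfo: dict) -> dict:
    """Map custom /userinfo claim names to the standard names and
    collect the user's numeric IDs. Missing claims are an error, so a
    misconfigured IDP fails closed instead of granting access."""
    claims = {CLAIM_MAPPING.get(k, k): v for k, v in userinfo.items()}
    missing = REQUIRED - claims.keys()
    if missing:
        raise ValueError(f"userinfo lacks required claims: {sorted(missing)}")
    gids = {int(g) for g in claims["supplementalGroups"]} | {int(claims["groupID"])}
    return {"uid": int(claims["userID"]), "gids": gids}

@dataclass(frozen=True)
class FileMeta:
    owner_uid: int
    owner_gid: int
    mode: int  # POSIX permission bits, e.g. 0o640

def can_read(user: dict, f: FileMeta) -> bool:
    """POSIX read check: owner bits apply if the uid matches, otherwise
    group bits if any of the user's groups matches, otherwise other bits.
    Root and extended ACLs are deliberately not modelled."""
    if user["uid"] == f.owner_uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.owner_gid in user["gids"]:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

def filter_results(userinfo: dict, hits: list, files: dict) -> list:
    """Keep only the vector hits whose parent file the user may read."""
    user = normalize_claims(userinfo)
    return [h for h in hits if can_read(user, files[h["parent_file"]])]

# Constructed sample data: three ingested files and the hits for one query.
FILES = {
    "/data/hr/salaries.pdf": FileMeta(1001, 2001, 0o640),
    "/data/public/handbook.pdf": FileMeta(1001, 2001, 0o644),
    "/data/eng/design.md": FileMeta(1005, 2005, 0o600),
}
HITS = [{"parent_file": p, "score": s} for p, s in
        [("/data/hr/salaries.pdf", 0.91), ("/data/public/handbook.pdf", 0.80),
         ("/data/eng/design.md", 0.75)]]
ALICE = {"uidNumber": "1002", "gidNumber": "3000", "memberGids": ["2001"]}
BOB = {"uidNumber": "1003", "gidNumber": "3000", "memberGids": []}
```

Alice is a member of group 2001 and so sees the group-readable salaries file; Bob only sees the world-readable handbook.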

Modifying file-level access control for a domain

Using command line

To enable or disable file-level permissions for a specific domain, add fileACL: true or fileACL: false under the spec section of the CasResourceAccessControl instance for the domain. For more information, see Create a CAS Resource Access Control (CRAC) CR.

Using user interface
  1. Open the IBM Fusion UI and go to Content-aware Storage > Domains.
  2. Select the domain to modify.
  3. Select the Access control tab.
  4. In the Search access settings section, select Edit.
  5. Use the toggle to enable or disable File permission checking.