Security: User roles, accounts, and permissions

Security within IBM® Spectrum Conductor is controlled by two interdependent processes: authentication and authorization. Authentication is used to determine the identity of the user and verify and validate that identity. Authorization checks the permissions of the authenticated user and controls access to functions based on the roles that are assigned to the user.

Authentication versus authorization

Authentication is the process of verifying identity. This identity can be a user account used by a person, a host ID used by a machine, a server certificate used by a server software component, or a client certificate used by a client software component. Authentication is usually performed by proving the identity bearer has a secret that is known only to the bearer.

After an identity is authenticated, authorization is the process of determining who is allowed to do what. Authorization is accomplished by assigning permissions or roles to an identity that accesses system objects.

A permission grants access to one or more system objects. A role is a group of permissions. Roles can be assigned to any user or user group, and a user or user group can have more than one role. Unlike hierarchical users, a role does not contain another role.

Security model

The following figure illustrates the security model in IBM Spectrum Conductor:

[Figure: Workflow illustrating security in Platform Conductor]

When a user submits a request, they are authenticated and then granted authorization based on their role. By default, the IBM Spectrum Conductor security model uses the EGO user account database. A user account is defined in the database and includes a password to provide authentication and an assigned role (which provides authorization).

User accounts

IBM Spectrum Conductor uses a number of user accounts to manage the cluster. User accounts are created and managed in EGO, with EGO authorizing users from its user database.

Each consumer is associated with a list of user accounts that are allowed to access the consumer. Different user accounts can submit or control workload. However, each consumer is associated with only one user account for running workload. All workload that runs under one consumer runs under one operating system account.

User roles and permissions

Regardless of the authentication method you use, IBM Spectrum Conductor uses role-based authorization to control access to system objects.

IBM Spectrum Conductor supports the following default user roles:
  • The Cluster Administrator role can administer any object and workload in the cluster.
  • The Cluster Administrator (read-only) role has read-only access to all cluster information.
  • The Consumer Administrator role can administer any objects and workload in consumers to which they have access. Consumer administrators are assigned at any level of a branch in the consumer tree and they are administrators for all sub-consumers in that branch of the tree.
  • The Consumer Administrator (read-only) role has read-only access to objects and workload in consumers to which they have access.
  • The Consumer User role can only run workload in consumers to which they have access. Consumer users are assigned to individual consumers.

As an administrator, you can choose from an extensive list of fine-grained permissions and apply them to a new or existing user role.
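
The scoping rules of the default roles above, modeled as an added sketch (not IBM Spectrum Conductor code). The action names, consumer paths, users, and the permission set attached to each role are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical action names; the product's real permission list is not shown here.
VIEW, ADMIN, RUN = "view", "administer", "run_workload"

@dataclass(frozen=True)
class Role:
    permissions: frozenset       # a role is a flat group of permissions, never other roles
    cluster_wide: bool = False   # applies to every consumer in the cluster
    inherits_down: bool = False  # applies to sub-consumers of the assigned consumer

# Permission sets per role are simplified assumptions based on the descriptions above.
ROLES = {
    "Cluster Administrator": Role(frozenset({VIEW, ADMIN}), cluster_wide=True),
    "Cluster Administrator (read-only)": Role(frozenset({VIEW}), cluster_wide=True),
    "Consumer Administrator": Role(frozenset({VIEW, ADMIN}), inherits_down=True),
    # Assumption: the read-only variant is scoped like Consumer Administrator.
    "Consumer Administrator (read-only)": Role(frozenset({VIEW}), inherits_down=True),
    "Consumer User": Role(frozenset({RUN})),  # individual consumers only
}

# Constructed sample data: user -> [(role name, consumer path or None)].
ASSIGNMENTS = {
    "alice": [("Cluster Administrator (read-only)", None)],
    "bob": [("Consumer Administrator", "/Dept")],
    "carol": [("Consumer User", "/Dept/TeamA"),
              ("Consumer Administrator (read-only)", "/Dept/TeamB")],
}

def covers(assigned, target, inherits_down):
    """True if a role assigned at `assigned` applies to consumer `target`."""
    if assigned == target:
        return True
    # Compare whole path segments so "/Dept" does not match "/DeptX".
    return inherits_down and target.startswith(assigned.rstrip("/") + "/")

def is_allowed(user, action, consumer, assignments=ASSIGNMENTS):
    """Default deny: allow only if some assigned role grants the action in scope."""
    for role_name, scope in assignments.get(user, []):
        role = ROLES[role_name]
        if action not in role.permissions:
            continue
        if role.cluster_wide or covers(scope, consumer, role.inherits_down):
            return True
    return False
```

A user with several roles is allowed an action when any one of them grants it in scope, and an unknown user or an unmatched request falls through to deny.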

Impersonation

Service instances sometimes require user-specific privileges to access certain resources. An organization's security policies can also make it necessary to isolate the user under which a process runs. With IBM Spectrum Conductor, you can configure the user account under which workload runs, allowing you to isolate users and applications.

Impersonation means that the system runs executables under a designated operating system account.

Security across communication channels

IBM Spectrum Conductor supports Secure Sockets Layer (SSL) and Kerberos to secure communication between components.
  • SSL is a protocol that uses encryption and authentication techniques to secure connections between clients and servers. By default, web server communication is enabled over SSL during installation.
  • Kerberos is a network authentication protocol that provides stronger authentication than regular UNIX and NIS authentication.