Security
By default, Zuul uses OpenID Single Sign On as its authentication mechanism (LDAP is also supported, see below). Users will be allowed in under a guest role until they complete their profile registration. Upon registration, they will become read-only users of the system.
The following roles are used to secure functions of the application.
| Internal Name | Human Name | Description |
|---|---|---|
| ROLE_GUEST | Guest | Used for the login/registration workflow. Very limited access. |
| ROLE_USER | User | Read-only access to the application. This user cannot decrypt values. |
| ROLE_ADMIN | Admin | Same rights as ROLE_USER, plus editing settings and encrypting/decrypting values. |
| ROLE_SYSTEM_ADMIN | Sysadmin | Same rights as ROLE_ADMIN, plus editing encryption keys, managing users, etc. |
In order to ease the installation process, the first user to login to the system will automatically be granted ROLE_SYSTEM_ADMIN. Subsequent users will go through the normal workflow/role assignments.
Zuul takes a very liberal approach to access to the configuration services: by default, everyone is allowed to read them, so sensitive values should be encrypted. If you would rather tighten these settings, take a look at the URL mappings in WEB-INF/classes/security-context.xml (rules are evaluated top to bottom; the first match wins):

```xml
<intercept-url pattern="/account/**" access="hasRole('ROLE_GUEST')"/>
<intercept-url pattern="/settings/create**" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/settings/**/*.properties" access="permitAll" method="GET"/>
<intercept-url pattern="/settings/**/*.json" access="permitAll" method="GET"/>
<intercept-url pattern="/settings/**" access="hasRole('ROLE_USER')"/>
<intercept-url pattern="/system/**" access="hasRole('ROLE_SYSTEM_ADMIN')"/>
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/**" access="permitAll"/>
```
Please view the Spring-Security documentation for more details.
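To see how these rules combine for a concrete request, the following is an added Python example (not part of Zuul or this wiki) that replays the eight rules above with Spring Security's first-match semantics and an approximation of its AntPathMatcher. The request paths and role sets are constructed; the principal's granted authorities are passed in explicitly, so any role inheritance Zuul performs is not modelled.

```python
import re

# intercept-url rules from security-context.xml, in evaluation order (first match wins)
RULES = [
    ("/account/**",               "hasRole('ROLE_GUEST')",        None),
    ("/settings/create**",        "hasRole('ROLE_ADMIN')",        None),
    ("/settings/**/*.properties", "permitAll",                    "GET"),
    ("/settings/**/*.json",       "permitAll",                    "GET"),
    ("/settings/**",              "hasRole('ROLE_USER')",         None),
    ("/system/**",                "hasRole('ROLE_SYSTEM_ADMIN')", None),
    ("/admin/**",                 "hasRole('ROLE_ADMIN')",        None),
    ("/**",                       "permitAll",                    None),
]

def ant_to_regex(pattern: str) -> re.Pattern:
    """Approximate Spring's AntPathMatcher: '/**' matches zero or more whole
    path segments and '*' matches within one segment ('?' is not needed here)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def access_granted(expression: str, authorities: set) -> bool:
    """Evaluate the two access expressions this file uses."""
    if expression == "permitAll":
        return True
    m = re.fullmatch(r"hasRole\('([A-Z_]+)'\)", expression)
    if m is None:
        raise ValueError(f"unsupported access expression: {expression}")
    return m.group(1) in authorities

def decide(method: str, path: str, authorities: set) -> tuple:
    """Return (allowed, matched_pattern). A rule carrying a method applies only
    to that method, so an anonymous POST falls past the permitAll GET rules."""
    for pattern, expression, rule_method in RULES:
        if rule_method is not None and rule_method != method.upper():
            continue
        if ant_to_regex(pattern).match(path):
            return access_granted(expression, authorities), pattern
    return False, None  # unreachable while the /** catch-all is present
```

`decide("GET", "/settings/prod/app.properties", set())` returns `(True, "/settings/**/*.properties")`, while the same path with POST returns `(False, "/settings/**")`, which is exactly the read-by-everyone default the text describes.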
If you'd like tighter control over your authentication, you can use LDAP or Active Directory to secure Zuul. Enable this mode by adding the following flag to your server's JAVA_OPTS:

```
-Dspring.profiles.active="security-ldap"
```

This requires that you create an ldap.properties file somewhere on your server's classpath (TOMCAT_HOME/lib/ldap.properties, for instance).
Active Directory Example
ldap.properties
```properties
# Directory server and the service account Zuul binds with.
ldap.url=ldap://ldap.acme.com:389
# A backslash is an escape character in a .properties file, so DOMAIN\Zuul is written as DOMAIN\\Zuul.
ldap.username=DOMAIN\\Zuul
ldap.password=**********
# Group DNs mapped onto Zuul's roles.
ldap.dn.ROLE_SYSTEM_ADMIN=CN=Zuul System Admins,CN=Users,DC=acme,DC=com
ldap.dn.ROLE_ADMIN=CN=Zuul Admins,CN=Users,DC=acme,DC=com
ldap.dn.ROLE_USER=CN=Zuul Users,CN=Users,DC=acme,DC=com
# How group membership is resolved ({0} is the authenticated user's DN).
ldap.group.search.base=cn=Users,DC=acme,DC=com
ldap.group.role.attribute=distinguishedName
ldap.group.filter=member={0}
# How the user entry is located ({0} is the login name).
ldap.user.search.base=cn=Users,DC=acme,DC=com
ldap.user.search.filter=samAccountName={0}
```
I'll be adding a more generic LDAP example soon.