Thermostat/AccessControl

From IcedTea

Jump to: navigation, search

Thermostat Home

Contents

1 Access Control Design Documentation

This document, at present, aims to briefly describe address access control to data in Thermostat.

1.1 Role Based Access Control

Access control in Thermostat is role-based access control.

1.1.1 Subjects

  1. Thermostat user (of client application, whether GUI or CLI or eclipse plugin or ${other}).
  2. Thermostat agent user (producer of data)
  3. Thermostat administrator (not yet used, will likely be privileged user, which is allowed to assign roles to users)

1.1.2 Roles

The majority of access control that Thermostat is concerned with has to do with reading and writing monitoring data from storage. There is a basic set of roles which grant access to certain entry points to the web service (stop-gap):

thermostat-write
thermostat-query
thermostat-prepare-statement
thermostat-load-file
thermostat-save-file
thermostat-purge
thermostat-register-category
thermostat-cmdc-verify
thermostat-cmdc-generate
thermostat-login
thermostat-realm

There exist also more dynamically named roles, which individually grant read access to specific agent, host and JVM records. These are outlined in the Thermostat ACL Role Reference.

Due to the current implementation of how command channel actions work it is strongly advised that no client users get the thermostat-cmdc-verify role granted.

Here it is useful to recall some Thermostat basics. 1 or more agents (each likely running on a separate host) collect monitoring data and push to a common storage (potentially a database cluster). Some data collected is associated with the host itself, such as the hostname, network interface information, CPU usage. Other data will be specific to a particular java process. Each process will of course be owned by a particular user (OS-user) on that system. Ideally, thermostat agent runs with elevated permissions on the system, allowing it to collect data about the processes of all of the OS-users. Moreover, multiple agents running on different hosts may be sharing common storage. An arbitrary Thermostat user should only be allowed to see a subset of that data available in storage. One example of restricting what a thermostat client user would see is to limit the VMs the user sees by the owning user id of the process the JVM is running as (example: tomcat).

See also: Thermostat Access Control as part of our Security Considerations page.

1.1.3 Permissions

There are two basic permissions

r
Read permission, allowing a subject to read data.
w
Write permission, allowing a subject to write data.
CA
permits a command channel action.

A subject may have Read, Write and/or CA permissions.

Personal tools