Authentication
This document describes the Authentication features for the Analysis Server
and ModelCenter products and gives several example use cases for how an
IT department can deploy these tools to large, geographically disparate
groups. It is intended to be accurate in concept but does not discuss
the underlying technology or implementation specifics.
The ultimate goal of authentication in Analysis Server and ModelCenter
is to provide fine-grained control over who is given access to view and
run the codes published on the Analysis Server. Combined with the
Secure Sockets Layer (SSL) feature and the Proxy Service, this provides a
fully secure environment for security and authentication across disparate
networks.
Features
- ModelCenter users should be able to specify a username/password, which
  is sent to the Analysis Server for authentication.
- Analysis Server can provide more fine-grained control over access based
  on who is logged in.
- Analysis Server may provide login information to external tools. For
  security, only system-configured Archive modules have access to the user
  password (see the information on our upcoming Archive and Version Control
  features).
- Optionally, a secure (SSL) connection may be required by the Analysis
  Server for login, to protect the password over the network.
End User Interface
The first time that a user clicks on an Analysis Server in ModelCenter’s
Server Browser, the user is prompted for a username and password for that
server (assuming that the server requires login). ModelCenter then
remembers the password in memory for the duration of that ModelCenter
session.
Figure 1 - Entering username and password
System Administrator / IT View
The Analysis Server must first be configured to use a particular type of
authentication via the aserver.conf file:
- A pluggable authentication module must be chosen. This interface is
  designed to let Analysis Server accept any type of authentication backend
  required. Some possible options are:
  - Flat file (the only module currently available; if you are interested
    in other modules, please contact us)
  - Database / PDM
  - UNIX login / PAM
  - Windows NT Domain
- The chosen pluggable authentication module must be configured.
- If "no-password" guest access is desired, it must be enabled.
Access control can then be applied to the codes published with that Analysis
Server. This access control is configured using .aserver
files in the published directories, much like the existing host-based
security. These files can specify access control based upon hosts
as well as user and group memberships.
Example aserver.conf file:
# Tell AS what sub-system to use for authentication
AuthSystem: file
# Auth sub-system specific options
AuthOptions: passwd,group
# If you want to allow password-less guest access, specify
# a logical userID here. This is required to allow
# pre-v3.1 MC clients to connect.
AuthGuestAccount: guest
Example .aserver file:
# deny access to everyone we don't specify with an allow command
deny: *
# open up my analyses to people connecting from
# phoenix-int.com and test.aerospace.com, and
# also let me run analyses from home
# ‘user’ and ‘group’ are keywords.
allow: *.phoenix-int.com
allow: group.aerospace@*.test.aerospace.com
allow: user.nsharp@myhomecomputer.myisp.com
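To see how the .aserver rules above combine, here is an added example (not Phoenix Integration's code) that parses this rule format and answers whether a given user, group set and originating host would be admitted. It assumes, as the example's own comments suggest, that rules are evaluated top to bottom with the last matching rule winning, that host parts are shell-style glob patterns, and that the result is deny when nothing matches; the real Analysis Server semantics are not documented on this page.

```python
# Added example, not part of the Analysis Server product. Assumptions:
# rules apply top to bottom and the last matching rule wins; host parts
# are shell-style glob patterns; 'user.NAME@HOST' / 'group.NAME@HOST'
# restrict by identity and origin host; a bare pattern restricts by host.
import fnmatch

def parse_aserver(text):
    """Return a list of (action, principal_kind, principal, host_pattern)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        action, _, target = line.partition(":")
        action, target = action.strip().lower(), target.strip()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown directive: {raw!r}")
        kind, name, host = None, None, target
        if target.startswith(("user.", "group.")):
            principal, _, host = target.partition("@")
            kind, _, name = principal.partition(".")
            host = host or "*"                     # no '@host' means any host
        rules.append((action, kind, name, host))
    return rules

def is_allowed(rules, user, groups, host):
    """Evaluate rules for one connection; deny when no rule matches."""
    decision = False
    for action, kind, name, host_pat in rules:
        if not fnmatch.fnmatchcase(host.lower(), host_pat.lower()):
            continue
        if kind == "user" and name != user:
            continue
        if kind == "group" and name not in groups:
            continue
        decision = (action == "allow")            # last matching rule wins
    return decision

# Constructed sample mirroring the .aserver example in this document.
SAMPLE = """
deny: *
allow: *.phoenix-int.com
allow: group.aerospace@*.test.aerospace.com
allow: user.nsharp@myhomecomputer.myisp.com
"""
RULES = parse_aserver(SAMPLE)

if __name__ == "__main__":
    print(is_allowed(RULES, "bob", [], "lab.test.aerospace.com"))  # False
```

Note that an allow for a host pattern admits every account connecting from that host, so host-only rules should be reserved for networks where the client machines themselves are trusted.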