Home
Configuring
Create a basic or an enterprise domain which is a single point for configuring and managing common resources, security, and instances.
Configuring security
Each Teracloud® Streams domain and instance maintains its own security configuration.
User authorization
Teracloud® Streams uses access control lists (ACLs) to manage user authorization for domains and instances. An ACL contains the type of domain and instance objects to secure and the actions that a user or group is authorized to perform against the object. The ACLs are initialized when you create a domain or instance.
Security objects and access permissions
Teracloud® Streams security objects and permissions enable you to control access to domain and instance resources and data. You can update security objects and access permissions by using the Streams Console or streamtool commands.

Welcome
Learn about the core capabilities of Teracloud® Streams, its architecture, and key concepts.
Installing
Use this information to install, upgrade, and uninstall the Teracloud® Streams product.
Configuring
Create a basic or an enterprise domain which is a single point for configuring and managing common resources, security, and instances.
- Setting up a basic domain on a single resource
  A basic domain has a single Teracloud® Streams resource and user. This type of domain is typically used for test or development environments.
- Setting up an enterprise domain on multiple resources
  An enterprise domain can have multiple resources and users. This type of domain is typically used for production environments. You can configure high availability to ensure that Teracloud® Streams can continue to run even if resources fail or are not available.
- Configuring security
  Each Teracloud® Streams domain and instance maintains its own security configuration.
  - User authorization
    Teracloud® Streams uses access control lists (ACLs) to manage user authorization for domains and instances. An ACL contains the type of domain and instance objects to secure and the actions that a user or group is authorized to perform against the object. The ACLs are initialized when you create a domain or instance.
    - Security objects and access permissions
      Teracloud® Streams security objects and permissions enable you to control access to domain and instance resources and data. You can update security objects and access permissions by using the Streams Console or streamtool commands.
      - Security objects for domains and instances
        This information describes the security objects for Teracloud® Streams domains and instances.
      - Access permissions for domain and instance objects
        This information describes the administrator and user access permissions for Teracloud® Streams domain and instance objects.
      - Example: Removing security permissions for users
        Removing the security permissions for a user might require that you remove role or group permissions in addition to the specific user permissions. This example shows you how to remove the security permissions for a Teracloud® Streams user by removing both specific user permissions and role permissions.
    - Roles
      A role is a collection of permissions that can be assigned to a user or group of users.
    - Job groups
      A job group is a group of jobs that have the same authority or permissions.
    - Viewing and configuring ACL settings for domains and instances
      You can review and configure the access control list (ACL) settings for Teracloud® Streams domains and instances by using the streamtool command-line interface. You can also grant access privileges to domain and instance resources by using the Streams Console.
    - Configuring user access to domains and instances
      By default, Teracloud® Streams domains and instances are private and can be accessed only by the user who creates the domain or instance. To set up a domain or instance that can be accessed by multiple users, you can use either the Teracloud Streams graphical user interfaces or streamtool commands.
    - Streamtool commands that require user authorization
      The streamtool command description provides information about the authority that is required to run each command.
  - User authentication
    The default user authentication method for Teracloud® Streams domains is PAM or LDAP. For a basic domain, Teracloud Streams uses PAM. For an enterprise domain, you can specify either LDAP or PAM as the default method when you create the domain, and then customize user authentication after the domain is created.
  - Linux users and Teracloud® Streams jobs
    To determine which Linux user has the authority to run the jobs for a Teracloud® Streams instance, you must first determine which user is running the domain controller services for your domain. The security implications of the instance.runAsUser and instance.canSetPeOSCapabilities property settings also need to be considered.
  - Changing the cryptographic protocol
    Many domain and instance services support connections that use Transport Layer Security (TLS) cryptographic protocols. You can specify which cryptographic protocols the services use for secure communication by setting domain and instance properties. Starting with Teracloud® Streams Version 7.2.0, the default protocol setting is TLSv1.3, which indicates that TLS 1.3 or later protocols are used.
  - Securing a Teracloud® Streams cluster
    While applications are deployed into production environments with specific recommendations that apply to individual customers, enterprise organizations generally have security policies and procedures that must be met and followed. To meet enterprise requirements, a combination of product and environment configuration is needed. The following are some key features using the standard information security CIA triad.
- Configuring audit logging
  Teracloud® Streams supports comprehensive, multiple-level auditing of product and user operations. By default, audit logging is not enabled.
- Configuring transport mechanisms
  Teracloud® Streams supports several high-performance and configurable transport mechanisms for communicating across processing elements (PEs). You can configure the transport mechanism by updating Teracloud Streams properties.
- Configuring a checkpoint data store
  Use this procedure to configure a checkpoint data store for Teracloud® Streams domains and instances.
Administering
Administer the product by using the Teracloud® Streams graphical user interface, APIs, or the streamtool command-line interface.
Developing
Develop stream applications with the Streams Processing Language (SPL), Java, and Python.
Troubleshooting
Resolve problems with Teracloud® Streams using the troubleshooting tools provided with the product as well as the resources offered by Teracloud Support.
Reference
Find details on the SPL language, toolkits, APIs, commands, and more.
Glossary
Use this glossary to find terms and definitions for Teracloud® Streams.

Security objects and access permissions for Teracloud® Streams domains and instances

Teracloud® Streams security objects and permissions enable you to control access to domain and instance resources and data. You can update security objects and access permissions by using the Streams Console or streamtool commands.

Security objects are hierarchical in nature, in that some objects are included by other objects. For example, a jobs object can include multiple jobgroup objects, which include job_id objects for each job that is running in the system.

Each object is assigned an access permission and a default permission:

The access permission identifies which users, groups, or roles have permission to perform operations against this type of object.
The default permission identifies the set of permissions that are granted to new child objects created under this object. Default permissions are only important for the jobs security object when you create new job groups.

You can set the access and default permissions by using the Streams Console or the following streamtool commands:

streamtool setdomainacl for domains
streamtool setacl for instances

The permissions for a submitted job are contained in its job group and are changed by using the streamtool grantjobpermission and streamtool revokejobpermission commands. The name of the default job group for an instance is default.

Teracloud® Streams determines the permissions for a user from the following types of permissions:

Specific user permissions
Role permissions
Group permissions

Therefore, removing permissions for a user might require that you remove role or group permissions in addition to the specific user permissions. You might also need to remove the user and their groups from one or more roles. For more information, see the example that shows how to remove security permissions for a Teracloud® Streams user.