Streamtool security

The streamtool man security command provides an overview of security in Streams. For more information about configuring security, see the product documentation.

Streams domains include an authentication and authorization service (AAS) that mediates the use of the domain.

Domain users are first authenticated to validate their identity. Then, individual operations (such as starting a domain, updating properties, or submitting jobs) use a mechanism that is based on access control lists (ACL) to verify that the user is authorized to perform the operation.

Audit logging

You can also configure Streams to record audit log information to a file. Streams supports comprehensive, multiple-level auditing of product and user operations. By default, audit logging is not enabled. For information about enabling audit logging, see the product documentation.

Authentication

The authentication processing in Streams integrates with your existing user authentication infrastructure. For example, integration with PAM and LDAP back ends are supported. All user repository management occurs outside of Streams, directly by using the toolset of the back-end infrastructure.

The authentication configuration in Streams is associated with a domain. The authentication back end is either PAM or LDAP and can be specified only when the domain is created. By default, the PAM back end is used. The PAM authentication defaults to a PAM service named 'login'. To customize the name of the PAM service for a domain, specify the security.pamServiceName domain property in the streamtool mkdomain or streamtool setdomainproperty commands.

By default, the integration with PAM and LDAP also enables you to use a public or private key mechanism to construct a secure environment where users are not prompted to provide their passwords. To avoid password prompts, generate a public and private key pair by using the streamtool genkey command. To delete the public and private key pair, use the streamtool rmkey command.

The security session timeout is controlled by the domain.securitySessionTimeout domain property. You can specify this property when you run streamtool mkdomain or streamtool setdomainproperty commands. For details, see streamtool man domainproperties.

For information about configuring user authentication, see the product documentation.

Authorization

Streams uses access control lists to manage user authorization for domains and instances. An ACL contains the type of domain and instance objects to secure and the actions that a user or group is authorized to perform against the object. The ACLs are initialized when you create a domain or instance. You can view and update access control lists by using the Streams Console or streamtool commands.

Authorization also involves the concepts of roles and job groups. A role is a set of permissions or access rights that is managed by Streams. You can create roles or use default roles such as DomainAdministrator, DomainUser, InstanceAdministrator, and InstanceUser. The streamtool mkrole and streamtool mkdomainrole commands make roles for instances and domains.

A job group is a group of jobs that have the same authority or permissions. You can use job groups to limit who can perform tasks such as sending or receiving data from jobs, and stopping or restarting processing elements. When you submit a job, you can specify which job group it belongs to. If you do not specify a job group, the submitted job uses the following job group: default. To create more job groups, use the streamtool mkjobgroup command or the Streams Console.

When you run a command or a service performs an operation that requires authorization, the authentication and authorization service checks the ACL for the security object. The authentication and authorization service considers the user permissions, the group permissions, and the role permissions when it performs the authorization check.

For information about user authorization, see the product documentation.