To protect your StreamBase environment from unintended use, one option is
to enable authentication directly in StreamBase by defining parameters in
the deployed sbconf configuration file, and by
associating users with three types of StreamBase roles. When this type of
authentication is enabled, each user must provide valid username and password
credentials when they enter StreamBase commands or use the
StreamBase Debugger.
By default, authentication is disabled. This topic explains how to change the authentication settings.
Notes
- The authentication credentials that you define for use with StreamBase have no connection with system-level accounts: they are independent of each other. While you could use the same user-name and password combinations for StreamBase and a system-level account, it is not necessary. The important point is that the sbuseradmin command described in this topic does not interact with your operating system's accounts.
- Authentication directly in the StreamBase Server is not encrypted. For encrypted authentication using external X.509 certificates and LDAP, see Using the Proxy Server to Control Client Access.
Enabling StreamBase Server authentication involves the following steps:
Authentication directly in StreamBase involves assigning users to any of three roles. For each role, users are authorized to run specific commands:
StreamBase Authorization: Roles and Commands
| Role | Commands Authorized |
|---|---|
| SBUser | sbc |
| SBDeveloper | sbc, sbdb |
| SBAdmin | sbc, sbdb, sbadmin |
That is, the SBDeveloper role and the SBAdmin role can perform all the tasks allowed by the SBUser role. A user can be assigned more than one
StreamBase user role.
If authentication is disabled (the default), these roles need not be defined.
You can change the authentication value for the sbd StreamBase Server that will host your
application by editing the respective sbconf files.
To customize a configuration file for use with one of your applications, use the
-s flag as shown in the following command, and redirect
the output to a file. For example:
sbd -s > /home/myapps/sbd.sbconf
You can also modify a server configuration by using the text editor for sbd.sbconf (one per project) in StreamBase Studio, as described in Defining a StreamBase Server Configuration. For more details about the XML-based StreamBase configuration files, see the StreamBase References.
In each configuration file, there is an <authentication> section. For example, the following section can be found in sbd.sbconf:
<authentication>
<param name="enabled" value="false"/>
<param name="type" value="sb-password-file"/>
<param name="filepath" value="${STREAMBASE_HOME}/etc/sbpasswd"/>
</authentication>
As noted earlier, authentication is disabled by default. If you want to enable it,
change the value of the enabled parameter to
true.
The user name and password are stored in the following file:
/opt/streambase/etc/sbpasswd
To add, update, or delete users, run the sbuseradmin command.
The format is:
$ sbuseradmin -a -n user-name -p password -r user-roles
On Windows, the sbpasswd file in the C:\Program Files\StreamBase Systems\StreamBase.n.m\etc or C:\Program
Files\StreamBase Systems\StreamBase\etc directory can be accessed only by
members of the Administrators group.
On UNIX, the /opt/streambase/etc/sbpasswd file is
installed with root as owner. If the sbpasswd file protection remains unchanged, you must have
root access to run the sbuseradmin command, which modifies authentication
credentials in the sbpasswd file. If you do not have
root access, an error is returned when you attempt to
run sbuseradmin. For example:
sbuseradmin -a -n smart -p guy -r SBDeveloper
Unable to create temporary password file /opt/streambase/etc/sbpasswd_temp...
su
Password: password
sbuseradmin -a -n smart -p guy -r SBDeveloper
Added user smart
For the user-roles you can provide a
comma-separated list of user roles.
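The following Python check is an added example, not part of the StreamBase documentation or tooling. It reads the <authentication> section shown earlier and, on UNIX, checks the owner and write permissions of the password file it points to; the audit_authentication function, the wrapper element in the sample, and the group/other-write test are assumptions made for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the <authentication> section from the page, with
# "enabled" set to true, inside a minimal wrapper element.
SAMPLE_SBCONF = """<streambase-configuration>
  <authentication>
    <param name="enabled" value="true"/>
    <param name="type" value="sb-password-file"/>
    <param name="filepath" value="${STREAMBASE_HOME}/etc/sbpasswd"/>
  </authentication>
</streambase-configuration>"""


def audit_authentication(sbconf_xml, streambase_home, expected_uid=0):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(sbconf_xml)
    auth = next(root.iter("authentication"), None)
    if auth is None:
        return ["no <authentication> section: authentication is off by default"]
    params = {p.get("name"): p.get("value", "") for p in auth.iter("param")}

    findings = []
    if params.get("enabled", "false").strip().lower() != "true":
        findings.append("authentication is disabled")
    if params.get("type") != "sb-password-file":
        return findings  # other authentication types are outside this check
    # Expand the only variable that the page's sample section uses.
    path = params.get("filepath", "").replace("${STREAMBASE_HOME}", streambase_home)
    try:
        st = os.stat(path)
    except OSError:
        return findings + [f"password file not found: {path}"]
    if st.st_uid != expected_uid:
        findings.append(f"{path} is owned by uid {st.st_uid}, expected {expected_uid}")
    # Assumption: unchanged protection means no group or other write access.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} is writable by group or others")
    return findings


if __name__ == "__main__":
    home = os.environ.get("STREAMBASE_HOME", "/opt/streambase")
    for finding in audit_authentication(SAMPLE_SBCONF, home) or ["nothing flagged"]:
        print(finding)
```

Run it against the sbconf file that sbd actually loads; expected_uid defaults to 0 because the page states that sbpasswd is installed with root as owner.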
User names and passwords can be specified by the StreamBase Client
(sbc) and StreamBase
Administration Client (sbadmin) through
the URI or the environment variable STREAMBASE_SERVER. To
use the account that you defined for authentication, include ;user=username;password=password
in STREAMBASE_SERVER. For example:
STREAMBASE_SERVER="sb://localhost:10000/;user=sbadmin;password=somePassw0rd1957"
The -u option of the sbc, sbadmin,
and sbdb commands allows you to provide
a URI that includes the authentication information. For example, use the following
command to list entities:
sbc -u "sb://localhost:10000/;user=sbadmin;password=somePassw0rd1957" list
