Metacat Authentication Mechanism
================================

Metacat supports either an internal password file authentication or the use of LDAP
as an external authentication mechanism. It does this by supplying two classes
(``AuthFile`` or ``AuthLDAP``) that implement authentication via a password file or
an external LDAP server. You may choose the authentication mechanism during initial configuration.

If neither of these choices is suitable for your deployment, a custom authentication mechanism can be built.
Metacat is written such that this Authentication provider is replaceable with
another class that implements the same interface (``AuthInterface``). As
an Administrator, you have the choice to provide an alternative implementation
of ``AuthInterface`` and then configure ``metacat.properties`` to use that
class for authentication instead of LDAP or the internal password file.

File-Based Authentication
-------------------------

This is the default authentication mechanism in Metacat. The password file
path can be specified during initial configuration. The Tomcat user should have
write/read permission to access the file. The password file follows this form::

  csilPspPJdMx8zt7L9XKXeUxZjkPgKZd.o7TTPC0oJOFmT2kQ/E92
  foo@foo.com
  Smith
  John
  NCEAS
  cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org
  $2a$10$j8eGWJBEpj5MubdaqOeJje7oYw6JNc2aq2U7buoRw16kthwOEcWkC
  Developers at NCEAS

The format of the DN must look like ``uid=john,o=NCEAS,dc=ecoinformatics,dc=org``.

The format of the group name must look like ``cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org``.

The password stored in the file is hashed using the bcrypt algorithm. If you pass "-i" to the
"useradd" or "usermod" commands when you run the command line utility (see the following section),
you will be prompted to input the password and the utility will hash the password and store it in
the file. You may also get the hash of a password from any online tool,
such as https://www.dailycred.com/blog/12/bcrypt-calculator (we cannot guarantee the security of those tools),
then use "-h" to have the utility store the hashed password in the file.
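
A pre-flight check for the values described above, as an added example that is not part of Metacat or of the original page: it confirms that a user DN and a group name have the required shape and that a value destined for "-h" is a complete bcrypt string. The function names, the ``MIN_COST`` floor and the strict ``$2a$`` prefix (taken from the sample hash above) are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for values passed to Metacat's password-file utility.
# Function names and MIN_COST are hypothetical; nothing here ships with Metacat.
LC_ALL=C; export LC_ALL
MIN_COST=10   # assumed floor, equal to the cost in the page's sample hash
NL='
'

# True only for a complete bcrypt string in the form the page shows:
# "$2a$" + two-digit cost + "$" + 53 chars (22 salt, 31 digest) = 60 chars.
is_bcrypt_hash() {
    [ "${#1}" -eq 60 ] || return 1
    case $1 in
        '$2a$'[0-9][0-9]'$'*) ;;
        *) return 1 ;;
    esac
    rest=${1#???????}                  # drop the 7-char "$2a$NN$" prefix
    case $rest in *[!./A-Za-z0-9]*) return 1 ;; esac
    cost=${1#????}                     # "NN$<salt+digest>"
    cost=${cost%%\$*}                  # keep the two cost digits
    cost=${cost#0}                     # read "08" as 8
    [ "$cost" -ge "$MIN_COST" ] && [ "$cost" -le 31 ]
}

# True when DN $2 starts with RDN type $1 ("uid" for users, "cn" for groups)
# followed by o=... and one or more dc=..., the shape the page requires.
# Deliberately conservative: escaped commas inside a value are rejected.
has_dn_shape() {
    case $2 in *"$NL"*) return 1 ;; esac   # one value, one line
    printf '%s\n' "$2" | grep -Eq "^$1=[^,=]+,o=[^,=]+(,dc=[^,=]+)+\$"
}

# usage: check_user <user-dn> <group-name> <bcrypt-hash>
check_user() {
    has_dn_shape uid "$1" || { echo "bad user DN: $1" >&2; return 1; }
    has_dn_shape cn "$2"  || { echo "bad group name: $2" >&2; return 1; }
    is_bcrypt_hash "$3"   || { echo "not a complete bcrypt hash" >&2; return 1; }
}

# Demo with the DN, group name and full hash quoted on this page.
check_user 'uid=john,o=NCEAS,dc=ecoinformatics,dc=org' \
           'cn=nceas-dev,o=NCEAS,dc=ecoinformatics,dc=org' \
           '$2a$10$j8eGWJBEpj5MubdaqOeJje7oYw6JNc2aq2U7buoRw16kthwOEcWkC' \
    && echo "record OK"
```

A 53-character value with no ``$2a$NN$`` prefix is rejected, as is a hash whose cost is below ``MIN_COST``.
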

Utility for Password File Based Authentication
----------------------------------------------

You can edit the password file manually or use Metacat's command line utility
for managing users and groups. The utility is located in the deployed Metacat webapp::

  $METACAT/WEB-INF/scripts/bash/authFileManager.sh

You must be in the directory ``$METACAT/WEB-INF/scripts/bash/`` to run the file::

  cd $METACAT/WEB-INF/scripts/bash/

In order to run the file, you must make the file executable::