From 5dab93b41fe61a2d9e79312190dc232f560bc383 Mon Sep 17 00:00:00 2001 From: Pavel Semyonov Date: Mon, 26 Aug 2024 12:02:15 +0700 Subject: [PATCH 1/9] Add TCM LDAP authentication --- doc/tooling/tcm/index.rst | 2 +- doc/tooling/tcm/tcm_access_control/index.rst | 35 +++++ .../tcm_access_control_list.rst | 74 +++++++++ .../tcm_access_control_rbac.rst} | 145 +----------------- .../tcm/tcm_access_control/tcm_api_tokens.rst | 54 +++++++ .../tcm/tcm_access_control/tcm_ldap_auth.rst | 36 +++++ .../tcm/tcm_access_control/tcm_sessions.rst | 12 ++ 7 files changed, 215 insertions(+), 143 deletions(-) create mode 100644 doc/tooling/tcm/tcm_access_control/index.rst create mode 100644 doc/tooling/tcm/tcm_access_control/tcm_access_control_list.rst rename doc/tooling/tcm/{tcm_access_control.rst => tcm_access_control/tcm_access_control_rbac.rst} (73%) create mode 100644 doc/tooling/tcm/tcm_access_control/tcm_api_tokens.rst create mode 100644 doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst create mode 100644 doc/tooling/tcm/tcm_access_control/tcm_sessions.rst diff --git a/doc/tooling/tcm/index.rst b/doc/tooling/tcm/index.rst index 08983d482..01a48ed25 100644 --- a/doc/tooling/tcm/index.rst +++ b/doc/tooling/tcm/index.rst @@ -41,7 +41,7 @@ to read data. LDAP authorization is supported as well. tcm_cluster_management/index tcm_cluster_data_access tcm_cluster_migrations - tcm_access_control + tcm_access_control/index tcm_audit_log tcm_configuration tcm_backend_store diff --git a/doc/tooling/tcm/tcm_access_control/index.rst b/doc/tooling/tcm/tcm_access_control/index.rst new file mode 100644 index 000000000..bdcbeb72a --- /dev/null +++ b/doc/tooling/tcm/tcm_access_control/index.rst 
@@ -0,0 +1,35 @@ +.. _tcm_access_control: + +Access control +============== + +.. include:: index.rst + :start-after: ee_note_tcm_start + :end-before: ee_note_tcm_end + +|tcm_full_name| features a role-based access control system. It enables flexible +management of access to |tcm| functions, connected clusters, and stored data. +The |tcm| access system uses three main entities: permissions, roles, +and users (or user accounts). They work as follows: + +- Permissions correspond to specific functions or objects in + |tcm| (*administrative permissions*) or operations on clusters (*cluster permissions*). +- Roles are predefined sets of *administrative* permissions to + assign to users. +- Users have roles that define their access rights to |tcm| functions and objects, and + *cluster* permissions that are assigned for each cluster individually. + +.. note:: + + |tcm| users, roles, and permissions are not to be confused with similar subjects + of the :ref:`Tarantool access control system `. To access Tarantool + instances directly, Tarantool users with corresponding roles are required. + +.. toctree:: + :maxdepth: 1 + + tcm_access_control_rbac + tcm_access_control_acl + tcm_access_control_api_tokens + tcm_ldap_auth + tcm_access_control_sessions \ No newline at end of file diff --git a/doc/tooling/tcm/tcm_access_control/tcm_access_control_list.rst b/doc/tooling/tcm/tcm_access_control/tcm_access_control_list.rst new file mode 100644 index 000000000..20a380bd4 --- /dev/null +++ b/doc/tooling/tcm/tcm_access_control/tcm_access_control_list.rst 
@@ -0,0 +1,74 @@ + +.. _tcm_access_control_acl: + +Access control list +------------------- + +|tcm|'s *access control list* (*ACL*) determines user access to particular data +and functions stored in clusters. You can use it to allow or deny access to specific +stored objects one by one. + +Each ACL entry specifies privileges that a |tcm| user has on a particular +space or a function. There are three access privileges that can be granted in the ACL: +read, write, and execute (for stored functions only). The privileges work as follows: + +- Spaces: + + - ``Read``: the user sees the space and its tuples on the **Tuples** and **Explorer** pages + - ``Write``: the user can add new and edit existing tuples of the space + +- Functions: + + - ``Read``: the user sees the function on the **Functions** tab of the instance details page. + - ``Write``: the user can edit or delete the function + - ``Execute``: the user can call the function + +.. important:: + + User access to space data and stored functions is primarily defined by the + :ref:`cluster permissions ` ``cluster.space.data.*`` and ``cluster.func.*``. + ACL only increases the access control granularity to particular objects. + Make sure that users have these permissions before enabling ACL for them. + +.. _tcm_access_control_acl_enable: + +Enabling ACL for a user +~~~~~~~~~~~~~~~~~~~~~~~ + +To granularly manage a user's access to particular objects in a cluster, enable +the use of ACL in the user profile: + +#. Go to **Users** and click **Edit** in the **Actions** menu of the corresponding table row. + +#. In the user's **Clusters** list, add a cluster on which you want to use ACL + or click the pencil icon if the cluster is already on the list. + +#. Select the **Use Access Control List (ACL)** checkbox and save changes. + +#. Repeat two previous steps for each cluster on which you want to use ACL for this user. + +#. Click **Update** to save the user account. 
+ +If the user doesn't exist yet, you can do the same when creating it. + +.. important:: + + When ACL use is enabled for a user, this user loses access to all spaces and + functions of the selected cluster except the ones explicitly specified in the ACL. + +.. _tcm_access_control_acl_manage: + +Managing ACL +~~~~~~~~~~~~ + +The tools for managing ACL are located on the **ACL** page. + +To add an ACL entry: + +#. Click **Add**. +#. Select a user to which you want to grant access. +#. Select a cluster that stores the target object: a space or a function. +#. Select the target object type and enter its name. +#. Select the privileges you want to grant. + +To delete an ACL entry, click **Delete** in the **Actions** menu of the corresponding table row. diff --git a/doc/tooling/tcm/tcm_access_control.rst b/doc/tooling/tcm/tcm_access_control/tcm_access_control_rbac.rst similarity index 73% rename from doc/tooling/tcm/tcm_access_control.rst rename to doc/tooling/tcm/tcm_access_control/tcm_access_control_rbac.rst index 373123fee..a6aae5953 100644 --- a/doc/tooling/tcm/tcm_access_control.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_access_control_rbac.rst @@ -1,7 +1,7 @@ -.. _tcm_access_control: +.. _tcm_access_control_rbac: -Access control -============== +Role-based access control +========================= .. include:: index.rst :start-after: ee_note_tcm_start 
@@ -259,145 +259,6 @@ There are the following password policy settings: - **Digits (0-9)** - **Symbols (such as !@#$%^&\*()_+№"':,.;=][{}`?>/.)** -.. _tcm_access_control_acl: - -Access control list -------------------- - -|tcm|'s *access control list* (*ACL*) determines user access to particular data -and functions stored in clusters. You can use it to allow or deny access to specific -stored objects one by one. - -Each ACL entry specifies privileges that a |tcm| user has on a particular -space or a function. There are three access privileges that can be granted in the ACL: -read, write, and execute (for stored functions only). The privileges work as follows: - -- Spaces: - - - ``Read``: the user sees the space and its tuples on the **Tuples** and **Explorer** pages - - ``Write``: the user can add new and edit existing tuples of the space - -- Functions: - - - ``Read``: the user sees the function on the **Functions** tab of the instance details page. - - ``Write``: the user can edit or delete the function - - ``Execute``: the user can call the function - -.. important:: - - User access to space data and stored functions is primarily defined by the - :ref:`cluster permissions ` ``cluster.space.data.*`` and ``cluster.func.*``. - ACL only increases the access control granularity to particular objects. - Make sure that users have these permissions before enabling ACL for them. - -.. _tcm_access_control_acl_enable: - -Enabling ACL for a user -~~~~~~~~~~~~~~~~~~~~~~~ - -To granularly manage a user's access to particular objects in a cluster, enable -the use of ACL in the user profile: - -#. Go to **Users** and click **Edit** in the **Actions** menu of the corresponding table row. - -#. In the user's **Clusters** list, add a cluster on which you want to use ACL - or click the pencil icon if the cluster is already on the list. - -#. Select the **Use Access Control List (ACL)** checkbox and save changes. - -#. 
Repeat two previous steps for each cluster on which you want to use ACL for this user. - -#. Click **Update** to save the user account. - -If the user doesn't exist yet, you can do the same when creating it. - -.. important:: - - When ACL use is enabled for a user, this user loses access to all spaces and - functions of the selected cluster except the ones explicitly specified in the ACL. - -.. _tcm_access_control_acl_manage: - -Managing ACL -~~~~~~~~~~~~ - -The tools for managing ACL are located on the **ACL** page. - -To add an ACL entry: - -#. Click **Add**. -#. Select a user to which you want to grant access. -#. Select a cluster that stores the target object: a space or a function. -#. Select the target object type and enter its name. -#. Select the privileges you want to grant. - -To delete an ACL entry, click **Delete** in the **Actions** menu of the corresponding table row. - -.. _tcm_access_control_sessions: - -Sessions --------- - -Administrators can view and revoke user sessions in |tcm|. All active sessions -are listed on the **Sessions** page. To revoke a session, click **Revoke** in the -**Actions** menu of the corresponding table row. - -To revoke all sessions of a user, go to **Users** and click **Revoke all sessions** -in the **Actions** menu of the corresponding table row. - -.. _tcm_access_control_api_tokens: - -API tokens ----------- - -|tcm| uses the Bearer HTTP authentication scheme with *API tokens* to authenticate -external applications' requests to |tcm|. For example, these can be Prometheus -jobs that retrieve metrics of connected Tarantool clusters. - -The API tokens functionality is disabled by default. To enable it, set the -:ref:`feature.api-token ` configuration option to ``true``. - -.. code-block:: yaml - - feature: - api-token: true - -Each |tcm| API token belongs to the user that created it and has the same :ref:`access permissions `. 
-Thus, if a user has a permission to view a cluster's metrics in |tcm|, this user's -API tokens can be used to read this cluster's metrics with Prometheus. - -API tokens have expiration dates that are set during the token creation and cannot -be changed. - -.. _tcm_access_control_api_tokens_manage: - -Managing API tokens -~~~~~~~~~~~~~~~~~~~ - -.. note:: - - Each user, including **Default Admin** and other administrators, can create only - their own tokens. There is no way to create a token for another user. - -To create a |tcm| API token: - -#. Open the user settings by clicking the user's name in the top-right corner. -#. Go to the **API tokens** tab and click **Add**. -#. Specify the token expiration date and an optional description and click **Add**. - -The created token is shown in a dialog. - -.. important:: - - An API token is shown only once after its creation. There is no way to view - it again after you close the dialog. Make sure to copy the token in a safe place. - -To delete an API token, click **Delete** in the actions menu of the corresponding -**API tokens** table row. - -Administrators can also view information about users' API tokens and delete them -on the **Secrets** page. To open a user's secrets, click **Secrets** in the **Actions** -menu of the corresponding **Users** table row. .. _tcm_access_control_permissions_ref: diff --git a/doc/tooling/tcm/tcm_access_control/tcm_api_tokens.rst b/doc/tooling/tcm/tcm_access_control/tcm_api_tokens.rst new file mode 100644 index 000000000..f745252f2 --- /dev/null +++ b/doc/tooling/tcm/tcm_access_control/tcm_api_tokens.rst 
@@ -0,0 +1,54 @@ + +.. _tcm_access_control_api_tokens: + +API tokens +---------- + +|tcm| uses the Bearer HTTP authentication scheme with *API tokens* to authenticate +external applications' requests to |tcm|. For example, these can be Prometheus +jobs that retrieve metrics of connected Tarantool clusters. + +The API tokens functionality is disabled by default. To enable it, set the +:ref:`feature.api-token ` configuration option to ``true``. + +.. code-block:: yaml + + feature: + api-token: true + +Each |tcm| API token belongs to the user that created it and has the same :ref:`access permissions `. +Thus, if a user has a permission to view a cluster's metrics in |tcm|, this user's +API tokens can be used to read this cluster's metrics with Prometheus. + +API tokens have expiration dates that are set during the token creation and cannot +be changed. + +.. _tcm_access_control_api_tokens_manage: + +Managing API tokens +~~~~~~~~~~~~~~~~~~~ + +.. note:: + + Each user, including **Default Admin** and other administrators, can create only + their own tokens. There is no way to create a token for another user. + +To create a |tcm| API token: + +#. Open the user settings by clicking the user's name in the top-right corner. +#. Go to the **API tokens** tab and click **Add**. +#. Specify the token expiration date and an optional description and click **Add**. + +The created token is shown in a dialog. + +.. important:: + + An API token is shown only once after its creation. There is no way to view + it again after you close the dialog. Make sure to copy the token in a safe place. + +To delete an API token, click **Delete** in the actions menu of the corresponding +**API tokens** table row. + +Administrators can also view information about users' API tokens and delete them +on the **Secrets** page. To open a user's secrets, click **Secrets** in the **Actions** +menu of the corresponding **Users** table row. \ No newline at end of file 
diff --git a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst new file mode 100644 index 000000000..9638511bf --- /dev/null +++ b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst @@ -0,0 +1,36 @@ +.. _tcm_ldap_auth: + +LDAP authentication +=================== + +.. include:: index.rst + :start-after: ee_note_tcm_start + :end-before: ee_note_tcm_end + +|tcm_full_name| can be configured to use LDAP (Lightweight Directory Access Protocol) +for user authentication. + +Permissions are defined by mapping TCM permissions <> LDAP groups + +- can use ldap +- your own server +- over TLS +- distinct access +- local auth vs ldap? + +- prereq +- conflicts + +Enabling LDAP authentication +---------------------------- + +enable ldap in config when starting + +Configuring LDAP +---------------- + + +LDAP user permissions +--------------------- + +To define TCM permissions for LDAP users, diff --git a/doc/tooling/tcm/tcm_access_control/tcm_sessions.rst b/doc/tooling/tcm/tcm_access_control/tcm_sessions.rst new file mode 100644 index 000000000..96a04afdc --- /dev/null +++ b/doc/tooling/tcm/tcm_access_control/tcm_sessions.rst @@ -0,0 +1,12 @@ + +.. _tcm_access_control_sessions: + +Sessions +-------- + +Administrators can view and revoke user sessions in |tcm|. All active sessions +are listed on the **Sessions** page. To revoke a session, click **Revoke** in the +**Actions** menu of the corresponding table row. + +To revoke all sessions of a user, go to **Users** and click **Revoke all sessions** +in the **Actions** menu of the corresponding table row. From cd6b21079684650a6b1adbf633dda34b40c38646 Mon Sep 17 00:00:00 2001 
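Review bot: in the new `doc/tooling/tcm/tcm_access_control/index.rst` hunk of PATCH 1/9, the toctree entries `tcm_access_control_acl`, `tcm_access_control_api_tokens` and `tcm_access_control_sessions` do not match the files this commit creates (`tcm_access_control_list.rst`, `tcm_api_tokens.rst`, `tcm_sessions.rst`), so Sphinx will report references to nonexistent documents and the ACL, API token and session pages will be left out of the navigation; the entries should use the created file names. The same file includes itself (`.. include:: index.rst` with the `ee_note_tcm_start` / `ee_note_tcm_end` markers): from the new subdirectory that path resolves to this index rather than the parent `doc/tooling/tcm/index.rst` that carries the markers, so it should be `../index.rst`. The file is also written without a trailing newline (`\ No newline at end of file`).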
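Review bot: in the rename hunk `@@ -1,7 +1,7 @@` of `tcm_access_control.rst` to `tcm_access_control/tcm_access_control_rbac.rst` in PATCH 1/9, the unchanged context line `.. include:: index.rst` now resolves relative to the new subdirectory, that is to the new `tcm_access_control/index.rst`, not to the parent `doc/tooling/tcm/index.rst` that contains `ee_note_tcm_start`, so the Enterprise Edition note silently stops being included; change the path to `../index.rst` here, and the same applies to the `.. include:: index.rst` line in the new `tcm_ldap_auth.rst`.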
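Review bot: the new `tcm_ldap_auth.rst` in PATCH 1/9 is still an outline, not documentation: it carries placeholder bullets (`- can use ldap`, `- local auth vs ldap?`, `- prereq`, `- conflicts`), an empty `Configuring LDAP` section and a sentence cut off at `To define TCM permissions for LDAP users,`, yet it is already listed in the access-control toctree and would be published as-is. Either keep it out of the toctree until the content lands or finish it within this series before merging; the open questions the bullets record (how local and LDAP authentication interact, prerequisites, username conflicts between the two sources) are the points an operator needs answered before enabling an external identity source.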
From: Pavel Semyonov Date: Mon, 26 Aug 2024 18:11:09 +0700 Subject: [PATCH 2/9] Add TCM LDAP authentication --- doc/tooling/tcm/tcm_access_control/index.rst | 8 +- .../tcm_access_control_list.rst | 11 +- .../tcm_access_control_rbac.rst | 2 +- .../tcm/tcm_access_control/tcm_api_tokens.rst | 10 +- .../tcm/tcm_access_control/tcm_ldap_auth.rst | 118 ++++++++++++++++-- .../tcm/tcm_access_control/tcm_sessions.rst | 15 ++- doc/tooling/tcm/tcm_configuration.rst | 4 + doc/tooling/tt_cli/replicaset.rst | 2 +- 8 files changed, 142 insertions(+), 28 deletions(-) diff --git a/doc/tooling/tcm/tcm_access_control/index.rst b/doc/tooling/tcm/tcm_access_control/index.rst index bdcbeb72a..adcdfebda 100644 --- a/doc/tooling/tcm/tcm_access_control/index.rst +++ b/doc/tooling/tcm/tcm_access_control/index.rst @@ -3,7 +3,7 @@ Access control ============== -.. include:: index.rst +.. include:: ../index.rst :start-after: ee_note_tcm_start :end-before: ee_note_tcm_end @@ -29,7 +29,7 @@ and users (or user accounts). They work as follows: :maxdepth: 1 tcm_access_control_rbac - tcm_access_control_acl - tcm_access_control_api_tokens + tcm_access_control_list + tcm_api_tokens tcm_ldap_auth - tcm_access_control_sessions \ No newline at end of file + tcm_sessions \ No newline at end of file diff --git a/doc/tooling/tcm/tcm_access_control/tcm_access_control_list.rst b/doc/tooling/tcm/tcm_access_control/tcm_access_control_list.rst index 20a380bd4..ceab2465e 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_access_control_list.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_access_control_list.rst 
@@ -1,10 +1,13 @@ - .. _tcm_access_control_acl: Access control list -------------------- +=================== + +.. include:: ../index.rst + :start-after: ee_note_tcm_start + :end-before: ee_note_tcm_end -|tcm|'s *access control list* (*ACL*) determines user access to particular data +|tcm_full_name| *access control list* (*ACL*) determines user access to particular data and functions stored in clusters. You can use it to allow or deny access to specific stored objects one by one. @@ -59,7 +62,7 @@ If the user doesn't exist yet, you can do the same when creating it. .. _tcm_access_control_acl_manage: Managing ACL -~~~~~~~~~~~~ +------------ The tools for managing ACL are located on the **ACL** page. diff --git a/doc/tooling/tcm/tcm_access_control/tcm_access_control_rbac.rst b/doc/tooling/tcm/tcm_access_control/tcm_access_control_rbac.rst index a6aae5953..928c049ac 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_access_control_rbac.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_access_control_rbac.rst @@ -3,7 +3,7 @@ Role-based access control ========================= -.. include:: index.rst +.. include:: ../index.rst :start-after: ee_note_tcm_start :end-before: ee_note_tcm_end diff --git a/doc/tooling/tcm/tcm_access_control/tcm_api_tokens.rst b/doc/tooling/tcm/tcm_access_control/tcm_api_tokens.rst index f745252f2..d6bc8a942 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_api_tokens.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_api_tokens.rst @@ -2,9 +2,13 @@ .. _tcm_access_control_api_tokens: API tokens ----------- +========== -|tcm| uses the Bearer HTTP authentication scheme with *API tokens* to authenticate +.. include:: ../index.rst + :start-after: ee_note_tcm_start + :end-before: ee_note_tcm_end + +|tcm_full_name| uses the Bearer HTTP authentication scheme with *API tokens* to authenticate external applications' requests to |tcm|. For example, these can be Prometheus jobs that retrieve metrics of connected Tarantool clusters. 
@@ -26,7 +30,7 @@ be changed. .. _tcm_access_control_api_tokens_manage: Managing API tokens -~~~~~~~~~~~~~~~~~~~ +------------------- .. note:: diff --git a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst index 9638511bf..6aeb60bb6 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst @@ -3,14 +3,21 @@ LDAP authentication =================== -.. include:: index.rst +.. include:: ../index.rst :start-after: ee_note_tcm_start :end-before: ee_note_tcm_end -|tcm_full_name| can be configured to use LDAP (Lightweight Directory Access Protocol) -for user authentication. +In addition to its internal :ref:`role-based access model `, +|tcm_full_name| can be configured to use an external LDAP (Lightweight Directory Access Protocol) +server for user authentication. Both LDAP and secure LDAPS (LDAP over TLS) +protocols are supported. -Permissions are defined by mapping TCM permissions <> LDAP groups +|tcm| intergrates wit LDAP servers via *LDAP configurations*. A LDAP configuration +defines a +To manage access permissions of LDAP users, you can define a set of |tcm| +:ref:`administrative and cluster permissions ` +for each LDAP group. When authenticating an external user, +|tcm| checks this user's groups and displays the corresponding pages and controls. - can use ldap - your own server 
@@ -21,16 +28,109 @@ Permissions are defined by mapping TCM permissions <> LDAP groups - prereq - conflicts +.. _tcm_ldap_auth_enable: + Enabling LDAP authentication ---------------------------- -enable ldap in config when starting +To allow LDAP user authentication in |tcm|, enable the ``ldap`` authentication method +in the :ref:`security.auth ` configuration option before startup: + +- In the YAML |tcm| configuration: + + .. code-block:: yaml + + security: + auth: + - ldap + +- In the command line: + + .. code-block:: console + + $ tcm --security.auth="ldap" + +.. note:: + + If both authentication methods -- LDAP and local -- are enabled, |tcm| tries them + for each login attempt in the order they are specified in the configuration. + +.. _tcm_ldap_auth_config: + +LDAP configuration +------------------ + +To connect |tcm| to your LDAP server, create a *LDAP configuration*. A LDAP configuration +defines how |tcm| connects to the server and queries user data. + +To create a LDAP configuration, go to the **LDAP** page and click **Add**. + +.. note:: + + If there are several enabled LDAP configurations, |tcm| attempts to use them for + user authentication in the order they are created. + + +.. _tcm_ldap_auth_config_connect: + +LDAP server connection +~~~~~~~~~~~~~~~~~~~~~~ + +The LDAP server connection parameters are defines on the **General** step of the +configuration creation. Enter the LDAP server endpoints and request timeout +in seconds. If the server uses LDAPS, toggle **Enabled TLS** and specify +TLS connection parameters, such as a certificate or a key file. -Configuring LDAP ----------------- +Toggle **Automatically add non-existent users** to automatically save LDAP +users to the |tcm| :ref:`backend store ` upon their first login. +.. _tcm_ldap_auth_config_query: + +LDAP queries +~~~~~~~~~~~~ + +To define how |tcm| + +#. On the **Queries** page, specify the parameters of |tcm| queries to the LDAP server: + + - **Query user** and **Query password**. 
Credentials of the user on behalf of + which all LDAP queries are executed: distinguished name (DN) and password. + - **Base DN**. The base DN for making all LDAP requests. + - **Username regex**. A regular expression that defines a username template for + this LDAP configuration. This regex is used for selecting a correct LDAP server + by a username. + - **Template DN**. A template for building a DN + +To edit a LDAP configuration, click **Edit** in the **Actions** menu of the corresponding table row. + +To delete a LDAP configuration, click **Delete** in the **Actions** menu of the corresponding table row. + +.. _tcm_ldap_auth_config_permissions: + LDAP user permissions ---------------------- +~~~~~~~~~~~~~~~~~~~~~ + +LDAP users' permissions in |tcm| are defined by groups to which they belong. +You can map |tcm| administrative and cluster :ref:`permissions ` +to LDAP groups on the **Groups** step of the configuration creation. + +To assign permissions to an LDAP group, click **Add group**. In the dialog that opens, +enter the group name, for example, ``CN=Admins,CN=Builtin,DC=example,DC=com``. +Then, select administrative permission to grant in the **Permissions** list. + +To grant cluster permissions, click **Add cluster**. Select a cluster and the cluster +permissions to grant to the group. Save the group. + +Each user has permissions of all LDAP groups to which they belong. + +.. _tcm_ldap_auth_config_disable: + +Disabling LDAP configurations +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To stop using a LDAP configuration, open its **Edit** page and turn off the **Enabled** toggle. + + + -To define TCM permissions for LDAP users, diff --git a/doc/tooling/tcm/tcm_access_control/tcm_sessions.rst b/doc/tooling/tcm/tcm_access_control/tcm_sessions.rst index 96a04afdc..d8a585c36 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_sessions.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_sessions.rst 
@@ -1,12 +1,15 @@ - .. _tcm_access_control_sessions: Sessions --------- +======== + +.. include:: ../index.rst + :start-after: ee_note_tcm_start + :end-before: ee_note_tcm_end -Administrators can view and revoke user sessions in |tcm|. All active sessions -are listed on the **Sessions** page. To revoke a session, click **Revoke** in the -**Actions** menu of the corresponding table row. +|tcm_full_name| administrators can view and revoke user sessions in the web interface. +All active sessions are listed on the **Sessions** page. To revoke a session, click +**Revoke** in the **Actions** menu of the corresponding table row. -To revoke all sessions of a user, go to **Users** and click **Revoke all sessions** +To revoke all sessions of a |tcm| user, go to **Users** and click **Revoke all sessions** in the **Actions** menu of the corresponding table row. diff --git a/doc/tooling/tcm/tcm_configuration.rst b/doc/tooling/tcm/tcm_configuration.rst index d9627b993..f9929c1c0 100644 --- a/doc/tooling/tcm/tcm_configuration.rst +++ b/doc/tooling/tcm/tcm_configuration.rst @@ -13,6 +13,10 @@ Configuration This topic describes how to configure |tcm_full_name|. For the complete list of |tcm| configuration parameters, see the :ref:`TCM configuration reference `. +.. note:: + + To learn about Tarantool cluster configuration, see :ref:`configuration`. + Configuration structure ----------------------- diff --git a/doc/tooling/tt_cli/replicaset.rst b/doc/tooling/tt_cli/replicaset.rst index 286c6c6ce..af803802f 100644 --- a/doc/tooling/tt_cli/replicaset.rst +++ b/doc/tooling/tt_cli/replicaset.rst @@ -251,7 +251,7 @@ To expel an instance from a Cartridge cluster: .. _tt-replicaset-vshard: vshard ------ +------ .. code-block:: console From e30b63a02863bf4151dce52c4693a347afd1122c Mon Sep 17 00:00:00 2001 
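Review bot: in the `tcm_ldap_auth.rst` hunk `@@ -3,14 +3,21 @@` of PATCH 2/9, the added paragraph has typos (`intergrates wit` should read `integrates with`) and breaks off mid-sentence (`A LDAP configuration` / `defines a`) before the next sentence begins; `A LDAP` should also be `An LDAP` throughout this file. The draft bullets that follow as unchanged context (`- can use ldap` through `- conflicts`) are still part of the rendered page after this commit.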
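Review bot: in the `tcm_ldap_auth.rst` hunk `@@ -21,16 +28,109 @@` of PATCH 2/9, `The LDAP server connection parameters are defines on` should be `are defined on`, and the sentence `To define how |tcm|` is cut off before the numbered list it introduces. The note that TCM tries the enabled methods `in the order they are specified in the configuration` should also say what happens when the same username exists both locally and in LDAP; the `conflicts` and `local auth vs ldap?` bullets raised exactly this and the text never answers it, and an operator enabling both needs to know which credential check decides for a name present in both sources. For **Query user** and **Query password**, it is worth stating that these bind credentials are stored by TCM and used for every directory lookup, so the account should be a read-only directory account whose rights are limited to the user and group subtrees under **Base DN**.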
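Review bot: the `doc/tooling/tt_cli/replicaset.rst` hunk (underline length of the `vshard` heading) and the note added in `doc/tooling/tcm/tcm_configuration.rst` are unrelated to the commit subject `Add TCM LDAP authentication`; they belong in a separate commit so the LDAP series can be reviewed and reverted on its own.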
From: Pavel Semyonov Date: Tue, 27 Aug 2024 17:09:55 +0700 Subject: [PATCH 3/9] Add TCM LDAP authentication --- .../tcm/tcm_access_control/tcm_ldap_auth.rst | 116 +++++++++--------- 1 file changed, 61 insertions(+), 55 deletions(-) diff --git a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst index 6aeb60bb6..d2c21b0bc 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst @@ -9,24 +9,8 @@ LDAP authentication In addition to its internal :ref:`role-based access model `, |tcm_full_name| can be configured to use an external LDAP (Lightweight Directory Access Protocol) -server for user authentication. Both LDAP and secure LDAPS (LDAP over TLS) -protocols are supported. - -|tcm| intergrates wit LDAP servers via *LDAP configurations*. A LDAP configuration -defines a -To manage access permissions of LDAP users, you can define a set of |tcm| -:ref:`administrative and cluster permissions ` -for each LDAP group. When authenticating an external user, -|tcm| checks this user's groups and displays the corresponding pages and controls. - -- can use ldap -- your own server -- over TLS -- distinct access -- local auth vs ldap? - -- prereq -- conflicts +server for user authentication and authorization. Both LDAP and secure LDAPS +(LDAP over TLS) protocols are supported. .. _tcm_ldap_auth_enable: @@ -36,7 +20,7 @@ Enabling LDAP authentication To allow LDAP user authentication in |tcm|, enable the ``ldap`` authentication method in the :ref:`security.auth ` configuration option before startup: -- In the YAML |tcm| configuration: +- In the YAML |tcm| configuration: .. code-block:: yaml @@ -44,7 +28,7 @@ in the :ref:`security.auth ` configur auth: - ldap -- In the command line: +- In the command line: .. code-block:: console 
@@ -60,77 +44,99 @@ in the :ref:`security.auth ` configur LDAP configuration ------------------ -To connect |tcm| to your LDAP server, create a *LDAP configuration*. A LDAP configuration -defines how |tcm| connects to the server and queries user data. +To allow LDAP user access to |tcm|, create a *LDAP configuration* that connects +|tcm| to the LDAP server that stores the users. A LDAP configuration +defines how |tcm| connects to the server and queries user data. To create a LDAP +configuration, go to the **LDAP** page and click **Add**. -To create a LDAP configuration, go to the **LDAP** page and click **Add**. +To edit a LDAP configuration, click **Edit** in the **Actions** menu of the corresponding table row. -.. note:: +To delete a LDAP configuration, click **Delete** in the **Actions** menu of the corresponding table row. + +.. _tcm_ldap_auth_config_general: + +General settings +~~~~~~~~~~~~~~~~ + +Define the general configuration settings: + +* **Enabled**. Defines if the configuration is used. Turn the toggle off to + stop using the configuration. + + .. note:: - If there are several enabled LDAP configurations, |tcm| attempts to use them for - user authentication in the order they are created. + If there are several enabled LDAP configurations, |tcm| attempts to use them + for user authentication in the order they are created. +* **Automatically add non-existent users**. By default, |tcm| automatically saves + LDAP user information to its :ref:`backend store ` + upon their first login. Turn the toggle off if you don't want to save users from this LDAP server. .. _tcm_ldap_auth_config_connect: LDAP server connection ~~~~~~~~~~~~~~~~~~~~~~ -The LDAP server connection parameters are defines on the **General** step of the -configuration creation. Enter the LDAP server endpoints and request timeout -in seconds. If the server uses LDAPS, toggle **Enabled TLS** and specify -TLS connection parameters, such as a certificate or a key file. 
- -Toggle **Automatically add non-existent users** to automatically save LDAP -users to the |tcm| :ref:`backend store ` upon their first login. +Enter the LDAP server connection parameters: +* **Endpoints**. URLs of the LDAP server. +* **Request timeout**. The timeout for |tcm| requests to the LDAP server, in seconds. +* **Enabled TLS**. If the server uses LDAPS, toggle **Enabled TLS** and specify + TLS connection parameters, such as a certificate and a key file. .. _tcm_ldap_auth_config_query: LDAP queries ~~~~~~~~~~~~ -To define how |tcm| - -#. On the **Queries** page, specify the parameters of |tcm| queries to the LDAP server: - - - **Query user** and **Query password**. Credentials of the user on behalf of - which all LDAP queries are executed: distinguished name (DN) and password. - - **Base DN**. The base DN for making all LDAP requests. - - **Username regex**. A regular expression that defines a username template for - this LDAP configuration. This regex is used for selecting a correct LDAP server - by a username. - - **Template DN**. A template for building a DN +To define how |tcm| queries the LDAP server for user authentication and authorization, +fill in the fields of the **Queries** step: + +- **Query user** and **Query password**. Credentials of the LDAP user on behalf + of which all LDAP queries are executed: a distinguished name (DN) and a password. + Example DN: ``cn=admin,cn=users,dc=tarantool,dc=io``. +- **Base DN**. The DN of a directory that serves as a root for making all LDAP requests. + Example: ``dc=tarantool,dc=io``. +- **Username regex**. A regular expression that defines a username template for + this LDAP configuration. When a user enters their username on the login page, + |tcm| matches it against username regular expressions of all enabled LDAP + configurations and selects the one to use for this user authentication. + Example: ``^([\w\-\.]+)@tarantool.io$`` -- a regex to match employee + email addresses within the specified domain. 
+- **Template DN**. A template for building a DN to send in an authentication bind request. + Use the numbers in curly braces as placeholders to replace with username regex parts: + ``{0}``, ``{1}`` and so on. + Example: ``cn={0},cn=users,dc=tarantool,dc=io``. When used with the username regex + shown above, it takes only the username part of the email address (before ``@``) + entered into the login form. +- **Template query**. A template for searching DN in the LDAP directory for authentication. +- **Group query template**. A template for querying groups to which a user belongs + for authorization purposes. Learn more in :ref:`tcm_ldap_auth_config_permissions`. + Example: ``(&(objectCategory=person)(objectClass=user)(cn={0}))`` -To edit a LDAP configuration, click **Edit** in the **Actions** menu of the corresponding table row. - -To delete a LDAP configuration, click **Delete** in the **Actions** menu of the corresponding table row. .. _tcm_ldap_auth_config_permissions: LDAP user permissions ~~~~~~~~~~~~~~~~~~~~~ -LDAP users' permissions in |tcm| are defined by groups to which they belong. +Permissions of LDAP users in |tcm| are defined by groups to which they belong. You can map |tcm| administrative and cluster :ref:`permissions ` to LDAP groups on the **Groups** step of the configuration creation. To assign permissions to an LDAP group, click **Add group**. In the dialog that opens, -enter the group name, for example, ``CN=Admins,CN=Builtin,DC=example,DC=com``. -Then, select administrative permission to grant in the **Permissions** list. +enter the group name, for example, ``CN=Admins,CN=Builtin,DC=tarantool,DC=io``. +Then, select administrative permission to grant to this group in the **Permissions** list. To grant cluster permissions, click **Add cluster**. Select a cluster and the cluster permissions to grant to the group. Save the group. Each user has permissions of all LDAP groups to which they belong. + .. 
_tcm_ldap_auth_config_disable: Disabling LDAP configurations ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -To stop using a LDAP configuration, open its **Edit** page and turn off the **Enabled** toggle. - - - - +To stop using a LDAP configuration, open its **Edit** page and turn off the **Enabled** toggle. \ No newline at end of file From b9e7c8215babd3c84cbbc4369504231ac0eb21c9 Mon Sep 17 00:00:00 2001 From: Pavel Semyonov Date: Tue, 27 Aug 2024 17:57:57 +0700 Subject: [PATCH 4/9] Add TCM LDAP authentication --- doc/tooling/tcm/tcm_access_control/index.rst | 28 +++++++-------- .../tcm/tcm_access_control/tcm_ldap_auth.rst | 36 +++++++++++-------- 2 files changed, 34 insertions(+), 30 deletions(-) diff --git a/doc/tooling/tcm/tcm_access_control/index.rst b/doc/tooling/tcm/tcm_access_control/index.rst index adcdfebda..10f9c535a 100644 --- a/doc/tooling/tcm/tcm_access_control/index.rst +++ b/doc/tooling/tcm/tcm_access_control/index.rst 
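Review bot: the **Username regex** example in the ``@@ -60,77 +44,99 @@`` hunk of tcm_ldap_auth.rst, ``^([\w\-\.]+)@tarantool.io$``, leaves the dot in the domain unescaped, so it also accepts logins such as ``alice@tarantoolXio``; because this regex decides which LDAP configuration a login is routed to, and its capture group is pasted straight into the bind DN by **Template DN**, it should read ``^([\w\-\.]+)@tarantool\.io$``, and one sentence should say that the capture group must stay a narrow character class like this one so that DN special characters (comma, plus, equals, backslash, quotes) can never reach the bind DN. Two more things in the same hunk: the **Group query template** example ``(&(objectCategory=person)(objectClass=user)(cn={0}))`` is a filter that finds the user object by ``cn``, not the groups the user belongs to, so it looks like it belongs under **Template query** (the only field with no example), and a membership filter should be given in its place; and in the LDAP server connection subsection the paragraph ``Enter the LDAP server connection parameters:`` is followed directly by ``* **Endpoints**. URLs of the LDAP server.`` with no blank line between them, so docutils will treat the bullets as continuation text of the paragraph instead of rendering a list. Finally, the note ``|tcm| attempts to use them for user authentication in the order they are created`` and the later statement that the regex ``selects the one to use`` read as contradictory; please say whether creation order only breaks ties among configurations whose regex matches.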
@@ -7,29 +7,25 @@ Access control :start-after: ee_note_tcm_start :end-before: ee_note_tcm_end -|tcm_full_name| features a role-based access control system. It enables flexible -management of access to |tcm| functions, connected clusters, and stored data. -The |tcm| access system uses three main entities: permissions, roles, -and users (or user accounts). They work as follows: +|tcm_full_name| provides means for managing user and client applications access +to its own functions and connected clusters: -- Permissions correspond to specific functions or objects in - |tcm| (*administrative permissions*) or operations on clusters (*cluster permissions*). -- Roles are predefined sets of *administrative* permissions to - assign to users. -- Users have roles that define their access rights to |tcm| functions and objects, and - *cluster* permissions that are assigned for each cluster individually. +- :ref:`Local role-based access model ` allow flexible + access management with user accounts created inside |tcm|. +- :ref:`LDAP authentication ` enable authentication with an external + directory server. +- :ref:`Access control list ` enables fine-grained access + to entities stored on connected clusters. +- :ref:`API tokens ` enable intergration with third-party applications. +- :ref:`Sessions management ` allow administrators to view and + revoke user sessions. -.. note:: - - |tcm| users, roles, and permissions are not to be confused with similar subjects - of the :ref:`Tarantool access control system `. To access Tarantool - instances directly, Tarantool users with corresponding roles are required. .. toctree:: :maxdepth: 1 tcm_access_control_rbac + tcm_ldap_auth tcm_access_control_list tcm_api_tokens - tcm_ldap_auth tcm_sessions \ No newline at end of file diff --git a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst index d2c21b0bc..51c05207d 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst 
+++ b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst @@ -7,10 +7,16 @@ LDAP authentication :start-after: ee_note_tcm_start :end-before: ee_note_tcm_end -In addition to its internal :ref:`role-based access model `, -|tcm_full_name| can be configured to use an external LDAP (Lightweight Directory Access Protocol) -server for user authentication and authorization. Both LDAP and secure LDAPS -(LDAP over TLS) protocols are supported. +In addition to its internal :ref:`role-based access control model `, +|tcm_full_name| can use an external LDAP (Lightweight Directory Access Protocol) +directory server for user authentication and authorization. + +When LDAP authentication is enabled, |tcm| attempts to authenticate users who submit +the login form on a connected LDAP directory server. |tcm| constructs requests to +the servers according to configuration parameters described on this page. Permissions +of LDAP users in |tcm| are defined by LDAP group mapping. + +Both LDAP and secure LDAPS (LDAP over TLS) protocols are supported. .. _tcm_ldap_auth_enable: 
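Review bot: the index.rst hunk ``@@ -7,29 +7,25 @@`` in PATCH 4/9 drops the note that |tcm| users, roles, and permissions ``are not to be confused with similar subjects of the Tarantool access control system`` and that direct instance access still needs Tarantool users, without moving it anywhere; now that an LDAP page sits in the same toctree that distinction is easier to misread, not harder, so please keep the note here or move it into tcm_access_control_rbac.rst. In the new bullet list the verbs do not agree with their singular subjects: ``Local role-based access model ... allow``, ``LDAP authentication ... enable`` and ``Sessions management ... allow`` should be ``allows``, ``enables`` and ``allows``, and ``user and client applications access`` should be ``user and client application access``.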
@@ -44,14 +50,14 @@ in the :ref:`security.auth ` configur LDAP configuration ------------------ -To allow LDAP user access to |tcm|, create a *LDAP configuration* that connects -|tcm| to the LDAP server that stores the users. A LDAP configuration +To enable LDAP user access to |tcm|, create an *LDAP configuration* that connects +|tcm| to the LDAP server that stores the users. An LDAP configuration defines how |tcm| connects to the server and queries user data. To create a LDAP configuration, go to the **LDAP** page and click **Add**. -To edit a LDAP configuration, click **Edit** in the **Actions** menu of the corresponding table row. +To edit a LDAP configuration, click **Edit** in the **Actions** menu of the corresponding row. -To delete a LDAP configuration, click **Delete** in the **Actions** menu of the corresponding table row. +To delete a LDAP configuration, click **Delete** in the **Actions** menu of the corresponding row. .. _tcm_ldap_auth_config_general: @@ -81,7 +87,7 @@ Enter the LDAP server connection parameters: * **Endpoints**. URLs of the LDAP server. * **Request timeout**. The timeout for |tcm| requests to the LDAP server, in seconds. -* **Enabled TLS**. If the server uses LDAPS, toggle **Enabled TLS** and specify +* **Enabled TLS**. If the server uses LDAPS, turn this toggle on and specify TLS connection parameters, such as a certificate and a key file. .. _tcm_ldap_auth_config_query: 
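Review bot: the ``@@ -7,10 +7,16 @@`` hunk of tcm_ldap_auth.rst says ``Both LDAP and secure LDAPS (LDAP over TLS) protocols are supported`` and the ``@@ -81,7 +87,7 @@`` hunk ties that to the **Enabled TLS** toggle, but neither says what the toggle switches: LDAPS on a dedicated port (an ``ldaps://`` scheme in **Endpoints**) or StartTLS upgrading a plain ``ldap://`` connection. Please state which, give an example endpoint URL, and replace ``TLS connection parameters, such as a certificate and a key file`` with the actual field list; a certificate and key file are client credentials, and the reader needs to know whether there is a CA certificate field and whether the LDAP server's certificate is verified at all, since the query user's password and every user's login password travel over this connection. Also, ``attempts to authenticate users who submit the login form on a connected LDAP directory server`` reads as if the login form lives on the LDAP server; ``attempts to authenticate users who submit the login form against the connected LDAP directory server`` is clearer.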
@@ -106,10 +112,12 @@ fill in the fields of the **Queries** step: - **Template DN**. A template for building a DN to send in an authentication bind request. Use the numbers in curly braces as placeholders to replace with username regex parts: ``{0}``, ``{1}`` and so on. - Example: ``cn={0},cn=users,dc=tarantool,dc=io``. When used with the username regex - shown above, it takes only the username part of the email address (before ``@``) - entered into the login form. -- **Template query**. A template for searching DN in the LDAP directory for authentication. + Example: ``cn={0},cn=users,dc=tarantool,dc=io``. When used with the **Username regex** + shown above, it substitutes ``{0}`` with the username part of the email address (before ``@``) + entered into the login form. For example, the username ``user1@tarantool.io`` + forms the following DN for bind request: ``cn=user1,cn=users,dc=tarantool,dc=io``. +- **Template query**. A template for querying the LDAP server for the DN. This + way is used if **Template DN** is not provided. - **Group query template**. A template for querying groups to which a user belongs for authorization purposes. Learn more in :ref:`tcm_ldap_auth_config_permissions`. Example: ``(&(objectCategory=person)(objectClass=user)(cn={0}))`` @@ -139,4 +147,4 @@ Each user has permissions of all LDAP groups to which they belong. Disabling LDAP configurations ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -To stop using a LDAP configuration, open its **Edit** page and turn off the **Enabled** toggle. \ No newline at end of file +To stop using an LDAP configuration, open its **Edit** page and turn off the **Enabled** toggle. \ No newline at end of file From 021c1d1308ef72eb46bb8c033a96c25adf9be307 Mon Sep 17 00:00:00 2001 
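Review bot: in the ``@@ -106,10 +112,12 @@`` hunk, ``**Template query**. A template for querying the LDAP server for the DN. This way is used if **Template DN** is not provided.`` leaves the two authentication paths underdocumented: the surrounding text implies that with **Template DN** |tcm| binds with a DN it builds itself, whereas with **Template query** it first searches the directory for the DN (under **Base DN**, as the **Query user**), but it never says so in one place, nor what happens when neither field is filled in. Please spell out the two flows and the failure case, and give a **Template query** example using the same ``{0}`` placeholder convention as **Template DN**, since it is the only field in the list without one. Minor: ``forms the following DN for bind request`` should be ``forms the following DN for the bind request``.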
From: Pavel Semyonov Date: Tue, 27 Aug 2024 18:18:20 +0700 Subject: [PATCH 5/9] Add TCM LDAP authentication --- doc/tooling/tcm/tcm_access_control/index.rst | 6 +++--- .../tcm/tcm_access_control/tcm_access_control_list.rst | 6 +++--- .../tcm/tcm_access_control/tcm_access_control_rbac.rst | 2 +- doc/tooling/tcm/tcm_access_control/tcm_api_tokens.rst | 1 - doc/tooling/tcm/tcm_cluster_data_access.rst | 2 +- doc/tooling/tcm/tcm_ui_overview.rst | 2 +- 6 files changed, 9 insertions(+), 10 deletions(-) diff --git a/doc/tooling/tcm/tcm_access_control/index.rst b/doc/tooling/tcm/tcm_access_control/index.rst index 10f9c535a..bdfebc524 100644 --- a/doc/tooling/tcm/tcm_access_control/index.rst +++ b/doc/tooling/tcm/tcm_access_control/index.rst @@ -10,14 +10,14 @@ Access control |tcm_full_name| provides means for managing user and client applications access to its own functions and connected clusters: -- :ref:`Local role-based access model ` allow flexible +- :ref:`Local role-based access model ` allow flexible access management with user accounts created inside |tcm|. - :ref:`LDAP authentication ` enable authentication with an external directory server. - :ref:`Access control list ` enables fine-grained access to entities stored on connected clusters. -- :ref:`API tokens ` enable intergration with third-party applications. -- :ref:`Sessions management ` allow administrators to view and +- :ref:`API tokens ` enable intergration with third-party applications. +- :ref:`Sessions management ` allow administrators to view and revoke user sessions. diff --git a/doc/tooling/tcm/tcm_access_control/tcm_access_control_list.rst b/doc/tooling/tcm/tcm_access_control/tcm_access_control_list.rst index ceab2465e..81d45ac7d 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_access_control_list.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_access_control_list.rst @@ -1,4 +1,4 @@ -.. _tcm_access_control_acl: +.. _tcm_access_control_list: Access control list =================== 
@@ -33,7 +33,7 @@ read, write, and execute (for stored functions only). The privileges work as fol ACL only increases the access control granularity to particular objects. Make sure that users have these permissions before enabling ACL for them. -.. _tcm_access_control_acl_enable: +.. _tcm_access_control_list_enable: Enabling ACL for a user ~~~~~~~~~~~~~~~~~~~~~~~ @@ -59,7 +59,7 @@ If the user doesn't exist yet, you can do the same when creating it. When ACL use is enabled for a user, this user loses access to all spaces and functions of the selected cluster except the ones explicitly specified in the ACL. -.. _tcm_access_control_acl_manage: +.. _tcm_access_control_list_manage: Managing ACL ------------ diff --git a/doc/tooling/tcm/tcm_access_control/tcm_access_control_rbac.rst b/doc/tooling/tcm/tcm_access_control/tcm_access_control_rbac.rst index 928c049ac..ca4507258 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_access_control_rbac.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_access_control_rbac.rst @@ -57,7 +57,7 @@ There are two types of permissions in |tcm|: *administrative* and *cluster* perm Cluster permissions are assigned to users individually when creating or editing them. For a fine-grained control over user access to particular spaces and functions stored - in clusters, there is the :ref:`access control list `. + in clusters, there is the :ref:`access control list `. Permissions are predefined in |tcm|, there is no way to change, add, or delete them. The complete lists of administrative and cluster permissions in |tcm| are provided diff --git a/doc/tooling/tcm/tcm_access_control/tcm_api_tokens.rst b/doc/tooling/tcm/tcm_access_control/tcm_api_tokens.rst index d6bc8a942..813dc9cb5 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_api_tokens.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_api_tokens.rst @@ -1,4 +1,3 @@ - .. _tcm_access_control_api_tokens: API tokens 
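Review bot: the rename of ``tcm_access_control_acl`` to ``tcm_access_control_list`` in tcm_access_control_list.rst also renames the sub-labels ``tcm_access_control_acl_enable`` and ``tcm_access_control_acl_manage``, but every reference updated in this patch points at the parent label only; please grep the tree for ``tcm_access_control_acl`` before merging so that no ``:ref:`` to the two sub-labels is left dangling, because Sphinx only emits an undefined-label warning and renders such a reference as plain text without a link.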
diff --git a/doc/tooling/tcm/tcm_cluster_data_access.rst b/doc/tooling/tcm/tcm_cluster_data_access.rst index 5ec470023..c71ee0f6d 100644 --- a/doc/tooling/tcm/tcm_cluster_data_access.rst +++ b/doc/tooling/tcm/tcm_cluster_data_access.rst @@ -13,7 +13,7 @@ web interface. You can view, add, edit, and delete tuples from spaces. .. note:: A |TCM| user's access to specific clusters and spaces is determined by their - :ref:`cluster permissions ` and :ref:`access control list `. + :ref:`cluster permissions ` and :ref:`access control list `. Data access is implemented in |tcm| on a per-instance basis: you can access data stored on one cluster instance at a time. For sharded clusters that use the diff --git a/doc/tooling/tcm/tcm_ui_overview.rst b/doc/tooling/tcm/tcm_ui_overview.rst index 2647e5133..b0dd7d0b5 100644 --- a/doc/tooling/tcm/tcm_ui_overview.rst +++ b/doc/tooling/tcm/tcm_ui_overview.rst @@ -267,7 +267,7 @@ The **ACL** page displays the |tcm| access control list. :width: 700 :alt: TCM ACL page -On this page, you can add and delete ACL entries. Learn more in :ref:`tcm_access_control_acl`. +On this page, you can add and delete ACL entries. Learn more in :ref:`tcm_access_control_list`. .. _tcm_ui_users: From 7759a4bfe1301fdb1f61054ef8bc73bb23c0af09 Mon Sep 17 00:00:00 2001 From: Pavel Semyonov Date: Wed, 28 Aug 2024 15:34:15 +0700 Subject: [PATCH 6/9] Apply suggestions from code review Co-authored-by: Andrey Aksenov <38073144+andreyaksenov@users.noreply.github.com> --- .../tcm/tcm_access_control/tcm_ldap_auth.rst | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst index 51c05207d..9ba9eff90 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst 
@@ -52,12 +52,12 @@ LDAP configuration To enable LDAP user access to |tcm|, create an *LDAP configuration* that connects |tcm| to the LDAP server that stores the users. An LDAP configuration -defines how |tcm| connects to the server and queries user data. To create a LDAP -configuration, go to the **LDAP** page and click **Add**. +defines how |tcm| connects to the server and queries user data. To create an LDAP +configuration, go to the **LDAP** page in the **Settings** group and click **Add**. -To edit a LDAP configuration, click **Edit** in the **Actions** menu of the corresponding row. +To edit an LDAP configuration, click **Edit** in the **Actions** menu of the corresponding row. -To delete a LDAP configuration, click **Delete** in the **Actions** menu of the corresponding row. +To delete an LDAP configuration, click **Delete** in the **Actions** menu of the corresponding row. .. _tcm_ldap_auth_config_general: @@ -100,7 +100,11 @@ fill in the fields of the **Queries** step: - **Query user** and **Query password**. Credentials of the LDAP user on behalf of which all LDAP queries are executed: a distinguished name (DN) and a password. - Example DN: ``cn=admin,cn=users,dc=tarantool,dc=io``. + Example DN: + + .. code-block:: text + + cn=admin,cn=users,dc=tarantool,dc=io - **Base DN**. The DN of a directory that serves as a root for making all LDAP requests. Example: ``dc=tarantool,dc=io``. - **Username regex**. A regular expression that defines a username template for 
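Review bot: in the ``@@ -100,7 +100,11 @@`` hunk the new ``.. code-block:: text`` holding the example DN is followed directly by the next list item ``- **Base DN**.`` with no blank line, and docutils terminates a directive only at a blank line, so this will raise an "Explicit markup ends without a blank line; unexpected unindent" warning at build time; add an empty line after ``cn=admin,cn=users,dc=tarantool,dc=io``, and apply the same rule to every other inline example in this list that is turned into a code block later in the series.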
@@ -111,7 +115,7 @@ fill in the fields of the **Queries** step: email addresses within the specified domain. - **Template DN**. A template for building a DN to send in an authentication bind request. Use the numbers in curly braces as placeholders to replace with username regex parts: - ``{0}``, ``{1}`` and so on. + ``{0}``, ``{1}``, and so on. Example: ``cn={0},cn=users,dc=tarantool,dc=io``. When used with the **Username regex** shown above, it substitutes ``{0}`` with the username part of the email address (before ``@``) entered into the login form. For example, the username ``user1@tarantool.io`` @@ -128,7 +132,7 @@ fill in the fields of the **Queries** step: LDAP user permissions ~~~~~~~~~~~~~~~~~~~~~ -Permissions of LDAP users in |tcm| are defined by groups to which they belong. +Permissions of LDAP users in |tcm| are defined by the groups to which they belong. You can map |tcm| administrative and cluster :ref:`permissions ` to LDAP groups on the **Groups** step of the configuration creation. From a3c8269f2fdb81f4d72ea1c74a13571083a4c18b Mon Sep 17 00:00:00 2001 From: Pavel Semyonov Date: Wed, 28 Aug 2024 15:42:20 +0700 Subject: [PATCH 7/9] Review fix --- doc/tooling/tcm/tcm_access_control/index.rst | 2 +- .../tcm/tcm_access_control/tcm_ldap_auth.rst | 42 +++++++++++++------ 2 files changed, 31 insertions(+), 13 deletions(-) diff --git a/doc/tooling/tcm/tcm_access_control/index.rst b/doc/tooling/tcm/tcm_access_control/index.rst index bdfebc524..69a2cd33d 100644 --- a/doc/tooling/tcm/tcm_access_control/index.rst +++ b/doc/tooling/tcm/tcm_access_control/index.rst 
@@ -16,7 +16,7 @@ to its own functions and connected clusters: directory server. - :ref:`Access control list ` enables fine-grained access to entities stored on connected clusters. -- :ref:`API tokens ` enable intergration with third-party applications. +- :ref:`API tokens ` enable integration with third-party applications. - :ref:`Sessions management ` allow administrators to view and revoke user sessions. diff --git a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst index 9ba9eff90..70d86f40e 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst @@ -11,8 +11,8 @@ In addition to its internal :ref:`role-based access control model Date: Wed, 28 Aug 2024 15:53:53 +0700 Subject: [PATCH 8/9] Review fix --- doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst index 70d86f40e..09f3243f1 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst @@ -112,6 +112,7 @@ fill in the fields of the **Queries** step: this LDAP configuration. When a user enters their username on the login page, |tcm| matches it against username regular expressions of all enabled LDAP configurations and selects the one to use for this user authentication. + Example: a regex to match employee email addresses within the specified domain. .. code-block:: text @@ -121,6 +122,7 @@ fill in the fields of the **Queries** step: - (Optional) **Template DN**. A template for building a DN to send in an authentication bind request. Use the numbers in curly braces as placeholders to replace with username regex parts: ``{0}``, ``{1}``, and so on. + Example: .. code-block:: text 
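Review bot: the index.rst hunk ``@@ -16,7 +16,7 @@`` in PATCH 7/9 fixes ``intergration`` but leaves the agreement errors on the context lines of the same list (``Access control list ... enables`` is right, while ``LDAP authentication ... enable`` just above and ``Sessions management ... allow`` just below are not); since the list is being touched anyway, fix all of it in this commit rather than in a later one.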
@@ -142,6 +144,7 @@ fill in the fields of the **Queries** step: Example: .. code-block:: text + ``(&(objectCategory=person)(objectClass=user)(cn={0}))`` From 85c144e2cad8517ff7c7f5c97700d79f48fa67b0 Mon Sep 17 00:00:00 2001 From: Pavel Semyonov Date: Wed, 28 Aug 2024 16:00:24 +0700 Subject: [PATCH 9/9] Review fix --- doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst index 09f3243f1..e60c22845 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst @@ -135,7 +135,7 @@ fill in the fields of the **Queries** step: .. code-block:: text - ``cn=user1,cn=users,dc=tarantool,dc=io``. + cn=user1,cn=users,dc=tarantool,dc=io - (Optional) **Template query**. A template for querying the LDAP server for the DN. This way is used if **Template DN** is not provided.
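Review bot: the fix in ``@@ -135,7 +135,7 @@`` removes the inline-literal backticks and trailing period that were carried into the ``cn=user1`` code block, but the same defect is still visible two items down: the **Group query template** code block shown as context in the PATCH 8/9 hunk ``@@ -142,6 +144,7 @@`` still wraps ``(&(objectCategory=person)(objectClass=user)(cn={0}))`` in double backticks, which a ``code-block:: text`` renders literally; strip them in this same commit. While on that list: both ``(Optional) **Template DN**`` and ``(Optional) **Template query**`` are now marked optional, and the only rule given is ``This way is used if **Template DN** is not provided``, so please add what happens when neither is set (is the configuration rejected on save, or does login for matching users simply fail?).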