User Authentication
Transformer can authenticate user accounts in several ways.
If you have an enterprise account, you typically use Control Hub authentication to access Transformer. You log in to Transformer using the authentication type configured for the Control Hub organization.
If you are not using Control Hub to access Transformer, you can configure Transformer to use LDAP authentication or file-based authentication. Best practice is to use LDAP authentication, particularly for a production deployment of Transformer. By default, Transformer uses file-based authentication.
Transformer provides several roles that determine the actions that users can perform. The steps you use to assign roles to user accounts vary, based on whether you are using LDAP or file-based authentication.
Configuring LDAP Authentication
If your organization uses LDAP and you want multiple users to access Transformer, you might configure Transformer to use LDAP authentication. After you configure LDAP authentication, users log in to Transformer using their LDAP username and password.
To configure LDAP authentication, see the Data Collector documentation.
Configuring File-Based Authentication
If your organization does not use LDAP and you want multiple users to access Transformer, you might configure Transformer to use the default file-based authentication.
To configure file-based authentication, perform the following tasks:
- Configure authentication properties.
- Configure Transformer users, groups, and roles.
Users can change their password after logging into Transformer.
Step 1. Configure Authentication Properties
Configure authentication properties in the Transformer configuration file, $TRANSFORMER_CONF/transformer.properties.
When you use file-based authentication, you can use the Basic, Digest, or Form type. By default, Transformer uses file-based authentication and uses the Form authentication type.
- In the Transformer configuration file, $TRANSFORMER_CONF/transformer.properties, enable file-based authentication by setting the http.authentication.login.module property to file.
- In the $TRANSFORMER_CONF/transformer.properties file, define the HTTP authentication type by setting the http.authentication property to basic, digest, or form.
- Specify whether Transformer checks the permissions for the associated realm.properties file for the type of authentication that you use. Set the http.realm.file.permission.check property to one of the following values:
  - true to ensure that the realm.properties file allows access only to the owner.
  - false to skip the permission check.
You'll use the realm.properties file in the next step, when you configure Transformer users and roles.
Step 2. Configure Users, Groups, and Roles
For file-based authentication, you configure the users that can log in to Transformer. You assign roles to each user account and you can optionally create and assign groups to the user accounts.
Configure users, groups, and roles in the properties file for the type of authentication that you use: $TRANSFORMER_CONF/<authentication>-realm.properties.
Transformer roles determine the tasks that a user can perform. You can also create groups and assign the groups to related user accounts. Use groups to easily assign pipeline permissions to groups of users. Pipeline permissions determine the pipeline access that each user has.
For example, say you use file-based authentication and want to create an Ops group to manage pipelines. To handle this, when you configure users in the authentication properties file, you grant the Manager role and add the Ops group for each operations user. Then, you edit each pipeline they need to manage, assigning read and execute permission to the Ops group. For more information about permissions, see the Data Collector documentation.
admin user account and no default groups.
User Login | Role | Tasks |
---|---|---|
admin / admin | Admin | Perform any Transformer task. Can perform all tasks listed below, as well as activate Transformer, restart and shut down Transformer, and view Transformer metrics. Enable Control Hub. Install libraries using Package Manager. |
manager / manager | Manager | Start, stop, and monitor pipelines. |
creator / creator | Creator | Create and configure pipelines, preview data, and monitor the pipeline. Import pipelines. |
guest / guest | Guest | View pipelines and general monitoring information. Export a pipeline. |
all group that includes every user, and a dev and test group. The following default user accounts are available for the dev and test user groups:
User Login | Roles | Group |
---|---|---|
user1 / user1 | Manager and Creator | dev |
user2 / user2 | Manager and Creator | dev |
user3 / user3 | Manager and Creator | test |
user4 / user4 | Manager and Creator | test |
Configure users and groups in the properties file for the type of authentication that you use. For example, if you use basic authentication, use the basic-realm.properties file.
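# printf '%s' hashes exactly what you type; echo would add a trailing newline to the hashed text
read -rs pw && printf '%s' "$pw" | md5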
For basic and form authentication, hash the password alone. For example, when the above command prompts you for the password, enter only the password.
For digest authentication, hash the combination of <user name>:<realm>:<password>, where <realm> is the authentication type. For example, when the above command prompts you for the password, enter <user name>:<realm>:<password> as follows:
jdoe:digest-realm:JdoePass
- To configure users and groups, modify the properties file for the type of authentication that you use. The file name is $TRANSFORMER_CONF/<authentication>-realm.properties.
- For each new user, add a user definition using the following format:
  <user name>: MD5:<md5-text>, user, <role> [, <additional role>, <additional role>...] [, group:<group>, group:<additional group>...]
  Note: Assign one or more roles to each user. Be sure to include user in every user definition.
  For example, the following line defines a user named jsmith assigned the Creator role and to the Development group:
  jsmith: MD5:6d0258c2440a7d19e916292b231e3190,user,creator,group:Development
- To make the new users available, restart Transformer.
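The following audit of a realm file is an added example, not StreamSets code. It recomputes hashes as described above for basic/form and digest, then flags entries whose password equals the login name (as in the default accounts listed earlier), entries missing user or a role, and a file accessible beyond its owner. The function names, the sample entries, and the use of digest-realm as the realm string (taken from the jdoe example) are assumptions made for illustration.

```python
import hashlib
import os
import re
import stat

ROLES = {"admin", "manager", "creator", "guest"}  # roles from the tables above
ENTRY = re.compile(r"^\s*([^:#\s]+)\s*:\s*MD5:([0-9a-fA-F]{32})\s*,(.*)$")

def realm_hash(user, password, auth_type):
    """MD5 text: password alone for basic/form, user:realm:password for digest."""
    # Assumption: the realm is "digest-realm", as in the jdoe example above.
    text = f"{user}:digest-realm:{password}" if auth_type == "digest" else password
    return hashlib.md5(text.encode()).hexdigest()  # no trailing newline hashed

def owner_only(path):
    """True if group/other have no access (what the permission check requires)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def audit_realm(text, auth_type):
    """Return (user, finding) pairs for the body of a realm.properties file."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            findings.append((line.split(":")[0].strip(), "not MD5:<md5-text> format"))
            continue
        user, digest, rest = m.group(1), m.group(2).lower(), m.group(3)
        tokens = {t.strip() for t in rest.split(",") if t.strip()}
        if "user" not in tokens:
            findings.append((user, "missing 'user'"))
        if not tokens & ROLES:
            findings.append((user, "no role assigned"))
        if digest == realm_hash(user, user, auth_type):
            findings.append((user, "password equals login name"))
    return findings

# Constructed sample for form authentication; the jsmith line is the page's example.
SAMPLE = "\n".join([
    f"admin: MD5:{realm_hash('admin', 'admin', 'form')},user,admin",
    "jsmith: MD5:6d0258c2440a7d19e916292b231e3190,user,creator,group:Development",
    f"ops1: MD5:{realm_hash('ops1', 'Constructed-Pass-1', 'form')},manager,group:Ops",
    "old: plaintext-secret,user,guest",
])

if __name__ == "__main__":
    for user, finding in audit_realm(SAMPLE, "form"):
        print(f"{user}: {finding}")
```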
Changing Your Password
When Transformer is configured for file-based authentication, you can use the Transformer UI to change your password.
- Click the User icon, and then click Change Password.
- Enter your current and new password, verify the new password, and then click Save.
Your changed password takes effect the next time you log in to Transformer.