User Authentication

Transformer can authenticate user accounts in several ways.

If you have an enterprise account, you typically use Control Hub authentication to access Transformer. You log in to Transformer using the authentication type configured for the Control Hub organization.

If you are not using Control Hub to access Transformer, you can configure Transformer to use LDAP authentication or file-based authentication. Best practice is to use LDAP authentication, particularly for a production deployment of Transformer. By default, Transformer uses file-based authentication.

Transformer provides several roles that determine the actions that users can perform. The steps you use to assign roles to user accounts vary, based on whether you are using LDAP or file-based authentication.

Configuring LDAP Authentication

If your organization uses LDAP and you want multiple users to access Transformer, you might configure Transformer to use LDAP authentication. After you configure LDAP authentication, users log in to Transformer using their LDAP username and password.

To configure LDAP authentication, see the Data Collector documentation.

Configuring File-Based Authentication

If your organization does not use LDAP and you want multiple users to access Transformer, you might configure Transformer to use the default file-based authentication.

To configure file-based authentication, perform the following tasks:

  1. Configure authentication properties.
  2. Configure Transformer users, groups, and roles.

Users can change their password after logging into Transformer.

Step 1. Configure Authentication Properties

Configure authentication properties in the Transformer configuration file, $TRANSFORMER_CONF/transformer.properties.

When you use file-based authentication, you can use the Basic, Digest, or Form type. By default, Transformer uses file-based authentication and uses the Form authentication type.

  1. In the Transformer configuration file, $TRANSFORMER_CONF/transformer.properties, enable file-based authentication by setting the http.authentication.login.module property to file.
  2. In the $TRANSFORMER_CONF/transformer.properties file, define the HTTP authentication type by setting the http.authentication property to basic, digest, or form.
  3. Specify whether Transformer checks the permissions for the associated realm.properties file for the type of authentication that you use. Set the http.realm.file.permission.check property to one of the following values:
    • true to ensure that the realm.properties file allows access only to the owner.
    • false to skip the permission check.
    You'll use the realm.properties file in the next step, when you configure Transformer users and roles.

Step 2. Configure Users, Groups, and Roles

For file-based authentication, you configure the users that can log in to Transformer. You assign roles to each user account and you can optionally create and assign groups to the user accounts.

Configure users, groups, and roles in the properties file for the type of authentication that you use: $TRANSFORMER_CONF/<authentication>-realm.properties.

Transformer roles determine the tasks that a user can perform. You can also create groups and assign the groups to related user accounts. Use groups to easily assign pipeline permissions to groups of users. Pipeline permissions determine the pipeline access that each user has.

For example, say you use file-based authentication and want to create an Ops group to manage pipelines. To handle this, when you configure users in the authentication properties file, you grant the Manager role and add the Ops group for each operations user. Then, you edit each pipeline they need to manage, assigning read and execute permission to the Ops group. For more information about permissions, see the Data Collector documentation.

Transformer provides several default user accounts and groups. You can change or remove these default user accounts and groups. For increased security, change the passwords for the default user accounts.

Note: Transformer installed through a cloud service provider marketplace includes only the default admin user account and no default groups.

For file-based authentication, Transformer provides the following default user accounts with corresponding roles:

| User Login | Role | Tasks |
| --- | --- | --- |
| admin / admin | Admin | Perform any Transformer task. Can perform all tasks listed below, as well as activate Transformer, restart and shut down Transformer, and view Transformer metrics. Enable Control Hub. Install libraries using Package Manager. |
| manager / manager | Manager | Start, stop, and monitor pipelines. |
| creator / creator | Creator | Create and configure pipelines, preview data, and monitor the pipeline. Import pipelines. |
| guest / guest | Guest | View pipelines and general monitoring information. Export a pipeline. |

For file-based authentication, Transformer also provides a default all group that includes every user, and a dev and test group. The following default user accounts are available for the dev and test user groups:

| User Login | Roles | Group |
| --- | --- | --- |
| user1 / user1 | Manager and Creator | dev |
| user2 / user2 | Manager and Creator | dev |
| user3 / user3 | Manager and Creator | test |
| user4 / user4 | Manager and Creator | test |

Configure users and groups in the properties file for the type of authentication that you use. For example, if you use basic authentication, use the basic-realm.properties file.

To hash login information, you can use an md5 program such as md5 on Mac OS X or md5sum on Linux. For example, you might use the following command to hash a password so that the password is not displayed in the prompt:
read -rs pw && printf '%s' "$pw" | md5   # printf adds no trailing newline, so only the typed text is hashed

For basic and form authentication, hash the password alone. For example, when the above command prompts you for the password, enter only the password.

For digest authentication, hash the combination of <user name>:<realm>:<password>, where <realm> is the authentication type. For example, when the above command prompts you for the password, enter:

<user name>:<realm>:<password>

as follows:

jdoe:digest-realm:JdoePass

  1. To configure users and groups, modify the properties file for the type of authentication that you use.
    The file name is $TRANSFORMER_CONF/<authentication>-realm.properties.
  2. For each new user, add a user definition using the following format:
    <user name>: MD5:<md5-text>, user, <role> [, <additional role>, <additional role>...] [, group:<group>, group:<additional group>...]
    Note: Assign one or more roles to each user. Be sure to include user in every user definition.
    For example, the following line defines a user named jsmith assigned the Creator role and to the Development group:
    jsmith: MD5:6d0258c2440a7d19e916292b231e3190,user,creator,group:Development
  3. To make the new users available, restart Transformer.
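
The following Python is an added example, not part of the Transformer documentation. It builds user definitions under the hashing rules above (password alone for basic and form, <user name>:<realm>:<password> for digest) and flags realm entries whose password is still identical to the user name, which is how the default accounts in the tables above are listed (admin / admin and so on). The function names and the sample entries are assumptions constructed for illustration.

```python
import hashlib

def realm_hash(user, password, auth_type):
    """MD5 text for a user definition: the password alone for basic and form,
    <user name>:<realm>:<password> for digest (realm is "digest-realm")."""
    if auth_type == "digest":
        material = f"{user}:digest-realm:{password}"
    elif auth_type in ("basic", "form"):
        material = password
    else:
        raise ValueError(f"unknown authentication type: {auth_type}")
    return hashlib.md5(material.encode("utf-8")).hexdigest()

def user_line(user, password, auth_type, roles, groups=()):
    """Build one definition line; the literal 'user' entry is always included."""
    fields = [f"MD5:{realm_hash(user, password, auth_type)}", "user", *roles]
    fields += [f"group:{g}" for g in groups]
    return f"{user}: " + ",".join(fields)

def parse_realm(text):
    """Yield (user, credential, roles, groups) for each user definition."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, rest = line.split(":", 1)
        cred, *tags = [t.strip() for t in rest.split(",")]
        roles = [t for t in tags if t != "user" and not t.startswith("group:")]
        groups = [t[len("group:"):] for t in tags if t.startswith("group:")]
        yield user.strip(), cred, roles, groups

def audit_realm(text, auth_type):
    """Return (user, roles) for accounts whose password is still the user name,
    the pattern the default accounts on this page follow."""
    return [(user, roles) for user, cred, roles, _ in parse_realm(text)
            if cred.lower() == "md5:" + realm_hash(user, user, auth_type)]

# Constructed sample content for form-realm.properties (not a real deployment).
SAMPLE = "\n".join([
    user_line("admin", "admin", "form", ["admin"]),
    user_line("jsmith", "constructed-Passphrase-1", "form", ["creator"], ["Development"]),
    user_line("user1", "user1", "form", ["manager", "creator"], ["dev"]),
])

if __name__ == "__main__":
    for user, roles in audit_realm(SAMPLE, "form"):
        print(f"default password still set: {user} (roles: {', '.join(roles)})")
```

Run audit_realm over the contents of $TRANSFORMER_CONF/<authentication>-realm.properties with the matching authentication type; an empty result means no entry still uses its user name as the password.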

Changing Your Password

When Transformer is configured for file-based authentication, you can use the Transformer UI to change your password.

  1. Click the User icon, and then click Change Password.
  2. Enter your current and new password, verify the new password, and then click Save.

    Your changed password takes effect the next time you log in to Transformer.