Management API Security Design

modified by Darran Lofthouse in JBoss AS7 Development

Management API Security

Introduction

The purpose of this document is to capture the requirements, considerations and decisions regarding securing access to the management APIs used for managing or monitoring both standalone JBoss AS7 installations and complete JBoss AS7 domains.


At a high level, a JBoss AS7 domain will be managed by a single domain controller. The hosts establish a connection to this domain controller and receive the management operations to be performed on the host itself or on the servers running on that host. In addition, clients may connect directly to hosts to retrieve state from those running hosts and their servers.


A standalone AS7 installation combines all of this into a single process. The same management APIs will be exposed and the same operations will be possible where they make sense in the context of a single standalone installation (operations such as starting a server on a remote host will no longer be applicable).


Authentication

For authentication there are two distinct areas to consider: the transport used between the client and the domain controller (or the host), and the actual authentication mechanism used within the domain controller / host process.


To minimise calls to the security infrastructure, some form of caching of the user's identity will be required. This is being considered here:

Design Consideration - Management API Authentication Caching

Transport

There may be different clients making use of the transports but essentially the transport will either be over the HTTP admin interface or over Remoting.

Server Integration

Domain management happens within the domain controller process. This process is not a server, so all integration will be specifically for use within the domain controller.


Multi-Node Request Handling

Administrators submit requests to the domain controller; where required, the domain controller contacts the relevant hosts, aggregates their responses and returns the result to the client. For reading metrics at least, the client can instead contact a host directly. This is done for performance, so the security of the management API must not impose a large overhead on each node in the domain.


Independent Hosts

In addition to working in a full domain, it is also possible for a host to be running disconnected from any domain controller. This can happen if the host has been orphaned, or because it is a new host that has not previously been associated with a domain controller.


I am proposing that we treat this as a special case and have a single user defined against the host. This user would be given limited abilities: only to view the domain controller connection settings and to update them if required.


Once the host is associated with the domain then the domain configured security will apply to the management APIs.
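
An illustrative policy check for the independent-host special case described above (an added example, not part of this design page or of the AS7 code base; the host states, the `authorize` and `join_domain` functions, and the operation and resource names are assumptions, as is the choice that the local user is no longer honoured once the host has joined the domain):

```python
from dataclasses import dataclass, field
from enum import Enum


class HostState(Enum):
    DISCONNECTED = "disconnected"  # orphaned, or never associated with a domain controller
    CONNECTED = "connected"        # associated with a domain controller

# The only operations the design grants the single locally defined user:
# view the domain controller connection settings and update them if required.
DC_CONNECTION = "domain-controller-connection"
LOCAL_USER_ALLOWED = {("read", DC_CONNECTION), ("write", DC_CONNECTION)}


@dataclass
class Host:
    state: HostState
    local_user: str  # hypothetical single user defined against the host itself
    # user -> set of (operation, resource) pairs granted by the domain's security config
    domain_policy: dict = field(default_factory=dict)


def authorize(host: Host, user: str, op: str, resource: str) -> bool:
    """Decide whether `user` may perform `op` on `resource` on this host."""
    if host.state is HostState.DISCONNECTED:
        # Special case: only the local user, and only the DC connection settings.
        return user == host.local_user and (op, resource) in LOCAL_USER_ALLOWED
    # Connected: the domain-configured security applies. The local bootstrap account is
    # deliberately not consulted, so it cannot bypass the domain policy (assumption).
    return (op, resource) in host.domain_policy.get(user, set())


def join_domain(host: Host, domain_policy: dict) -> None:
    """Associate the host with a domain controller and adopt the domain's policy."""
    host.state = HostState.CONNECTED
    host.domain_policy = domain_policy


def demo() -> list:
    """Walk through the orphaned-host lifecycle; returns the decisions taken."""
    host = Host(HostState.DISCONNECTED, local_user="bootstrap")
    decisions = [
        authorize(host, "bootstrap", "read", DC_CONNECTION),     # True
        authorize(host, "bootstrap", "write", DC_CONNECTION),    # True
        authorize(host, "bootstrap", "read", "server-metrics"),  # False: outside the special case
        authorize(host, "alice", "read", DC_CONNECTION),         # False: not the local user
    ]
    join_domain(host, {"alice": {("read", "server-metrics")}})  # constructed domain policy
    decisions += [
        authorize(host, "alice", "read", "server-metrics"),      # True: domain policy now applies
        authorize(host, "bootstrap", "write", DC_CONNECTION),    # False: local user no longer honoured
    ]
    return decisions
```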

Authorization