Maestro is a distributed system, and needs to take security into account at multiple levels of the system’s execution. This document provides an overview of just some of the capabilities of Maestro’s security subsystems.
Let’s start with the basics: logging in, and roles.
Authentication and Authorization
Typically, Maestro is configured to integrate with an existing LDAP service, which provides the user accounts for the system. Maestro maintains its own roles internally, so they can be applied to a given user.
Login with the ‘admin’ account, and let’s create a new Project test with.
Save that, and then click on the new Project in the Project view.
Let’s create a new Composition to test with.
And add these two tasks, a simple “shell execute” and a “confirmation”.
Based on the “Demonstration User” roles configuration seen in the Roles Configuration we know that the user can only view projects, the infrastructure, and respond to confirmations. So, let’s logout and back in as ‘maestro’ (password is the same as the ‘admin’ account).
Go ahead and run the Tester Composition, and you’ll see the confirmation waiting. As the ‘maestro’ we will be able execute and accept the confirmation.
If we do accept, the Composition will complete successfully.
Notice that if you click the “edit” icon and go into the Composition Editor view you will not see the “Save” dialog icons in the top-right of the Composition pane…saving is not possible.
If you click on the “Infrastructure” link at the top, you’ll notice that none of the “Operations” icons appear in the right colummn, nothing is actionable.
Change the Assigned Role
To change the assigned role, let’s logout and back in as ‘admin’. Then, click the “Admin” link in the top Navigation strip.
Then click the ‘Users’ tab on the left, and enter ‘maestro’ in the “Username” field. Then click “show user” to view and edit the Role configuration for ‘maestro’.
Let’s go ahead and make ‘maestro’ the Project admin for the Role Test project. Click the “Add Role” button. You’ll get a dialog box:
Set the Role to “Project Administrator” and the Resource to “Role Test”. Then click the ‘Add’ button.
[Note: you may need to refresh the page to see the change applied.]
Now, if you log back into the ‘maestro’ user you’ll be able to add and edit Compositions for the Role Test project. However, you won’t have any additional access for the other Projects.