Agent applies role based authorization for REST web service interface

Starting Situation

• With JS-1589 an Agent can be configured to require token based authentication by any clients that access the REST web service interface.
• A client that is authenticated by a token can access all web services offered by the Agent.

Desired Behavior

• The Agent maps authentication tokens to role based authorization, i.e. an authentication token is associated with a user and a number of roles that are authorized to access specific REST web services.
• Role based authorization is configured with Apache Shiro that allows configuration items such as users, roles and tokens to be managed with
  • local configuration files
    • Example

      [users]
      aUser = TEST-PASSWORD, specialJobStarter, terminator
      bUser = TEST-PASSWORD, terminator
      
      [roles]
      specialJobStarter = Command:StartApiTask
      terminator = Command:Terminate
      
      [accessTokens]
      A-SECRET-ACCESS-TOKEN = aUser
      B-SECRET-ACCESS-TOKEN = bUser
      

  • LDAP capable directory services
    • This interface has to be developped indivdually depending on the LDAP structure to which users, roles and tokens are mapped.
    • Therefore the LDAP extension is specific for a directory service operated by a JobScheduler user.