Authentication Server third-party ACL integration

System administrators are able to create and implement Deephaven Authentication Server plugins that will execute Java code upon certain Authentication Server actions, such as user login or token verification.

This document describes a specific use case in which an "Auth Hook" (plugin) can be created to request and parse data from an external server and then import that data into the Deephaven system. The imported data may then be utilized in the ACL Editor by a corresponding, custom filter generator.

The following graphic demonstrates the general process:

[Graphic: overview of the authentication hook process (image not available)]

There are four steps required to implement the above system:

  1. Create the authentication server plugin by creating a class that implements the AuthHookModule interface.
  2. Specify the plugin through the authentication.server.hooks.class property.
  3. Set up a tailer to import logged data real-time.
  4. Create a custom filter generator that utilizes the imported data within an ACL.

AuthHookModule interface

To create your authentication hook, you must create a class that implements the com.fishlib.auth.AuthHookModule interface and overrides its methods.

The AuthHookModule interface follows:

package com.fishlib.auth;
/**
 * This interface allows you to run actions after useful authentication server operations; for example you may use
 * an AuthHookModule to perform post-login refresh of ACL entries.
 *
 * Implementations must implement a Constructor which takes a com.fishlib.io.logger.Logger.
 */
public interface AuthHookModule {
    /**
     * Called after a client successfully logs in to the authentication server.
     *
     * userContext is the context of the user logging in
     */
    void onLogin(UserContext userContext);

    /**
     * Called after a client logs out from the authentication server (i.e. disconnects).
     *
     * userContext is the context of the user logging out
     */
    void onLogout(UserContext userContext);

    /**
     * Called after an authentication token is created.
     *
     * authenticatedContext is the context of the user creating the token
     * service is the service the user is creating a token for
     */
    void onTokenCreate(UserContext authenticatedContext, String service);

    /**
     * Called after an authentication token is verified
     *
     * authenticatedContext is the context of the verified token
     * service is the service for which the token is valid
     */
    void onTokenVerify(UserContext authenticatedContext, String service);

    /**
     * Called after an authentication token fails verification
     *
     * authenticatedContext is the context of the verified token
     * service is the service for which the token is valid
     */
    void onTokenVerifyFailure(UserContext authenticatedContext, String service);

    /**
     * Called after the authentication server configuration is reloaded.
     */
    void onReload();

    class Null implements AuthHookModule {

        @Override
        public void onLogin(UserContext userContext) {

        }

        @Override
        public void onLogout(UserContext userContext) {

        }

        @Override
        public void onTokenCreate(UserContext authenticatedContext, String service) {

        }

        @Override
        public void onTokenVerify(UserContext authenticatedContext, String service) {

        }

        @Override
        public void onTokenVerifyFailure(UserContext authenticatedContext, String service) {

        }

        @Override
        public void onReload() {

        }
    }
}

The nested com.fishlib.auth.AuthHookModule.Null class provides an implementation with empty methods, which you may use as your base class. By using the Null implementation as your base, you only need to implement methods required for your use case, and your extension will continue to compile if additional methods are added to the AuthHookModule interface.
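The following is an added example of such a hook, written for this document rather than taken from Deephaven's code. It extends AuthHookModule.Null, keeps the single-Logger constructor the interface requires, and on every successful login queries an external group-membership service, validates the returned group names, and records one row per group through the logger so a tailer can import them. The package name, the example.groupservice.url property, the line-per-group response format, the UserContext.getAuthenticatedUser() accessor and the Logger.info()/error() ... append() ... endl() calls are assumptions for the example; the record step is where a deployment would call its generated Deephaven table logger.

```java
package com.example.auth; // hypothetical package for this example

import com.fishlib.auth.AuthHookModule;
import com.fishlib.auth.UserContext;
import com.fishlib.io.logger.Logger;

import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * After each successful login, fetch the user's groups from an external service,
 * keep only well-formed group names, and record one row per group for the tailer.
 */
public class ExternalGroupAuthHook extends AuthHookModule.Null {

    // Only identifier-like names are accepted; anything else returned by the
    // external service is discarded instead of being written into ACL data.
    private static final Pattern SAFE_GROUP = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    private final Logger log;
    private final HttpClient http;
    private final URI groupServiceBase;

    /** Required by the authentication server: a constructor taking only a Logger. */
    public ExternalGroupAuthHook(final Logger log) {
        // Assumed property name; use an HTTPS endpoint so group data cannot be altered in transit.
        this(log, URI.create(System.getProperty("example.groupservice.url",
                "https://acl.example.internal/groups/")));
    }

    ExternalGroupAuthHook(final Logger log, final URI groupServiceBase) {
        this.log = log;
        this.groupServiceBase = groupServiceBase;
        // Bounded connect timeout: an unreachable service must not stall logins indefinitely.
        this.http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(2)).build();
    }

    @Override
    public void onLogin(final UserContext userContext) {
        // Assumption: UserContext exposes the authenticated user name this way.
        final String user = userContext.getAuthenticatedUser();
        try {
            for (final String group : fetchGroups(user)) {
                recordGroup(user, group);
            }
        } catch (IOException | InterruptedException e) {
            // A failing lookup is logged and otherwise ignored: the hook runs after
            // authentication and must not turn an external outage into a login error.
            log.error().append("ExternalGroupAuthHook: group lookup failed for ").append(user)
               .append(": ").append(String.valueOf(e.getMessage())).endl();
            if (e instanceof InterruptedException) {
                Thread.currentThread().interrupt();
            }
        }
    }

    /** Query the external service with a per-request timeout and return validated group names. */
    List<String> fetchGroups(final String user) throws IOException, InterruptedException {
        final URI target = groupServiceBase.resolve(URLEncoder.encode(user, StandardCharsets.UTF_8));
        final HttpRequest req = HttpRequest.newBuilder(target)
                .timeout(Duration.ofSeconds(3))
                .GET()
                .build();
        final HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            throw new IOException("group service returned HTTP " + resp.statusCode());
        }
        return parseGroups(resp.body());
    }

    /** Assumed response format: one group name per line; malformed names are dropped. */
    static List<String> parseGroups(final String body) {
        final List<String> groups = new ArrayList<>();
        for (final String line : body.split("\\R")) {
            final String name = line.trim();
            if (SAFE_GROUP.matcher(name).matches()) {
                groups.add(name);
            }
        }
        return groups;
    }

    /** Emit one row per (user, group). A real deployment calls its generated table logger here. */
    protected void recordGroup(final String user, final String group) {
        log.info().append("ExternalGroupAuthHook: user=").append(user)
           .append(" group=").append(group).endl();
    }
}
```

The hook deliberately does two things a practitioner should check in any plugin of this kind: it bounds how long a login can wait on the external service, and it treats the service's answer as untrusted input, filtering names before they ever reach the ACL data the filter generator will later consult.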

Authentication Server hooks property

To utilize the AuthHookModule implementation, you must specify the fully qualified class name of the hook in the authentication.server.hooks.class property:

authentication.server.hooks.class=<fully qualified class name>

Data import

Authentication hooks may use a logger in the same way a client logger application does. If so, you will need to set up a tailer to import the logged data in real time. Refer to Importing Data > Deephaven Data Tailer for an example of tailer installation and configuration.

Custom Filter Generator

If you'd like to utilize the imported data in the ACL Editor, you must create a class that implements the FilterGenerator interface, and then apply it as an ACL. Refer to the Deephaven Javadoc and the ACL Editor documentation to learn more.