19 Security Tasks
This chapter introduces the security tasks you can perform with Oracle Stream Analytics Visualizer: managing users, groups, and roles, managing HTTP publish-subscribe server channel security, and managing SSL.
This chapter includes the following sections:
19.1 User, Group, and Role Management
Oracle Stream Analytics uses role-based authorization control to secure the Oracle Stream Analytics Visualizer and the wlevs.Admin command-line utility. A set of default security groups is provided out of the box. You add users to different groups to give them different roles. Administrators who use Oracle Stream Analytics Visualizer, wlevs.Admin, or any custom administration application that uses JMX to connect to an Oracle Stream Analytics instance gain access through role-based authorization.
You can also use role-based authorization to control access to the HTTP publish-subscribe server.
There are two types of role:
- Application roles: application roles grant users the permission to access various Oracle CQL applications deployed to the Oracle Stream Analytics server. You can create application roles and associate them with the task roles that Oracle Stream Analytics provides.
  By default, administrator users can access any application and non-administration users cannot access any applications. Before a non-administration user can access an application, an administration user must grant the user the associated application role.
- Task roles: task roles grant users the permission to perform various tasks with the applications their application role authorizes them to access. Oracle Stream Analytics provides the default task roles that Table 19-1 describes.
Users that successfully authenticate themselves when using Oracle Stream Analytics Visualizer or wlevs.Admin are assigned roles based on their group membership, and then subsequent access to administrative functions is restricted according to the roles held by the user. Anonymous users (non-authenticated users) will not have any access to the Oracle Stream Analytics Visualizer or wlevs.Admin.
When an administrator uses the Configuration Wizard to create a new domain, they enter an administrator user that will be part of the wlevsAdministrators group. By default, this information is stored in a file-based provider filestore. The password is hashed using the SHA-256 algorithm. The default administrator user is named oepadmin with password welcome1.
Table 19-1 describes the default Oracle Stream Analytics task roles available right after the creation of a new domain, as well as the name of the groups that are assigned to these roles.
Table 19-1 Default Oracle Stream Analytics Task Roles and Groups
| Task Role | Group | Privileges |
|---|---|---|
| | wlevsAdministrators | Has all privileges of all the preceding roles, and permission to: |
| | wlevsApplicationAdmins | Has all Operator privileges except the permission to update the queries, which is allowed only with the Admin and BusinessUser roles. ApplicationAdmin includes permission to update the configuration of any deployed application. |
| | wlevsBusinessUsers | Has all Operator privileges and permission to update the Oracle CQL rules associated with the processor of a deployed application. |
| | wlevsDeployers | Has all Operator privileges and permission to deploy, undeploy, update, suspend, and resume any deployed application. |
| | wlevsMonitors | Has all Operator privileges and permission to monitor (diagnostic profile), record, playback, and to perform event traces and event injections. |
| | wlevsOperators | Has read-only access to all server resources, services, and deployed applications. |
Use Oracle Stream Analytics Visualizer to create a group for an existing domain and to assign roles to the group. When you assign a user to the group, the roles give that user the privileges to perform the actions allowed by the roles.
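The group-to-privilege mapping in Table 19-1 can be used to review group assignments for least privilege. The following Python is an added example, not Oracle code: it computes the privileges a set of default groups grants and suggests the least-privileged groups for a stated duty. The permission labels, user names, and duty lists are constructed for illustration, and administrator-only permissions, which the table above does not list, are not modeled.

```python
from itertools import combinations

READ_ONLY = "read-only"  # Operator access, included in every default role
ADMIN = "wlevsAdministrators"

# What each default group adds beyond Operator access, per Table 19-1.
# The permission labels are hypothetical names chosen for this example.
EXTRA = {
    "wlevsOperators": frozenset(),
    "wlevsMonitors": frozenset(
        {"monitor", "record", "playback", "event-trace", "event-inject"}),
    "wlevsDeployers": frozenset(
        {"deploy", "undeploy", "update", "suspend", "resume"}),
    "wlevsBusinessUsers": frozenset({"update-cql"}),
    "wlevsApplicationAdmins": frozenset({"update-app-config"}),
}

def effective_privileges(groups):
    """Union of the privileges granted by a user's group memberships."""
    privs = {READ_ONLY} if groups else set()  # no group: no access
    for group in groups:
        # Administrators hold every privilege of the other roles.
        granted = EXTRA.values() if group == ADMIN else [EXTRA[group]]
        for extra in granted:
            privs |= extra
    return privs

def minimal_groups(needed):
    """Least-privileged combination of default groups covering `needed`."""
    needed = set(needed) | {READ_ONLY}
    combos = [c for n in range(1, len(EXTRA) + 1)
              for c in combinations(sorted(EXTRA), n)]
    fits = [c for c in combos if needed <= effective_privileges(c)]
    if not fits:
        return [ADMIN]  # only the administrator role can cover it
    return list(min(fits, key=lambda c: (len(effective_privileges(c)), len(c))))

def over_privileged(assignments, duties):
    """Map each user whose groups exceed their duties to suggested groups."""
    findings = {}
    for user, groups in assignments.items():
        needed = set(duties[user]) | {READ_ONLY}
        if effective_privileges(groups) - needed:
            findings[user] = minimal_groups(needed)
    return findings

# Constructed sample data, not taken from any real domain.
ASSIGNMENTS = {"alice": [ADMIN], "bob": ["wlevsMonitors"],
               "carol": ["wlevsApplicationAdmins", "wlevsDeployers"]}
DUTIES = {"alice": ["update-cql"], "bob": sorted(EXTRA["wlevsMonitors"]),
          "carol": ["update-app-config"]}
```

Calling over_privileged(ASSIGNMENTS, DUTIES) reports alice and carol; note that wlevsApplicationAdmins does not cover query updates, so a user who must edit Oracle CQL rules needs wlevsBusinessUsers rather than a broader administrative group.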
Using Oracle Stream Analytics Visualizer, you can:
19.2 HTTP Publish-Subscribe Server Channel Security Management
Oracle Stream Analytics provides an HTTP Publish-Subscribe Server (HTTP pub-sub server): a mechanism whereby Web clients subscribe to channels (similar to topics in JMS) to receive messages as they become available, and publish messages to these channels using asynchronous messages over HTTP.
Using Oracle Stream Analytics Visualizer, you can specify which users can access HTTP publish-subscribe server channels.
For more information, see HTTP Publish-Subscribe Server Security.
19.3 SSL Management
Oracle Stream Analytics provides one-way Secure Sockets Layer (SSL) to secure network traffic between Oracle Stream Analytics Visualizer and Oracle Stream Analytics server instances, between the Oracle Stream Analytics server instances of a multiserver domain, and between the wlevs.Admin command-line utility and Oracle Stream Analytics server instances.
You configure SSL in the Oracle Stream Analytics server config.xml file. By default, the Configuration Wizard creates the config.xml file in the Oracle/Middleware/my_oep/user_projects/domains/DOMAIN_DIR/servername/config directory.
For more information, see SSL Configuration.