Management User Authentication/Authorization

There are two types of management users that can connect to a Solace router:

  • CLI user—A user that connects to a router for the purpose of configuring, managing, and monitoring that router. A CLI user can be an administrator that uses the Solace Command Line Interface (CLI) or SolAdmin (a GUI-based equivalent of the Solace CLI). It can also be a management application that uses Solace Element Management Protocol (SEMP) requests over HTTP service. For information on SEMP service, refer to Using SEMP.

  • File Transfer user—A user that can remotely transfer files to and from specific directories on the selected Solace router using Secure File Transfer Protocol (SFTP) or Secure Copy (SCP).

Note:  When a user successfully logs in or logs out, or fails to authenticate for a CLI, SEMP, shell, scp, or sftp session to the router, an authentication event is written to the event log. If SEMP is used to manage the router, a persistent SEMP connection should be used if a high volume of authentication event logs is not desired.

CLI User Authentication

When a CLI user initially establishes a connection to the router, no requests by that user can be processed until it is authenticated according to the authentication type that has been configured for that CLI user account.

The following authentication types can be configured for a provisioned CLI user account:

  • Internal—The CLI user’s name and password are authenticated against an internal Solace router database.
  • RADIUS—The CLI user’s name and password are sent to an external RADIUS server for authentication.
  • LDAP—The CLI user’s name and password are sent to an external LDAP server for authentication. LDAP over TLS is also supported.

The Solace router always first attempts to authenticate a CLI user using internal authentication. If the user does not exist in the internal database, the router checks whether RADIUS or LDAP authentication is configured (only one of the two can be configured for the router). If it is, the router then attempts to authenticate the user using that external authentication type. For information on how to configure RADIUS or LDAP authentication, refer to Managing Management User Authentication/Authorization.

If the CLI user is successfully authenticated, the Solace router permits the connection with the access privileges configured for the CLI user account.

Note:  If you are using RADIUS or LDAP user authentication, it is recommended that you configure a few internal user accounts that can be used to administer the router if the external RADIUS or LDAP servers are unreachable. However, do not duplicate internal user accounts on a RADIUS or LDAP server or vice versa, because this can cause confusion over where user account passwords reside. For example, if a user account password is changed on the RADIUS or LDAP server, and a duplicate account also exists locally on the router, internal authentication will be used; because the old local password is expected, the user authentication will fail.
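The lookup order just described, and the shadowing failure from the note, as an added example in Python (this is illustrative code, not Solace's own implementation). The internal database, the external verifier callable, and the event-log line format are constructed assumptions; the only behaviour taken from the page is that the internal database is consulted first, that a single external method (RADIUS or LDAP) is tried only when the name is absent locally, and that every attempt produces an authentication event.

```python
"""Model of the CLI user authentication order described in this section.

Added example, not Solace code. Assumptions (not from the page):
  * the internal database is a dict of user name -> SHA-256 password hash;
  * the external server is represented by a ("radius"|"ldap", verify) pair,
    where verify(username, password) -> bool;
  * the event log is a list of constructed "AUTH ..." strings.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Tuple

Verifier = Callable[[str, str], bool]


def _hash(password: str) -> str:
    # Constructed storage format for the internal database.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_external_verifier(directory: Dict[str, str]) -> Verifier:
    """Stand-in for a RADIUS/LDAP server holding clear-text test passwords."""
    def verify(username: str, password: str) -> bool:
        stored = directory.get(username)
        return stored is not None and hmac.compare_digest(stored, password)
    return verify


def authenticate(username: str, password: str,
                 internal_db: Dict[str, str],
                 external: Optional[Tuple[str, Verifier]],
                 event_log: List[str]) -> Tuple[str, bool]:
    """Return (method used, success) and append one event-log line.

    Internal authentication always wins when the name exists locally, so a
    stale local copy of an externally managed account shadows the external
    password (the situation the note above warns about).
    """
    if username in internal_db:
        method = "internal"
        ok = hmac.compare_digest(internal_db[username], _hash(password))
    elif external is not None:
        method, verify = external
        ok = verify(username, password)
    else:
        method, ok = "none", False   # unknown user, no external method configured
    event_log.append(f"AUTH method={method} user={username} "
                     f"result={'ok' if ok else 'fail'}")
    return method, ok


if __name__ == "__main__":
    # Constructed sample data.
    internal = {"emergency-admin": _hash("local-pw"), "alice": _hash("old-pw")}
    radius = ("radius", make_external_verifier({"alice": "new-pw", "bob": "bob-pw"}))
    log: List[str] = []
    print(authenticate("bob", "bob-pw", internal, radius, log))      # ('radius', True)
    print(authenticate("alice", "new-pw", internal, radius, log))    # ('internal', False)
    print(authenticate("emergency-admin", "local-pw", internal, None, log))
    print("\n".join(log))
```

The second call is the duplicated-account case: alice's password was rotated on the RADIUS server, but because a local account with the same name still exists, the router never consults RADIUS and the login fails against the stale local hash.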

File Transfer User Authentication

A file transfer user is authenticated through the Internal authentication type. The File Transfer user’s name and password are verified against the internal Solace router database. If the verification is successful, the Solace router permits the connection.

Note:  File Transfer user accounts do not have a permission level associated with them. All File Transfer users can read, write, and delete files from the file system available to File Transfer users.

User Access To CLI Commands

Each command offered through the Solace CLI has a particular scope and access level requirement. Therefore, a CLI user can only use a command offered through the CLI if that user’s configured access levels are sufficient for the scope of the command.

CLI User Access Levels

Access levels are assigned to each CLI user account to control what types of commands the user is allowed to execute. The following access levels are available:

  • none—The CLI user cannot execute CLI commands except for a few that pertain to the log in and display preferences for the user’s own account.
  • read-only—The CLI user can execute CLI commands to display operational information about the router but cannot change its configuration. A monitoring application would typically use a read-only access level.
  • read-write—The CLI user can execute CLI commands to both display operational information about the router and perform most router configurations—including creating other CLI user accounts with none access levels. A management user responsible for configuring the router or Message VPN services would commonly be granted a read-write access level.
  • admin—The CLI user can execute all CLI commands on the router. This includes controlling router-wide authentication and authorization parameters and creating other admin users. (This access level can only be applied to global-scoped commands.)

Command Scopes

CLI users can be configured to manage the entire router and/or a subset of Message VPNs. To permit this level of control, each CLI user account is assigned access levels for the following different scopes:

  • global—a global access level dictates what the user is allowed to do across the entire router
  • Message VPN—one or more Message VPN access levels dictate what the CLI user is allowed to do within Message VPNs

An assigned global access level is all-encompassing in that it gives a CLI user the same level of access to all CLI commands, even those that have a Message VPN scope.

In addition to a global access level, Message VPN access levels are assigned so that users with none or read-only global access levels can be granted, as required, increased access to Message VPN-scoped CLI commands. An assigned Message VPN access level can only increase, not decrease, the Message VPN access level that a CLI user effectively receives from its assigned global access level.

Assigning both global-scoped and Message VPN-scoped access levels allows the appropriate access to be granted to users based on their administrative roles. Consider the two following examples:

  • A system‑wide administrator could be assigned a global access level of admin, which allows that user to run any command on the router, whether it is a global-scoped or Message VPN-scoped command.
  • A user who needs to monitor operational statistics within a Message VPN could be assigned a global access level of none and a Message VPN access level of read-only for that Message VPN.

Note:  For security reasons, only a few administrators should be given access to CLI user accounts with global access levels of read-write or admin.

In general, Message VPN-scoped CLI commands contain the "message-vpn" keyword, or they are contained in a CLI mode with the "message-vpn" keyword. For example, commands to configure client usernames, durable endpoints, and Distributed Caches are created on a per-Message VPN basis:
solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# acl-profile <name>
...
solace(configure)# message-spool message-vpn <vpn-name>
solace(configure/message-spool)# create queue <name>
...
solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# distributed-cache-management

Assigning Access Levels

Each created CLI User must be assigned:

  • a single global access level
  • one or more specific Message VPN access levels

Message VPN access levels can be assigned through:

  • the default Message VPN access level—This provides a consistent Message VPN access level across all provisioned Message VPNs. A default Message VPN access level is always assigned to a CLI user, but it only affects a CLI user’s access to Message VPN-scoped CLI commands if it is greater than the user’s assigned global access level.
  • Message VPN exceptions—These are per-Message VPN exceptions to the default Message VPN access level. These exceptions can either increase or decrease the assigned default Message VPN access level for the specified Message VPN.

Creating and Managing CLI User Accounts

Your ability to create and delete user accounts, and to change the access levels and passwords of existing user accounts, depends on the global access level of the user account you use. The general limitations for each global access level are as follows:

  • A CLI user with a global access level of admin can create, delete, or make changes to other CLI user accounts without any restrictions.
  • A CLI user account with a global access level of read-write can:
    • only create or delete other CLI user accounts with a global access level of none
    • set a Message VPN access level for any CLI user account
    • change the password for its own user account and user accounts with an access level of none
  • A CLI user account with a global access level of read-only or none can only change the password of its own user account.

When access level and password changes are made to a CLI user account, they do not affect any active sessions that are using that user account. The changes only take effect the next time a user logs in to that CLI user account.
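The rules from the Command Scopes, Assigning Access Levels, and Creating and Managing CLI User Accounts sections above, as one added worked example in Python (illustrative code, not Solace's own implementation). It computes the effective access level a CLI user holds for global-scoped and Message VPN-scoped commands and then checks which account-management actions one user may perform on another. The `CliUser` class, the action names, and the user and Message VPN names are constructed assumptions; the ordering none < read-only < read-write < admin, the "admin counts as read-write within a Message VPN" rule, and the "VPN levels can only raise what the global level grants" rule are taken from the text.

```python
"""Model of the CLI access-level rules described on this page.

Added example, not Solace code. Assumptions (not from the page): the
CliUser dataclass, the ACTIONS names, and all sample user/VPN names.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

LEVELS = ("none", "read-only", "read-write", "admin")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class CliUser:
    name: str
    global_level: str = "read-only"        # page: default global access level
    default_vpn_level: str = "none"        # page: default Message VPN level
    vpn_exceptions: Dict[str, str] = field(default_factory=dict)  # vpn -> level

    def __post_init__(self) -> None:
        for lvl in (self.global_level, self.default_vpn_level,
                    *self.vpn_exceptions.values()):
            if lvl not in RANK:
                raise ValueError(f"unknown access level: {lvl!r}")


def effective_vpn_level(user: CliUser, vpn: str) -> str:
    """Level the user holds for commands scoped to Message VPN `vpn`."""
    # The global level covers VPN-scoped commands too; admin is effectively
    # read-write inside a Message VPN (there is no admin level at VPN scope).
    from_global = min(RANK[user.global_level], RANK["read-write"])
    # A per-VPN exception replaces the default for that one VPN, so it may be
    # lower or higher than the default ...
    assigned = RANK[user.vpn_exceptions.get(vpn, user.default_vpn_level)]
    # ... but an assigned VPN level can only raise, never lower, what the
    # global level already grants.
    return LEVELS[max(from_global, assigned)]


def is_authorized(user: CliUser, required: str, vpn: Optional[str] = None) -> bool:
    """True if `user` may run a command that needs `required` in the given
    scope (global when vpn is None, otherwise scoped to that Message VPN)."""
    held = user.global_level if vpn is None else effective_vpn_level(user, vpn)
    return RANK[held] >= RANK[required]


# Account-management rules: what may `actor` do to `target`'s account?
ACTIONS = ("create", "delete", "change-password", "set-vpn-level", "set-global-level")


def may_manage(actor: CliUser, action: str, target: CliUser) -> bool:
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    is_self = actor.name == target.name
    if actor.global_level == "admin":
        return True                        # no restrictions
    if actor.global_level == "read-write":
        if action in ("create", "delete"):
            return target.global_level == "none"   # only none-level accounts
        if action == "set-vpn-level":
            return True                    # any CLI user account
        if action == "change-password":
            return is_self or target.global_level == "none"
        return False                       # changing a global level is admin-only
    # read-only and none: only their own password
    return action == "change-password" and is_self


if __name__ == "__main__":
    monitor = CliUser("vpn-monitor", "none", "read-only",
                      {"vpn_b": "read-write", "vpn_c": "none"})
    for vpn in ("vpn_a", "vpn_b", "vpn_c"):
        print(monitor.name, vpn, effective_vpn_level(monitor, vpn))
    operator = CliUser("operator", "read-write", vpn_exceptions={"vpn_c": "none"})
    print(operator.name, "vpn_c", effective_vpn_level(operator, "vpn_c"))  # read-write
    print(may_manage(operator, "create", CliUser("newbie", "none")))        # True
    print(may_manage(operator, "set-global-level", CliUser("newbie", "none")))  # False
```

The `operator` case is the one worth noting: a Message VPN exception of none for vpn_c does not reduce that user's access there, because the read-write global level already applies to every Message VPN-scoped command.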

Access Level Capabilities

There are multiple possible global access levels and Message VPN access levels that can be assigned to a CLI user with various capabilities and limitations.

Note:  CLI users only see commands that they are authorized to execute. This means, for example, that Help commands will not show unauthorized commands, and CLI tab‑completion will not complete a command for which the user is not authorized. In addition, wildcard characters used in CLI commands will not allow a user to see or access network resources, such as Message VPNs or client profiles, that they are not authorized for.

Global Access Levels

The table below provides information on the possible global access levels that can be assigned to a CLI user and many of the capabilities and limitations that those access levels present.

Global Access Levels (each entry gives a level, followed by its capabilities and limitations)

none

The CLI user has access to minimal CLI commands, and no jail file system access. However, a CLI user with this global access level can:

  • use ?, help, and tree commands (unauthorized commands are not shown)
  • use the show authentication current-user User EXEC command to view its own access level information
  • change its own password, if the user is authenticated through the internal database
  • navigate through command modes, as required, to execute authorized commands
  • logout of the current session
  • enable/disable alarm display
  • set the number of lines to use for paging output
  • enable/disable strict column wrapping
  • disconnect CLI sessions that belong to the current user (but not the current session)

Note:  CLI users with a global access level of none can be given additional access to Message VPN commands by assigning them a default Message VPN access level of read-only or read-write or a Message VPN access level exception of read-only or read-write.

read-only

The default value for the global access level.

In addition to the capabilities offered by a global access level of none, a CLI user with a global access level of read-only can:

  • use show User EXEC commands to view status and configuration information for the router and for Message VPNs
  • clear events (but not statistics)
  • access the jail file system

Note:  CLI users with a global access level of read-only can be given additional capabilities at the Message VPN level by assigning them a default Message VPN access level or a Message VPN access level exception of read-write.

read-write

In addition to the capabilities offered by a global access level of read‑only, a CLI user with an access level of read-write can perform most configuration changes, including:

  • configuring default Message VPN access levels
  • creating Message VPN access level exceptions
  • creating, deleting, or renaming internally-authenticated CLI user accounts with an access level of none
  • restarting the router from its current configuration file through the reload Privileged EXEC command

admin

The CLI user has full access to all global and Message VPN-scoped CLI commands (it provides an effective Message VPN access level of read-write).

Some configuration changes or actions that can only be performed with a global access level of admin include:

  • Creating, deleting, or renaming internally-authenticated CLI user accounts with an access level greater than none.
  • Changing the global access level of any CLI user account.
  • Changing the authentication configuration of CLI users with a global access level greater than none.
  • Changing the authentication configuration of CLI users in LDAP groups.
  • Restarting the router through either the boot, reload default-config, or reload config <config-file> Privileged EXEC commands.
  • Making changes at the authentication CONFIG level of the CLI. (The only exception is the ability to make Message VPN-level changes when the CLI user is granted a sufficient default Message VPN access level.)
  • Changing the configuration database file that the router is currently running—changing to a different configuration database could result in a different authentication configuration.

VPN Access Levels

The following table provides information on the possible Message VPN access levels that can be assigned to a CLI user and many of the capabilities and limitations that those access levels present.

VPN Access Levels (each entry gives a level, followed by its capabilities and limitations)

none

The default value for the default Message VPN access level.

The CLI user has no access to Message VPN-scoped CLI commands.

read-only

The CLI user can:

  • use show User EXEC commands to view status and configuration information for Message VPNs
  • clear Message VPN events (but not statistics)

read-write

In addition to the capabilities offered by a Message VPN access level of read-only, a CLI user with a Message VPN access level of read-write can perform most Message VPN scoped configuration changes.

Some of the configuration changes or actions that are forbidden at this level (and that require a higher global access level of read-write or admin) because they affect system resources include:

  • configuring client profiles (global system administrators are expected to create the client profiles that define how clients within a Message VPN are expected to behave; however, a CLI user limited to Message VPN scope does have access to show client profiles and to assign client profiles to client username objects)

  • creating or deleting Message VPNs
  • configuring Message VPN parameters that affect system resources, such as:
    • export-policy
    • management-message-vpn
    • max-connections
    • max-subscriptions
    • semp-over-msgbus
    • max-egress-flows
    • max-endpoints
    • max-ingress-flows
    • max-spool-usage
    • max-transacted-sessions
  • configuring the following Message VPN parameters:
    • Message VPN authentication
    • Replication bridge configuration
    • Replication state and Replication [no] shutdown