Management User Authentication / Authorization Overview

There are two ways you can authenticate users to provide management access to a PubSub+ event broker: Basic Authentication or OAuth Authentication.

Basic Authentication

When setting up basic authentication, there are two types of management users that can connect to an event broker:

  • CLI user: A user that connects to an event broker for the purpose of configuring, managing, and monitoring that event broker. A CLI user can be an administrator that uses the Solace Command Line Interface (CLI), Broker Manager (a browser-based administration console), or SolAdmin (a GUI-based equivalent of the Solace CLI). It can also be a management application that sends Solace Element Management Protocol (SEMP) requests over the HTTP service. (For information on the SEMP service, see SEMP.)
  • File Transfer user: A user that can remotely transfer files to and from specific directories on the selected event broker using Secure File Transfer Protocol (SFTP) or Secure Copy (SCP).

When a user successfully logs in or logs out, or fails to authenticate, for a CLI, SEMP, shell, SCP, or SFTP session to the event broker, an authentication event is written to the event log. If SEMP is used to manage the event broker, use a persistent SEMP connection if you do not want a high volume of authentication event logs.

OAuth 2.0 Authentication

There are two ways you can use OAuth to provide management access to an event broker:

  • Interactive: OAuth is used to authenticate a user interacting with Broker Manager or any other browser-based web application that uses SEMPv2.
  • Automated: An OAuth token is used as the credential to authenticate SEMPv2 REST requests.

Basic Authentication

When a CLI user initially establishes a connection to the event broker, no requests by that user can be processed until it is authenticated according to the authentication type that has been configured for that CLI user account.

The following authentication types can be configured for a provisioned CLI user account:

  • Internal—The CLI user’s name and password are authenticated against an internal event broker database.
  • RADIUS—The CLI user’s name and password are sent to an external RADIUS server for authentication.
  • LDAP—The CLI user’s name and password are sent to an external LDAP server for authentication. LDAP over TLS is also supported.

The event broker always attempts internal authentication first. If the user does not exist in the internal database, the event broker checks whether RADIUS or LDAP authentication is configured (only one of the two can be configured for the event broker) and, if so, attempts to authenticate the user against that external server. For information on how to configure RADIUS or LDAP authentication, see Setting CLI User Authentication Types.

If the CLI user is successfully authenticated, the event broker permits the connection with the access privileges configured for the CLI user account.

If you are using RADIUS or LDAP user authentication, it is recommended that you configure a few internal user accounts that can be used to administer the event broker if the external RADIUS or LDAP servers are unreachable. However, do not duplicate internal user accounts on a RADIUS or LDAP server, or vice versa, because this causes confusion over where a user account's password resides. For example, if a user account's password is changed on the RADIUS or LDAP server and a duplicate account also exists locally on the event broker, internal authentication is used, the old password is expected, and the login fails.
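The lookup order and the duplicate-account failure mode just described, as an added illustration rather than Solace code: a small Python model in which the internal database is always consulted first and the external RADIUS or LDAP server is asked only about users absent from it. The account names, passwords and the LDAP stand-in are constructed for the example.

```python
from typing import Callable, Optional


class Broker:
    """Minimal model of the CLI-user authentication order described above."""

    def __init__(self, internal_users: dict,
                 external: Optional[Callable[[str, str], bool]] = None,
                 external_name: str = "none"):
        self.internal_users = internal_users   # internal database
        self.external = external               # RADIUS or LDAP, at most one
        self.external_name = external_name

    def authenticate(self, username: str, password: str) -> tuple:
        """Return (success, source), where source names the store that decided."""
        if username in self.internal_users:
            # An internal match is final: there is no fallback to RADIUS/LDAP.
            return (self.internal_users[username] == password, "internal")
        if self.external is None:
            return (False, "no-external")
        try:
            return (self.external(username, password), self.external_name)
        except ConnectionError:
            return (False, self.external_name + "-unreachable")


# Constructed LDAP stand-in: username -> password currently held by the server.
LDAP_DIRECTORY = {"alice": "new-secret", "ops-monitor": "m0nitor"}

def ldap_bind(username: str, password: str) -> bool:
    return LDAP_DIRECTORY.get(username) == password

def ldap_down(username: str, password: str) -> bool:
    raise ConnectionError("LDAP server unreachable")

# Constructed internal database: a break-glass account plus a duplicate of
# "alice" whose password was later rotated in LDAP but not locally.
INTERNAL = {"breakglass": "local-admin-pw", "alice": "old-secret"}
broker = Broker(INTERNAL, external=ldap_bind, external_name="ldap")

def alice_with_ldap_password() -> tuple:
    # Duplicate account: the internal entry is checked first, so the
    # rotated LDAP password is rejected.
    return broker.authenticate("alice", "new-secret")        # (False, "internal")

def monitor_via_ldap() -> tuple:
    # Absent from the internal database, so the request goes to LDAP.
    return broker.authenticate("ops-monitor", "m0nitor")     # (True, "ldap")

def breakglass_with_ldap_down() -> tuple:
    # Internal accounts keep working when the external server is unreachable.
    offline = Broker(INTERNAL, external=ldap_down, external_name="ldap")
    return offline.authenticate("breakglass", "local-admin-pw")  # (True, "internal")
```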

File Transfer User Authentication

A file transfer user is authenticated through the Internal authentication type. The File Transfer user’s name and password are verified against the internal event broker database. If the verification is successful, the event broker permits the connection.

File Transfer user accounts do not have a permission level associated with them. All File Transfer users can read, write, and delete files from the file system available to File Transfer users.

OAuth 2.0 Authentication

OAuth allows applications to perform authentication using temporary tokens instead of permanent credentials. Using OAuth, users interacting with PubSub+ event brokers can be authenticated without requiring access to their permanent credentials. Note that OAuth is only supported over TLS.

There are two ways you can use OAuth to provide management access to an event broker:

  • Interactive: OAuth is used to authenticate a user interacting with Broker Manager or any other browser-based web application that uses SEMPv2.
  • Automated: An OAuth token is used as the credential to authenticate SEMPv2 REST requests.

When using OAuth to access Broker Manager, the user will be logged in based on the token from a third-party identity provider. If OAuth is configured as the authentication method, an OAuth login button will be displayed on the login screen. Clicking the button will redirect the user to the OAuth provider's login page where they can enter their credentials. If the user is already logged with the provider, they will be immediately redirected back to Broker Manager. For more information, see Configuring OAuth Authentication.

Similarly, with the automated setup, when a client makes a SEMPv2 request using OAuth, it includes one or more OAuth tokens in the HTTP Authorization header as a bearer token. The event broker verifies the token and automatically selects the correct profile. For more information, see SEMP Authentication and Authorization.

User Access To CLI Commands

Each command offered through the Solace CLI has a particular scope and access level requirement. Therefore, a CLI user can only use a command offered through the CLI if that user’s configured access levels are sufficient for the scope of the command.

CLI User Access Levels

Access levels are assigned to each CLI user account to control what types of commands the user is allowed to execute. The following access levels are available:

  • none: The CLI user cannot execute CLI commands except for a few that pertain to the login and display preferences for the user’s own account.
  • read-only: The CLI user can execute CLI commands to display operational information about the event broker but cannot change its configuration. A monitoring application would typically use a read-only access level.
  • read-write: The CLI user can execute CLI commands to both display operational information about the event broker and perform most event broker configuration, including creating other CLI user accounts with access levels of none. A management user responsible for configuring the event broker or Message VPN services would commonly be granted a read-write access level.
  • admin: The CLI user can execute all CLI commands on the event broker. This includes controlling event broker-wide authentication and authorization parameters and creating other admin users. (This access level can only be applied to global-scoped commands.)

CLI Command Scopes

CLI users can be configured to manage the entire event broker and/or a subset of Message VPNs. To permit this level of control, each CLI user account is assigned access levels for the following different scopes:

  • global: A global access level dictates what the user is allowed to do across the entire event broker.
  • Message VPN: One or more Message VPN access levels dictate what the CLI user is allowed to do within Message VPNs.

An assigned global access level is all-encompassing and takes precedence over the Message VPN access level. It gives a CLI user the same level of access for all CLI commands, including those that have a Message VPN scope. To configure it, see Configuring Global Access Levels.

In addition to a global access level, Message VPN access levels are assigned so that users with none or read-only global access levels can be granted increased access to Message VPN-scoped CLI commands, as required. An assigned Message VPN access level can only increase–not decrease–the Message VPN access level that a CLI user effectively receives from its assigned global access level. The Message VPN access levels can be assigned through:

  • The default Message VPN access level: This provides a consistent Message VPN access level across all provisioned Message VPNs. A default Message VPN access level is always assigned to a CLI user, but it only affects a CLI user’s access to Message VPN-scoped CLI commands if it is greater than the user’s assigned global access level. For more information, see Configuring Message VPN Default Access Levels.
  • Message VPN exceptions: These are per-Message VPN exceptions to the default Message VPN access level. These exceptions can either increase or decrease the assigned default Message VPN access level for the specified Message VPN. For more information, see Configuring Message VPN Access Level Exceptions.

Assigning both global-scoped and Message VPN-scoped access levels allows the appropriate access to be granted to users based on their administrative roles. Consider the two following examples:

  • A system‑wide administrator could be assigned a global access level of admin, which allows that user to run any command on the event broker, whether it is a global-scoped or Message VPN-scoped command.
  • A user who needs to monitor operational statistics within a Message VPN could be assigned a global access level of none and a Message VPN access level of read-only for that Message VPN.
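The precedence rules above (global level first, then the default Message VPN level or a per-VPN exception, which can only raise the effective level), worked through in Python as an added example that is not Solace code. The user records and Message VPN names are constructed; the first two users mirror the two examples just given.

```python
# Ordered from least to most privileged; RANK gives each level a comparable index.
LEVELS = ["none", "read-only", "read-write", "admin"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def effective_vpn_level(global_level: str, default_vpn_level: str,
                        exceptions: dict, vpn: str) -> str:
    """Access level the user effectively has for commands scoped to `vpn`."""
    # The global level applies to VPN-scoped commands too; within a Message VPN
    # the highest level is read-write, so global admin maps to read-write.
    from_global = min(RANK[global_level], RANK["read-write"])
    # A per-VPN exception replaces the default for that VPN and may be lower.
    from_vpn = RANK[exceptions.get(vpn, default_vpn_level)]
    # The VPN-scoped assignment can only raise what the global level grants.
    return LEVELS[max(from_global, from_vpn)]


# Constructed user records: username -> (global level, default Message VPN
# level, per-VPN exceptions). The Message VPN names are constructed too.
USERS = {
    # First example from the text: a system-wide administrator.
    "sysadmin": ("admin", "none", {}),
    # Second example from the text: monitors statistics in one Message VPN.
    "vpn-monitor": ("none", "none", {"orders": "read-only"}),
    # read-only globally, read-write by default, lowered by an exception on "hr";
    # the global read-only level still applies there because exceptions cannot
    # reduce what the global level grants.
    "orders-operator": ("read-only", "read-write", {"hr": "none"}),
}


def vpn_level(username: str, vpn: str) -> str:
    """Effective Message VPN access level of a constructed user for one VPN."""
    global_level, default_vpn_level, exceptions = USERS[username]
    return effective_vpn_level(global_level, default_vpn_level, exceptions, vpn)
```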

For security reasons, only a few administrators should be given access to CLI user accounts with global access levels of read-write or admin. In general, Message VPN-scoped CLI commands contain the message-vpn keyword, or they are contained in a CLI mode with the message-vpn keyword. For example, commands to configure client usernames, durable endpoints, and Distributed Caches are created on a per-Message VPN basis:

solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# acl-profile <name>
...
solace(configure)# message-spool message-vpn <vpn-name>
solace(configure/message-spool)# create queue <name>
...
solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# distributed-cache-management

Assigning Access Levels

For information on assigning access levels, refer to Configuring Default CLI User Access Levels with External Authentication.

Creating and Managing CLI User Accounts

Your ability to create and delete user accounts, and to change the access levels and passwords of existing user accounts, depends on the global access level of the user account you use. The general limitations for each global access level are as follows:

  • A CLI user with a global access level of admin can create, delete, or make changes to other CLI user accounts without any restrictions.
  • A CLI user account with a global access level of read-write can:
    • only create or delete other CLI user accounts with a global access level of none
    • set a Message VPN access level for any CLI user account
    • change the password for its own user account and user accounts with an access level of none
  • A CLI user account with a global access level of read-only or none can only change the password of its own user account.

When access level and password changes are made to a CLI user account, they do not affect any active sessions that are using that user account. The changes only take effect the next time a user logs in to that CLI user account.
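The account-management rules listed above, expressed as a policy check in Python (an added example, not Solace code): given the actor's global access level, whether a change to a CLI user account is permitted. The action names are constructed for the example; the admin-only change of a global access level follows the admin capabilities listed later on this page.

```python
# Constructed action names covering the rules in the list above.
ACTIONS = {"create", "delete", "set-global-level", "set-vpn-level", "change-password"}


def may_manage(actor_level: str, action: str, target_level: str,
               is_self: bool = False) -> bool:
    """Return True if an actor with global level `actor_level` may apply
    `action` to an account whose global access level is `target_level`."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if actor_level == "admin":
        return True                                  # no restrictions
    if actor_level == "read-write":
        if action in ("create", "delete"):
            return target_level == "none"            # only none-level accounts
        if action == "set-vpn-level":
            return True                              # any CLI user account
        if action == "change-password":
            return is_self or target_level == "none"
        return False                                 # global level: admin only
    # read-only and none: only their own password
    return action == "change-password" and is_self


def allowed_actions(actor_level: str, target_level: str,
                    is_self: bool = False) -> set:
    """Every action `actor_level` may take on a `target_level` account."""
    return {a for a in sorted(ACTIONS)
            if may_manage(actor_level, a, target_level, is_self)}
```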

Access Level Capabilities

There are multiple possible global access levels and Message VPN access levels that can be assigned to a CLI user with various capabilities and limitations.

CLI users only see commands that they are authorized to execute. This means, for example, that Help commands will not show unauthorized commands, and CLI tab‑completion will not complete a command for which the user is not authorized. In addition, wildcard characters used in CLI commands will not allow a user to see or access network resources, such as Message VPNs or client profiles, that they are not authorized for.

Global Access Levels

The following describes each global access level that can be assigned to a CLI user, together with many of the capabilities and limitations that the access level presents.

none

The CLI user has access to minimal CLI commands, and no jail file system access. However, a CLI user with this global access level can:

  • use ?, help, and tree commands (unauthorized commands are not shown)
  • use the show authentication current-user User EXEC command to view its own access level information
  • change its own password, if the user is authenticated through the internal database
  • navigate through command modes, as required, to execute authorized commands
  • log out of the current session
  • enable/disable alarm display
  • set the number of lines to use for paging output
  • enable/disable strict column wrapping
  • disconnect CLI sessions that belong to the current user (but not the current session)

CLI users with a global access level of none can be given additional access to Message VPN commands by assigning them a default Message VPN access level of read-only or read-write or a Message VPN access level exception of read-only or read-write.

read-only

(The default value for the global access level.)

In addition to the capabilities offered by a global access level of none, a CLI user with a global access level of read-only can:

  • use show User EXEC commands to view status and configuration information for the event broker and for Message VPNs
  • clear events (but not statistics)
  • access the jail file system

CLI users with a global access level of read-only can be given additional capabilities at the Message VPN level by assigning them a default Message VPN access level or a Message VPN access level exception of read-write.

read-write

In addition to the capabilities offered by a global access level of read‑only, a CLI user with an access level of read-write can perform most configuration changes, including:

  • configuring default Message VPN access levels
  • creating Message VPN access level exceptions
  • creating, deleting, or renaming internally-authenticated CLI user accounts with an access level of none
  • restarting the event broker from its current configuration file through the reload Privileged EXEC command

admin

The CLI user has full access to all global and Message VPN-scoped CLI commands (it provides an effective Message VPN access level of read-write).

Some configuration changes or actions that can only be performed with a global access level of admin include:

  • Creating, deleting, or renaming internally-authenticated CLI user accounts with an access level greater than none.
  • Changing the global access level of any CLI user account.
  • Changing the authentication configuration of CLI users with a global access level greater than none.
  • Changing the authentication configuration of CLI users in LDAP groups.
  • Restarting the event broker through the boot, reload default-config, or reload config <config-file> Privileged EXEC commands.
  • Making changes at the authentication CONFIG level of the CLI. (The only exception is the ability to make Message VPN-level changes when the CLI user is granted a sufficient default Message VPN access level.)
  • Changing the configuration database file that the event broker is currently running—changing to a different configuration database could result in a different authentication configuration.
  • Generating the sequence of commands that are required to create the current configuration for the event broker.
  • Copying configuration files to and from the event broker.
  • Creating local backups of the event broker configuration file.
  • Displaying the contents of a text file located in an event broker directory.
  • Displaying internal debugging information.
  • Gathering a number of diagnostic files and command output into a single diagnostics file.
  • Setting the pre-shared authentication keys for the event broker in a redundant deployment.
  • Setting a server certificate for the event broker.

VPN Access Levels

The following describes each Message VPN access level that can be assigned to a CLI user, together with many of the capabilities and limitations that the access level presents.

none

(The default value for the default Message VPN access level.)

The CLI user has no access to Message VPN-scoped CLI commands.

read-only

The CLI user can:

  • use show commands to view status and configuration information for Message VPNs
  • clear Message VPN events (but not statistics)

read-write

In addition to the capabilities offered by a Message VPN access level of read-only, a CLI user with a Message VPN access level of read-write can perform most Message VPN scoped configuration changes.

Some configuration changes or actions are forbidden at this level (and require a higher global access level of read-write or admin) because they affect system resources. These include:

  • configuring client profiles: Global system administrators are expected to create client profiles that define how clients within a Message VPN are expected to behave. However, a CLI user limited to Message VPN scope can show client profiles and assign client profiles to client username objects.

  • creating or deleting Message VPNs
  • configuring Message VPN parameters that affect system resources, such as:
    • export-policy
    • management-message-vpn
    • max-connections
    • max-subscriptions
    • semp-over-msgbus
    • max-egress-flows
    • max-endpoints
    • max-ingress-flows
    • max-spool-usage
    • max-transacted-sessions
  • configuring the following Message VPN parameters:
    • Message VPN authentication
    • Replication bridge configuration
    • Replication state and Replication [no] shutdown