Cloud Cruiser became HPE Consumption Analytics on Nov. 1st. You'll still see the old name in places while we update this site.

 

 

User authentication and authorization

Cloud Cruiser can authenticate users through internal authentication, by integrating with a Lightweight Directory Access Protocol (LDAP) server, or by integrating with a single sign-on (SSO) service.

In all scenarios, authorization to access Cloud Cruiser data is governed at the database level, so you must manage user, group, and customer data through one of the following methods:

  • Directly in the Cloud Cruiser user interface
  • Importing the data from CSV files
  • Pushing the data from an identity access management (IAM) system through the Cloud Cruiser REST API

For more information about configuring authentication in HPE Consumption Analytics Portal, see Configuring authentication.

Internal authentication

  1. The authentication service gets the authentication method from the security.properties file at startup, and identifies the method as “internal”.
  2. A user enters username and password login credentials.
  3. The authentication service verifies those credentials in the Cloud Cruiser database.
  4. If authentication is successful, the user profile is loaded from the Cloud Cruiser database.

Authentication with LDAP

  1. The authentication service gets the authentication method from the security.properties file at startup, and identifies the method as “LDAP”.
  2. A user enters username and password login credentials.
  3. The authentication service verifies those credentials in the LDAP server.
  4. If authentication is successful, the user profile is loaded from the Cloud Cruiser database. If the profile does not exist, Cloud Cruiser returns an error.

Authentication with SSO

  1. The authentication service gets the authentication method from the security.properties file at startup, and identifies the method as “SSO”.
  2. A user enters username and password login credentials.
  3. The HTTP server intercepts the request and checks with the external IAM system to determine whether the user is authenticated. If the user is not authenticated, IAM prompts the user to log in.
  4. After IAM verifies the credentials, it sends a username to the HTTP server.
  5. The HTTP server forwards the login request to Cloud Cruiser, including tokens in the HTTP header.
  6. The Cloud Cruiser authentication service validates that the expected tokens are present.
  7. If authentication is successful, the user profile is loaded from the Cloud Cruiser database. If the profile does not exist, Cloud Cruiser returns an error.
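
Steps 5 to 7 make the HTTP server the only source Cloud Cruiser should accept SSO headers from. The following added example models that trust boundary; it is not Cloud Cruiser code, and the header names, proxy address, and in-memory profile store are assumptions made for illustration.

```python
import ipaddress

# Hypothetical values: the page does not name the SSO headers or the proxy address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
REQUIRED_HEADERS = ("X-SSO-User", "X-SSO-Token")


class AuthError(Exception):
    """Raised when an SSO login request must be rejected."""


def strip_identity_headers(client_headers):
    """HTTP server side: drop any SSO headers sent by the client itself,
    so that only values set after the IAM check reach the application."""
    blocked = {h.lower() for h in REQUIRED_HEADERS}
    return {k: v for k, v in client_headers.items() if k.lower() not in blocked}


def authenticate_sso(peer_addr, headers, profiles):
    """Application side: steps 6 and 7 of the SSO flow."""
    # Headers are only meaningful if the request came through the HTTP server.
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        raise AuthError("request did not come through the SSO HTTP server")

    # Step 6: every expected token must be present and non-empty.
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    missing = [h for h in REQUIRED_HEADERS if not normalized.get(h.lower())]
    if missing:
        raise AuthError("missing SSO headers: " + ", ".join(missing))

    # Step 7: the profile must already exist in the local store (a dict here,
    # standing in for the Cloud Cruiser database).
    username = normalized["x-sso-user"]
    profile = profiles.get(username)
    if profile is None:
        raise AuthError(f"no profile for {username!r}")
    return profile
```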

Authorization

You can restrict user access to data in Cloud Cruiser based on the use of customers, user groups, and users. You can do this in the following ways:

  • You can create records manually through the Cloud Cruiser interface, as described in Creating customers, Giving users permission to customer data, and Creating user groups.
  • If you do not want to create customer and user records in Cloud Cruiser manually, you can import existing records stored in CSV files. For more information, see Importing customers and Importing users.
  • You can also automate the configuration of customers, user groups, and users by using the Cloud Cruiser REST API. This API allows systems such as IAM to query, add, modify, and delete records. You can access the API through Java or Perl, a browser, or PowerShell.

The following example shows a Perl script that creates a customer called Research as a child customer of the parent Sales customer:

use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

# Create customer
my $myurl = "http://localhost:8080/rest/v2/custom...Sales|Research";
my $req = HTTP::Request->new(POST => $myurl);
$req->header('Accept' => 'application/xml');

# Set the Basic Authentication header
$req->authorization_basic('admin', '*********');

# New customer attributes
my $content = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><customer
xmlns=\"http://www.cloudcruiser.com/webservices/v2/Customer\"><accountId>GS|20020</accountId>
<active>true</active><accountingDay>1</accountingDay><fiscalStartMonth>1</fiscalStartMonth>
<description>Sales-Research</description><ratePlan name=\"Default\" id=\"1\"/></customer>";
$req->content($content);

# Send request and report the HTTP status
my $ua = LWP::UserAgent->new;
my $res = $ua->request($req);
print $res->status_line, "\n";

The following example shows a Perl script that creates a user group called FinancialReporters and associates that group with two customers, Sales-Marketing and the Sales-Research customer created in the previous example:

use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

# Create group
my $myurl = "http://localhost:8080/rest/v2/ccusers/groups/?groupName=FinancialReporters";
my $req = HTTP::Request->new(POST => $myurl);
$req->header('Accept' => 'application/xml');

# Set the Basic Authentication header
$req->authorization_basic('admin', 'Cloud2999');

# New group attributes
my $content = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>
<userGroup xmlns=\"http://www.cloudcruiser.com/webservices/v2/User\">
<groupName>FinancialReporters</groupName><accountView name=\"Default\" groupDefault=\"true\"/>
<allAccounts>false</allAccounts><allowedAccounts><accountid>Sales|marketing</accountid>
<accountid>Sales|Research</accountid></allowedAccounts></userGroup>";
$req->content($content);

# Send request and report the HTTP status
my $ua = LWP::UserAgent->new;
my $res = $ua->request($req);
print $res->status_line, "\n";

The following example shows a Perl script that creates a user named Andy Admin as a member of the FinancialReporters user group:

use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

# Create user
my $myurl = "http://localhost:8080/rest/v2/ccusers/users/?userName=Andy Admin";
my $req = HTTP::Request->new(POST => $myurl);
$req->header('Accept' => 'application/xml');

# Set the Basic Authentication header
$req->authorization_basic('admin', 'sn34ky');

# New user attributes
my $content = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>
<user xmlns=\"http://www.cloudcruiser.com/webservices/v2/User\">
<userName>Andy Admin</userName><active>true</active><userGroup name=\"FinancialReporters\" 
id=\"10303\"/><fullName>Administrator</fullName><domainName>MS</domainName>
<emailAddress>aadmin\@andyadmin.com</emailAddress><nativeCCUser>true</nativeCCUser>
<roles><role><name>Admin</name><type>ADMIN</type><description>Full access to all application 
functions</description></role><role><name>Advanced Analytics</name><type>ANALYTICS</type>
<description>Access advanced analytics functionality</description></role><role>
<name>Customer Budget</name><type>CUST_BUDGET</type><description>Access to customer 
budgets</description></role><role><name>Report User</name><type>REPORT_USER</type>
<description>Access only to running reports</description></role></roles></user>";
$req->content($content);

# Send request and report the HTTP status
my $ua = LWP::UserAgent->new;
my $res = $ua->request($req);
print $res->status_line, "\n";
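
When an IAM system pushes records through this API, group names and account IDs arrive as data, so the payload is safer built with an XML serializer than by string concatenation. The following added example (not from the original documentation) builds the same userGroup request that way and reads the credentials from the environment. The `Content-Type` header and the `CC_API_USER` and `CC_API_PASSWORD` variable names are assumptions.

```python
import base64
import os
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Namespace, host and path are taken from the page's Perl examples.
USER_NS = "http://www.cloudcruiser.com/webservices/v2/User"
BASE_URL = "http://localhost:8080/rest/v2/ccusers"


def build_group_xml(group_name, account_ids):
    """Serialize a userGroup payload; the serializer escapes <, > and & in values."""
    ET.register_namespace("", USER_NS)

    def q(name):
        return f"{{{USER_NS}}}{name}"

    group = ET.Element(q("userGroup"))
    ET.SubElement(group, q("groupName")).text = group_name
    ET.SubElement(group, q("accountView"), {"name": "Default", "groupDefault": "true"})
    ET.SubElement(group, q("allAccounts")).text = "false"
    allowed = ET.SubElement(group, q("allowedAccounts"))
    for account_id in account_ids:
        ET.SubElement(allowed, q("accountid")).text = account_id
    return ET.tostring(group, encoding="utf-8", xml_declaration=True)


def build_group_request(group_name, account_ids, user, password):
    """Build (but do not send) the POST request for creating a user group."""
    query = urllib.parse.urlencode({"groupName": group_name})  # encodes spaces, &, =
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{BASE_URL}/groups/?{query}",
        data=build_group_xml(group_name, account_ids),
        method="POST",
        headers={"Accept": "application/xml",
                 "Content-Type": "application/xml",  # assumption, not set in the Perl scripts
                 "Authorization": f"Basic {token}"})


if __name__ == "__main__":
    # Hypothetical environment variable names; keeps the password out of the script.
    req = build_group_request("FinancialReporters", ["Sales|marketing", "Sales|Research"],
                              os.environ["CC_API_USER"], os.environ["CC_API_PASSWORD"])
    with urllib.request.urlopen(req) as res:
        print(res.status, res.reason)
```

Basic authentication sends the password base64-encoded, not encrypted, so outside a localhost test the base URL should use HTTPS.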
© Copyright 2018 Hewlett Packard Enterprise Development LP