Access Control

Version: 17.07

Supported Since: 17.01

Access control mechanisms limit the operational scope of each user of an IPS installation.

IPS provides two modes of access control: a simple one based on static username-password authentication, and a more structured one based on Active Directory (LDAP).

Simple Authentication

This provides a single super-admin account (with all privileges) accessible via the username admin and password admin.

LDAP-based Access Control

This mode of access control is not available in the demo IPS installation.

IPS can be configured with an LDAP server by defining appropriate values for the following environment variable entries of the IPS web application runtime:

| Variable | Description | Example |
| --- | --- | --- |
| ldap_url | base URL of the LDAP server | ldap://ldap.foo.com:389 |
| ldap_domain | domain of the LDAP server | foo.com |
| ldap_search_base | base path of the LDAP user base | CN=Users,DC=foo,DC=com |
| ldap_userdn | username for LDAP login | root@foo.com |
| ldap_password | password for LDAP login | r00t |
| super_ldap_group | DN of the super-admin LDAP group | CN=IPSSuper,CN=Builtin,DC=foo,DC=com |

These can be configured by modifying the corresponding entries under the spec.template.spec.containers[0].env section of the ipsweb replication controller. This allows IPS to utilize the role-based access control model defined in the specified LDAP server.
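As an added example (not taken from the IPS documentation), the env section described above could look like the following fragment, assuming the replication controller runs on Kubernetes. The container name ipsweb and the Secret ips-ldap-bind are assumptions; the variable names and values are the examples listed above, except that the bind password is referenced from a Secret rather than stored inline.

```yaml
# Fragment of the ipsweb replication controller (added example).
# Only the path spec.template.spec.containers[0].env is shown.
spec:
  template:
    spec:
      containers:
        - name: ipsweb                      # assumed container name
          env:
            - name: ldap_url
              value: "ldap://ldap.foo.com:389"
            - name: ldap_domain
              value: "foo.com"
            - name: ldap_search_base
              value: "CN=Users,DC=foo,DC=com"
            - name: ldap_userdn
              value: "root@foo.com"
            # An inline `value:` here would leave the bind password readable
            # by anyone who can view the replication controller object.
            # Referencing a Secret keeps it out of the object's spec.
            - name: ldap_password
              valueFrom:
                secretKeyRef:
                  name: ips-ldap-bind       # hypothetical Secret name
                  key: password             # hypothetical key in that Secret
            - name: super_ldap_group
              value: "CN=IPSSuper,CN=Builtin,DC=foo,DC=com"
```

The container still receives ldap_password as an ordinary environment variable, so the application sees the same six variables either way.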

Session Invalidation

To keep user sessions consistent with access control policies, IPS invalidates all existing user sessions (effectively logging out all currently logged-in users) whenever an access control-related update (e.g. group deletion or modification) is performed. This includes the session of the user performing the update: if you make such a modification, you are immediately logged out of the dashboard webapp (this is the expected behavior) and must log in again to continue accessing the dashboard.

Figure 1. Session invalidation confirmation prompt