Cfgauth configuration

The following configuration items set up authentication and permissioning information for Liberator's cfgauth auth module

Note: The cfgauth module is not suitable for use in production.

Cfgauth enables you to configure authentication for Liberator users and establish simple permissions for the types of objects they access.

For background information, see the Liberator Features and Concepts page about User authentication and permissioning.

The general auth module configuration also applies to cfgauth. In particular, you use an auth-module configuration item to specify that Liberator is to use the cfgauth module.

auth-module cfgauth

Here are the cfgauth configuration items; to get more detail, just click on the item you're interested in.

​Also on this page:

The cfgauth.conf configuration file

The configuration for cfgauth is kept in a separate configuration file called cfgauth.conf. If you're not using the Caplin Deployment Framework, you should put the cfgauth configuration items you require into this file.

The CfgPermissioning blade

In Liberator version 6.2.6 or later

If you deploy Liberator version 6.2.6 or later using the Deployment Framework version 6.2.1 or later, there's a built-in CfgPermissioning Config blade that changes Liberator's auth module to cfgauth and supplies a skeleton configuration file for the module. This blade isn't activated by default. Before activating it, make sure you first deactivate the currently active permissioning blade (if you've just installed a new Liberator, this will be the OpenPermissioning blade, which loads the openauth module):

./dfw deactivate OpenPermissioning
./dfw activate CfgPermissioning

The blade's skeleton cfgauth.conf configuration file is in <Framework-root>/global_config/overrides/servers/Liberator/etc. Edit this file to set up the users you require and their access permissions. There are some commented out examples in the file for you to follow.

In older versions of Liberator (6.2.5 or earlier)

In older versions of Liberator (6.2.5 or earlier), there's no CfgPermissioning blade, so to set up cfgauth:

  1. Deactivate the OpenPermissioning blade:

    ./dfw deactivate OpenPermissioning
  2. Add the cfgauth module to <Framework-root>/global_config/overrides/servers/Liberator/etc/rttp.conf:
    auth-module cfgauth
  3. Create a configuration file called cfgauth.conf in <Framework-root>/global_config/overrides/servers/Liberator/etc/cfgauth.conf and put the cfgauth configuration you require in there.

Tip: There's an example cfgauth.conf file in <Framework-root>/kits/Liberator\Liberator-<version>/etc. If you want to add more users and permissions to cfgauth, you can copy this file to <Framework-root>/global_config/overrides/servers/Liberator/etc/ and edit that copy.

Don't edit the cfgauth.conf file directly in <Framework-root>/kits/Liberator\Liberator-<version>/etc

add-user

add-user specifes a Liberator user who will be authenticated by cfgauth, and the access permissions for that user. If the sigcheck option is supplied, cfgauth always authenticates the user against the signature in a credentials token, otherwise it authenticates against the user's password.

Syntax:

(Click on an option to see its description in the table below.)

add-user
   username [string]
   password [string]
   licenses [integer]
   read     [array of integers]
   write    [array of integers]
   prefix   [string]
   sigcheck [boolean]
   siguser  [string]
   http     [boolean]
   expire   [string]
end-user

The options for add-user are:

Name Type Default Description
expire string NULL Specifies a start date from which this user is allowed access to the Liberator and the duration in days for which access is valid. The format is YYYYMMDDNN, where YYYYMMDD is the start date and NN is the number of days. For example, 2015042030 allows the user access for 30 days starting from 20 April 2015.
http boolean FALSE

When http is set to TRUE, the user is allowed access to specified HTTP directories (HTTP-authenticated directories). Each allowed directory must be specified by an add-authdir configuration item in which the check-module option is set to TRUE.

licenses integer 1 The maximum number of concurrent Liberator sessions that a licenced user can have.
password string [none]

The password for this user.

If encrypted-passwords is set to 1, the passwords must be encrypted using the cfgpass utility

Note: cfgpass is only available in Linux-based Liberator installations.

To run cfgpass:

  1. Navigate to <Framework-root>/servers/Liberator/bin
    (where <Framework-root> represents the file path of the Deployment Framework's topmost directory for the Platform installation)
  2. Type the command ./cfgpass.
  3. When prompted, enter the password twice.

    cfgpass then displays the encrypted version of the password.
prefix string [none]

A prefix that's added to every subject this user subscribes to, before the subscription is actioned. This effectively personalises the subscription request.

Example:

add-user
   username UserA
​   ...
   prefix /TIER1
end-user

add-user
   username UserB
   ...
   prefix /TIER2
end-user


When UserA subscribes to /FX/GBPUSD, the request is actioned as a subscription to /TIER1/FX/GBPUSD

But when UserB subscribes to the same subject, the request is actioned as a subscription to /TIER2/FX/GBPUSD

read array of integers [none]

A space-separated list of the object types that this user can read.

The supported object types are:

* Unknown Objects are objects that have been requested from an active DataSource application. The actual type of such an object may not be known until the DataSource application returns the object together with information about its type.

** System Information Objects include /SYSTEM/AUTH/, /SYSTEM/LICENSE/, /SYSTEM/LICENSING/

sigcheck boolean FALSE

When TRUE, the password option is ignored and instead the cfgauth module authenticates this user against the signature in a credentials token supplied by KeyMaster.

If you set sigcheck to TRUE, you must supply a value for siguser.

siguser string [none]
(But option doesn't apply unless sigcheck is TRUE)

A signature key used to authenticate this user against the signature in a credentials token supplied by KeyMaster. If sigcheck is set to TRUE, you must supply a value for siguser. The value must be a signature key id that is the same as the key-id option of an add-sigkey configuration entry. (This means you can have several users for whom the cfgauth module uses the same signature checking key.)

username string [none] The username for this user.
write array of integers [none]

A space-separated list of the object types that this user can write to.

The supported object types are:

* Unknown Objects are objects that have been requested from an active DataSource application. The actual type of such an object may not be known until the DataSource application returns the object together with information about its type.

** System Information Objects include /SYSTEM/AUTH//SYSTEM/LICENSE/,  /SYSTEM/LICENSING/

encrypted-passwords

encrypted-passwords specifies whether or not the passwords specified in the password option of each add-user item are encrypted.

  • encrypted password 1 means the passwords are encrypted.
  • encrypted password 0 means the passwords are plain text.

Syntax:

encrypted-passwords <0-or-1>

Type: integer

Default value: 0 (passwords are plain text)


See also: