Auth Plugin Configuration - 1000TurquoisePogs/zlux GitHub Wiki
ZLUX has a security system by which it can determine whether users should be permitted to do actions by running checks about user authenticity and authority that are relevant to the environment. It does this by providing an API such that security plugins can be installed to answer requests for authentication & authorization, such that regardless of what security manager or operating system ZLUX is running on, the rules of that security manager can be respected & leveraged. An example of this is that in past releases of Zowe, ZLUX has been configured to utilize either ZSS, API Mediation Layer, or z/OSMF to determine if a user's credentials are valid and if they are able to call a given REST API.
Server Configuration
ZLUX will not run without a security plugin being configured. Within the server configuration file, a section `dataserviceAuthentication` exists which describes which plugin(s) to use, and which one is the default. Several can be used, as different plugins/services can be protected by different security plugins.

`dataserviceAuthentication` has the following attributes:
- defaultAuthentication: The name of the security plugin type that should be used for all plugins unless otherwise specified.
- implementationDefaults: The object describing the security plugin types requested, and the specific plugins that implement each type. This object has one attribute per type, named after the type.
  - type: Each type requires an implementing plugin in order for the server to utilize it.
    - plugins: An array listing the IDs of the security plugins for that type. Currently, only the first one in the array is utilized if found.
- rbac: A boolean that security plugins can utilize to determine whether the configuration should use role-based authorization control. Currently the `org.zowe.zlux.auth.zss` plugin uses this.
Example
An install of Zowe 1.5.0 with SSO turned on has this configuration:

```json
"dataserviceAuthentication": {
  "defaultAuthentication": "zss",
  "rbac": false,
  "implementationDefaults": {
    "apiml": {
      "plugins": ["org.zowe.zlux.auth.apiml"]
    },
    "zss": {
      "plugins": ["org.zowe.zlux.auth.zss"]
    }
  }
}
```
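The resolution rules described above (default type unless a service requests another, only the first plugin listed for a type is used, and the server refuses to start without the section) can be checked mechanically. The following is an added example, not code from the zlux project: a validator and resolver for a `dataserviceAuthentication` block, run here against the Zowe 1.5.0 configuration shown above. The set of installed plugin IDs is constructed by the caller; the function names are this example's own.

```javascript
// Added example, not code from the zlux project: validate a
// dataserviceAuthentication block and resolve which security plugin serves
// a given auth type, following the rules documented above.

// The Zowe 1.5.0 block from the example above, embedded so this runs offline.
const exampleServerConfig = {
  dataserviceAuthentication: {
    defaultAuthentication: 'zss',
    rbac: false,
    implementationDefaults: {
      apiml: { plugins: ['org.zowe.zlux.auth.apiml'] },
      zss: { plugins: ['org.zowe.zlux.auth.zss'] }
    }
  }
};

// Returns { errors, warnings }. Errors make the block unusable; warnings
// flag settings that are accepted but partly ignored.
function validateDataserviceAuthentication(serverConfig) {
  const errors = [];
  const warnings = [];
  const auth = serverConfig && serverConfig.dataserviceAuthentication;
  if (!auth) {
    errors.push('dataserviceAuthentication is missing; ZLUX will not run without a security plugin');
    return { errors, warnings };
  }
  const impls = auth.implementationDefaults || {};
  if (typeof auth.defaultAuthentication !== 'string') {
    errors.push('defaultAuthentication must name a security plugin type');
  } else if (!impls[auth.defaultAuthentication]) {
    errors.push(`defaultAuthentication "${auth.defaultAuthentication}" has no entry in implementationDefaults`);
  }
  for (const [type, entry] of Object.entries(impls)) {
    if (!entry || !Array.isArray(entry.plugins) || entry.plugins.length === 0) {
      errors.push(`type "${type}" lists no implementing plugin`);
    } else if (entry.plugins.length > 1) {
      // Only the first plugin in the array is used; the rest are ignored.
      warnings.push(`type "${type}" lists ${entry.plugins.length} plugins; only "${entry.plugins[0]}" will be used`);
    }
  }
  if (auth.rbac !== undefined && typeof auth.rbac !== 'boolean') {
    errors.push('rbac must be a boolean');
  }
  return { errors, warnings };
}

// installedPluginIds: a Set of plugin IDs the server actually loaded (constructed by the caller).
// requestedType: the type a service asked for, or undefined to use the default.
// Returns { type, pluginId, rbac }, or null when no installed plugin can serve the type.
function resolveAuthPlugin(serverConfig, installedPluginIds, requestedType) {
  const { errors } = validateDataserviceAuthentication(serverConfig);
  if (errors.length > 0) throw new Error(errors.join('; '));
  const auth = serverConfig.dataserviceAuthentication;
  const type = requestedType || auth.defaultAuthentication;
  const entry = auth.implementationDefaults[type];
  if (!entry) return null;                    // unknown type: nothing can serve it
  const pluginId = entry.plugins[0];          // first listed plugin wins
  if (!installedPluginIds.has(pluginId)) return null; // configured but not installed
  return { type, pluginId, rbac: auth.rbac === true };
}

// Usage with the embedded configuration:
const installed = new Set(['org.zowe.zlux.auth.zss', 'org.zowe.zlux.auth.apiml']);
console.log(validateDataserviceAuthentication(exampleServerConfig));
console.log(resolveAuthPlugin(exampleServerConfig, installed));         // zss, the default
console.log(resolveAuthPlugin(exampleServerConfig, installed, 'apiml')); // apiml, requested explicitly
```

A configured-but-missing plugin resolves to `null` rather than silently falling back to another type, which mirrors the server's behaviour of requiring an implementing plugin for every type it is asked to use.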
Security Plugin API
Security plugins are plugins containing Node.js code that the server calls to delegate security operations.
Constructor
The constructor is currently given 4 parameters:
- pluginDefinition: The object describing the plugin's definition file
- pluginConf: An object that gives the plugin its configuration from the Config Service internal storage
- serverConfiguration: The object describing the server's current configuration
- context: An object holding contextual objects
  - logger: A logger with the name of the plugin's ID
Constructor return object
The constructor should return a capabilities object, which tells the server what sort of security operations the plugin can handle. Currently, the following properties are used in the capabilities object.
- canGetStatus: If the `getStatus(sessionState)` function exists
- canRefresh: If the `refreshStatus(request, sessionState)` function exists
- canAuthenticate: If the `authenticate(request, sessionState):Promise` function exists (Required, assumed)
- canAuthorized: If the `authorized(request, sessionState, options)` function exists (Required, assumed)
- proxyAuthorizations: If the `addProxyAuthorizations(req1, req2Options, sessionState)` function exists