3.2.1 Managing Users
After you install GoldenGate Stream Analytics, it is important to authenticate and manage users who use the application.
User details are stored in a database. When you create a GGSA schema at the time of installation, the following database tables are populated with one record in each table:
- osa_users: table containing the users
- osa_user_roles: table containing the user names and their associated roles
When you execute a query to pull in all the data from the osa_users table, you can see the following:

select * from osa_users;
+----+----------+--------------------------------------+
| id | username | pwd                                  |
+----+----------+--------------------------------------+
|  1 | osaadmin | MD5:201f00b5ca5d65a1c118e5e32431514c |
+----+----------+--------------------------------------+

where osaadmin is the pre-configured user and the pwd column holds its password in MD5 hash form.
When you execute a query to pull in all the data from the osa_user_roles table, you can see the following:

select * from osa_user_roles;
+---------+---------+
| user_id | role_id |
+---------+---------+
|       1 |       1 |
+---------+---------+

where a role_id of 1 indicates that the user is an administrator.
3.2.1.1 Adding Users
Though you can continue using Oracle GoldenGate Stream Analytics through the pre-configured user, it is a best practice to create your own users and delete the default pre-configured user.
When you add a user, it is highly recommended, though not mandatory, to obfuscate or encrypt the password. You can use the utility provided with the application server (Jetty) to encrypt the password.
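The following Python is an added example, not code from this guide or from the product: it reproduces the MD5: credential form shown in the pwd column and audits constructed osa_users and osa_user_roles rows for the points this section raises (default user still present, passwords not stored through the Jetty utility, who holds the administrator role). It assumes the stored form is Jetty's Credential.MD5, that is the MD5: prefix followed by the lowercase hex MD5 of the password's ISO-8859-1 bytes; the rows for alice and bob are made up.

```python
import hashlib
import hmac

# Constructed rows mirroring the osa_users / osa_user_roles output above: row 1 is the
# pre-configured osaadmin from the guide, rows 2-3 are made up (alice's pwd is the MD5:
# form of the constructed password "abc"; bob's was inserted without the Jetty utility).
OSA_USERS = [
    {"id": 1, "username": "osaadmin", "pwd": "MD5:201f00b5ca5d65a1c118e5e32431514c"},
    {"id": 2, "username": "alice", "pwd": "MD5:900150983cd24fb0d6963f7d28e17f72"},
    {"id": 3, "username": "bob", "pwd": "plaintext-secret"},
]
OSA_USER_ROLES = [{"user_id": 1, "role_id": 1}, {"user_id": 2, "role_id": 1}]
ADMIN_ROLE_ID = 1  # role_id 1 = administrator, per the osa_user_roles output above
JETTY_PREFIXES = ("MD5:", "OBF:", "CRYPT:")  # forms Jetty's Password utility produces

def jetty_md5_credential(password: str) -> str:
    """Build the 'MD5:<hex>' credential form shown in the pwd column. Assumes, as
    Jetty's Credential.MD5 does, that the ISO-8859-1 bytes of the password are hashed."""
    return "MD5:" + hashlib.md5(password.encode("latin-1")).hexdigest()

def credential_matches(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored MD5: credential using a
    constant-time comparison; other prefixes (OBF:, CRYPT:) are not handled here."""
    if not stored.startswith("MD5:"):
        return False
    return hmac.compare_digest(stored.encode(), jetty_md5_credential(candidate).encode())

def audit_users(users, roles, admin_role_id=ADMIN_ROLE_ID):
    """Return (finding, username) pairs a reviewer would raise against the user store:
    the default osaadmin still present, pwd values not produced by the Jetty utility,
    and every administrator so the admin population can be reviewed."""
    admins = {r["user_id"] for r in roles if r["role_id"] == admin_role_id}
    findings = []
    for u in users:
        if u["username"] == "osaadmin":
            findings.append(("default-user-present", u["username"]))
        if not u["pwd"].startswith(JETTY_PREFIXES):
            findings.append(("password-not-hashed-or-obfuscated", u["username"]))
        if u["id"] in admins:
            findings.append(("administrator", u["username"]))
    return findings
```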
Add Users Through User Interface
You can add/create users through the Oracle GoldenGate Stream Analytics application user interface.
To add a new user:
- Go to System Settings.
- Under the User Management tab, click Add user.
- Enter details in the Username, Password, and Confirm Password fields.
- Click Create. You can see the new user along with the predefined user in the list of available users.
Repeat these steps for as many users as you need. If you try to create a user with the same name as an existing user, the error "A user profile with the user name <username> already exists. Please specify another user name." is displayed.
Add Users Through Code
To add a new user:
NewUser using <password>. Repeat these steps to create as many users as you require.
3.2.1.2 Changing Password
Change Password Through User Interface
To change a user password:
- Go to System Settings.
- Click the User Management tab.
- Click Change Password next to the required user within the list of available users, provide a value for the new password, and click Save. Passwords are stored in MD5 hash form.
Change Password Using Code
To change a user password:
NewUser.
3.2.1.3 Removing Users
You may want to remove users when you no longer need them.
Before you proceed to delete any user, make a note of the following:
- If a user who owns draft pipelines is deleted, the pipelines are either migrated to the current user or deleted, based on the selection you make at the time of deletion.
- If you attempt to delete yourself, all your draft pipelines are deleted after you confirm. The current user session is invalidated and you are signed out of the application immediately.
Delete Users Through User Interface
To delete a user:
- Go to System Settings.
- Click the User Management tab.
- Click Delete next to the required user within the list of available users and then click OK in the confirmation dialog.
Delete Users Through Code
To delete a user:
3.2.1.4 Configuring LDAP for User Authentication and Management
Oracle GoldenGate Stream Analytics uses the LDAP support in Jetty. The Lightweight Directory Access Protocol (LDAP) is an open, industry-standard application protocol for accessing and maintaining distributed directory information services over an IP network. With this feature, you can use those directory information services for user authentication and management. To use Microsoft directory services, set up a Microsoft Active Directory.
User authentication and management can use either an internal or an external LDAP.
For internal LDAP, use the following command to create an LDAP service with default administrative access:
docker run --name ldap-service --hostname ldap-service -p 389:389 --detach osixia/openldap:1.2.1
3.2.1.4.1 Setting Up LDAP
To use LDAP for user authentication:
- Update etc/override-web.xml to specify the LDAP role (EMPLOYEE for Oracle LDAP) and the realm osa-realm-ldap. If you need to switch back from LDAP to the data source, update etc/override-web.xml to specify the role admin and the realm osa-realm-ds. Changing the realm in etc/override-web.xml is what switches between LDAP and the data source: you can keep ldap-login.conf configured to retain the LDAP settings and toggle between LDAP and the data source just by changing override-web.xml.
- Update /osa-base/etc/ldap-login.conf as per your LDAP user/group settings. For example:

  For the User role:

  osa-demo-ldap {
      org.eclipse.jetty.jaas.spi.LdapLoginModule required
      debug="true"
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      hostname="<hostname>"      // hostname of the LDAP server
      port="389"
      authenticationMethod="simple"
      forceBindingLogin="true"
      userBaseDn="l=emea,dc=oracle,dc=com"
      userRdnAttribute="uid"
      userIdAttribute="mail"
      userPasswordAttribute="userPassword"
      userObjectClass="person"
      roleBaseDn="l=emea,dc=oracle,dc=com"
      roleNameAttribute="opn_access_level"
      roleMemberAttribute="targetdn"
      roleObjectClass="person";
  };

  For the Employee role:

  osa-demo-ldap {
      org.eclipse.jetty.jaas.spi.LdapLoginModule required
      debug="true"
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      hostname="<hostname>"      // hostname of the LDAP server
      port="389"
      authenticationMethod="simple"
      forceBindingLogin="true"
      userBaseDn="l=amer,dc=oracle,dc=com"
      userRdnAttribute="uid"
      userIdAttribute="mail"
      userPasswordAttribute="userPassword"
      userObjectClass="person"
      roleBaseDn="l=amer,dc=oracle,dc=com"
      roleNameAttribute="employeetype"
      roleMemberAttribute="targetdn"
      roleObjectClass="organizationalPerson";
  };

  Remember to change userBaseDn and roleBaseDn to match your locality name:
  If in America: userBaseDn="l=amer,dc=oracle,dc=com" roleBaseDn="l=amer,dc=oracle,dc=com"
  If in Asia Pacific: userBaseDn="l=apac,dc=oracle,dc=com" roleBaseDn="l=apac,dc=oracle,dc=com"
  If in Europe: userBaseDn="l=emea,dc=oracle,dc=com" roleBaseDn="l=emea,dc=oracle,dc=com"
- (Re)start the application.
3.2.1.4.2 Setting Up Microsoft Active Directory
To set up Microsoft Active Directory 2016:
- Ensure that the role name is updated in the web.xml file located at /osa-base/etc/override-web.xml:

  <auth-constraint>
      <role-name>developer</role-name>
  </auth-constraint>

- Update /osa-base/etc/ldap-login.conf as per your LDAP user/group settings. For example:

  osa_demo_ldap {
      org.eclipse.jetty.jaas.spi.LdapLoginModule required
      debug="true"
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      hostname="<hostname>"          // the Active Directory server hostname
      port="389"                     // the Active Directory server port
      bindDn="CN=Administrator,CN=Users,DC=corp,DC=oradev,DC=com"
      bindPassword="<password>"      // if the Active Directory server allows anonymous login, bindDn and bindPassword are not needed; otherwise set the Active Directory server admin DN and password
      authenticationMethod="simple"  // set to "none" if the Active Directory server allows anonymous login, otherwise "simple"
      forceBindingLogin="true"
      // user attributes as per the user setup in the Active Directory server
      userBaseDn="l=amer,dc=oracle,dc=com"
      userRdnAttribute="uid"
      userIdAttribute="mail"
      userPasswordAttribute="userPassword"
      userObjectClass="person"
      // role (group) attributes as per the group setup in the Active Directory server
      roleBaseDn="l=amer,dc=oracle,dc=com"
      roleNameAttribute="opn_access_level"
      roleMemberAttribute="targetdn"
      roleObjectClass="person";
  };
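Before the restart step in 3.2.1.4.1 and 3.2.1.4.2, it helps to confirm which realm override-web.xml selects and whether ldap-login.conf is complete. The Python below is an added example, not part of the product or this guide: the two file contents and the entry name are constructed (with the <hostname> placeholder deliberately left in), while the realm names osa-realm-ldap / osa-realm-ds and the LdapLoginModule option keys are the ones used above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not the product's real files): the realm selects LDAP,
# and the ldap-login.conf still carries the <hostname> placeholder.
OVERRIDE_WEB_XML = ("<web-app><security-constraint><auth-constraint>"
                    "<role-name>EMPLOYEE</role-name></auth-constraint></security-constraint>"
                    "<login-config><realm-name>osa-realm-ldap</realm-name></login-config></web-app>")
LDAP_LOGIN_CONF = """osa-demo-ldap {
  org.eclipse.jetty.jaas.spi.LdapLoginModule required
    debug="true" contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    hostname="<hostname>" port="389"   // placeholder never replaced
    authenticationMethod="simple" forceBindingLogin="true"
    userBaseDn="l=emea,dc=oracle,dc=com" userRdnAttribute="uid" userIdAttribute="mail"
    userPasswordAttribute="userPassword" userObjectClass="person"
    roleBaseDn="l=emea,dc=oracle,dc=com" roleNameAttribute="employeetype"
    roleMemberAttribute="targetdn" roleObjectClass="organizationalPerson";
};"""
REQUIRED = ("hostname", "port", "userBaseDn", "userRdnAttribute", "userIdAttribute",
            "userObjectClass", "roleBaseDn", "roleNameAttribute", "roleMemberAttribute")

def realm_from_override_web(xml_text):
    """Return the <realm-name> text; tag matching ignores any XML namespace."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "realm-name":
            return (el.text or "").strip()
    return None

def parse_jaas_options(conf_text):
    """Collect key="value" options of the JAAS entry after dropping // and <!-- --> comments."""
    text = re.sub(r"//[^\n]*|<!--.*?-->", "", conf_text, flags=re.S)
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', text))

def check_ldap_setup(xml_text, conf_text):
    """Return (mode, findings): mode is 'datasource' or 'ldap' from the realm in
    override-web.xml; findings are the problems to fix before the restart step."""
    realm = realm_from_override_web(xml_text)
    if realm == "osa-realm-ds":
        return "datasource", []          # ldap-login.conf is kept but not consulted
    findings = [] if realm == "osa-realm-ldap" else [f"unexpected realm {realm!r}"]
    opts = parse_jaas_options(conf_text)
    findings += [f"missing {k}" for k in REQUIRED if k not in opts]
    findings += [f"placeholder left in {k}" for k, v in opts.items() if re.fullmatch(r"<.*>", v)]
    if ("bindDn" in opts) != ("bindPassword" in opts):
        findings.append("bindDn and bindPassword must be set together")
    if opts.get("forceBindingLogin") != "true":
        findings.append('forceBindingLogin is not "true"')
    return "ldap", findings
```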