Fusion Security integration with FMR

From FMR Knowledge Base
Revision as of 05:48, 25 March 2024 by Vmurrell (talk | contribs)
Jump to navigation Jump to search

Overview

This guide explains how to get Fusion Security to communicate with the Fusion Metadata Registry. Please note, that "Fusion Security" is an old Security Web Application and should not be confused with the newer product "Fusion Security Manager".

Support for Fusion Security was added in FMR version 11.9.0, so this information is only applicable to FMR 11.9.0 and subsequent versions.

Setting up Fusion Security

Fusion Security is a Java Web Application that can be deployed like any other WAR file. If possible it is recommended to have it on a different Tomcat to the one running FMR. For the purposes of this guide, it is assumed to be running on localhost, port: 8081 with the name of "Fusion Security". So direct access to its ui would be made at http://localhost:8081/FusionSecurity

Most of Fusion Security's configuration must be specified within the Fusion Security configuration file. To read more on this please refer to the Setup Guide. For the use of Fusion Security please refer to the User Guide.

Once Fusion Security has started you can check it is operational by checking the following pages:

Setting up Communication from FMR to Fusion Security

There is no User Interface to assign Fusion Security as FMR's security mechanism. The assignment must be performed via database manipulation.

  • Start your Fusion Security instance in the Tomcat of your choice. We recommend using port 8081.
  • Determine what the entry point for your Fusion Security instance is. An example of this is: http://localhost:8081/FusionSecurity . This value is the front page of Fusion Security but should not have any explicit pages (such as overview.html or index.html) in it.


This value needs to be specified as the security.url in the FMR database. You may not use the User Interface to do this. To modify the database:

1. Using the database tool of choice edit the table: registry_settings 2. Modify or add the following values 

 security.auth.prov:    registry
 security.url:          http://localhost:8081/FusionSecurity

or run the following SQL (for MySQL): 

INSERT  INTO `registry_settings`(`name`,`value`) 
VALUES
('security.auth.prov','registry'),
('security.url','http://localhost:8081/FusionSecurity')
ON DUPLICATE KEY UPDATE
    `name` = VALUES(`name`),
    `value` = VALUES(`value`);

FMR must be restarted after this. This change will not change a running Registry.

NOTE: When viewining an FMR connected to a Fusion Security, the Server Security page will not explicitly show this connection.

Troubleshooting

Eratic behaviour in the User Interface

Fusion Security will time out a user after 15 minutes of inactivity, where inactivity is defined as being no communication from client to server. After this period, the root / admin user of Fusion Security is logged out, but there is no clue given via the front-end User Interface. The User Interface may then act erratically. If you suspect Fusion Security is not performing tasks correctly:

  • In your browser of choice, navigate to the front page of Fusion Security. If logged in, explicitly click log out
  • Log in as the root user
  • Attempt the task again

Web Service Communication

Fusion Security communicate to FMR via the Web Service: 

http://localhost:8080/FusionRegistry/ws/public/sdmxapi/rest/organisationscheme/all/all/latest/?references=none&detail=full

This Web Service must be returning in SDMX 2.1 format all of the Organisations present in FMR.

FMR communicate to Fusion Security via the Web Service: 

http://localhost:8081/FusionSecurity/ws/auth/organisationscheme/all/all/latest/?references=none&detail=full

This is a secure Web Service and so is invoked with user and password credentials. It returns informnation about the user such as the user's role and administration permissions.

Ensuring Fusion Security can communicate with FMR

  • In your browser of choice, navigate to the front page of Fusion Security
  • Log in as the root user
  • Select a user other than the root user - if no other users exist, create one.
  • On the right-hand side of the screen should be 2 tabs: "User Details" and "Organisations". Click on Organisations
  • A tree of structures obtained from the FMR should be displayed. This is grouped by Agencies, Data Providers and Data Consumers.
  • If this list is populated with the correct structures, then Fusion Security can get information from FMR. If not, then Fusion Security has not been set up correctly.

Ensuring FMR can communicate with Fusion Security

  • Explicitly log out of Fusion Security (if logged in) and then log in as the root user.
  • Create a new user in Fusion Security with an easy name and simple password. Do not use unusual characters in either the username or password - stick to simple alphanumerics.
  • Set this new user to be an Administrator
  • In FMR attempt to logon as this user
  • If you are now logged in to the FMR and can access the Settings pages the 2 systems are communicating correctly

If you see failures, look at the FMR log and look for communication to Fusion Security. There should be entries like: 

INFO qtp1076496284-44 io.sdmx.fusion.service.manager.FusionSecurityRESTAuthenticationManager - Attempting authentication for: <user>
INFO qtp1076496284-44 io.sdmx.utils.http.broker.RestMessageBroker - Call URL: http://localhost:8081/FusionSecurity/ws/auth/organisationscheme/all/all/latest/?references=none&detail=full

Look for errors of mis-configured URLs

Retrieved from "https://fmrwiki.sdmxcloud.org/index.php?title=Fusion_Security_integration_with_FMR&oldid=7426"