Authentication
After entering the tool, the user is shown a form in which to enter the URI of the Scheduler Server to connect to. The URI of the server has the format //<host>:<port>/.
If the tool has not been configured to use Kerberos or Denodo Single Sign On authentication, the user also has to provide a user name and password to connect, as shown in Authentication screen.
The Scheduler supports the following authentication methods:
Authentication with login and password. To log in, you need to provide a username and a password. The Scheduler servers delegate the authentication to a Virtual DataPort server (see section Virtual DataPort Settings for instructions about how to configure it). This allows access to Scheduler with the existing Virtual DataPort users (including the Virtual DataPort “admin” user). Scheduler also retrieves the roles that have been assigned to the user on that server (roles can be created and assigned from the Virtual DataPort Administration Tool, see the Virtual DataPort Administration Guide). Scheduler allows assigning permissions to a specific role, to delimit the tasks a user with that role can perform over the Scheduler server. The permissions are assigned from the Scheduler Administration Tool (see section Permissions for more information).
Single sign-on with Kerberos. The browser automatically provides a Kerberos ticket that identifies the user logged in to the system. The Scheduler sends it to your Kerberos server, typically an Active Directory, which performs the authentication.
Single sign-on with an Identity Provider. The Scheduler delegates the authentication to an external Identity Provider. Currently, the authentication protocols supported are:
SAML
OAuth
OpenID Connect
If the administrator enabled single sign-on with Kerberos or with an Identity Provider but you want to log in with user and password, go to https://denodo-server.acme.com:9443/webadmin/denodo-scheduler-admin?auth=login.
Note
You cannot configure Single sign-on with Kerberos and Single sign-on with an Identity Provider at the same time.
Note
Single sign-on is automatically configured when accessing Scheduler from Agora. Also, authentication with login and password is disabled.
Scheduler servers allow list
To restrict the Scheduler servers that users can connect to from the Scheduler Web Administration Tool, set the parameter allowedSchedulerHostnames in the Scheduler Web Administration Tool configuration file <DENODO_HOME>/conf/scheduler-webadmintool/ConfigurationParameters.properties.
This change will take effect the next time the Scheduler Web Administration Tool server restarts.
With this parameter you can specify a list of allowed Scheduler servers, following the format allowedSchedulerHostnames=["host_1","host_2",...,"host_n"].
For example: allowedSchedulerHostnames=["localhost","scheduler1.acme.com","scheduler2.acme.com"].
Connection details
Once authenticated, the information icon shows the host and port of the Scheduler server the administration tool is connected to.
The login name of the authenticated user is shown in the Logout link of the User menu.
From the Help menu you will get direct access to reference materials about the Scheduler: online documentation, tutorials, training courses, videos, and more.
To find out the subscription package you have, you can open the About dialog of the Scheduler.
Scheduler Server Local Authentication
In every Scheduler server, there is a local user out of the box (with password initially set to “admin”) with administration rights for the server. To connect to a server with that user, open the URL https://denodo-server.acme.com:9443/webadmin/denodo-scheduler-admin/?auth=login/#/local-login (if you use HTTP instead of HTTPS, the port is 9090), and then enter the URI of the Scheduler server and the password of its local administration user.
Note
This feature is disabled when accessing Scheduler from Agora.
Note
Any Virtual DataPort user with administration permissions over the Scheduler server has the same privileges as the local administration user, but VDP-based authentication and role retrieval only work while the Scheduler server can connect to the configured Virtual DataPort server. For example, you cannot authenticate if the Virtual DataPort server is down, or if it changes its execution port. In those cases, only local-based authentication can take place.
Web Administration Tool Local Authentication
In every Scheduler Web Administration Tool, there is a local user out of the box (with password initially set to “admin”) with permissions to configure the tool (see section Web Configuration).
To configure the Web Administration Tool, open the URL https://denodo-server.acme.com:9443/webadmin/denodo-scheduler-admin/#/web-local-login (if you use HTTP instead of HTTPS, the port is 9090), and then enter the password of the local web administration user.
To disable these local user accounts, follow these steps:
Open the file <DENODO_HOME>/conf/scheduler-webadmintool/ConfigurationParameters.properties.
Set this property as follows:
weblogin.enabled=false
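Added example, not part of the Denodo documentation or product code: a small Python audit of ConfigurationParameters.properties that covers both the allowedSchedulerHostnames allow list (section "Scheduler servers allow list") and the weblogin.enabled switch described above. The sample file content, the function names and the case-insensitive hostname comparison are assumptions; the page does not state how the tool itself matches hostnames.

```python
import json
import re

# Constructed sample of ConfigurationParameters.properties, not a real deployment.
SAMPLE_PROPERTIES = """\
allowedSchedulerHostnames=["localhost","scheduler1.acme.com","scheduler2.acme.com"]
weblogin.enabled=true
"""

def parse_properties(text):
    """Parse plain key=value lines; skips blanks and #/! comments (no escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def allowed_hosts(props):
    """Return the allow list as lower-cased hostnames, or None when unset."""
    raw = props.get("allowedSchedulerHostnames")
    if raw is None:
        return None
    hosts = json.loads(raw)  # the documented ["a","b"] format parses as JSON
    if not isinstance(hosts, list) or not all(isinstance(h, str) for h in hosts):
        raise ValueError("allowedSchedulerHostnames must be a list of strings")
    return [h.strip().lower() for h in hosts]

def host_of(uri):
    """Extract <host> from a Scheduler URI of the form //<host>:<port>/."""
    match = re.fullmatch(r"//([^/:\s]+):(\d{1,5})/?", uri.strip())
    if match is None:
        raise ValueError(f"not a //<host>:<port>/ URI: {uri!r}")
    return match.group(1).lower()

def audit(text, uris=()):
    """Return findings for the allow list and the local-account switch."""
    props = parse_properties(text)
    findings = []
    hosts = allowed_hosts(props)
    if hosts is None:
        findings.append("allowedSchedulerHostnames is not set")
    else:
        # Assumption: case-insensitive exact hostname match.
        findings += [f"{u} is not in the allow list" for u in uris if host_of(u) not in hosts]
    if props.get("weblogin.enabled", "").lower() != "false":
        findings.append("weblogin.enabled is not set to false")
    return findings
```

Pass the Scheduler URIs your users rely on as the second argument to see which of them a new allow list would block before restarting the Web Administration Tool.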