Revolution R Enterprise DeployR 7.1 Enterprise Security Guide. Authentication, Authorization, and Access Controls

Revolution R Enterprise DeployR 7.1 Enterprise Security Guide Authentication, Authorization, and Access Controls

The correct bibliographic citation for this manual is as follows: Revolution Analytics, Inc. 2014. Revolution R Enterprise DeployR Enterprise Security Guide. Revolution Analytics, Inc., Mountain View, CA. Revolution R Enterprise DeployR Enterprise Security Guide Copyright 2014 Revolution Analytics, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of Revolution Analytics. U.S. Government Restricted Rights Notice: Use, duplication, or disclosure of this software and related documentation by the Government is subject to restrictions as set forth in subdivision (c) (1) (ii) of The Rights in Technical Data and Computer Software clause at 52.227-7013. Revolution R, Revolution R Enterprise, RPE, RevoScaleR, DeployR, RevoTreeView, and Revolution Analytics are trademarks of Revolution Analytics. Other product names mentioned herein are used for identification purposes only and may be trademarks of their respective owners. Revolution Analytics 2570 West El Camino Real Suite 222 Mountain View, CA, 94040 USA We want our documentation to be useful, and we want it to address your needs. If you have comments on this or any Revolution document, write to doc@revolutionanalytics.com.

Contents Chapter 1: Overview...1 Chapter 2: Authentication and Authorization...3 Siteminder Single Sign-On (Pre-Authentication)...4 LDAP Authentication...5 Active Directory Authentication...6 PAM Authentication...7 Basic Authentication...7 Chapter 3: Server Access Controls...9 Working with HTTPS...9 Mandatory HTTPS...9 Working with IP Address Filters...10 Working with XDR (CORS)...10 Chapter 4: Project and Repository File Access Controls...11 Project Access Controls...11 Repository File Access Controls...12 Repository File Download Controls...12 Repository Scripts Access Controls...13 Repository Script Download Controls...14 Chapter 5: Appendix: LDAP & Active Directory Properties...15 [i]

ii Chapter 1: Overview

Revolution R Enterprise DeployR Enterprise Security Guide Overview 1 1 DeployR is a server framework that exposes the R platform as a service to allow the integration of R statistics, analytics, and visualizations inside Web, desktop, and mobile applications. In addition to providing a simple yet powerful Web services API, the framework also supports a highly-flexible, enterprise security model. By default, DeployR supports basic authentication. Users simply provide plain text username and password credentials, which are then matched against user account data stored in the DeployR database. User accounts are created and managed by an administrator using the DeployR Administration Console. Given these credentials are passed from client to server as plain text, we strongly recommend that you enable and use HTTPS connections, in production environments, every time your application attempts to authenticate with DeployR. For more information, see the section Working with HTTPS in this document. While basic authentication provides a simple and reliable authentication solution, the ability to deliver a seamless integration with existing enterprise security solutions is often paramount. The DeployR enterprise security model can easily be configured to "plug" into a number of widelyadopted enterprise security solutions. The DeployR security model is sufficiently flexible that it can work with multiple enterprise security solutions at the same time. As such, DeployR ships with a number of security providers that together represent a provider-chain upon which user credentials are evaluated. For more information, see Chapter 2. Every aspect of the DeployR security model is controlled by simple configuration properties found in the DeployR external configuration file. This file can be found at $DEPLOYR_HOME/deployr/deployr.groovy. The following chapters in this guide detail how to work with these configuration properties to achieve your preferred security implementation.

2 Chapter 1: Overview

3 Revolution R Enterprise DeployR Enterprise Security Guide Authentication and 2 Authorization DeployR ships with security providers for the following enterprise security solutions: Siteminder Single Sign-On (Pre-Authentication) LDAP Authentication Active Directory Services PAM Authentication Services Basic Authentication The DeployR security model is sufficiently flexible that it can work with multiple enterprise security solutions at the same time. If two or more enterprise security solutions are active, then user credentials are evaluated by each of the DeployR security providers in the order indicated in preceding list. If a security provider, at any depth in the provider-chain, establishes that the credentials are valid, then the login call succeeds. If the user credentials are not validated by any of the security providers in the provider-chain, then the login call fails. When DeployR processes a user login, there are two key steps involved: 1. Credentials must be authenticated 2. Access privileges must be determined DeployR access privileges are determined by the roles assigned to a user. In the case of basic authentication, an administrator simply assigns roles to a user within the DeployR Administration Console. Learn More! For information on how to manage user accounts as well as how to use roles as a means to assign access privileges to a user or to restrict access to individual R scripts, refer to the Revolution R Enterprise DeployR Administration Console Guide. When you integrate with an external enterprise security solution, you want access privileges to be inherited from the external system. This is achieved with simple mappings in the DeployR configuration properties, which link external groups to internal roles.

4 Chapter 2: Authentication and Authorization Siteminder Single Sign-On (Pre-Authentication) By default, the Siteminder security provider is disabled. To enable Siteminder support you must update the relevant properties in your DeployR external configuration file. Configuring a Siteminder Policy Server is outside the scope of this document, we assume yours is already up and running and you understand what header fields your policy server is using. / Siteminder Single Sign-On (Pre-Authentication) Policy Properties / deployr.security.siteminder.preauth.enabled = false // deployr.security.preauth.username.header // Identify Siteminder username header, defaults to HTTP_SM_USER as used by Siteminder Tomcat 7 Agent. deployr.security.preauth.username.header = 'HTTP_SM_USER' // deployr.security.preauth.group.header // Identify Siteminder groups header. deployr.security.preauth.group.header = 'SM_USER_GROUP' // deployr.security.preauth.group.separator // Identify Siteminder groups delimiter header. deployr.security.preauth.group.separator = '^' // deployr.security.preauth.groups.map // Allows you to map Siteminder group names to DeployR role names: deployr.security.preauth.groups.map = [ 'SM_GROUP_A' : 'ROLE_BASIC_USER', 'SM_GROUP_B' : 'ROLE_POWER_USER' ] // deployr.security.preauth.default.role // Optional, grant default DeployR Role to all Siteminder authenticated users: deployr.security.preauth.default.role = 'ROLE_BASIC_USER'

Revolution R Enterprise DeployR Enterprise Security Guide 5 LDAP Authentication By default, the LDAP security provider is disabled. To enable LDAP authentication support, you must update the relevant properties in your DeployR external configuration file. The values you assign to these properties should match the configuration of your LDAP Directory Information Tree (DIT). Note: The LDAP and Active Directory security providers are, in fact, one and the same, and only their configuration properties differ. As such, you may enable the LDAP provider or the Active Directory provider but not both at the same time. / DeployR LDAP Authentication Configuration Properties / grails.plugins.springsecurity.ldap.context.managerdn = 'dc=example,dc=com' grails.plugins.springsecurity.ldap.context.managerpassword = 'secret' grails.plugins.springsecurity.ldap.context.server = 'ldap://localhost:10389/' grails.plugins.springsecurity.ldap.context.anonymousreadonly = true grails.plugins.springsecurity.ldap.search.base = 'ou=people,dc=example,dc=com' grails.plugins.springsecurity.ldap.search.searchsubtree = true grails.plugins.springsecurity.ldap.authorities.retrievegrouproles = true grails.plugins.springsecurity.ldap.authorities.groupsearchbase = 'ou=people,dc=example,dc=com' grails.plugins.springsecurity.ldap.authorities.defaultrole = "ROLE_BASIC_USER" grails.plugins.springsecurity.ldap.authorities.groupsearchfilter = 'member={0}' // Optionally, specify LDAP password encryption algorithm: MD5, SHA-256 // grails.plugins.springsecurity.password.algorithm = 'xxx' // deployr.security.ldap.user.properties.map // Allows you to map between LDAP user property names to DeployR user property names: deployr.security.ldap.user.properties.map = ['displayname':'cn', 'email':'mail'] // deployr.security.ldap.roles.map // Allows you to map between LDAP group names to DeployR role names: deployr.security.ldap.roles.map = ['ROLE_BASIC_USER':'ROLE_BASIC_USER', 'ROLE_SOME_LDAP_ROLE':'ROLE_POWER_USER'] Note: For a complete list of LDAP configuration properties, refer to the Appendix: LDAP & Active Directory Properties in this guide.

6 Chapter 2: Authentication and Authorization Active Directory Authentication By default, the Active Directory security provider is disabled. To enable Active Directory authentication support you must update the relevant properties in your DeployR external configuration file. The values you assign to these properties should match the configuration of your Active Directory Directory Information Tree (DIT). Note: The LDAP and Active Directory security providers are, in fact, one and the same, and only their configuration properties differ. As such, you may enable the LDAP provider or the Active Directory provider but not both at the same time. / DeployR Active Directory Configuration Properties / grails.plugins.springsecurity.ldap.context.managerdn = 'dc=example,dc=com' grails.plugins.springsecurity.ldap.context.managerpassword = 'secret' grails.plugins.springsecurity.ldap.context.server = 'ldap://locahost:10389/' grails.plugins.springsecurity.ldap.authorities.ignorepartialresultexception = true grails.plugins.springsecurity.ldap.search.base = 'ou=people,dc=example,dc=com' grails.plugins.springsecurity.ldap.search.searchsubtree = true grails.plugins.springsecurity.ldap.search.attributestoreturn = ['mail', 'displayname'] grails.plugins.springsecurity.ldap.search.filter="samaccountname={0}" grails.plugins.springsecurity.ldap.auth.hideusernotfoundexceptions = false grails.plugins.springsecurity.ldap.authorities.retrievegrouproles = true grails.plugins.springsecurity.ldap.authorities.groupsearchfilter = 'member={0}' grails.plugins.springsecurity.ldap.authorities.groupsearchbase = 'ou=group,dc=example,dc=com' // Optionally, specify LDAP password encryption algorithm: MD5, SHA-256 // grails.plugins.springsecurity.password.algorithm = 'xxx' // deployr.security.ldap.user.properties.map // Allows you to map between LDAP user property names to DeployR user property names: deployr.security.ldap.user.properties.map = ['displayname':'cn', 'email':'mail'] // deployr.security.ldap.roles.map // Allows you to map between LDAP group names to DeployR role names: deployr.security.ldap.roles.map = ['ROLE_BASIC_USER':'ROLE_BASIC_USER', 'ROLE_SOME_LDAP_ROLE':'ROLE_POWER_USER'] Note: For a complete list of LDAP configuration properties, refer to the Appendix: LDAP & Active Directory Properties in this guide.

Revolution R Enterprise DeployR Enterprise Security Guide 7 PAM Authentication By default, the PAM security provider is disabled. To enable PAM authentication support, you must update the relevant properties in your DeployR external configuration file. PAM is the Linux Pluggable Authentication Modules provided to support dynamic authorization for applications and services in a Linux system. If DeployR is installed on a Linux system, then the PAM security provider allows users to authenticate with DeployR using their existing Linux system username and password. / DeployR PAM Authentication Policy Properties / deployr.security.pam.authentication.enabled = false // deployr.security.pam.groups.map // Allows you to map between PAM User group names to DeployR role names: deployr.security.pam.groups.map = [ 'PAM_GROUP_A' : 'ROLE_BASIC_USER', 'PAM_GROUP_B' : 'ROLE_POWER_USER' ] // deployr.security.pam.default.role // Optional, grant default DeployR Role to all PAM authenticated users: deployr.security.pam.default.role = 'ROLE_BASIC_USER' Basic Authentication By default, the Basic Authentication security provider is enabled. The Basic Authentication provider is always enabled and there are no additional security configuration properties for this provider. / DeployR Basic Authentication Policy Properties /

8 Chapter 2: Authentication and Authorization

Revolution R Enterprise DeployR Enterprise Security Guide Server Access Controls 3 9 Working with HTTPS The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of message transmissions on the Internet. By default, SSL on DeployR is disabled. To enable SSL support, follow the step-by-step instructions in the Configuring SSL for Tomcat section of the DeployR installation guide for your OS. Once your DeployR deployment has SSL enabled client applications can make API calls that connect over HTTPS. Also note that the following external configuration properties can be used to ensure all connections to the DeployR Administration Console are secured using HTTPS. / DeployR Administration Console Encryption (HTTPS) Configuration. Enable the following properties to enforce encryption on all Administration Console connections. / grails.plugins.springsecurity.auth.forcehttps = false grails.plugins.springsecurity.portmapper.httpport=7100 grails.plugins.springsecurity.portmapper.httpsport=7101 Mandatory HTTPS While the section Working with HTTPS details how you can enable SSL on the DeployR server so that client applications can make API calls that connect over HTTPS, providing this facility is not always enough. Sometimes you want to make it mandatory for client applications to connect over HTTPS. Using the Server Policies tab in the DeployR Administration Console, you can find a mechanism to enforce this policy at runtime. The Operation Policies for authenticated, asynchronous, and anonymous operations each support an HTTPS encrypted property. If you enable this property, then any non-https connections to the server will be automatically rejected.

10 Chapter 3: Server Access Controls Working with IP Address Filters While access to DeployR is typically controlled by the authentication mechanisms discussed in this document, DeployR also supports access controls based on IP address filters. Under the Server Policies tab in the DeployR Administration Console, you have a mechanism to configure your IP address filter policy. The Operation Policies for authenticated, asynchronous, and anonymous operations each support an IP filter property. If you assign an IP filter to this property, then any attempt by a client application to connect from outside of the IP address range on that filter will be automatically rejected. For example, you can make your DeployR server instance accessible only from IP addresses on the local LAN or VPN, such as 192.168.1.xxx or 10.xxx.xxx.xxx. Note that it is possible to achieve these same kinds of access controls with an appropriate configuration on your firewall and/or routers. Refer to the chapters Managing Access with IP Filters and Managing Server Policies in the Revolution R Enterprise DeployR Administration Console Guide for further details. Working with XDR (CORS) By default, support for CORS is disabled. To enable CORS support, you must update the relevant properties in your DeployR external configuration file. Once enabled, CORS support in the DeployR server permits cross-site HTTP requests, which are requests for resources from a domain other than where the DeployR is hosted. Optionally, you can specify a value for Access-Control-Allow-Origin on the cors.headers property if you want to restrict cross-site HTTP requests to only those requests coming from a specific domain. / DeployR CORS Policy Configuration cors.headers = [ 'Access-Control-Allow-Origin': 'http://app.example.com'] / cors.enabled = false

11 Revolution R Enterprise DeployR Enterprise Security Guide Project and Repository File 3 Access Controls DeployR enforces a consistent security model across projects and repository-managed files. This model is based on two simple precepts: ownership and access levels. Project Access Controls When a project is created, it is privately owned by default, meaning it is visible only to its owner. Such user-based privacy is a central aspect of the DeployR security model. The owner of a temporary or persistent project has, by default, full read-write access to that project and use of the full set of project-related APIs. Revolution R Enterprise DeployR 7.0 introduced a new type of secure, temporary project called a blackbox project. Blackbox projects restrict access to the underlying R session. In this case, the project owner can use only a small subset of the project-related APIs, collectively known as the Blackbox API Controls. If the owner of a project wants to grant read-only access to that project to other authenticated users, then the owner can set the access level for the project to Shared. You can change the access level on a project using the /r/project/about/update API call. Note: Anonymous users are not permitted access to projects. For more information, refer to the section Introducing Projects on the API in the DeployR API Reference Guide.

12 Chapter 3: Project and Repository File Access Controls Repository File Access Controls When a repository-managed file is created, it is privately owned by default, meaning it is visible only to its owner. Such user-based privacy is a central aspect of the DeployR security model. The owner of a repository-managed file has full read-write access to that file and use of the full set of repository-related APIs. If the owner of a repository-managed file wants to grant read-only access to that file to other users, then the owner can set the file s access level to one of the following values: Private - the default access level, the file is visible to its author(s) only. Restricted - the file is visible to authenticated users that have been granted one or more of the roles indicated on the restricted property of the file. Shared - the file is visible to all authenticated users when the shared property is true. Public - the file is visible to all authenticated and all anonymous users when the published property is true. You can change the access level on a repository-managed file using the /r/repository/file/update API call. For more information, refer to the section Introducing the Repository on the API in the DeployR API Reference Guide. Repository File Download Controls The repository file download controls provide fine-grain control over who can download repository file data. It is important to tailor the configuration of these controls in your DeployR external configuration file in order to enforce your preferred download policy for repositorymanaged files.

13 Revolution R Enterprise DeployR Enterprise Security Guide / DeployR Repository File Download Controls The repository file download controls provide fine grain control over user access to repository file data returned on the following API call: /r/repository/file/download The default repository file download policy is shown for each of the supported repository file access levels: [Private, Restricted, Shared, Public] - Files with private access can be downloaded by authors only. - Files with restriced access can be downloaded by authors and by authenticated users with sufficient privileges. - Files with shared access can be downloaded by authors and by authenticated users. - Files with public access can be downloaded by authors and by authenticated users. - Regardless of access level, by default anonymous users can not download repository files. Enable file.author.only.download to ensure only authors can download a repository-managed file. When this property is enabled the file.anonymous.download option is ignored. Enable file.anonymous.download to allow anonymous users to download files with public access. Note: The repository file download controls apply to all repository-managed files excluding R scripts. / deployr.security.repository.file.author.only.download=false deployr.security.repository.file.anonymous.download=false Repository Scripts Access Controls Repository-managed R scripts can be exposed as an executable on the API. Since repositorymanaged R scripts are a type of repository-managed files, all information in the previous section, Repository File Access Controls, also applies to repository-managed scripts. However, repository-managed R scripts deserve special mention since scripts can be managed through the Administration Console interface. Additionally, when you work with the R scripts in the Administration Console, you will likely also use and work with roles so as to impose restricted access to your R scripts. Learn More! For information on how to use roles as a means to restrict access to individual R scripts, refer to the Revolution R Enterprise DeployR Administration Console Guide.

14 Chapter 3: Project and Repository File Access Controls Repository Script Download Controls The repository script download controls provide fine-grain control over who can download repository script data. It is important to tailor the configuration of these controls in your DeployR external configuration file in order to enforce your preferred download policy for repositorymanaged scripts. / DeployR Repository Script Download Controls The repository script download controls apply to repository-managed scripts [.R/r] and markdown files [.Rmd/rmd] only. The repository script download controls provide fine grain control over user access to repository script data returned on the following API call: /r/repository/file/download Note: Script download controls do not intefere with permissions to execute a script. Execution permissions are entirely determined by the file access level assigned to the script by it's author. The default repository script download policy is shown for each of the supported repository script access levels: [Private, Restricted, Shared, Public] - Scripts with private access can be downloaded by authors only. - Scripts with restriced access can be downloaded by authors and by authenticated users with sufficient privileges. - Scripts with shared access can be downloaded by authors and by authenticated users. - Scripts with public access can be downloaded by authors and by authenticated users. - Regardless of access level, by default anonymous users can not download repository scripts. Enable script.author.only.download to ensure only authors can download a repository-managed script. When this property is enabled the script.anonymous.download option is ignored. Enable script.anonymous.download to allow anonymous users to download scripts with public access. Enabled script.list.authenticate to prevent anonymous users from calling the /r/repository/script/list API. / deployr.security.repository.script.author.only.download=false deployr.security.repository.script.anonymous.download=false deployr.security.repository.script.list.authenticate=false

15 Revolution R Enterprise DeployR Enterprise Security Guide Appendix: LDAP & Active Directory Properties The following table presents the complete list of LDAP and Active Directory properties. To use one of these configuration properties in the deployr.groovy external configuration file, you must prefix the property name with grails.plugins.springsecurity. For example, to use the ldap.context.server='ldap://localhost:389' property in deploy.groovy, you must write the property as such: grails.plugins.springsecurity.ldap.context.server='ldap://localhost:389' Table 1: Configruation Properties for LDAP and Active Directory. Property Default Value Description Context Properties ldap.context.server 'ldap://localhost:389' Address of the LDAP server. ldap.context.managerdn 'cn=admin,dc=example,dc=com' DN to authenticate with. ldap.context.managerpassword secret' Manager password to authenticate with. ldap.context.baseenvironmentproperties none Extra context properties. ldap.context.cacheenvironmentproperties true Whether environment properties should be cached between requests. ldap.context.anonymousreadonly false Whether an anonymous environment should be used for read-only operations. ldap.context.referral null ('ignore') The method to handle referrals. Can be 'ignore' or 'follow' to enable referrals to be automatically followed.

16 Appendix: LDAP & Active Directory Properties Search Properties ldap.search.base 'ou=users,dc=example,dc=com' Context name to search in, relative to the base of the configured ContextSource, e.g. 'ou=users,dc=example,dc=com'. ldap.search.searchsubtree true If true then searches the entire subtree as identified by context, if false (the default) then only searches the level identified by the context. ldap.search.filter '(uid={0})' The filter expression used in the user search. ldap.search.dereflink false Enables/disables link dereferencing during the search. ldap.search.timelimit 0 (unlimited) The time to wait before the search fails. ldap.search.attributestoreturn null (all) The attributes to return as part of the search. ldap.authenticator.dnpatterns null (none) Optional pattern(s) used to create DN search patterns, e.g. ["cn={0},ou=people"]. ldap.authenticator.attributestoreturn null (all) Names of attribute ids to return; use null to return all and an empty list to return none. Authorities Properties ldap.authorities.retrievegrouproles true Whether to infer roles based on group membership. ldap.authorities.retrievedatabaseroles false Whether to retrieve additional roles from the database using the User/Role many-to-many. ldap.authorities.grouproleattribute 'cn' The ID of the attribute which contains the role name for a group. ldap.authorities.groupsearchfilter 'uniquemember={0}' The pattern to be used for the user search. {0} is the user's DN. ldap.authorities.searchsubtree true If true a subtree scope search will be performed, otherwise a single-level search is used. ldap.authorities.groupsearchbase 'ou=groups,dc=example,dc=com' The base DN from which the search for group membership should be performed.

17 Revolution R Enterprise DeployR Enterprise Security Guide ldap.authorities.ignorepartialresultexception false Whether PartialResultExceptions should be ignored in searches, typically used with Active Directory since AD servers often have a problem with referrals. ldap.authorities.defaultrole none An optional default role to be assigned to all users. ldap.mapper.roleattributes null Optional names of role attributes. ldap.mapper.converttouppercase true Whether to uppercase retrieved role names (will also be prefixed with "ROLE_")