WSO2 Identity Server 4.5.0 - User Store Management
In this post we go through a high-level view of user management in WSO2 Carbon products from Kernel 4.2.0 onwards, and specifically in WSO2 IS 4.5.0, which is based on this kernel. These versions come with the capability to configure user stores at run time.
org.wso2.carbon.user.core is the OSGi component responsible for handling users in Carbon products. There we have the concept of a 'User Realm', which is a collection of users with attributes. It consists of the following four aspects:
- User store management
- Authorization management
- Claim management
- Profile configuration management
You can get a clear picture of these four aspects from this blog: http://xacmlinfo.org/2012/06/21/user-core-concepts-in-wso2-identity-server/ . Here we look into the improvements made to the User Store Management aspect in the newly released version. It provides the capability to configure user stores at run time, even in clustered mode as described in this previous post of mine, using a convenient UI. The following diagram shows how it happens.
In the implementation, once we enter the user name and password, they are sent to the User Store Manager (taken from the User Realm of the tenant, which is determined from the user name) for authentication.
- If the user name is 'user1', the user realm of the super tenant is used. If it is 'user1@wso2.com', the user realm of tenant 'wso2.com' is used. In either case the flow is the same: first, the primary user store manager checks for a user matching the given credentials.
- If the user name exists in the primary store but the password is wrong, no authentication decision is issued yet; the check continues down the chain. If a matching user is found, the result is returned and the flow moves to the next step, which is authorization.
- If no matching user is found in the primary user store, the secondary user store manager is used to look for a matching user in the secondary user store. This goes on until the end of the user store manager chain. If the end of the chain is reached without a match, the user is not authenticated and a response is returned saying that authentication failed for the provided credentials.
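As an added illustration of the walk described above (this is not WSO2's code; the class names, the realm lookup, the super tenant domain name 'carbon.super' and the sample users are all invented here), the following Python model chains a primary and a secondary user store manager per tenant realm, picks the realm from the part of the login after the last '@', and records which stores were consulted. It also shows what the "no decision on a wrong password" rule implies: a user present in the primary store with one password can still be authenticated by a same-named entry further down the chain, so the domains of secondary stores matter when a name exists in more than one of them.

```python
"""Model of the Carbon authentication walk over a chained set of user store
managers.  Added illustration for this post, not WSO2 code: the class names,
the realm lookup and the sample users are invented here."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUPER_TENANT_DOMAIN = "carbon.super"  # assumed name for the super tenant realm


@dataclass
class UserStoreManager:
    """One link in the chain: a domain name, its users and the next link."""
    domain: str
    users: Dict[str, str]           # user name -> password (constructed sample data)
    secondary: Optional["UserStoreManager"] = None

    def authenticate(self, user_name: str, password: str) -> bool:
        # A real store would verify a salted hash; the plaintext compare only
        # keeps the model short.
        return self.users.get(user_name) == password


@dataclass
class UserRealm:
    """Per-tenant realm; only the primary store at the head of the chain is modelled."""
    tenant_domain: str
    primary: UserStoreManager


def split_tenant(login: str) -> Tuple[str, str]:
    """'user1' -> ('user1', super tenant); 'user1@wso2.com' -> ('user1', 'wso2.com').
    The tenant domain is taken after the last '@' (an assumption of this model)."""
    if "@" in login:
        name, tenant = login.rsplit("@", 1)
        return name, tenant
    return login, SUPER_TENANT_DOMAIN


def authenticate(realms: Dict[str, UserRealm], login: str, password: str
                 ) -> Tuple[Optional[str], List[str]]:
    """Walk the chain of the tenant's realm.  Returns (domain that accepted the
    credentials or None, list of domains consulted in order)."""
    name, tenant = split_tenant(login)
    consulted: List[str] = []
    realm = realms.get(tenant)
    if realm is None:
        return None, consulted          # unknown tenant: nothing to consult
    store: Optional[UserStoreManager] = realm.primary
    while store is not None:
        consulted.append(store.domain)
        if store.authenticate(name, password):
            return store.domain, consulted   # match: hand over to authorization
        # No decision yet, even if the name existed with a different password:
        # the walk continues to the secondary store.
        store = store.secondary
    return None, consulted              # end of chain: authentication failed


def build_sample_realms() -> Dict[str, UserRealm]:
    """Constructed sample data: super tenant with a PRIMARY and a secondary
    'LDAP1' store, plus a tenant 'wso2.com' with a PRIMARY store only."""
    super_primary = UserStoreManager(
        "PRIMARY", {"user1": "pw-primary"},
        secondary=UserStoreManager("LDAP1", {"user1": "pw-ldap", "user2": "pw2"}))
    tenant_primary = UserStoreManager("PRIMARY", {"user1": "pw-tenant"})
    return {
        SUPER_TENANT_DOMAIN: UserRealm(SUPER_TENANT_DOMAIN, super_primary),
        "wso2.com": UserRealm("wso2.com", tenant_primary),
    }


if __name__ == "__main__":
    realms = build_sample_realms()
    for login, pw in [("user1", "pw-primary"), ("user2", "pw2"),
                      ("user1@wso2.com", "pw-tenant"), ("user1", "pw-ldap"),
                      ("user1", "wrong")]:
        print(login, "->", authenticate(realms, login, pw))
```

Running the block prints, for each sample login, the domain that accepted it and the chain that was walked; the 'user1' / 'pw-ldap' case is the one to look at, since 'user1' exists in PRIMARY with a different password and is still accepted by LDAP1.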
This procedure is not new in the latest version. What is new is plugging in user store managers at run time. For this there is a UI which can be used to create the configuration file. Once this user store management configuration file is dropped into the relevant folder, the 'Deployment Manager' is triggered and it updates the chain accordingly.
For the super tenant, the files go to:
CARBON_HOME/repository/deployment/server/userstores/
For a general tenant, the files go to:
CARBON_HOME/repository/tenants/<tenantID>/userstores/
How Configurations are Populated in Cluster
The user store configurations are propagated across a cluster using the 'SVN based deployment synchronizer' component of WSO2 Carbon. Once this is correctly enabled in the cluster, the modifications we make on the primary node are committed to the SVN repository. After the commit, this node sends a cluster message so that the other nodes check the changes out from the SVN repository into the relevant folders. That checkout triggers the 'Deployment Manager' on each node, and the single-node flow described above starts there.
You can try this out following this post.
Cheers!