MarkLogic Server authenticates users when they access an application. This chapter describes users and the available authentication schemes, and includes the following sections:
A user in MarkLogic Server is the basis for authenticating requests to a MarkLogic application server. Users are assigned to roles. Roles carry security attributes, such as privileges and default permissions. Permissions assigned to documents pair a role with a capability, therefore roles are central to document permissions. Users derive authorization to perform actions from their roles.
You configure users in the Admin Interface, where you assign a user a name, a password, a set of roles, and a set of default permissions. To see the security attributes associated with a given user, click on the User:username
link in the Admin Interface screen for the given user. For details on configuring users in the Admin Interface, see the Security Administration chapter in the Administrator's Guide.
During the initial installation of MarkLogic Server, four users are created. One of the users is an authorized administrator who has the admin
role. During the installation, you are prompted to specify the username and password for this user. Another user is a user named nobody
, which is created with the following roles: rest-reader, rest-extension-user, app-user, harmonized-reader
and is given a password which is randomly generated. Two other users are also created: healthcheck
, infostudio-admin
. For details about installing MarkLogic Server, see the Installation Guide.
You can control the authentication scheme for HTTP, WebDAV, ODBC, and XDBC App Servers. This section describes the authentication schemes and includes the following parts:
Basic authentication is the typical authentication scheme for web applications. When a user accesses an application page, she is prompted for a username and password. In basic mode, the password is obfuscated but not encrypted.
Digest authentication works the same way as basic, but offers encryption of passwords sent over the network. When a user accesses an application page, she is prompted for a username and password.
If you change an App Server from basic to digest authentication, it invalidates existing sessions. You must then reenter the passwords in the Admin Interface. Alternatively, you can migrate to digest-basic mode initially, then switch to digest-only mode once all users have accessed the server at least once. The first time the user accesses the server after changing from basic to digest-basic scheme, the server computes the digest password by extracting the relevant information from the credentials supplied in basic mode.
The digest-basic authentication scheme uses the more secure digest scheme whenever possible, but reverts to basic authentication when needed. Some older browsers, for example, do not support digest authentication. The digest-basic scheme is also useful if you previously used basic authentication, but want to migrate to digest. The first time a user accesses the server after changing from basic to digest-basic authentication scheme, the server computes the digest password by extracting the relevant information from the credentials supplied in basic mode.
Since the browser does not provide a way to clear a user's authentication information in basic or digest mode, the user remains logged in until the browser is shut down. In addition, there is no way to create a custom login page using these schemes. For certain deployments, application-level authentication may be more appropriate.
Certificate-based authentication requires internal and external users and HTTPS clients to authenticate themselves to MarkLogic Server via a client certificate, either in addition to, or rather than a password.
Certificate-based authentication can take the following forms:
For details on Certificate-based authentication, see Certificate-based Authentication.
Application-level authentication bypasses all authentication and automatically logs all users in as a specified default user. You specify the default user in the Admin Interface, and any users accessing the server automatically inherit the security attributes (roles, privileges, default permissions) of the default user. Application-level authentication is available on HTTP, ODBC, and WebDAV servers.
The default user should have the required privileges to at least read the initial page of the application. In many application scenarios, the user is then given the opportunity to explicitly log in to the rest of the application from that page. How much of the application and what data a user can access before explicitly logging in depends on the application and the roles that the default user is part of. For an example of this type of configuration, see Using Custom Login Pages.
The user is authenticated by Kerberos and a Kerberos session ticket is used to authenticate the user to access MarkLogic Server. For details, see Overview of External Authentication.
When SAML authentication is used, a client requests a resource from MarkLogic Server with no security context; MarkLogic redirects the authentication request to an Identity Provider. The Identity Provider prompts the user to login, if necessary, and sends the authentication request back to MarkLogic Server (the Service Provider) for validation.
There are two major components in SAML:
MarkLogic Server sends a redirect to the resource. The client requests the resource again with a security context. MarkLogic Server then authenticates the user using the information from the authentication request to grant the user access to the requested resource.
See SAML Authentication for more information.