Expand Collapse
Just a second...

SystemAuthentication.store

The SystemAuthentication.store file defines the roles that are assigned by the system authentication handler to client sessions that have authenticated with a specific security principal. It also defines whether anonymous connections are allowed or denied.

Note: You should stop the server before editing the system authentication store directly. If you are using a cluster, all the servers in the cluster should be stopped before editing. If the server or cluster is running, changes should be made using the management console or the API.

The following sections each describe the syntax for a single line of the file.

Adding a principal

Railroad diagram
A railroad diagram that describes the syntax used to add a principal to the system authentication store: ADD PRINCIPAL principal password. This can, optionally, be followed by a comma-separated list of roles inside square brackets.
Backus-Naur form
add principal " principal_name " " password " [ '[' " role " [ , " role " ] ']' ]
Example 
add principal "user6" "passw0rd"
add principal "user13" "passw0rd" ["CLIENT", "TOPIC_CONTROL"]

The password is passed in as plain text, but is stored in the system authentication store as a secure hash.

Removing a principal

Railroad diagram
A railroad diagram that describes the syntax used to remove a principal from the system authentication store: REMOVE PRINCIPAL principal.
Backus-Naur form
remove principal " principal_name "
Example 
remove principal "user25"

Assigning roles to a principal

Railroad diagram
A railroad diagram that describes the syntax used to assign roles to a principal in the system authentication store: ASSIGN ROLES principal, followed by a comma-separated list of roles inside square brackets.
Backus-Naur form
assign roles " principal_name " '[' " role " [ , " role " ] ']'
Example 
assign roles "agent77" ["CLIENT", "CLIENT_CONTROL"]

When you use this command to assign roles to a principal, it overwrites any existing roles assigned to that principal. Ensure that all the roles you want the principal to have are listed in the command.

Setting the password for a principal

Railroad diagram
A railroad diagram that describes the syntax used to set the password of a principal in the system authentication store: SET PASSWORD principal password.
Backus-Naur form
set password " principal_name " " password "
Example 
set password "user1" "passw0rd"

The password is passed in as plain text, but is stored in the system authentication store as a secure hash.

Verifying the password for a principal

Railroad diagram
A railroad diagram that describes the syntax used to verify the password of a principal in the system authentication store: VERIFY PASSWORD principal password.
Backus-Naur form
verify password " principal_name " " password "
Example 
verify password "user1" "passw0rd"

The password is passed in as plain text, but is stored in the system authentication store as a secure hash.

Allowing anonymous connections

Railroad diagram
A railroad diagram that describes the syntax used to tell the system authentication handler to allow anonymous connections: ALLOW ANONYMOUS CONNECTIONS. This can, optionally, be followed by a comma-separated list of roles inside square brackets.
Backus-Naur form
allow anonymous connections [ '[' " role " [ , " role " ] ']' ]
Example 
allow anonymous connections [ "CLIENT" ]

Denying anonymous connections

Railroad diagram
A railroad diagram that describes the syntax used to tell the system authentication handler to deny anonymous connections: DENY ANONYMOUS CONNECTIONS.
Backus-Naur form
deny anonymous connections
Example 
deny anonymous connections

Abstaining from providing a decision about anonymous connections

Railroad diagram
A railroad diagram that describes the syntax used to tell the system authentication handler to abstain from decisions about anonymous connections: ABSTAIN ANONYMOUS CONNECTIONS.
Backus-Naur form
abstain anonymous connections
Example 
abstain anonymous connections

Accepting client-proposed session properties with approved values

Railroad diagram
A railroad diagram that describes the syntax used to tell the system authentication handler to accept client-proposed properties from a list.
Backus-Naur form
trust client proposed property " property_name " '[' " value " [ , " value " ] ']'
Example 
trust client proposed property "Foo" if value in ["x", "y", "z"]

Accepting client-proposed session properties matching a regex

Railroad diagram
A railroad diagram that describes the syntax used to tell the system authentication handler to accept client-proposed properties matching a regex.
Backus-Naur form
trust client proposed property " property_name " if value matches " regex "
Example 
trust client proposed property "Foo" if value matches "^\d{3}-?\d{2}-?\d{4}$"

Use Java-style regular expressions. Evaluation uses java.util.regex.Pattern.

Removing a previously-declared trusted client-proposed session property

Railroad diagram
A railroad diagram that describes the syntax used to tell the system authentication handler to ignore a previously trusted client-proposed property.
Backus-Naur form
ignore client proposed property " property_name "
Example 
ignore client proposed property "Foo"

Isolating a path from permissions inheritance

Railroad diagram
A railroad diagram that describes the syntax used to isolate a path..
Backus-Naur form
isolate path " path_name "
Example 
isolate path "foo/bar/baz"