Transcript
Spectrum™ Technology Platform Version 9.0 SP2 Spectrum Spatial Administration Guide
Contents Chapter 1: Introduction.......................................................................................7 What's Included in This Guide.............................................................................8
Chapter 2: Configuring Your System................................................................9 Changing the Default Port Number for Spectrum Spatial...............................10 Changing Your Repository Database................................................................11 Set Up a PostgreSQL Repository Database..............................................11 Set Up an Oracle Repository Database ....................................................13 Uploading and Accessing Resources using Third Party Tools......................14 Using WebFolders to Access the Repository Resources...........................15 Using DAVExplorer to Access the Repository Resources..........................15 Configuring the Web Services...........................................................................16 About Web Service Configurations.............................................................17 How to Change Web Service Configuration Settings.................................17 Configuring Datum Transforms.........................................................................18 Running Spectrum™ Technology Platform as a Linux Service......................18 How to Run Spectrum™ Technology Platform as a Linux Service.............18 PBSpectrum Script.....................................................................................19
Chapter 3: Managing Security..........................................................................21 Security for the Spectrum™ Technology Platform...........................................22 Security Model............................................................................................22 Users..........................................................................................................23 Roles..........................................................................................................25 Secured Entity Overrides............................................................................28 Security for the Location Intelligence Module..................................................29 Example: Overriding Permissions at the Role Level..................................31 Example: Overriding Permissions at the User Level..................................34 Creating a Named Resources Administrator..............................................36 Creating a Spatial Dataflow Designer.........................................................37 Turning off Security for Services and the Repository.................................38 Disabling Platform Security Versus Turning Off Spatial Security..................40 Limiting WebDAV Access to the Repository....................................................40 Limiting Server Directory Access......................................................................41
Configuring HTTPS Communication.................................................................42
Chapter 4: Monitoring Your System................................................................45 Event Log.............................................................................................................46 Viewing the Event Log................................................................................46 Setting Event Log Options..........................................................................46 Spatial Logging...................................................................................................47 Configuring E-mail Notification.........................................................................49 Configuring License Expiration Notification....................................................49 Viewing Version Information..............................................................................50 Viewing and Exporting License Information....................................................50 Monitoring Performance.....................................................................................50 Monitoring Memory Usage.................................................................................51
Chapter 5: Managing Memory and Threading................................................53 Introduction to Managing Memory and Threading...........................................54 Spectrum Performance Tuning..........................................................................54 JVM Tuning.................................................................................................54 Remote Components Configuration...........................................................54 Increasing Heap Memory for Spatial Components..........................................55 Increasing Heap Memory for the Platform........................................................55
Chapter 6: Managing a Cluster........................................................................57 Clustered Architecture for the Location Intelligence Module.........................58 Configuring a Common Repository...................................................................59 Set Up a PostgreSQL Repository Database..............................................59 Set Up an Oracle Repository Database ....................................................61 Configuring Your System...................................................................................62 Adding a Map File Share............................................................................62 Modifying the Service Configurations.........................................................63 Modifying Java Properties File...................................................................63 Configuring Ports for Multiple Spectrum Instances....................................64 Shared Spectrum Local Data.....................................................................64 Using Client Tools with a Cluster.......................................................................64 Removing a Node from a Cluster.......................................................................64 Shutting Down a Cluster.....................................................................................65
Chapter 7: Troubleshooting Your System.......................................................67 Rebuilding a Corrupt Repository Index............................................................68 Monitoring Memory Usage of a Non-Responsive Server................................68
Chapter 8: Appendix - Managing Security with the User Management Service................................................................................................................71
4
Spectrum™ Technology Platform 9.0 SP2
Introduction..........................................................................................................72 What Is the User Management Service?....................................................72 Service URL Formats.................................................................................72 Creating and Managing Users For Spectrum™ Technology Platform........72 Rules Using the User Management Service SOAP Interface....................73 Managing Users...................................................................................................73 Starting the Management Console.............................................................73 Enabling User Permissions For Consoles..................................................74 Managing User Accounts...........................................................................74 Setting User Permissions...................................................................................75 GetPermissionsRequest.............................................................................75 SetPermissionsRequest.............................................................................76 AddPermissionsRequest............................................................................77 RemovePermissionsRequest.....................................................................78
Spectrum Spatial Administration Guide
5
Introduction
In this section: • What's Included in This Guide . . . . . . . . . . . . . . . . . . . . . . .8
1
What's Included in This Guide
What's Included in This Guide Welcome to the Spectrum Spatial Administration Guide. This guide will help you build a web mapping application or embed mapping in an existing application using a variety of web services, capabilities, tools and sample code. Addressed in this guide are: • Configuring your system by changing the default port number or repository database; accessing the repository; accessing and uploading resources; configuring web services; and running Spectrum™ Technology Platform as a Linux service • Managing security using the Management Console, including how to add users and roles, as well as how to apply security entity overrides • Monitoring your system, including logging, viewing version and license information, using the JMX Console to monitor performance, and monitoring memory usage • Managing memory and threading, including JVM performance tuning, adjusting pool size, and increasing heap memory • Load balancing spatial services for resilience or high capacity • Troubleshooting your system, including rebuilding a corrupt repository index and monitory memory usage of a non-responsive server • Managing security using the User Management Service (deprecated for the next release) Additional Spectrum™ Technology Platform and Location Intelligence Module documentation is located online at support.pb.com.
8
Spectrum™ Technology Platform 9.0 SP2
Configuring Your System
In this section: • Changing the Default Port Number for Spectrum Spatial .10 • Changing Your Repository Database . . . . . . . . . . . . . . . .11 • Uploading and Accessing Resources using Third Party Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14 • Configuring the Web Services . . . . . . . . . . . . . . . . . . . . . .16 • Configuring Datum Transforms . . . . . . . . . . . . . . . . . . . . .18 • Running Spectrum™ Technology Platform as a Linux Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
2
Changing the Default Port Number for Spectrum Spatial
Changing the Default Port Number for Spectrum Spatial After you install the Spectrum™ Technology Platform, you can change the default port settings that were assigned during installation by manually editing the global, startup, and individual service configuration files (particularly the port of the repository). There are several reasons for needing to change the default port number: • Currently, the silent installer for Spectrum does not allow you to specify the port; it can only be specified after the install. • A port conflict occurs after the install. • You need a proxy on port 8080 but have a limited number of ports to expose externally, so you would like to move Spectrum without re-creating all your settings and data flows. • You want to try out a new version of Spectrum without removing your old one. Since you cannot install them both, you can turn off the existing one and put down a Spectrum image which uses a different port. Note: This task is only for experienced administrators who have application server experience changing port numbers, as network port conflicts can result in module components failing to start up. One indication that a component has failed to start up is if it does not appear in the Management Console. To troubleshoot the problem, look at the Spectrum Spatial server log file. This log shows which port is causing the problem. You can find the Spectrum Spatial Server log file in: [install folder]\server\app\repository\logs\server.log. The install folder default is C:\Program Files\Pitney Bowes\Spectrum. To change the default port number, you can either copy the entire configuration folder then edit the files locally, or you can edit the configuration files in place. If you copy locally, you cannot put the configuration folder back while the server is running; you must restart all the Spatial services after making the changes. If you edit in place, you do not need to stop the server; however, the changes will not take effect until you restart the server. The following network ports are used by default:
10
Port
Property
Description
2424-2430
spectrum.orientdb.binary.port This port is used by the Spectrum™ Technology Platform server's internal configuration database.
2434
spectrum.orientdb.hazelcast.port This port is used by the Spectrum™ Technology Platform server's internal configuration database.
2480-2486
spectrum.orientdb.http.port
This port is used by the Spectrum™ Technology Platform server's internal configuration database.
5701
spectrum.hazelcast.port
This port is used by Hazelcast for managing distributed processing between Spectrum™ Technology Platform servers in a cluster.
8080
spectrum.http.port
The port used for communication between the server and Enterprise Designer, Management Console, and Interactive Driver. This port is also used by web services.
Spectrum™ Technology Platform 9.0 SP2
Chapter 2: Configuring Your System
Port
Property
Description
10119
spectrum.socketgateway.port
This port is used for API calls made to services.
To change the default port number, with Spectrum™ Technology Platform running: 1. Decide whether to edit a local copy of the configuration files or in place. If you are going to edit the configuration files locally, use WebDAV to copy the Configuration folder from the repository to a local disk. 2. Edit all the configuration files (either in place or in a local copy) by changing all the ports. Note: There are other ports besides the repository port (for example, where the map images get accessed, the access port for WMS, WFS, and CSW). Change all references to the new port. 3. Stop the Spectrum server (via the tray control or services.msc). 4. Update the spectrum-container.properties file in [install folder]\server\app\conf (for example, C:\Program Files\Pitney Bowes\Spectrum\server\app\conf): # Server ports spectrum.http.port=8080 5. Update the java.properties file for Spatial in [install folder]\server\modules\spatial (for example, C:\Program Files\Pitney Bowes\Spectrum\server\modules\spatial. Change all references to port numbers for each service. 6. Restart Spectrum. • If you edited the configuration files in place everything should be working. • If you edited locally, Spectrum should be working but not much of Spectrum Spatial will be working, since all the repository URL ports have the old values. 1. Copy in the entire Configuration folder or its files from local copy to the Configuration folder of the repository via WebDAV. 2. Restart the Spatial services via JMX (one by one) or restart the server.
Changing Your Repository Database Spectrum stores named resources (maps, layers, tables and styles), geographic metadata and configuration in a repository. In the default single server installation an embedded database is used to store these resources on the local server. There are several reasons you may need to use a database other than the embedded Derby database: • To create a scalable solution that uses a resilient independent database. • To use an in-house database preferred or dictated by your company. In this release, Spectrum supports Oracle, PostGreSQL (PostGIS) and Microsoft SQL Server 2008/2012 as repository databases.
Set Up a PostgreSQL Repository Database These steps describe how to set up your repository on a PostgreSQL database: 1. Copy all repository resources to a local folder using WebDAV. The contents of the installed repository must be exported. This step only needs to be performed once, as the contents of the repository should be the same at this point for all instances of Spectrum™ Technology Platform. 2. Back up the folder /
/server/modules/spatial/jackrabbit to a local directory or disk.
Spectrum Spatial Administration Guide
11
Changing Your Repository Database 3. Stop Spectrum. 4. On all instances of Spectrum™ Technology Platform, add the database JDBC drivers to the Spectrum common lib directory to allow it to use the selected database. Copy the //server/modules/spatial/lib/postgresql-x.x-xxx.jdbc4.jar file to //server/app/lib/postgresql-x.x-xxx.jdbc4.jar. 5. On all instances of Spectrum™ Technology Platform, edit the //server/modules/spatial/jackrabbit/repository.xml file to point the repository to a database and add clustering. There are four separate changes you need to make: a) Modify the two FileSystem sections within the Repository and Workspace sections of the file: b) Modify the Persistence Manager within the Workspace: c) Enable Clustering at the end of the file, right above the tag. Each instance of Spectrum will need to have a distinct Cluster id to enable synchronization of clustering to work. The delay defines the time delay for synchronization in milliseconds. d) Comment out the DataStore section: 6. On all instances of Spectrum™ Technology Platform, remove the following folders from the /server/modules/spatial/jackrabbit directory: repository, version, workspaces.
12
Spectrum™ Technology Platform 9.0 SP2
Chapter 2: Configuring Your System 7. If your PostgreSQL database has previously had repository content added, you must remove tables from your database so a clean repository can be created. If you are starting with a new database, please make sure the tables do not exist. The following tables need to be removed from the database: public.default_names_id_seq public.default_binval public.default_bundle public.default_names public.default_refs public rep_fsentry public.rep_global_revision public.rep_journal public.rep_local_revisions public.security_binval public.security_bundle public.security_names public.security_refs 8. Start Spectrum. 9. Restore the resources by copying them from the local folder into the Repository using WebDAV. Import the content of the repository you previously exported back into the repository. This step only needs to be performed on one of the Spectrum™ Technology Platform instances.
Set Up an Oracle Repository Database These steps describe how to set up your repository on an Oracle database: 1. Copy all repository resources to a local folder using WebDAV. The contents of the installed repository must be exported. This step only needs to be performed once, as the contents of the repository should be the same at this point for all instances of Spectrum™ Technology Platform. 2. Back up the folder //server/modules/spatial/jackrabbit to a local directory or disk. 3. Stop Spectrum. 4. On all instances of Spectrum™ Technology Platform, verify an Oracle JDBC Driver exists under the folder /server/app/lib (for example, ojdbc6-11.2.0.3.jar). 5. On all instances of Spectrum™ Technology Platform, edit the //server/modules/spatial/jackrabbit/repository.xml file to point the repository to a database and add clustering. There are four separate changes you need to make: a) Modify the two FileSystem sections within the Repository and Workspace sections of the file: b) Modify the Persistence Manager within the Workspace:
Spectrum Spatial Administration Guide
13
Uploading and Accessing Resources using Third Party Tools
c) Enable clustering at the end of the file, right above the tag. Each instance of Spectrum will need to have a distinct id to enable synchronization of clustering to work. The delay defines the time delay for synchronization in milliseconds. d) Comment out the DataStore section: 6. On all instances of Spectrum™ Technology Platform, remove the following folders from the /server/modules/spatial/jackrabbit directory: repository, version, workspaces. 7. If your Oracle database has previously had repository content added, you must remove tables from your database so a clean repository can be created. If you are starting with a new database, please make sure the tables do not exist. The following tables need to be removed from the database: public.default_names_id_seq public.default_binval public.default_bundle public.default_names public.default_refs public rep_fsentry public.rep_global_revision public.rep_journal public.rep_local_revisions public.security_binval public.security_bundle public.security_names public.security_refs 8. Start Spectrum. 9. Restore the resources by copying them from the local folder into the Repository using WebDAV. Import the content of the repository you previously exported back into the repository. This step only needs to be performed on one of the Spectrum™ Technology Platform instances.
Uploading and Accessing Resources using Third Party Tools Named resource files are stored in the repository. A number of sample files that ship with Spectrum™ Technology Platform are located at http://localhost:8080/RepositoryService/repository/default/Samples under a particular folder. For example:
14
Spectrum™ Technology Platform 9.0 SP2
Chapter 2: Configuring Your System • • • • •
NamedLayers NamedMaps NamedStyles NamedTables NamedTiles
For your own named resources, you can create any folder name you wish. You can access these files manually using a WebDAV compliant tool. This section describes the manual method. To access resources manually, you must use a WebDAV protocol tool to access the JCR repository. There are many tools available to add and access resources in the repository using the WebDAV. We have provided two examples:
Using WebFolders to Access the Repository Resources To add or modify a resource, you must copy the resource to or from the repository using a WebDAV tool. Using WebFolders is an easy way to access the repository and the resources contained in the repository. Note: WebFolders is for Windows machines only. To access the repository, you must be on the same machine where Spectrum™ Technology Platform and the repository are installed. To configure a WebFolder on Windows 7: 1. Using Windows Explorer, select Map Network Drive... 2. In the pop-up window, click on the link 'Connect to a website...' to open the Add Network Location Wizard. 3. Click Next and select Choose a custom network location. Click Next. 4. In the Internet or network address field add the repository URL; for example, http://localhost:8080/RepositoryService/repository/default/. Click Next. 5. Enter your credentials (username and password) if you are prompted for them. 6. Give this connection a name; for example, Spectrum Spatial Repository. Click Next. Once finished, you will have a folder connection to the contents of the repository under your network places. The WebFolder connection to the repository can be used like any other Windows Explorer folder.
Using DAVExplorer to Access the Repository Resources To add or modify a resource, you must copy the resource to or from the repository using a WebDAV tool. Using DAVExplorer is an easy way to access the repository and the resources contained in the repository. DAVExplorer is a freely available WebDAV client application. This software is available from http://www.davexplorer.org. Note: DAVExplorer is for Windows machines only. To access the repository, you must be on the same machine where Spectrum™ Technology Platform and the repository are installed. To get or add resources from the repository using DAVExplorer, use the following instructions:
Getting Resources From the Repository Using DAVExplorer Use the following steps to get resources from the repository using DAVExplorer: 1. Open DAVExplorer. 2. In DAVExplorer, enter the URL of the Spectrum™ Technology Platform repository and click the Connect button. For example, enter localhost:8080/RepositoryService/repository/default/. (Note that DAVExplorer prepends http:// automatically.) If prompted, enter the admin/admin login name and password required to connect to the repository.
Spectrum Spatial Administration Guide
15
Configuring the Web Services Once you are connected to the repository, a node for the repository appears in the treeview pane on the left. 3. In the treeview pane on the left, expand the nodes under the repository node until you see the node that contains the type of resource you want to get. For example, if the named resource you want to get is a configuration, expand the repository nodes until you see the Configuration node. Click on the node to select it. The named configuration resources in the repository are then listed in the right pane. 4. In the right pane, click on the resource you want to get. You may click on any of the fields of the named resource to select it. 5. On the File menu, select Get File. The Save As dialog box opens. 6. In the Save As dialog box, enter a name for the named resource definition file and select the directory in which you want to save it, then click the Save button. The selected named resource definition file is saved to the selected file location. Note: You should always save the resource as the same name as it appears in the repository. By using this technique, you will never have a conflict when adding the resource back to the repository.
Adding Resources to the Repository Using DAVExplorer Use the following steps to add resources to the repository using DAVExplorer: 1. Open DAVExplorer. 2. In DAVExplorer, enter the URL of the Spectrum™ Technology Platform repository and click the Connect button. For example, enter localhost:8080/RepositoryService/repository/default/. (Note that DAVExplorer prepends http:// automatically.) If prompted, enter the admin/admin login name and password required to connect to the repository. Once you are connected to the repository, a node for the repository appears in the treeview pane on the left. 3. In the treeview pane on the left, expand the nodes under the repository node until you see the node that corresponds to the type of resource you are adding. For example, if you are adding a configuration resource, expand the repository nodes until you see the Configuration node. Click on the node to select it. 4. On the File menu, select Write File. The Write File dialog box opens. 5. In the Write File dialog box, select the definition file of the resource you want to add to the repository, then click the Open button. The selected resource is added to the repository.
Configuring the Web Services This section provides information about how to configure the Location Intelligence Module web services.
16
Spectrum™ Technology Platform 9.0 SP2
Chapter 2: Configuring Your System
About Web Service Configurations You can, and frequently must, explicitly specify the desired behavior of the Location Intelligence Module web services via settings in each web service's configuration file. The configuration file for each web 1 service is held in the Location Intelligence Module repository as a named configuration. Note: Named configurations are not like other named resources that are held in the repository. You cannot use the Named Resource Service to access named configurations. Instead, you must use a WebDAV tool of your choice, such as DAVExplorer or Windows web folders. Configuration files are pre-loaded in the repository for each service. These configuration files are located at http://localhost:8080/RepositoryService/repository/default/Configuration/. For information about the name and location of each web service's named configuration in the repository, as well as a list of the configuration parameters for each web service, refer to the "Working With Spatial Services" chapter in the Spectrum Spatial Developer Guide.
How to Change Web Service Configuration Settings To change web service configuration settings: 1. Pull the named configuration file for the web service out of the repository using your favorite WebDAV tool. Note: You cannot use the Named Resource Service to extract a named configuration file from the repository. 2. Using a text editor, make any required changes to the named configuration file. 3. Re-add the named configuration file back into the repository using your favorite WebDAV tool. Note: You cannot use the Named Resource Service to add a named configuration file to the repository. 4. Do one of the following to reload the web service configuration: • Restart the web service. • Use the Spectrum™ Technology Platform JMX Console (available at http://hostname[:portnumber]/jmx-console) to reload the configuration without restarting the web service.
Reload the Service Configuration using JMX Console Once you have modified a service configuration, you must reload the configuration in the repository using the JMX Console. The JMX console allows you to reload and administer a service, without having to restart the application container. To reload the service configuration: 1. Access the JMX Console using the following URL: http://localhost:8080/jmx-console/ 2. Under the Domain: Spatial section, select the administration link for the service. For example, Spatial:name=Administration,type=WMS Service. 3. Click the Invoke button for the reloadConfiguration operation. You will get a message on the status of the invocation.
1
The Geometry Service alone does not have a corresponding named configuration because the Geometry Service has no configurable settings.
Spectrum Spatial Administration Guide
17
Configuring Datum Transforms
Configuring Datum Transforms You can configure which datum transforms (such as NTV2, Nadcon, RGF93, and JGD2000) are used by modifying the java.properties file that is located in \server\modules\spatial. By default, all the datums are loaded and set to true in this file (for example, com.mapinfo.midev.coordsys.load.datum.ntv2=true ). To disable any datum, change the value to false (for example, com.mapinfo.midev.coordsys.load.datum.ntv2=false). Disabling transforms can have a positive effect on the performance of certain operations.
Running Spectrum™ Technology Platform as a Linux Service This tutorial will show you the steps you need to follow to run Spectrum™ Technology Platform as a Linux service.
How to Run Spectrum™ Technology Platform as a Linux Service These instructions describe how to run the Spectrum™ Technology Platform as a Linux service. 1. Modify the provided pbspectrum script which is located here: PBSpectrum Script on page 19. a) Modify the chkconfig parameter at line# 5. By Default this parameter is: # chkconfig: 35 90 10 First value(35) is runlevel. Use 'man init' for more information. Second value(90) is start priority Third value(10) is stop priority. Start and stop priority should be set according to the dependent services. For example, if Oracle Server is running on the same machine and is used by Spectrum™ Technology Platform then the Spectrum™ Technology Platform starting priority should be less than the Oracle Service and stopping priority should be higher than the Oracle service. Use 'man chkconfig' for more information. b) Modify SPECTRUM_ROOT variable at line #11 with your Spectrum™ Technology Platform installation directory. c) If you are using SUSE Linux, you must change the default preferred user from su to runuser. 2. Copy the modified pbspectrum script to either /etc/rc.d/init.d for RedHat Linux or /etc/init.d for Suse Linux. 3. Change the mode of the pbspectrum script to executable. /etc/rc.d/init.d for RedHat Linux or /etc/init.d for Suse Linux. cd /etc/init.d or cd /etc/rc.d/init.d depending on your Linux version. run chmod +x pbspectrum 4. Run chkconfig --add pbspectrum 5. Verify the script is working by restarting the machine. Use shutdown -r now to reboot from shell. Once completed, you may also use the following: • service pbspectrum start to start Spatial Server • service pbspectrum stop to stop Spatial Server
18
Spectrum™ Technology Platform 9.0 SP2
Chapter 2: Configuring Your System • service pbspectrum restart to restart Spatial Server Note: The provided script runs the command 'ulimit -n 8192' which is required to increase the number of open files in Linux.
PBSpectrum Script The following script is used as the basis for this procedure: How to Run Spectrum™ Technology Platform as a Linux Service on page 18.
#! /bin/bash # # # # # # # #
pbspectrum Bring up/down PB Spectrum platform chkconfig: 35 90 10 description: Starts and stops the spectrum /etc/rc.d/init.d/pbspectrum See how we were called.
SPECTRUM_ROOT=/root/PBSpectrum start() { su - spectrum -c ". $SPECTRUM_ROOT/server/bin/setup; ulimit -n 8192; $SPECTRUM_ROOT/server/bin/server.start" RETVAL=$? return $RETVAL } stop() { su - spectrum -c ". $SPECTRUM_ROOT/server/bin/setup; $SPECTRUM_ROOT/server/bin/server.stop" RETVAL=$? return $RETVAL } # See how we were called. case "$1" in start) start ;; stop) stop ;; restart) stop start ;; *) echo $"Usage: pbspectrum {start|stop|restart}" exit 1 esac exit $RETVAL
Spectrum Spatial Administration Guide
19
Managing Security
The Location Intelligence Module uses the same role-based security model that is used for the Spectrum™ Technology Platform. Because security is handled at the platform level, the Management Console can be used to manage all Location Intelligence Module security activities.
In this section: • Security for the Spectrum™ Technology Platform . . . . .22 • Security for the Location Intelligence Module . . . . . . . . .29 • Disabling Platform Security Versus Turning Off Spatial Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40 • Limiting WebDAV Access to the Repository . . . . . . . . . .40 • Limiting Server Directory Access . . . . . . . . . . . . . . . . . . .41 • Configuring HTTPS Communication . . . . . . . . . . . . . . . . .42
3
Security for the Spectrum™ Technology Platform
Security for the Spectrum™ Technology Platform The topics in this section cover the security model and procedures at the platform level that pertain to all modules. See Security for the Location Intelligence Module on page 29 for additional security information that is specific to the Location Intelligence Module.
Security Model Spectrum™ Technology Platform uses a role-based security model to control access to the system. The following diagram illustrates the key concepts in the Spectrum™ Technology Platform security model:
A user is an account assigned to an individual person which the person uses to authenticate to Spectrum™ Technology Platform, either to one of the client tools such as Enterprise Designer or Management Console, or when calling a service through the API. A user has one or more roles assigned to it. A role is a collection of permissions that grant or deny access to different parts of the system. Roles typically reflect the kinds of interactions that a particular type of user has with the system. For example, you may have one role for dataflow designers which grants access to create and modify dataflows, and another role for people who only need to process data through existing dataflows. A role grants permissions to secured entity types. A secured entity type is a category of items to which you want to grant or deny access. For example, there is a secured entity type called "Dataflows" which controls the default permissions for all dataflows on the system. If you need to fine-tune access you can optionally specify secured entity overrides. A secured entity override controls access to a specific secured entity on the system. For example, the secured entity type "Dataflows" specifies the default permissions for all dataflows on the system, while each individual dataflow is a secured entity. If you want to grant or deny access to a specific dataflow, you would specify a secured entity override for the dataflow. You can specify secured entity overrides for a user, which overrides the permissions granted to the user by the user's roles. You can also specify secured entity overrides for roles, which applies the overrides to all users who have that role. You can only apply overrides for roles and users that you create, not for predefined roles and users.
22
Spectrum™ Technology Platform 9.0 SP2
Chapter 3: Managing Security Related Links Disabling User Security on page 23 Creating a User on page 23 Creating a Role on page 25 Creating a Secured Entity Override on page 28
Users Spectrum™ Technology Platform user accounts control the types of actions users can perform on the system. User accounts are required to: • • • •
Use Management Console, Enterprise Designer, or Interactive Driver Run jobs on a schedule Run jobs from the command line Access services through web services or the API
There is an administrative account called admin that comes with the system. This account has full access. The initial password is "admin". Important: You should change the admin password immediately after installing Spectrum™ Technology Platform to prevent unauthorized administrative access to your system. In addition to these default accounts you can create as many user accounts as your business requires. Related Links Creating a Secured Entity Override on page 28
Disabling User Security User security is enabled by default. This means that the security restrictions assigned to users through roles are enforced. If you want to disable user security, the security restrictions assigned to users will not be enforced and all users will be able to access all parts of the system. Note that a valid user account is always required to access services even if you disable user security. This procedure describes how to disable user security. Warning: If you follow this procedure all users will have full access to your Spectrum™ Technology Platform system. 1. Open the Management Console. 2. Expand Security then click Options. 3. Clear the Limit access according to user permissions check box. Related Links Security Model on page 22 Disabling Platform Security Versus Turning Off Spatial Security on page 40
Creating a User This procedure describes how to create a Spectrum™ Technology Platform user account and assign a role to the account. 1. Open the Management Console. 2. Expand Security then click Users. 3. Click Add. The New User window appears. 4. Leave the Enable user box checked if you want this user account to be available for use. 5. Enter the user name in the User name field.
Spectrum Spatial Administration Guide
23
Security for the Spectrum™ Technology Platform Note: User names can only contain ASCII characters. 6. Enter the user's password in the Password field. 7. Reenter the user's password in the Confirm password field. 8. Enter the user's email address in the Email address field. 9. Enter a description of the user in the Description field. 10. Select the roles you want to give to this user. 11. Click OK. Related Links Security Model on page 22
Modifying a User This procedure describes how to modify an existing Spectrum™ Technology Platform user account. Note: You can modify all user information except user name. If you need to change a user name, you must first delete the user then create a user with the new user name. 1. Open the Management Console. 2. Expand Security then click Users. 3. Click Modify. The User Properties window appears. 4. Leave the Enable user box checked if you want this user account to be available for use. 5. To change the password, enter the new password in the New password field and again in the Confirm password field. If you do not want to change the password, leave the New password and Confirm password fields blank. 6. Enter the user's email address in the Email address field. 7. Enter the description of the user in the Description field. 8. Select the roles you want to give to this user. 9. Click OK.
Disabling a User Account You can disable a user account so that it cannot be used to gain access to Spectrum™ Technology Platform. When a user account is disabled it cannot be used to access Management Console, Enterprise Designer, or Interactive driver. In addition, any jobs that run on a schedule using a disabled user account will not run. API calls that use a disabled user account will also not work. Note: The user account "admin" cannot be disabled. 1. Open Management Console. 2. Expand Security then click Users. 3. Select the user account you want to disable and click Modify. 4. Clear the Enable user check box. The user account is now disabled and cannot be used to gain access to Spectrum™ Technology Platform.
Deleting a User This procedure describes how to permanently delete a Spectrum™ Technology Platform user account. Tip: User accounts can also be disabled, which prevents the account from being used to access the system without deleting the account. 1. Open the Management Console. 2. Expand Security then click Users.
24
Spectrum™ Technology Platform 9.0 SP2
Chapter 3: Managing Security 3. From the User Management screen, select the user you want to delete and click Delete. 4. Click Yes to delete or No to cancel. Note: The user account "admin" cannot be deleted.
Roles A role is a collection of permissions that grant or deny access to different parts of the system. Roles typically reflect the kinds of interactions that a particular type of user has with the system. For example, you may have one role for dataflow designers which grants access to create and modify dataflows, and another role for people who only need to process data through existing dataflows. The following roles are predefined: admin
This role has full access to all parts of the system.
designer
This role is for users that create dataflows and process flows in Enterprise Designer. It provides the ability to design and run dataflows.
integrator
This role is for users who need to process data through Spectrum™ Technology Platform but does not need to create or modify dataflows. It allows the user to access services through web services and the API, and to run batch jobs.
spatial-admin
This role is available only when the Location Intelligence Module module is installed. It provides full access to named resources for this module when using spatial services. (Additional access is required to manage spatial resources using Management Console. See Security for the Location Intelligence Module on page 29 for more information.)
spatial-user
This role is available only when the Location Intelligence Module module is installed. It provides read-only access to named resources for this module when using spatial services. (Additional access is required to view spatial resources using Management Console. See Security for the Location Intelligence Module on page 29 for more information.)
user
This is the default role. It provides no access to the system. Users who have this role will only gain access to the system if you grant permission through secured entity overrides.
To view the permissions granted to each of these roles, open Management Console, go to Security and click Roles. Then select the role you want to view and click View. Tip: You cannot modify the predefined roles. However, you can create new roles using the predefined roles as a starting point. Related Links Creating a Secured Entity Override on page 28
Creating a Role A role is a collection of permissions that you assign to a user. If the predefined roles that come with Spectrum™ Technology Platform do not fit your organization's needs, you can create your own roles. 1. In the Management Console, browse to Security then expand Roles. 2. Click Add. 3. In the Role field, enter the name you want to give to this role. The name can be anything you choose. 4. If you want to use one of the predefined roles as a starting point for your new role, check the Copy from box then select the role that you want to use as a starting point. The predefined role's permissions are selected for you. 5. Optional: Since the list of secured entity types can be long, you may want to display only a certain group of secured entity types. This can be useful if you want to apply the same permissions to all entities in a group. For example, if you want to remove the Modify permission from all database resources, you could filter to show just the Database Resources group. To display and modify only one group:
Spectrum Spatial Administration Guide
25
Security for the Spectrum™ Technology Platform a) b) c) d)
Check the Enable group filtering box. Click the funnel icon in the header of the Group column and select the group you want to display. Check or clear the box in the column header of the permission you want to apply. To return to the full list of secured entity types, click the filter icon and select (All) then clear the Enable group filtering box.
6. Select the permissions you want to grant for each entity type. The permissions are: View
Allows the user to view entities contained by the entity type. For example, if you allow the View permission for the JDBC Connection entity type, users with this role would be able to view database connections in Management Console.
Modify
Allows the user to modify entities contained by the entity type. For example, if you allow the Modify permission for the JDBC Connection entity type, users with this role would be able to modify database connections in Management Console.
Create
Allows the user to create entities that fall into this entity type's category. For example, if you allow the Create permission for the JDBC Connection entity type, users with this role would be able to create new database connections in Management Console.
Delete
Allows the user to delete entities contained by the entity type. For example, if you allow the Delete permission for the JDBC Connection entity type, users with this role would be able to delete database connections in Management Console.
Execute
Allows the user to initiate processing of jobs, services, and process flows. For example, if you allow the Execute permission for the Job entity type, users with this role would be able to run batch jobs. If you allow the Execute permission for the Service entity type, users with this role would be able to access services running on Spectrum™ Technology Platform through the API or web services.
7. Click OK. The role is now available to be assigned to a user. Note: You can delete a role that you create, but only after you unassign it from all user accounts. Related Links Security Model on page 22
Secured Entity Types - Platform An entity type is a category of items to which you want to grant or deny access. For example, there is an entity type called "Dataflows" which controls permissions for all dataflows on the system. Platform entity types apply to all Spectrum™ Technology Platform installations, as compared to module-specific entity types that apply only if you have installed particular modules. The platform-level entity types are:
26
Dataflows
Controls access to all dataflow types (jobs, services, and subflows) in Enterprise Designer.
Dataflows - Expose
Controls the ability in Enterprise Designer to make dataflows available for execution.
Event Log
Controls access to the Event Log node in Management Console.
Execution - File Monitor and Scheduling
Controls access to job schedule and file monitor configuration in Management Console.
Execution - Job Options
Controls access to the Job Options node in Management Console. All users have View access to job options. You cannot remove View access.
Execution - Report Options
Controls access to the Report Options node in Management Console. All users have View access to report options. You cannot remove View access.
Spectrum™ Technology Platform 9.0 SP2
Chapter 3: Managing Security Execution - Sort Performance
Controls access to the Sort Performance node in Management Console. All users have View access to sort performance options. You cannot remove View access.
Execution - Type Conversion Options
Controls access to the Type Conversion node in Management Console. All users have View access to type conversion options. You cannot remove View access.
Execution History - Jobs
Controls access to job execution history in Enterprise Designer and Management Console.
Execution History - Process Flows
Controls access to process flow execution history in Management Console and Enterprise Designer.
Jobs
Controls the ability to execute jobs in Enterprise Designer, Management Console, and job executor.
Notification - License Expiration Controls access to configure license expiration notification emails in Management Console. Notification - SMTP Settings
Controls access to the email notification options in Management Console.
Process Flows
Controls access to process flows in Enterprise Designer.
Process Flows - Expose
Controls the ability in Enterprise Designer to make process flows available for execution.
Remote Server
Controls access to the Remote Servers node in Management Console.
Resources - Database Connections
Controls the ability to configure JDBC connections in Management Console.
Resources - External Web Services
Controls access to managing external web services in Management Console.
Resources - File Servers
Controls the ability to configure file servers in Management Console.
Resources - JDBC Drivers
Controls the ability to configure JDBC drivers in Management Console.
Resources - Restrict server directory access
Controls the ability to enable or disable restrictions on server directory resources in Management Console.
Resources - Server directory paths
Controls the ability to configure server directory resources in Management Console.
Security - Options
Controls access to the Security Options node in Management Console.
Security - Roles
Controls access to role configuration in Management Console.
Security - Secured Entity Overrides
Controls access to secured entity overrides in Management Console.
Security - Users
Controls access for managing user accounts in the Users node of Management Console.
Services
Controls the ability to execute services through the API and web services.
Stages
Controls whether exposed subflows are available as a stage in dataflows in Enterprise Designer.
System - Licensing
Controls access to the license information displayed in Management Console.
Spectrum Spatial Administration Guide
27
Security for the Spectrum™ Technology Platform System - Version Information
Controls access to the Version Information node in Management Console.
Transaction History
Controls access to the Transaction History node in Management Console.
Secured Entity Types - Location Intelligence Module An entity type is a category of items to which you want to grant or deny access. The Location Intelligence Module has the following module-specific entity type: Named Resources Controls permissions to all named resources in the Location Intelligence Module, including named maps, named tiles, named tables, and named connections. Users of Location Intelligence Module services must have at least read permissions for the resources they use as well as for any dependent resources.
Secured Entity Overrides A secured entity override controls access to a specific secured entity on the system. For example, the secured entity type "Dataflows" specifies the default permissions for all dataflows on the system, while each individual dataflow is a secured entity. If you want to grant or deny access to a specific dataflow, you would specify a secured entity override for the dataflow. You can specify secured entity overrides for a user, which overrides the permissions granted to the user by the user's roles. You can also specify secured entity overrides for roles, which applies the overrides to all users who have that role. You can only apply overrides for roles and users that you create, not for predefined roles and users.
Creating a Secured Entity Override A secured entity override specifies permissions for specific secured entities in the system, such as specific dataflows or specific database connections. To create a secured entity override: 1. In Management Console, expand Security then click Secured Entity Overrides. 2. Do one of the following: • If you want to specify a secured entity override for a role, click Role. The overrides you specify will affect all users who have the role you choose. • If you want to specify a secured entity override for a user, click User. The overrides you specify will only affect the user you choose. 3. Click Browse to select the specific role or user then click OK. 4. Click Add then Browse. The Select Secured Entity Type window appears. 5. Select the secured entity type that contains the secured entity you want to override then click OK. For example, if you want to override a dataflow secured entity, choose Platform.Dataflows. Tip: To select multiple secured entity overrides, use CTRL+click. To select a range of secured entity overrides, use SHIFT+click. 6. Choose the secured entity that you want to override. Click Add then Close. The secured entities you chose are displayed. The secured entity type's row shows the permissions in effect for the selected role or user. A gray checked box indicates that the permission is enabled and a gray empty box indicates that the permission is disabled. 7. Specify the secured entity overrides you want. Each permission can have one of the following settings: There is no override for the permission. The permission is the default permission granted to the user or role. The permission is denied to the user or role, overriding whatever permission is specified in the secured entity type.
28
Spectrum™ Technology Platform 9.0 SP2
Chapter 3: Managing Security The permission is granted to the user or role, overriding whatever permission is specified in the secured entity type. Related Links Security Model on page 22 Users on page 23 Roles on page 25
Viewing a Secured Entity Override A secured entity override specifies permissions for specific secured entities in the system, such as specific dataflows or specific database connections. To view secured entity overrides for a role or user: 1. In Management Console, expand Security then click Secured Entity Overrides. 2. Do one of the following: • If you want to view a secured entity override for a role, click Role. • If you want to view a secured entity override for a user, click User. 3. Click Browse to select the specific role or user then click OK. The secured entities with overrides for the role or user you chose are displayed. The secured entity type's row (for example, Platform.Dataflows) shows the permissions in effect for the selected role or user. A gray checked box indicates that the permission is enabled and a gray empty box indicates that the permission is disabled. The secured entity rows (for example, the specific dataflow GeocodeAddress) shows the permissions in effect for that entity, each of which can have one of the following settings: There is no override for the permission. The permission is the default permission granted to the user or role. The permission is denied to the user or role, overriding whatever permission is specified in the secured entity type. The permission is granted to the user or role, overriding whatever permission is specified in the secured entity type.
Security for the Location Intelligence Module The Location Intelligence Module uses the same role-based security that is used for the Spectrum™ Technology Platform. Because security is handled at the platform level, the Management Console can be used to manage all Location Intelligence Module security activities. This includes setting permissions for named resources in addition to managing user accounts (that is, creating, modifying, and deleting user accounts). Note: The User Management Service can still be used to set permissions if desired; however, permissions are stored in the platform and not the repository. The User Management Service is set to be deprecated in the next release.
Predefined Spatial Roles After you install the Location Intelligence Module, two predefined roles are available in Management Console, spatial-admin and spatial-user. The spatial-admin role provides full permissions (View/Modify/Create/Delete) for all named resources (named maps, named tiles, named connections, and named tables), whereas the spatial-user role provides only View permissions to these resources. These permissions are controlled using the Location
Spectrum Spatial Administration Guide
29
Security for the Location Intelligence Module Intelligence Module's secured entity type, Location Intelligence.Named Resources. Users of Location Intelligence Module services must have at least View permissions for the resources they use as well as for any dependent resources. These predefined spatial roles, when assigned to a user, provide access to named resources only when using spatial services. They do not allow access to named resources in Management Console. The "admin" user in Spectrum has full access to manage all parts of the system, including named resources, via the Management Console. If you also want users who can access only named resources via the Management Console, you must manually create a "named resources administrator" role, using one of the predefined spatial roles as a base, that provides access to named resources in the repository then assign that role to a "named resources administrator" user account. For instructions on creating this additional resource-administrator role, see Creating a Named Resources Administrator on page 36. Dataflow designers who require access to named resources also need additional permissions beyond that of the "designer" role. For instructions on creating a spatial dataflow designer, see Creating a Spatial Dataflow Designer on page 37. Roles and associated permissions on the Location Intelligence.Named Resources secured entity type can all be viewed using Management Console. • Predefined roles, which are not editable:
• Permissions for spatial-admin, on the Location Intelligence.Named Resources secured entity:
• Permissions for spatial-user, on the Location Intelligence.Named Resources secured entity:
30
Spectrum™ Technology Platform 9.0 SP2
Chapter 3: Managing Security Note: The permission settings in the User Management Service are mapped to the Spectrum™ Technology Platform as follows: Read>View, Modify>Modify, Add>Create, and Remove>Delete.
Custom Spatial Roles and Security Overrides You can create custom roles based on the predefined spatial roles, assign them to user accounts, then fine-tune access to named resources for those roles and users by applying secured entity overrides to individual named resources or to folders or directories. For the Location Intelligence.Named Resources entity type, all listed resources that end with a forward slash (/) are folders or directories in the repository. Folder permissions are inherited by the resources and folders underneath as long as those resources and folders do not have any specific override settings. This is useful when you want to set permissions on a set of resources. You can make a folder accessible only to specified users or roles; other users will not see that folder or anything underneath it. Permissions at the folder level, however, do not override permissions set at the lower, individual resource level. For example, if a folder has Create permissions for a specific role or user, but a single resource in the folder (such as a named table) has a security override set to View permissions for that same role or user, the View (read-only) permissions for the single resource take precedence over the Create permissions for the folder. Related Links Appendix - Managing Security with the User Management Service on page 71
Example: Overriding Permissions at the Role Level A typical scenario and best practice for setting security for the Location Intelligence Module involves creating a custom role with no permissions, applying specific overrides to the custom role, then assigning that role to a user. In this example, you will create a custom role ("table-modifier") with no permissions, apply overrides to the table-modifier role allowing modify and delete permissions for resources in the /Samples/NamedTables/ folder, then create a user account ("user-tables") and assign the table-modifier and spatial-user roles to it. Note: For the Location Intelligence.Named Resources entity type, all the resources that end with a forward slash (/) are folders or directories in the repository. 1. Create a Custom Role. If the predefined roles that come with do not fit your organization's needs, you can create your own roles. In this first step of this example, you will create a custom role called table-modifier that initially has no permissions. Before you begin, verify that security is enabled, see Disabling User Security on page 23. a) In the Management Console, browse to Security then click Roles. b) Click Add. The Add Role dialog appears. c) In the Name field, enter the name you want to give to this role, table-modifier. No permissions are set for this role.
Spectrum Spatial Administration Guide
31
Security for the Location Intelligence Module
d) Click OK. The custom role is now available to be assigned overrides. 2. Apply Overrides to a Role. A secured entity override grants permissions for specific secured entities in the system, such as named tables that are in the repository. In this step of the example, you will create an override for the table-modifier role that allows modifying and deleting of resources in the /Samples/NamedTables/ folder. a) In Management Console, expand Security then click Secured Entity Overrides. b) Click Role then Browse. The Select Role dialog appears. c) Select the table-modifier role and click OK. d) Click Add. The Select Items dialog appears. e) Click Browse. The Select Secured Entity Type window appears. f) Select the Location Intelligence.Named Resources secured entity type. Click OK. A list of all secured entities that are named resources appears.
32
Spectrum™ Technology Platform 9.0 SP2
Chapter 3: Managing Security g) From the list of secured entities, locate then select all the named table resources (use the Shift key to select multiple consecutive items in this dialog). h) Click Add then Close. The secured entity (NamedTables folder) you chose is displayed. The secured entity type's row shows the permissions in effect for the table-modifier role. A gray checked box indicates that the permission is enabled and a gray empty box indicates that the permission is disabled. i)
Specify overrides on each secured entity (NamedTables folder) by selecting the checkboxes in the View, Modify, and Delete columns:
j)
Click Save or select File > Save. The asterisk next to the "Secured Entity Overrides" window title no longer appears, indicating that the changes are saved. The table-modifier role now permits viewing, modifying, and deleting of any folder or resource in the /Samples/NamedTables/ folder and can be assigned to a user account.
3. Create a User. In the final step of this example, you will create a user account to which you will assign both the pre-defined spatial-user role (which provides view-only permissions to named resources) as well as the custom table-modifier role (which grants additional permissions for modifying and deleting named tables; that is, for any folder or resource within the /Samples/NamedTables/ folder). a) In Management Console, expand Security then click Users. b) Click Add. The New User window appears. c) d) e) f) g) h) i)
Leave the Enable user box checked if you want this user account to be available for use. Enter the user name (user-tables) in the User name field. Enter the user's password in the Password field. Re-enter the user's password in the Confirm password field. Enter the user's email address in the Email address field. Enter a description of the user in the Description field. Select the spatial-user and table-modifier roles.
Spectrum Spatial Administration Guide
33
Security for the Location Intelligence Module
j)
Click OK.
A user-tables user account is now available with view-only permissions to all named resources as well as modify and delete permissions for any folder or resource within the /Samples/NamedTables/ folder.
Example: Overriding Permissions at the User Level A common scenario for setting security for the Location Intelligence Module involves establishing override permissions for a single user. In this example, you will create a user account ("user-tiles") with view-only permissions to named resources, then apply overrides to the user-tiles account that allow modifying and deleting of named resources in a specific folder (/Samples/NamedTiles/). Note: For the Location Intelligence.Named Resources entity type, all the resources that end with a forward slash (/) are folders or directories in the repository. 1. Create a User with View Permissions. First, you will create a user account to which you will assign the pre-defined spatial-user role. This role provides view-only permissions to named resources. a) In Management Console, expand Security then click Users. b) Click Add. The New User window appears. c) d) e) f) g) h)
34
Leave the Enable user box checked if you want this user account to be available for use. Enter the user name (user-tiles) in the User name field. Enter the user's password in the Password field. Re-enter the user's password in the Confirm password field. Enter the user's email address in the Email address field. Enter a description of the user in the Description field.
Spectrum™ Technology Platform 9.0 SP2
Chapter 3: Managing Security i)
Select the spatial-user role.
j)
Click OK. A user-tiles user account is now available with view-only permissions to all named resources.
2. Apply Overrides to a User. A secured entity override grants permissions for specific secured entities in the system. In the final step of this example, you will create an override that allows a single user (user-tiles) to modify and delete named resources in a specific folder in addition to being able to view all types of named resources. a) In Management Console, expand Security then click Secured Entity Overrides. b) Click User then Browse. The Select User dialog appears. c) Select the user (user-tiles) and click OK. d) Click Add. The Select Items dialog appears. e) Click Browse. The Select Secured Entity Type window appears. f) Select the Location Intelligence.Named Resources secured entity type. Click OK. A list of all secured entities that are named resources appears. g) From the list of secured entities, locate then select /Samples/NamedTiles/. h) Click Add then Close. The secured entity (named tiles folder) you chose is displayed. The secured entity type's row shows the permissions in effect for the user-tiles user. A gray checked box indicates that the permission is enabled and a gray empty box indicates that the permission is disabled. i)
Specify overrides on the secured entity (named tiles folder) by selecting the checkboxes in the Modify and Delete columns:
Spectrum Spatial Administration Guide
35
Security for the Location Intelligence Module
j)
Click Save or select File > Save. The asterisk next to the "Secured Entity Overrides" window title no longer appears, indicating that the changes are saved.
The user-tiles user can now view, modify, and delete any folder or resource within the /Samples/NamedTiles/ folder, but can only view all other named resources.
Creating a Named Resources Administrator To view or manage named resources in the repository using Management Console, a user must have an assigned role that allows full access to those resources in addition to the access that is provided by the predefined spatial roles. The predefined spatial roles cannot be modified and a predefined "Named Resources Administrator" role is not provided by the Spectrum™ Technology Platform; however, you can create such a role using a predefined spatial role as a base. 1. In the Management Console, browse to Security then click Roles. 2. Click Add. 3. In the Name field, enter the name you want to give to this role (for example, "resource-admin"). 4. Check the Copy from box then select either the spatial-admin or spatial-user role to use as a starting point. The spatial-admin role provides View, Modify, Create, and Delete permissions for the Location Intelligence Module.Named Resources secured entity type; the spatial-user role provides View permissions. 5. Set additional permissions as follows for these secured entity types: Database Resources: • Centrus Database Resources to View/Modify/Create/Delete/Execute (if required) • Enterprise Routing to View/Modify/Create/Delete/Execute (if required) • Spatial Database Resources to View/Modify/Create/Delete/Execute for a spatial-admin, or to View/Execute for a spatial-user Platform: • • • •
36
Resources - File Servers to View Resources - JDBC Drivers to View Services to View/Modify/Execute System - Version Information to View
Spectrum™ Technology Platform 9.0 SP2
Chapter 3: Managing Security
6. Click OK to save the new resource-admin role. 7. Under Security, click Users. 8. Either select an existing user and click Modify, or click Add to create a new user. 9. Assign the new "resource-admin" role to the user account to allow it to manage and/or view named resources in Management Console. The user now has the access required to view and/or manage named resources in Management Console.
Creating a Spatial Dataflow Designer To create dataflows for Location Intelligence Module stages and services, a user must have both the designer and spatial-user roles assigned. The spatial-user role provides View access to named resources under the Location Intelligence.Named Resources secured entity type. The designer role provides the necessary access to Platform secured entity types such as Dataflows. 1. In the Management Console, browse to Security then click Users. 2. Either select an existing user and click Modify, or click Add to create a new user.
Spectrum Spatial Administration Guide
37
Security for the Location Intelligence Module 3. Assign both the designer and spatial-user roles to the user account.
The user now has permission to view named resources and design dataflows using those resources for Location Intelligence Module stages and services.
Turning off Security for Services and the Repository All services and access to resources used by the Spectrum™ Technology Platform Location Intelligence Module are configured, by default, with authentication turned on. This allows certain functionality to restrict access to resources and the ability to modify resources in the repository. For example, the Named Resource Service AddNamedResource operation, and the CSW service Harvest operation both require authentication, as both of these operations require write permissions to the repository. The service-level authentication can be turned off for all services and the repository. This is useful if you have your own high-level authentication built into the solution that is using the Location Intelligence Module services. To turn off service and repository security, use the JMX console. 1. Access the JMX Console using the following URL: http://localhost:8080/jmx-console/ (replacing localhost and port 8080 with your correct configuration). 2. Under the Domain: com.pb.spectrum.platform.config section, select the administration link for the WebServiceSecurityConfigurationManager. 3. For RestServiceSecurityType and SoapServiceSecurityType enter OPEN in the value field and click set for each. 4. Restart the server. Once finished, security is turned off for the services and repository. Related Links
38
Spectrum™ Technology Platform 9.0 SP2
Chapter 3: Managing Security Disabling Platform Security Versus Turning Off Spatial Security on page 40
Turning off Security for the Repository To turn off repository security: 1. Launch the User Management Service Demo page at http://localhost:8080/Spatial/UserManagementService/DemoPage.html (replacing localhost and port 8080 with your correct configuration). 2. Using admin credentials in the User and Password fields, set the everyone user with the all permission using the following request:
everyone / all false
Once finished, security is turned off for the repository.
Turning off Security for the REST Services To turn off security for REST services: 1. Access the JMX Console using the following URL: http://localhost:8080/jmx-console/ (replacing localhost and port 8080 with your correct configuration). 2. Under the Domain: com.pb.spectrum.platform.config section, select the administration link for the WebServiceSecurityConfigurationManager. 3. For RestServiceSecurityType enter OPEN in the value field and click set. 4. Restart the server. Once finished, security is turned off for the REST services.
Turning off Security for the SOAP services To turn off security for SOAP services: 1. Access the JMX Console using the following URL: http://localhost:8080/jmx-console/ (replacing localhost and port 8080 with your correct configuration). 2. Under the Domain: com.pb.spectrum.platform.config section, select the administration link for the WebServiceSecurityConfigurationManager. 3. For SoapServiceSecurityType enter OPEN in the value field and click set. 4. Restart the server. Once finished, security is turned off for the SOAP services.
Spectrum Spatial Administration Guide
39
Disabling Platform Security Versus Turning Off Spatial Security
Disabling Platform Security Versus Turning Off Spatial Security The Spectrum™ Technology Platform allows you to disable role-based security at the platform level and service-level security as two separate operations. Disabling role-based security at the platform level (by deselecting ‘Limit access according to user permissions’ on the Security > Options node in Management Console) means that the permissions assigned to users (via roles and secured entity overrides) will not be enforced and all users will be able to access all parts of the system. The Location Intelligence Module will then allow access to any named resource in the repository. Turning off service-level security on the JMX Console (by setting RestServiceSecurityType and SoapServiceSecurityType to OPEN) causes the execution of service requests to use the admin user. For the Location Intelligence Module this means that any named resource that is added to the repository is “owned” by the admin user; therefore, running the User Management Service’s getPermissions request will show that non-admin users have only "Read" permissions. Disabling both service-level and role-based security completely opens up the Location Intelligence Module's services and named resources. Running the User Management Service’s getPermissions request will also show that non-admin users now have "All" permissions Related Links Disabling User Security on page 23 Turning off Security for Services and the Repository on page 38
Limiting WebDAV Access to the Repository WebDAV is used as a protocol to access resources within the repository. By default, accessing the repository using WebDAV is not restricted to a particular server, rather open to all servers that can access the repository. You can restrict access to particular servers by modifying the spatial java property file. You can do this by adding the following property that includes a list of hostnames (IPs) that WebDAV is open to (comma separated). A Spectrum server restart is required after the change. To limit repository access using WebDAV: 1. Open the modules/spatial/java.properties file in an editor. 2. Add the following property to the file.
repository.accesscontrol.allows=
3. Include a list of IP addresses that you want to allow WebDAV access. Multiple servers can be added using a comma separated list of IP addresses. Leaving the property empty disables all access using WebDAV for all servers except the machine where Spectrum™ Technology Platform is installed.
repository.accesscontrol.allows=192.168.2.1,192.168.2.2
4. Restart the server.
40
Spectrum™ Technology Platform 9.0 SP2
Chapter 3: Managing Security Once finished, WebDAV access is limited for the repository.
Limiting Server Directory Access Enterprise Designer and Management Console users have the ability to browse the Spectrum™ Technology Platform server's folders and files when selecting an input or output file in a source or sink stage, or when defining a database resource. You may want to restrict file browsing so that sensitive portions of the server cannot be browsed. You can prevent all browsing or you can specify the folders that you want users to be able to browse. The folders you specify appear as the top-level folders in users' file browse windows. For example, if you allow users to only access a folder on the server named WestRegionCustomers, when users browse the server they would only see that folder, as shown here:
To restrict access to the server's file system, follow this procedure. 1. Open Management Console. 2. Under Resources, select Server Directory Access. 3. Do one of the following: • To prevent users from browsing the server entirely, check the box Restrict server directory access and do not perform any of the following steps. Users will have no access to any of the files or folders on the server. • To allow access to some folders on the server, proceed to the following step. 4. Click Add.
Spectrum Spatial Administration Guide
41
Configuring HTTPS Communication 5. In the Name field, give a meaningful name for the folder to which you are granting access. 6. In the Path field, specify the folder to which you want to grant access. Note: Users will be able to access all subfolders contained in the folder you specify. 7. Click OK. 8. If you want to grant access to additional folders, repeat the previous steps as needed. 9. Enforce the restrictions by checking the Restrict server directory access box. Users will now only have access to the folders you have specified. Note: If there are any dataflows that had previously accessed files that are no longer available because of file browsing restrictions, those dataflows will fail.
Configuring HTTPS Communication By default, Spectrum™ Technology Platform communication with the client tools (Enterprise Designer, Management Console, and Interactive Driver) and API occurs over HTTP. You can configure Spectrum™ Technology Platform to use HTTPS if you want to secure these network communications. 1. Stop the Spectrum™ Technology Platform server. • To stop the server on Windows, right-click the Spectrum™ Technology Platform icon in the Windows system tray and select Stop Server. Alternatively, you can use the Windows Services control panel and stop the Pitney Bowes Spectrum™ Technology Platform service. • To stop the server on Unix or Linux, source the /server/bin/setup script then execute the /server/bin/server.stop script. 2. Create a certificate signed by a trusted CA and load it into a JSSE keystore. For more information, see www.eclipse.org/jetty/documentation/current/configuring-ssl.html. 3. Create an XML file named spectrum-override-container-ssl.xml containing the following: 4. Modify the following lines as needed to reflect your environment:
42
Modify the value to be the path to the keystore you are using. This example assumes the keystore in the root of the drive on which the
Spectrum™ Technology Platform 9.0 SP2
Chapter 3: Managing Security Spectrum™ Technology Platform server is installed.
Modify the value to be the password to the key within the keystore.
5. Save the spectrum-override-container-ssl.xml file to SpectrumLocation/server/app/conf/spring. 6. Using a text editor, open the file spectrum-container.properties located in SpectrumLocation/server/app/conf. Uncomment and set the following properties: spectrum.http.port=port spectrum.runtime.port=port spectrum.runtime.hostname=dnsname Where port is the network port to use for communication with the clients (for example 8443) and dnsname is the hostname of the Spectrum™ Technology Platform server. The port you specify must be the same for both spectrum.http.port and spectrum.runtime.port. 7. If you are configuring HTTPS communication for the Location Intelligence Module and Spectrum Spatial services, you must perform additional configuration prior to restarting the Spectrum™ Technology Platform server: a) Modify the java.properties file (SpectrumLocation/server/modules/spatial) by changing all hostnames and ports to be exactly the same as the ones used for the Spectrum™ Technology Platform server. The hostname must match the DNS name of the server and the CN in the certificate. Set property repository.useSecureConnection to true. For example: images.webapp.url=https://www.spectrum.com:8443/Spatial/images thumbnail.location=https://www.spectrum.com:8443/Spatial/Thumbnails repository.host=www.spectrum.com repository.port=8443 repository.useSecureConnection=true b) Modify the service configuration files (SpectrumLocation\server\modules\spatial\Configuration) by changing all repository URLs to use https and the hostname and port defined in the previous step. For example, https://www.spectrum.com:8443/RepositoryService/rmi. Also, change these URLs in the value of the elements listed for the services: MappingConfiguration – WFSConfiguration, WMSConfiguration - ,
c) Upload the modified files into the Repository using WebDAV (see Using WebFolders to Access the Repository Resources on page 15 for instructions). 8. Start the Spectrum™ Technology Platform server. • To start the server on Windows, right-click the Spectrum™ Technology Platform icon in the Windows system tray and select Start Server. Alternatively, you can use the Windows Services control panel to start the Pitney Bowes Spectrum™ Technology Platform service. • To start the server on Unix or Linux, execute the SpectrumLocation/server/bin/server.start script.
Spectrum Spatial Administration Guide
43
Monitoring Your System
In this section: • • • • • • • •
Event Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46 Spatial Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47 Configuring E-mail Notification . . . . . . . . . . . . . . . . . . . . .49 Configuring License Expiration Notification . . . . . . . . . .49 Viewing Version Information . . . . . . . . . . . . . . . . . . . . . . .50 Viewing and Exporting License Information . . . . . . . . . .50 Monitoring Performance . . . . . . . . . . . . . . . . . . . . . . . . . .50 Monitoring Memory Usage . . . . . . . . . . . . . . . . . . . . . . . . .51
4
Event Log
Event Log Viewing the Event Log The event log displays messages from the Spectrum™ Technology Platform server's wrapper log. The event log contains information about server operations as well as requests made to services from the API and through web services. Use the event log when you experience trouble and are looking for information about possible causes. 1. Open the Management Console. 2. Expand Event Log then click Events. 3. Click Refresh to view the latest entries. 4. Check Show events upon open to automatically load the event log. If you do not check this option you must click the Refresh button to view the latest information. You can also view the event log by using a text editor and opening the file ServerLocation\server\app\repository\logs\wrapper.log.
Setting Event Log Options You can specify the default logging level as well as logging levels for each service on your system. When you change logging levels the change will not be reflected in the log entries made before the change. 1. Open the Management Console. 2. Expand Event Log then click Options. 3. Click the System default logging level drop-down list to select an event logging level. Event logging levels include the following: Disabled
No event logging enabled.
Fatal
Minimal logging, logs only fatal errors. Fatal errors are those that make the system unusable.
Error
Logs only errors and fatal errors. Errors make a single call unusable, possibly a single service, but not the whole system. The inability to load a specific service might be an error since other services would be available.
Warn
Event warnings and errors are logged. Warnings indicate problems that do not stop the system from working (for example, when loading a service where a parameter has an invalid value, a warning is issued and the default parameter is used). During the use of a service, if results are returned but there is a problem, a warning will be logged. An example might be that casing was set to lower case, but Canadian does not support casing. Results are returned with a warning that the casing option was ignored.
Info
Logging of high-level system information. This is the most detailed logging level suitable for production. Info level will typically be used during startup and initialization, providing product and version information, which services were loaded, etc.
Debug
A highly detailed level of logging, suitable for debugging problems with the system.
Trace
The most detailed level of logging, tracing program execution (method entry and exit). It provides detailed program flow information for debugging.
Each logging level includes the ones above it on the list. In other words, if Warning is selected as the logging level, errors and fatal errors will also be logged. If Info is selected, informational messages, warnings, errors, and fatal errors will be logged. Note: Selecting the most intensive logging level can affect system performance. Therefore, you should select the least intensive setting that meets your particular logging requirements.
46
Spectrum™ Technology Platform 9.0 SP2
Chapter 4: Monitoring Your System 4. If you want to specify different logging levels for each service choose the logging level you want.
Spatial Logging The JMX Console is equivalent to logger name="com.mapinfo.midev" in the logback.xml file. If you want to see debug info for a short time, use JMX Console, otherwise, use logback. The remote components (feature and mapping) in the JMX Console can be configured individually: • Spatial:name=Logging,type=Remote Feature Component • • • • • •
Feature Service Geometry Service Named Resource Service User Management Service WFS CSW
• Spatial:name=Logging,type=Remote Mapping Component • Mapping Service • Map Tiling Service • WMS
Users can enable debugging and specify additional output file for each one of them. By default, log messages go into wrapper.log. Services in a component will output to the same file and cannot be further split. The configuration change made here will not persist, and will be lost after restart. The logback.xml file provides finer control on logging behavior, such as sending output to a log file instead of by default sending it to the console which redirects to the wrapper.log. You can also set the log level to turn off logging altogether or log only fatal errors, for example. As described above for the JMX Console, the log can only be redirected based on components (feature and mapping), not by services. Default logback file:
[${component.name}] - [%thread] %-5level %logger{35} %msg%n ${g1.server.modules.dir}/spatial/${component.name}.log %d [%thread] %-5level %logger{35} - %msg%n true 10MB ${component.name}.log.%i 1
48
Option
Values
Level
• • • • •
Output
• CONSOLE-SPATIAL –sends log information to the JMX Console [default] • FILE-SPATIALL–sends log information to a log file based on component (feature or mapping)
OFF–turn off logging ERROR–log runtime or unexpected errors WARN–log warnings only; for example, using a deprecated API INFO–log runtime events such as startup or shutdown [default] DEBUG–log detailed debugging information
Spectrum™ Technology Platform 9.0 SP2
Chapter 4: Monitoring Your System
Configuring E-mail Notification Spectrum™ Technology Platform can alert you to potential problems to ensure that critical business processes are not interrupted. Notifications are sent as a result of conditions within dataflows and process flows. The messages can be formatted to contain context-sensitive information about the event that occurred. 1. Open the Management Console. 2. Expand System then click Notification. 3. In the Host field, enter a valid host name or IP address. 4. Enter a valid port number or range in the Port field. The default is 25. 5. Enter the user name for logging on to the SMTP server in the User Name field. 6. Enter a password for logging on to the SMTP server in the Password field. 7. If you completed the Password field, re-enter the password for logging on to the SMTP server in the Confirm Password field. 8. Enter a valid e-mail address to where notification e-mail will be sent in the From Address field. 9. Enter a valid e-mail address to where notification e-mail will be sent in the Test Address field. This is used to ensure the notification process works. 10. Click Test to send a test message.
Configuring License Expiration Notification You can have Spectrum™ Technology Platform send an email notification when a license is about to expire. 1. Open the Management Console. 2. Expand System then click Notification. 3. In the Host field, enter a valid host name or IP address. 4. Enter a valid port number or range in the Port field. The default is 25. 5. Enter the user name for logging on to the SMTP server in the User Name field. 6. Enter a password for logging on to the SMTP server in the Password field. 7. If you completed the Password field, re-enter the password for logging on to the SMTP server in the Confirm Password field. 8. Enter a valid e-mail address to where notification e-mail will be sent in the From Address field. 9. Enter a valid e-mail address to where notification e-mail will be sent in the Test Address field. This is used to ensure the notification process works. 10. Click Test to send a test message. 11. Click the Expiration Settings tab. 12. In the Days before expiration to send notification field, specify the number of days in advance that you want to be notified of a pending license or data expiration. For example, if you want to be notified 30 days before a license expires, specify 30. 13. Check the Send expiration notification check box. 14. Click Add and specify the email address you want to receive the notification. 15. Select File > Save.
Spectrum Spatial Administration Guide
49
Viewing Version Information
Viewing Version Information 1. In Management Console, expand System then click Version Information. 2. The Version Information window presents information on the configured services. Expanding the Server Information, System Information, Service Information, and Component Information folders will present the corresponding details. This includes versions numbers of the server, the operating system, the service software, and component versions. Note: This information is view-only.
Viewing and Exporting License Information 1. Open the Management Console. 2. Expand System then click Licensing. 3. Click the Expiration Info tab to view a list of licenses that are about to expire. Only licenses that are within the period specified on in the Notification node, Expiration Settings tab, are displayed. 4. Click the License Information tab to view a complete listing of all licenses installed on your system. To export your license information to a .lic file, click Export. This is helpful when resolving license issues with technical support.
Monitoring Performance The Spectrum™ Technology Platform JMX console provides a performance monitoring tool that records performance statistics for each stage in a dataflow. Use the JMX console to identify bottlenecks and observe the effects of different performance tuning adjustments. 1. Open a web browser and go to http://:/jmx-console Where: is the IP address or hostname of your Spectrum™ Technology Platform server. is the HTTP port used by Spectrum™ Technology Platform. The default is 8080. 2. Enter "admin" for both the user name and password. 3. Under " Domain: com.pb.spectrum.platform.performance", click com.pb.spectrumplatform.performance:server=PerformanceMonitorManager. 4. Click the Invoke button next to enable. 5. Click Return to MBean View to go back to the PerformanceMonitorManager screen. Performance monitoring is now enabled. When a dataflow runs, the performance statistics will display at the top of the PerformanceMonitorManager screen.
50
Spectrum™ Technology Platform 9.0 SP2
Chapter 4: Monitoring Your System
Note the following: • The statistics are reported in a semicolon-delimited format. The first row is the column header. We recommend putting the data into a spreadsheet for easier viewing. • The time values in the report (Avg, Min, Max, Total) are displayed in milliseconds. • You must refresh the screen to see updates. • To reset the counters, click the Invoke button next to reset. • If you stop the Spectrum™ Technology Platform server, performance monitoring will be turned off. You will have to turn it back on when you start the server again.
Monitoring Memory Usage The JMX Console allows you to monitor the JVM heap usage of each remote component. The monitoring processes for Spectrum Spatial are: • Spatial:name=Process,type=Remote Feature Component • • • • • •
Feature Service Geometry Service Named Resource Service User Management Service WFS CSW
• Spatial:name=Process,type=Remote Mapping Component • Mapping Service • Map Tiling Service • WMS
Spectrum Spatial Administration Guide
51
Monitoring Memory Usage
Memory usage (HeapMemoryUsage and NonHeapMemoryUsage) is based on the standard JVM memory MBean. It shows the memory usage of the JVM that the remote component running on. It includes the amount of init, max, committed and used memory. RuntimeName includes the process ID that you can use to find more information from the operating system (for example, by using the Windows Task Manager), or even kill the process. In the heap sections, ={committed=72351744, init=65157504, max=954466304, used=6559552}) are shown in bytes. The number is for a particular remote component, which includes multiple services. Each remote component runs in its own JVM, and the JVM only runs this component. Init is the initial amount JVM allocated (-Xms); max is the one specified by –Xmx. Used is the amount of memory that used by JVM for objects. The relationship is like this: –Xms < committed < -Xmx, and used < committed. You can modify the heap memory by modifying the -Xm in the java.vmargs file under the spatial folder (\Pitney Bowes\Spectrum\server\modules\spatial\java.vmargs). See Increasing Heap Memory for more instructions.
52
Spectrum™ Technology Platform 9.0 SP2
Managing Memory and Threading
In this section: • • • •
Introduction to Managing Memory and Threading . . . . .54 Spectrum Performance Tuning . . . . . . . . . . . . . . . . . . . . .54 Increasing Heap Memory for Spatial Components . . . . .55 Increasing Heap Memory for the Platform . . . . . . . . . . . .55
5
Introduction to Managing Memory and Threading
Introduction to Managing Memory and Threading This section describes approaches for improving performance by managing memory and threading, and also relates best practices for optimizing the performance of the Location Intelligence Module. It is intended for experienced administrators.
Spectrum Performance Tuning Spectrum provides several tuning options to optimize performance of the server. The optimal selection of settings is dependent on the nature of the deployment. To create a well-tuned server environment, it is recommended that performance tests should be executed in the deployed environment to determine optimal settings. This section provides some general guidance on performance tuning.
JVM Tuning Spectrum is a Java server, and as a result, JVM tuning parameters can be used to optimize performance of remote components. The JVM can be configured through the //server/modules/spatial/java.vmargs file. To optimize Spectrum's performance using JVM tuning parameters: 1. Stop the Spectrum server. 2. Open the java.vmargs file in a text editor. Set the maximum memory allocation on the JVM. An allocation of 512m for each active CPU core is generally appropriate. Do not exceed the maximum memory available to your operating system and leave a suitable space for the operating system to do its work. 3. Save the file. 4. Restart Spectrum.
Remote Components Configuration Each spatial service component in Spectrum™ Technology Platform is deployed into its own JVM instance separate from the platform run time. This ensures the platform is independent of the modules within it and that JVM configuration can be applied per service, allowing flexibility of memory allocation and tuning for performance based on the characteristics of the service. Remote components supply spatial functions to spatial services and stages. The pool size for a remote component is the number of requests the component can handle concurrently. This affects the throughput of both spatial services and spatial stages. Two remote components exist for the Location Intelligence Module: feature and mapping. Each of these components encompasses several services: • spatial.feature • • • • •
Feature Service Geometry Service Named Resource Service WFS CSW
• spatial.mapping • Mapping Service
54
Spectrum™ Technology Platform 9.0 SP2
Chapter 5: Managing Memory and Threading • Map Tiling Service • WMS
Modifying the Pool Size In addition to JVM tuning, you can also adjust the pool size of the spatial remote components. The pool size for a remote component is the number of requests the component can handle concurrently. This setting represents the number of threads on the components that are listening for service requests from the Spectrum™ Technology Platform or executing a Location Intelligence Module stage (that is, the maximum number of managed connections). Every web service request enters Spectrum from the platform and is passed to the components. The default value of 1 can be increased to accommodate greater request loads. A pool size that matches the number of CPUs is recommended. The maximum setting should not go above twice the number of the CPU core; for example, on a 4 CPU machine the combined number of threads for all services should not exceed 8. Performance tests should be run with various settings until optimal performance is achieved for the usage. You have the ability to adjust the pool size in Management Console for the spatial remote components: 1. Open the Management Console. 2. Expand Modules > Location Intelligence > Tools then click Remote Components. 3. Select the spatial component for which you want to adjust the pool size: spatial.feature or spatial.mapping. 4. Click Modify. The Modify Pool Size dialog box appears. 5. Change the pool size using the arrows or by typing in a value. 6. Click OK. 7. If you decreased the pool size, restart the server. (Increasing the pool size does not require a server restart.) Related Links Remote Components Configuration on page 54
Increasing Heap Memory for Spatial Components To increase the heap memory for spatial remote components: 1. Stop the Spectrum server. 2. In a text editor, open the java.vmargs file from \Pitney Bowes\Spectrum\server\modules\spatial\java.vmargs. 3. Change the vmargs default of 1GB (1024MB). For example, to increase the memory to 2GB, change the vmargs from the default of -Xmx1024m -Djava.io.tmpdir=../app/tmp to -Xmx1536m -Djava.io.tmpdir=../app/tmp. This increases the memory of each spatial remote component to 1.5GB and enables remote components to connect via Jconsole for debugging. 4. Save the java.vmargs file. 5. Restart the Spectrum server.
Increasing Heap Memory for the Platform To increase the heap memory for the Spectrum platform: 1. Stop the Spectrum server.
Spectrum Spatial Administration Guide
55
Increasing Heap Memory for the Platform 2. In a text editor, open the wrapper.conf file from \Pitney Bowes\Spectrum\server\bin\wrapper. 3. Change the vmargs default of 1GB (1024MB). For example, to increase the memory to 2GB: # Maximum Java Heap Size (in MB) wrapper.java.maxmemory=2048 4. Save the java.vmargs file. 5. Restart the Spectrum server.
56
Spectrum™ Technology Platform 9.0 SP2
Managing a Cluster
In this section: • Clustered Architecture for the Location Intelligence Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58 • Configuring a Common Repository . . . . . . . . . . . . . . . . .59 • Configuring Your System . . . . . . . . . . . . . . . . . . . . . . . . . .62 • Using Client Tools with a Cluster . . . . . . . . . . . . . . . . . . .64 • Removing a Node from a Cluster . . . . . . . . . . . . . . . . . . .64 • Shutting Down a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . .65
6
Clustered Architecture for the Location Intelligence Module
Clustered Architecture for the Location Intelligence Module In a clustered environment, processing is shared among two or more instances of the server. The diagram below illustrates the deployment architecture of such a configuration. Load balancing can be used to support high availability and scaling. The deployment architecture includes a load balancer, a Spectrum Spatial cluster, a database, and a file share. With this approach it is possible to scale both horizontally and vertically. You can cluster the Location Intelligence Module with or without platform clustering, starting from version 8.0.
Load Balancer The load balancer spreads requests between the Spectrum Spatial instances. Any load balancer that supports load balancing HTTP/HTTPs requests can be used. Spectrum Spatial Cluster The cluster is a collection of Spectrum instances with LIM sharing administration, named resources, geographical metadata content and configuration settings. Additional nodes can be added to the cluster
58
Spectrum™ Technology Platform 9.0 SP2
Chapter 6: Managing a Cluster for resilience or to deliver support for greater loads. Each node can be scaled vertically through additional hardware resources and/or additional instances should this be required for hardware with massive resources. Spectrum can be configured to use restricted numbers of CPUs. Database Spectrum stores named resources (maps, layers, tables and styles), geographic metadata and configuration in a repository. In the default single server installation an embedded database is used to store these resources on the local server. To create a resilient scalable solution this embedded database should be replaced with a resilient independent database. Oracle, PostGreSQL (PostGIS) and Microsoft SQL Server are the supported repository databases. In the load balanced configuration, Spectrum nodes cache these resources in a local cache and search index in each node in the cluster. When a Spectrum node receives a request it uses the local cache and index to find resources. Named resources can be added through any node in the cluster. Each node keeps its cache current by checking for differences between its local cache and the central database. This check occurs every 2 seconds by default. Time frequency can be configured. This architecture ensures the server delivers high performance transactions and the load on the repository database is kept to a minimum. If a new Spectrum node is added to the cluster the cache and index are created automatically. Such a scenario can occur to remedy a node failure or grow the capability of the deployment. File Share The file share provides a folder to hold map images generated by Spectrum. When maps are rendered using the web services the server supports the map images being returned through URLs or returned as a base 64 encoded image. When a URL is returned the map image is stored as a file and served on request of the URL. To ensure any Spectrum node can return the map image a file share is used to store the images.
Configuring a Common Repository You must configure Spectrum to use a common repository database for a clustered environment. This ensures that named resources, geographic metadata and configuration settings are managed across the cluster. You can configure Spectrum to use a common repository database using a PostgreSQL, an Oracle, or a Microsoft SQL Server database. The repository is installed with a set of named resources, geographic metadata and configuration files. To migrate these resources to the common database repository the resources need to be exported from the default internal repository database and reimported into the new shared repository database. To provide support for bulk export/import of repository content, the repository provides a WebDAV interface.
Set Up a PostgreSQL Repository Database These steps describe how to set up your repository on a PostgreSQL database: 1. Copy all repository resources to a local folder using WebDAV. The contents of the installed repository must be exported. This step only needs to be performed once, as the contents of the repository should be the same at this point for all instances of Spectrum™ Technology Platform. 2. Back up the folder //server/modules/spatial/jackrabbit to a local directory or disk. 3. Stop Spectrum. 4. On all instances of Spectrum™ Technology Platform, add the database JDBC drivers to the Spectrum common lib directory to allow it to use the selected database.
Spectrum Spatial Administration Guide
59
Configuring a Common Repository Copy the //server/modules/spatial/lib/postgresql-x.x-xxx.jdbc4.jar file to //server/app/lib/postgresql-x.x-xxx.jdbc4.jar. 5. On all instances of Spectrum™ Technology Platform, edit the //server/modules/spatial/jackrabbit/repository.xml file to point the repository to a database and add clustering. There are four separate changes you need to make: a) Modify the two FileSystem sections within the Repository and Workspace sections of the file: b) Modify the Persistence Manager within the Workspace: c) Enable Clustering at the end of the file, right above the tag. Each instance of Spectrum will need to have a distinct Cluster id to enable synchronization of clustering to work. The delay defines the time delay for synchronization in milliseconds. d) Comment out the DataStore section: 6. On all instances of Spectrum™ Technology Platform, remove the following folders from the /server/modules/spatial/jackrabbit directory: repository, version, workspaces. 7. If your PostgreSQL database has previously had repository content added, you must remove tables from your database so a clean repository can be created. If you are starting with a new database, please make sure the tables do not exist. The following tables need to be removed from the database: public.default_names_id_seq public.default_binval public.default_bundle public.default_names public.default_refs
60
Spectrum™ Technology Platform 9.0 SP2
Chapter 6: Managing a Cluster
public rep_fsentry public.rep_global_revision public.rep_journal public.rep_local_revisions public.security_binval public.security_bundle public.security_names public.security_refs 8. Start Spectrum. 9. Restore the resources by copying them from the local folder into the Repository using WebDAV. Import the content of the repository you previously exported back into the repository. This step only needs to be performed on one of the Spectrum™ Technology Platform instances.
Set Up an Oracle Repository Database These steps describe how to set up your repository on an Oracle database: 1. Copy all repository resources to a local folder using WebDAV. The contents of the installed repository must be exported. This step only needs to be performed once, as the contents of the repository should be the same at this point for all instances of Spectrum™ Technology Platform. 2. Back up the folder //server/modules/spatial/jackrabbit to a local directory or disk. 3. Stop Spectrum. 4. On all instances of Spectrum™ Technology Platform, verify an Oracle JDBC Driver exists under the folder /server/app/lib (for example, ojdbc6-11.2.0.3.jar). 5. On all instances of Spectrum™ Technology Platform, edit the //server/modules/spatial/jackrabbit/repository.xml file to point the repository to a database and add clustering. There are four separate changes you need to make: a) Modify the two FileSystem sections within the Repository and Workspace sections of the file: b) Modify the Persistence Manager within the Workspace:
Spectrum Spatial Administration Guide
61
Configuring Your System c) Enable clustering at the end of the file, right above the tag. Each instance of Spectrum will need to have a distinct id to enable synchronization of clustering to work. The delay defines the time delay for synchronization in milliseconds. d) Comment out the DataStore section: 6. On all instances of Spectrum™ Technology Platform, remove the following folders from the /server/modules/spatial/jackrabbit directory: repository, version, workspaces. 7. If your Oracle database has previously had repository content added, you must remove tables from your database so a clean repository can be created. If you are starting with a new database, please make sure the tables do not exist. The following tables need to be removed from the database: public.default_names_id_seq public.default_binval public.default_bundle public.default_names public.default_refs public rep_fsentry public.rep_global_revision public.rep_journal public.rep_local_revisions public.security_binval public.security_bundle public.security_names public.security_refs 8. Start Spectrum. 9. Restore the resources by copying them from the local folder into the Repository using WebDAV. Import the content of the repository you previously exported back into the repository. This step only needs to be performed on one of the Spectrum™ Technology Platform instances.
Configuring Your System Once the Spectrum™ Technology Platform is installed and you have configure a common repository, you need to configure your instance before you can replicate it to another virtual machine. If you are not using a virtual machine environment, you will need to perform these steps on each of your Spectrum™ Technology Platform installations.
Adding a Map File Share You can add a map file share (a shared image folder) to Spectrum™ Technology Platform. (To create a map file share, see Setting Up a Map Image File Share on page 63.)
62
Spectrum™ Technology Platform 9.0 SP2
Chapter 6: Managing a Cluster To add a map file share: 1. Modify the Mapping Service configuration by pointing to a shared image folder and load balance server. In the ImageCache change the Directory parameter to a common image directory, and change the AccessBaseURL parameter to the load balancer machine image URL. If you are using a virtual machine environment, remember this IP address, as you must set the load balancer VM to this IP address. /mnt//images http:///Spatial/images 30 30 2. Set up symbolic link to enable map images to go to the shared file system. cd //server/modules/spatial rm –Rf images ln -s / mnt//images
Setting Up a Map Image File Share The file share provides a folder to hold map images generated by Spectrum Spatial. Create a shared folder accessible to all Spectrum nodes. The file share is not required if maps are returned from the web services as Base64-encoded images. To set up a map image file share: 1. Mount a shared folder on each operating system hosting Spectrum. The commands below mount a drive on a Microsoft Windows Server or network drive supporting CIFS. mkdir /mnt/ mount -t cifs /// /mnt/-o username=shareuser,password=sharepassword,domain=pbi 2. Set the image share to load at startup in /etc/fstab. ///share /path_to/mount cifs username=server_user,password=secret,_netdev 0 0
Modifying the Service Configurations To modify the service configurations for load balancing: In each service configuration file, change the to point to the load balance server repository URL. The RepositoryURL should change to point to the balancer from http:///RepositoryService/rmi to http:///RepositoryService/rmi.
Modifying Java Properties File To modify the java properties for Spectrum™ Technology Platform: 1. Modify the java.properties file, located in /server/modules/spatial/java.properties, to point to the load balance server.
Spectrum Spatial Administration Guide
63
Using Client Tools with a Cluster 2. Change the images.webapp.url and all of the service host and port numbers to point to the load balance server.
Configuring Ports for Multiple Spectrum Instances If you have multiple Spectrum™ Technology Platform instances on a single machine, you must change the port numbers. To change the port numbers for each Spectrum™ Technology Platform instance: 1. Change all ports in /server/app/conf/spectrum-container.properties to new port values that are not in use. The http port reflects the port number entered in the installer. 2. Update the rmi port in bootstrap.properties in the bin/jackrabbit folder (for example, 11099). The default is 1099.
Shared Spectrum Local Data If you are using TAB file data on the file system, this data needs to be in a shared location accessible by all instances of Spectrum in the load balanced environment. It is also important to note that all named resources in the repository accessing data on the file system should point to this shared location. Each VM or machine hosting Spectrum needs to have access to the mounted shared drive. Note: Using named resources that point to database tables do not require a shared drive, as the named resources in the repository do not access the data using a file path; rather they use a named connection to the data in the database.
Using Client Tools with a Cluster 1. Launch the client tool (Management Console, Enterprise Designer, or Interactive Driver). 2. In the Server name field, enter the server name of the load balancer. 3. In the Port field, enter the port that you have configured the load balancer to listen on. Note: Input files, output files and database resources must be on a shared drive, or file server, or some commonly-accessible location. Otherwise, all files must be loaded on each server that hosts a Spectrum™ Technology Platform server and must be located in the same path. Once you have logged in you can use the client tool as normal. The actions you take will apply to all Spectrum™ Technology Platform instances in the cluster where you are logged in.
Removing a Node from a Cluster To remove a node from a cluster, stop the Spectrum™ Technology Platform server. • On Unix or Linux, change the working directory to the Spectrum™ Technology Platform server's bin directory, source the setup file, then type the following command: ./server.stop . • On Windows, right-click the Spectrum™ Technology Platform icon in the system tray and select Stop Server. If you do not want the server to rejoin the cluster the next time it starts up, open the file server/app/conf/spectrum-container.properties in a text editor and set spectrum.cluster.enabled to false.
64
Spectrum™ Technology Platform 9.0 SP2
Chapter 6: Managing a Cluster For Location Intelligence Module users: If you want to keep the node standalone and able to run outside the cluster, copy back the original repository.xml file and remove the following folders from the /server/modules/spatial/jackrabbit directory for each instance of Spectrum™ Technology Platform: repository, version, workspaces. Restart the server and import the repository content.
Shutting Down a Cluster To shut down an entire cluster: • Shut down each Spectrum™ Technology Platform server in the cluster. • On Unix or Linux, change the working directory to the Spectrum™ Technology Platform server's bin directory, source the setup file, then type the following command: ./server.stop . • On Windows, right-click the Spectrum™ Technology Platform icon in the system tray and select Stop Server. • When restarting the cluster, you must first start the node that was shut down last. Important: You must start up the last node that was shut down before starting up the other nodes in order to prevent loss of data such as job history and configuration settings.
Spectrum Spatial Administration Guide
65
Troubleshooting Your System
In this section: • Rebuilding a Corrupt Repository Index . . . . . . . . . . . . . .68 • Monitoring Memory Usage of a Non-Responsive Server .68
7
Rebuilding a Corrupt Repository Index
Rebuilding a Corrupt Repository Index Sometimes the repository can become corrupt if the server is shut down abruptly or the Java process is killed (manually or due to a power outage). As a result, you may be unable to get resources that were previously searchable, and there will be no errors or warnings in the logs. Once you verify that permission changes are not the cause, rebuild the index to fix this issue: 1. Shut down the server. 2. Delete the index directory at the following locations: • \server\modules\spatial\jackrabbit\workspaces\default • \server\modules\spatial\jackrabbit\workspaces\security • \server\modules\spatial\jackrabbit\repository 3. Restart the server. Jackrabbit re-creates the index at the above locations while booting. After rebuilding the index, the search works correctly again.
Monitoring Memory Usage of a Non-Responsive Server If your Spectrum server stops responding, you can follow the steps below to monitor its performance and resource consumption. This monitoring provides information you can use to adjust memory and threading usage. 1. Check whether a service other than the Mapping Service is working. For example, start the Feature Service on the demo page: http://:/Spatial/FeatureService//DemoPage.html. This determines whether the whole server is down or just the Mapping Service. 2. Verify you have enough disk space for both Mapping and MapTiling images to be stored by inspecting the configuration files: • Mapping: http://localhost:8080/RepositoryService/repository/default/Configuration/MappingConfiguration under " C:\Program Files\Pitney Bowes\Spectrum/server/modules/spatial/images " • MapTiling: "http://localhost:8080/RepositoryService/repository/default/Configuration/MapTilingConfiguration" under "" 3. Stop the Spectrum server. 4. In a text editor, open the java.vmargs files from \Pitney Bowes\Spectrum\server\modules\spatial\java.vmargs. 5. Change the vmargs from the default of -Xmx1024m -Djava.io.tmpdir=../app/tmp to -Xmx1536m -Djava.io.tmpdir=../app/tmp . This increases the memory of each spatial remote component to 1.5GB and enables remote components to connect via Jconsole for debugging. Note: You can increase memory to 2 GB if you have enough memory on the server (for example,-Xmx2048m). 6. Save the java.vmargs file. 7. Start the server wrapper: a) Open a command prompt as Administrator.
68
Spectrum™ Technology Platform 9.0 SP2
Chapter 7: Troubleshooting Your System b) Go to \Pitney Bowes\Spectrum\server\bin\wrapper directory and type wrapper.exe -c. This Spectrum server will start in a few minutes. 8. When the server is started, run the following requests from the demo pages: a) Open http://:/Spatial/MappingService/DemoPage.html and run the List Named Maps request. b) Open http://:/Spatial/FeatureService/DemoPage.html and run the List Table Names request. 9. Go to \Pitney Bowes\Spectrum\java64\bin and run jconsole.exe. 10. Under Local Process, select the wrapper process. 11. In Jconsole, add a new session and select the Feature Service process. 12. In Jconsole, add a new session and select the Mapping Service process. 13. Leave Jconsole running to monitor the memory, CPU, threads, and so on for the Spectrum Platform wrapper for Feature Service and Mapping Service.
Spectrum Spatial Administration Guide
69
Appendix - Managing Security with the User Management Service
In this section: • Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72 • Managing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73 • Setting User Permissions . . . . . . . . . . . . . . . . . . . . . . . . .75
8
Introduction
Introduction This chapter provides a basic introduction to the User Management Service. It describes what the User Management Service is and rules for using it.
What Is the User Management Service? The User Management Service provides a simplified interface to manage security for the repository, focused on how to restrict who can access the resources in the repository. Setting security allows you to expose or restrict different resources (subsets of your data and resources) to different users or departments. To enforce this, security has been added to Spectrum™ Technology Platform that allows you to specify which users get to see what resources. The Spectrum™ Technology Platform repository security is managed using an internal ACL (Access Control List). This allows you to specify which users are granted access to resources, as well as what operations are allowed on given resources. The operations for repository user management are performed using the User Management SOAP interface.
Service URL Formats The URL endpoint for the User Management SOAP service has the following general form:
http://localhost:8080/soap/UserManagementService
The URL for the User Management WSDL has the following general form:
http://localhost:8080/soap/UserManagementService?wsdl
The URL for the User Management service Demo page has the following general form:
http://localhost:8080/Spatial/UserManagementService/DemoPage.html
Creating and Managing Users For Spectrum™ Technology Platform Creating and managing users is a two step process: 1. Create the user using the Spectrum™ Technology Platform Management Console. This allows the user to authenticate with the Spectrum™ Technology Platform services. 2. Give the user permissions using the User Management Service SOAP interface. This allows the user to access resources in the repository. Note: You do not have to add the admin or guest users to Spectrum™ Technology Platform. These users have already been created.
72
Spectrum™ Technology Platform 9.0 SP2
Chapter 8: Appendix - Managing Security with the User Management Service
Rules Using the User Management Service SOAP Interface The following rules apply when setting permissions for users using the User Management SOAP Interface: 1. You must first have created users in the Spectrum™ Technology Platform Management Console (giving them access to the services). 2. There is a default 'everyone' user group that is applied to resources when you do not specify set permissions. This user group has READ permissions. So all users have READ permissions on a resource unless modified using the User Management SOAP Interface. 3. It is preferred that you set permissions on a repository node (folder) rather than a specific resource. This makes repository management easier to maintain. 4. You need to provide a user read, add, and modify permissions to allow them the ability to add Named Tables using the Management Console, modify any resources in the repository, add or modify any resources using the Named Resource Service, or perform a harvest operation using the CSW Service. 5. You do not have to add the admin or guest users. These users have already been created. The following permissions are required for performing the following actions, either directly using WebDAV or WebFolder, using the Resource Management service, or harvesting metadata using the CSW service: Action
Read
Access a subfolder
X
Add a subfolder
X
Remove a subfolder
X
Add files to a folder
X
Remove files from a folder
X
Update files in a folder
X
Add
Remove
Modify
All
X X X
X X
Modify permissions of a folder
X X X
Managing Users This section describes how to manage users in Spectrum™ Technology Platform, specifically create, modify, and delete users that access the management consoles and services. You must create all users using the Management Console, and set permissions to access the repository using the User Management Service.
Starting the Management Console Start the Spectrum™ Technology Platform Management Console by selecting Start > Programs > Pitney Bowes > Spectrum™ Technology Platform > Client Tools > Management Console from your desktop. To connect to the Spectrum™ Technology Platform Management Console: 1. Type in the server name or select it from the drop-down list. Note: If you have multiple instances of the Management Console accessing the same Spectrum™ Technology Platform server, it is possible for one user to overwrite another user's changes. Therefore, it is recommended that you do not run multiple instances of the Management Console against the same server. 2. Enter your user name, password, and the port number. 3. Click the Use secure connection box if you want communication between the client and the server to take place over an HTTPS connection.
Spectrum Spatial Administration Guide
73
Managing Users 4. Click Login. If this is your first time connecting, the user will default to "admin" and you must connect with a password. Note: The default port number is 8080 for HTTP connections. Use the port number appropriate for your environment. Once you have successfully connected, this value will default for the next connection attempt.
Enabling User Permissions For Consoles Spectrum™ Technology Platform can enforce permissions on user accounts when accessing the client consoles, providing you with additional control of the actions a user can take. 1. Open the Management Console. 2. Expand Security then click Options. 3. Click the Limit access according to user permissions checkbox to limit access to the permissions established for individual users. For instructions on defining permissions for each user, see Adding a New User on page 74, Modifying a User on page 74, or Deleting a User on page 74.
Managing User Accounts This section describes you how to create users and set user security privileges for Spectrum™ Technology Platform consoles.
Adding a New User 1. Open the Management Console. 2. Expand Security then click Users. 3. Click Add. The New User window appears. 4. Leave the Enable user box checked if you want this user account to be available for use. 5. Enter the user name in the User name field. Note: User names can only contain ASCII characters. 6. Enter the user's password in the Password field. 7. Reenter the user's password in the Confirm password field. 8. Enter the user's email address in the Email address field. 9. Enter a description of the user in the Description field. 10. Select the roles, if any, you want to assign to this user. 11. Click OK.
Modifying a User 1. Open the Management Console. 2. Expand Security then click Users. 3. Select the user whose permissions you want to modify and click Modify. The User Properties window appears in which can modify the user name, password, email address, description, and roles. 4. Click OK to save your changes.
Deleting a User 1. Open the Management Console. 2. Expand Security then click Users. 3. From the User Management screen, select the user you want to delete and click Delete.
74
Spectrum™ Technology Platform 9.0 SP2
Chapter 8: Appendix - Managing Security with the User Management Service 4. Click Yes to delete or No to cancel. Note: The admin user account cannot be deleted.
Setting User Permissions This section introduces the User Management SOAP Interface for managing users and permissions for resources in the repository. This interface allows you to get, set, add, or remove permissions for a user. Use the demo page for the User Management Service as a quick tool for managing user permissions. Simply modify the sample requests to meet your needs. The User Management Service demo page is located at http://localhost:8080/Spatial/UserManagementService/DemoPage.html The User Management Service provides the following operations:
GetPermissionsRequest Returns the permissions for a particular user for a specified repository node or resource. Parameters The following parameters are used: Parameter
Example
Description
action
GetPermissionsRequest Specifies the method name to get the permissions for a user.
UserName
user1
Specifies the user to return permissions.
ResourcePath /Samples/NamedTables/WorldTable Specifies the specific repository node (directory) or resource to return the permissions. The resources specified in resourcePath are listed from the top level of the repository http://localhost:8080/RepositoryService/repository/default/.
Example The following example returns the permissions on the WorldTable resource for the user user1.
user1 /Samples/NamedTables/WorldTable
Spectrum Spatial Administration Guide
75
Setting User Permissions
SetPermissionsRequest Defines the permissions for a particular user for a specified repository node or resource. When you set permissions, the basic read permissions are always kept for the user, however any additional permissions that were previously set or added are removed. For example if you set the modify permission for a user who currently had the all permission, that user will now have only read and modify permissions, and no longer have the all permission. Parameters The following parameters are used: Parameter
Example
Description
action
SetPermissionsRequest Specifies the method name to set permissions for a user.
UserName
user1
Specifies the user to set permissions.
ResourcePath /Samples/NamedTables/ Specifies the specific repository node (directory) or resource to set the permissions. The resources specified in resourcePath are listed from the top level of the repository http://localhost:8080/RepositoryService/repository/default/. Permissions add
Specifies the permissions. There are five valid permission types: read, all, add, modify, and remove.
Recursive
Specifies if this operation should be performed recursively on all child nodes of the given node in the repository. The default for recursive permission setting is false. If setting permissions on individual resources in the repository, the Recursive option will have no effect.
false
Example The following example sets the permissions for user1 on the NamedTables node (and all child nodes) to add and modify. After performing this operation the user1 will have read, add, and modify permissions on the NamedTables node and all of the child nodes.
user1 /Samples/NamedTables/ add modify true
76
Spectrum™ Technology Platform 9.0 SP2
Chapter 8: Appendix - Managing Security with the User Management Service
AddPermissionsRequest Adds new permissions to the users' set of permissions for a specified repository node or resource. When you add permissions, the existing permissions are always kept for the user, and the new permissions are appended. For example if you add a modify permission for a user that currently has read and remove permissions, that user will now have read, remove, and modify permissions. Parameters The following parameters are used: Parameter
Example
Description
action
AddPermissionsRequest Specifies the method name to add permissions for a user.
UserName
user1
Specifies the user to add permissions.
ResourcePath /Samples/NamedTables/ Specifies the specific repository node (directory) or resource to add the permissions. The resources specified in resourcePath are listed from the top level of the repository http://localhost:8080/RepositoryService/repository/default/. Permissions add
Specifies the permissions. There are five valid permission types: read, all, add, modify, and remove.
Recursive
Specifies if this operation should be performed recursively on all child nodes of the given node in the repository. The default for recursive permission setting is false. If setting permissions on individual resources in the repository, the Recursive option will have no effect.
false
Example The following example adds the modify permission for user1 on the NamedTables node in the repository.
user1 /Samples/NamedTables/ modify false
Spectrum Spatial Administration Guide
77
Setting User Permissions
RemovePermissionsRequest Removes permissions from the users' set of permissions for a specified repository node or resource. When you remove permissions, the specified permissions are removed from the existing set of permissions. This is the easiest way to restrict a user from accessing a particular resource. By removing the read permission for a user for a particular repository node or resource, they cannot be accessed by that user. Parameters The following parameters are used: Parameter
Example
Description
action
RemovePermissionsRequest Specifies the method name to remove permissions for a user.
UserName
user1
Specifies the user to remove permissions.
ResourcePath /Samples/NamedTables/WorldTable Specifies the specific repository node (directory) or resource to remove the permissions. The resources specified in resourcePath are listed from the top level of the repository http://localhost:8080/RepositoryService/repository/default/. Permissions read
Specifies the permissions. By removing the read permission, a user would no longer have access to a resource. There are five valid permission types: read, all, add, modify, and remove.
Recursive
Specifies if this operation should be performed recursively on all child nodes of the given node in the repository. The default for recursive permission setting is false. If setting permissions on individual resources in the repository, the Recursive option will have no effect.
false
Example The following example removes the read permission for user1 on the WorldTable resource.
user1 /Samples/NamedTables/WorldTable read false
78
Spectrum™ Technology Platform 9.0 SP2
Notices
©
2014 Pitney Bowes Software Inc. All rights reserved. MapInfo and Group 1 Software are trademarks of Pitney Bowes Software Inc. All other marks and trademarks are property of their respective holders. ®
USPS Notices ®
Pitney Bowes Inc. holds a non-exclusive license to publish and sell ZIP + 4 databases on optical and magnetic media. The following trademarks are owned by the United States Postal Service: CASS, CASS Link Link Certified, DPV, eLOT, FASTforward, First-Class Mail, Intelligent Mail, LACS , NCOA , PAVE, Link PLANET Code, Postal Service, POSTNET, Post Office, RDI, Suite , United States Postal Service, Standard Mail, United States Post Office, USPS, ZIP Code, and ZIP + 4. This list is not exhaustive of the trademarks belonging to the Postal Service. Link®
®
Pitney Bowes Inc. is a non-exclusive licensee of USPS for NCOA
processing.
Prices for Pitney Bowes Software's products, options, and services are not established, controlled, or ™ approved by USPS® or United States Government. When utilizing RDI data to determine parcel-shipping ® costs, the business decision on which parcel delivery company to use is not made by the USPS or United States Government. Data Provider and Related Notices Data Products contained on this media and used within Pitney Bowes Software applications are protected by various trademarks and by one or more of the following copyrights: ©
Copyright United States Postal Service. All rights reserved.
©
2014 TomTom. All rights reserved. TomTom and the TomTom logo are registered trademarks of TomTom N.V. ©
Copyright NAVTEQ. All rights reserved
Data © 2014 NAVTEQ North America, LLC Fuente: INEGI (Instituto Nacional de Estadística y Geografía) Based upon electronic data © National Land Survey Sweden. ©
Copyright United States Census Bureau
©
Copyright Nova Marketing Group, Inc.
Portions of this program are © Copyright 1993-2007 by Nova Marketing Group Inc. All Rights Reserved ©
Copyright Second Decimal, LLC
©
Copyright Canada Post Corporation
This CD-ROM contains data from a compilation in which Canada Post Corporation is the copyright owner. ©
2007 Claritas, Inc.
The Geocode Address World data set contains data licensed from the GeoNames Project (www.geonames.org) provided under the Creative Commons Attribution License ("Attribution License") located at http://creativecommons.org/licenses/by/3.0/legalcode. Your use of the GeoNames data (described in the Spectrum™ Technology Platform User Manual) is governed by the terms of the Attribution License, and any conflict between your agreement with Pitney Bowes Software, Inc. and the Attribution License will be resolved in favor of the Attribution License solely as it relates to your use of the GeoNames data. ICU Notices Copyright © 1995-2011 International Business Machines Corporation and others. All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of the
80
Spectrum™ Technology Platform 9.0 SP2
Copyright Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.
Spectrum Spatial Administration Guide
81