Fundamentals

This article introduces the fundamental concepts of Identity and Access Management (IAM) for Coherent Spark, explaining its importance and how it functions. IAM ensures that the appropriate subjects - whether people, machines, or software components - gain access to the correct Spark resources at the right time.

  1. First, a subject must prove their identity by demonstrating who or what they claim to be.

  2. The subject is then either granted or denied access to specific Spark resources based on their permissions.

Authenticate, authorize, and access resources

  1. The user (resource owner) initiates an authentication request from the client application (Spark SPA) to the identity provider/authorization server (Keycloak). Spark SPA generates a random string called the code verifier and derives a hashed version of it, known as the code challenge, using SHA-256. The code challenge and its S256 method are included in the authentication request.

  2. Spark SPA redirects the user to Keycloak’s login page. The request includes the code challenge, redirect URI, and other required parameters.

  3. The user enters their login details. If the credentials are valid, Keycloak authenticates the user. Once authorized, an authorization code is sent to Spark SPA through the redirect URI.

  4. Spark SPA sends a token request to the identity provider/authorization server. The request includes the authorization code, the original code verifier, and the redirect URI.

  5. Keycloak validates the code verifier against the previously sent code challenge. If the verification is successful, Keycloak issues an access token, an ID token, and a refresh token to Spark SPA.

  6. Spark SPA attaches the access token to subsequent requests made to the protected resource server (Spark API). The resource server validates the access token and, if valid, grants access to the requested protected resources.

  7. Spark SPA processes the server's response and presents the resource to the user.

What are authentication and authorization?

In simple terms, authentication is the process of verifying who an actor is, while authorization is the process of verifying what they have access to.

| Authentication | Authorization |
|---|---|
| Determines whether users are who they claim to be. | Determines what users can and cannot access. |
| Challenges the user to validate credentials (for example, through passwords, answers to security questions, or facial recognition). | Verifies whether access is allowed through policies and rules. |
| Performed before authorization. | Performed after successful authentication. |
| Transmits info through an ID Token. | Transmits info through an Access Token. |
| Governed by the OpenID Connect (OIDC) protocol. | Governed by the OAuth 2.0 framework. |
| In Spark: users are required to enter their credentials (username and password) prior to accessing the Spark SPA Home page. | In Spark: after a user successfully authenticates, Spark determines which product folders the user is allowed to access. |

In short, access to a Spark resource is protected by both authentication and authorization. If you cannot prove your identity, you won't be allowed into a Spark resource. Even if you can prove your identity, if you are not authorized for that resource, you will still be denied access.

Spark Access Control List

Spark Access Control List (ACL) is a security mechanism used to define which users or systems (subjects) are authorized to access specific resources (objects) and what actions they are allowed to perform on those resources.

List of rules:

  • The list contains a set of rules that specify the permissions for users or groups.

  • Each rule consists of:

    • A subject (user or group).

    • An object (typically folder).

    • A set of actions (Create, Read, Update, Execute and Delete).

Granular permissions:

  • The Spark ACLs allow fine-grained control over who can access what and how, providing flexibility and detailed security policies.

Validate Access Control List rules

There are two ways in which Spark can validate ACL rules, depending on how the caller authenticated:

  • OAuth2: Validates actions based on the subject (sub claim) or group (groups claim) in the Access Token.

  • API Key: Validates actions based on the group assigned to the API Key.
