8.2.12.2. security-internal-exploitation

Ce document spécifie la configuration (fichiers de config) nécessaire pour lancer le service security-internal.

8.2.12.2.1. Fichier security-internal.conf

Ce fichier permet de définir la configuration du serveur MongoDB, du serveur Jetty, les tenants, ainsi que la configuration de l’authentification personae appliquée aux permissions des endpoints externes de VITAM.

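# Configuration MongoDB
# Rendered by Ansible: one node entry per host of the hosts_mongos_data group.
mongoDbNodes:
{% for host in groups['hosts_mongos_data'] %}
  - dbHost: {{ hostvars[host]['ip_service'] }}
    dbPort: {{ mongodb.mongos_port }}
{% endfor %}
dbName: identity
# Left unquoted on purpose so the rendered value keeps its YAML type
# (presumably a boolean - confirm against the inventory variable).
dbAuthentication: {{ mongodb.mongo_authentication }}
# Credentials are rendered with to_json: the value is always emitted as a
# double-quoted, escaped scalar, so a user name or password containing ':',
# ' #', quotes or a leading YAML indicator cannot alter the parse or be
# silently retyped. The rendered file holds these secrets in clear text:
# restrict its permissions to the service account.
dbUserName: {{ mongodb['mongo-data'].securityInternal.user | to_json }}
dbPassword: {{ mongodb['mongo-data'].securityInternal.password | to_json }}

jettyConfig: jetty-config.xml

# Endpoint permission file described in the next section.
personalCertificatePermissionConfig: personal-certificate-permissions.conf

# Basic Authentication
# Same quoting rationale as the MongoDB credentials above.
adminBasicAuth:
  - userName: {{ admin_basic_auth_user | to_json }}
    password: {{ admin_basic_auth_password | to_json }}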

8.2.12.2.2. Fichier personal-certificate-permissions.conf

Configuration des permissions nécessitant une authentification personae et de celles qui n’en nécessitent pas.

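# Personal certification configuration for endpoint permissions
#
# Each entry is a permission identifier of an external API endpoint.
# Permissions listed under permissionsRequiringPersonalCertificate require
# personae (personal certificate) authentication; those listed under
# permissionsWithoutPersonalCertificate do not. An identifier should
# presumably appear in exactly one of the two lists - confirm with the
# consumer's behaviour for duplicates.

# Explicit empty list: a bare key with no value would parse as null rather
# than as "no permission requires a personal certificate".
# With this default no endpoint enforces personae authentication; move the
# permissions that the deployment's policy considers sensitive (updates,
# deletions, eliminations, exports, ...) into this list to enforce it.
permissionsRequiringPersonalCertificate: []

permissionsWithoutPersonalCertificate:
  - 'dipexport:create'
  - 'dipexportv2:create'
  - 'dipexport:id:dip:read'
  - 'transfers:create'
  - 'transfers:reply'
  - 'transfers:id:sip:read'
  - 'logbookobjectslifecycles:id:read'
  - 'logbookoperations:read'
  - 'logbookoperations:id:read'
  - 'logbookunitlifecycles:id:read'
  - 'units:read'
  - 'units:unitsbypersistentidentifier:id:read'
  - 'objects:unitsbypersistentidentifier:id:objects:read:binary'
  - 'objects:objectsbypersistentidentifier:id:read'
  - 'objects:objectsbypersistentidentifier:id:read:binary'
  - 'units:stream'
  - 'objects:stream'
  - 'units:id:read:json'
  - 'units:id:update'
  - 'units:id:objects:read:json'
  - 'units:id:objects:read:binary'
  - 'units:id:objects:accessrequests:create'
  - 'accessrequests:check'
  - 'accessrequests:remove'
  - 'units:update'
  - 'units:update:revert'
  - 'unitsWithInheritedRules:read'
  - 'units:rules:update'
  - 'units:bulk:update'
  - 'accesscontracts:create:json'
  - 'accesscontracts:read'
  - 'accesscontracts:id:read'
  - 'accesscontracts:id:update'
  - 'accessionregisters:read'
  - 'accessionregisters:id:accessionregisterdetails:read'
  - 'agencies:create'
  - 'agencies:read'
  - 'agencies:id:read'
  - 'agenciesfile:check'
  - 'agenciesreferential:id:read'
  - 'audits:create'
  - 'contexts:create:json'
  - 'contexts:read'
  - 'contexts:id:read'
  - 'contexts:id:update'
  - 'distributionreport:id:read'
  - 'formats:read'
  - 'formats:create'
  - 'formats:id:read'
  - 'formatsfile:check'
  - 'ingestcontracts:create:json'
  - 'ingestcontracts:read'
  - 'ingestcontracts:id:read'
  - 'ingestcontracts:id:update'
  - 'operations:read'
  - 'operations:id:read:status'
  - 'operations:id:read'
  - 'operations:id:update'
  - 'operations:id:delete'
  - 'profiles:create:binary'
  - 'profiles:create:json'
  - 'profiles:read'
  - 'profiles:id:read:json'
  # Spelled "binaire" unlike the other ":binary" entries. The identifier must
  # match the permission declared on the endpoint exactly - verify against the
  # server before renaming it.
  - 'profiles:id:update:binaire'
  - 'profiles:id:read:binary'
  - 'profiles:id:update:json'
  - 'rules:read'
  - 'rules:create'
  - 'rules:id:read'
  - 'rulesfile:check'
  - 'rulesreport:id:read'
  - 'rulesreferential:id:read'
  - 'securityprofiles:create:json'
  - 'securityprofiles:read'
  - 'securityprofiles:id:read'
  - 'securityprofiles:id:update'
  - 'traceability:id:read'
  - 'traceabilitychecks:create'
  - 'traceabilitylinkedchecks:create'
  - 'workflows:read'
  - 'ingests:create'
  - 'ingests:local:create'
  - 'ingests:id:archivetransfertreply:read'
  - 'ingests:id:manifests:read'
  - 'switchindex:create'
  - 'reindex:create'
  - 'evidenceaudit:check'
  - 'referentialaudit:check'
  - 'archiveunitprofiles:create:binary'
  - 'archiveunitprofiles:create:json'
  - 'archiveunitprofiles:read'
  - 'archiveunitprofiles:id:read:json'
  - 'archiveunitprofiles:id:update:json'
  - 'ontologies:create:binary'
  - 'ontologies:create:json'
  - 'ontologies:read'
  - 'ontologies:id:read:json'
  - 'ontologies:id:read:binary'
  - 'ontologies:id:update:json'
  - 'reclassification:update'
  - 'rectificationaudit:check'
  - 'storageaccesslog:read:binary'
  - 'objects:read'
  - 'elimination:analysis'
  - 'elimination:action'
  - 'forcepause:check'
  - 'removeforcepause:check'
  - 'probativevalue:check'
  - 'probativevalue:create'
  - 'accessionregisterssymbolic:read'
  - 'griffins:create'
  - 'preservationScenarios:create'
  - 'griffins:read'
  - 'griffin:read'
  - 'preservationScenarios:read'
  - 'preservationScenario:read'
  - 'preservation:update'
  - 'batchreport:id:read'
  - 'preservationreport:id:read'
  - 'logbookoperations:create'
  - 'computeInheritedRules:action'
  - 'computeInheritedRules:delete'
  - 'managementcontracts:create:json'
  - 'managementcontracts:read'
  - 'managementcontracts:id:read'
  - 'managementcontracts:id:update'
  - 'audit:data:consistency'
  - 'objects:deleteGotVersions'
  - 'accessionregisterdetails:read'
  - 'transaction:read'
  - 'transaction:create'
  - 'transaction:close'
  - 'transaction:reopen'
  - 'transaction:abort'
  - 'transaction:send'
  - 'transaction:id:units'
  - 'transaction:id:units:update'
  - 'transaction:unit:create'
  - 'transaction:zip:create'
  - 'transaction:unitsWithInheritedRules:read'
  - 'transaction:update'
  - 'transaction:unit:read'
  - 'transaction:unit:id:read'
  - 'transaction:object:upsert'
  - 'transaction:object:read'
  - 'transaction:binary:upsert'
  - 'transaction:binary:read'
  - 'project:create'
  - 'project:read'
  - 'project:update'
  - 'project:id:read'
  - 'project:query:read'
  - 'project:id:binary'
  - 'project:id:units'
  - 'project:id:delete'
  - 'project:id:transactions'
  - 'transaction:id:delete'
  - 'transaction:id:read'
  - 'job:read'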