8.2.12.2. security-internal-exploitation
Ce document spécifie la configuration (fichiers de configuration) nécessaire pour lancer le service security-internal.
8.2.12.2.1. Fichier security-internal.conf
Ce fichier définit la configuration du serveur MongoDB (nœuds, base, identifiants), le fichier de configuration du serveur Jetty, les tenants, le fichier de permissions de l’authentification personae (certificat personnel) pour les endpoints externes de VITAM, ainsi que les comptes d’administration en Basic Authentication (`adminBasicAuth`). Les identifiants MongoDB et Basic Auth y figurent en clair : le fichier rendu doit être protégé (droits d’accès restreints) et les valeurs sources conservées chiffrées (par exemple Ansible Vault).
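# MongoDB connection.
# Rendered by Ansible from the inventory: one entry per host of the
# `hosts_mongos_data` group. Both keys of an entry must share the same
# indentation so that each host yields one {dbHost, dbPort} mapping; a
# `dbPort` at column 0 would become a top-level key instead.
mongoDbNodes:
{% for host in groups['hosts_mongos_data'] %}
  - dbHost: "{{ hostvars[host]['ip_service'] }}"
    dbPort: {{ mongodb.mongos_port }}
{% endfor %}
dbName: identity
# NOTE(review): presumably renders to true/false; if the inventory value can
# be a string such as "yes"/"no", confirm how the consumer coerces it.
dbAuthentication: {{ mongodb.mongo_authentication }}
# Credentials go through `to_json`, which emits a double-quoted, escaped
# scalar. Left unquoted, a value containing ` #` would be truncated into a
# comment, `: ` would start a mapping, and a leading `*`, `&`, `[` or `{`
# would be read as YAML syntax — silently or with a parse error.
# The rendered file holds plaintext secrets: keep the source values in
# Ansible Vault and restrict the file mode of the generated file.
dbUserName: {{ mongodb['mongo-data'].securityInternal.user | to_json }}
dbPassword: {{ mongodb['mongo-data'].securityInternal.password | to_json }}

# Companion configuration files (relative paths — presumably resolved against
# the service's configuration directory; confirm).
jettyConfig: jetty-config.xml
personalCertificatePermissionConfig: personal-certificate-permissions.conf

# Basic Authentication — administrative accounts; same quoting rules as the
# MongoDB credentials above.
adminBasicAuth:
  - userName: {{ admin_basic_auth_user | to_json }}
    password: {{ admin_basic_auth_password | to_json }}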
8.2.12.2.2. Fichier personal-certificate-permissions.conf
Ce fichier définit deux listes de permissions : celles qui nécessitent une authentification personae (certificat personnel) et celles qui n’en nécessitent pas. Dans l’exemple ci-dessous, la liste `permissionsRequiringPersonalCertificate` est vide : aucune des permissions listées, y compris les opérations de modification ou de suppression (par exemple `elimination:action`, `operations:id:delete`, `objects:deleteGotVersions`, `securityprofiles:id:update`), n’exige de certificat personnel. Cette répartition doit être revue pour chaque déploiement ; le comportement appliqué à une permission absente des deux listes n’est pas décrit ici.
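# Personal certificate configuration for endpoint permissions.
#
# Two lists of permission names:
#   - permissionsRequiringPersonalCertificate: the caller must additionally
#     present a personal certificate.
#   - permissionsWithoutPersonalCertificate: no personal certificate required.
#
# In this sample the first list is empty, so none of the permissions below —
# including the modifying and deleting ones such as `elimination:action`,
# `operations:id:delete`, `objects:deleteGotVersions`, `project:id:delete` or
# `securityprofiles:id:update` — requires a personal certificate. Review that
# split per deployment; this sample is not a hardened baseline.
# NOTE(review): what happens to a permission absent from both lists is not
# defined here — check the service code before relying on either default.
#
# Written as an explicit empty list: a bare `key:` parses as null, not as [].
permissionsRequiringPersonalCertificate: []

# NOTE(review): permission names are presumably matched literally — keep the
# exact spelling, including `profiles:id:update:binaire` (which differs from
# the other `:binary` suffixes); do not "normalise" them.
permissionsWithoutPersonalCertificate:
  - 'dipexport:create'
  - 'dipexportv2:create'
  - 'dipexport:id:dip:read'
  - 'transfers:create'
  - 'transfers:reply'
  - 'transfers:id:sip:read'
  - 'logbookobjectslifecycles:id:read'
  - 'logbookoperations:read'
  - 'logbookoperations:id:read'
  - 'logbookunitlifecycles:id:read'
  - 'units:read'
  - 'units:unitsbypersistentidentifier:id:read'
  - 'objects:unitsbypersistentidentifier:id:objects:read:binary'
  - 'objects:objectsbypersistentidentifier:id:read'
  - 'objects:objectsbypersistentidentifier:id:read:binary'
  - 'units:stream'
  - 'objects:stream'
  - 'units:id:read:json'
  - 'units:id:update'
  - 'units:id:objects:read:json'
  - 'units:id:objects:read:binary'
  - 'units:id:objects:accessrequests:create'
  - 'accessrequests:check'
  - 'accessrequests:remove'
  - 'units:update'
  - 'units:update:revert'
  - 'unitsWithInheritedRules:read'
  - 'units:rules:update'
  - 'units:bulk:update'
  - 'accesscontracts:create:json'
  - 'accesscontracts:read'
  - 'accesscontracts:id:read'
  - 'accesscontracts:id:update'
  - 'accessionregisters:read'
  - 'accessionregisters:id:accessionregisterdetails:read'
  - 'agencies:create'
  - 'agencies:read'
  - 'agencies:id:read'
  - 'agenciesfile:check'
  - 'agenciesreferential:id:read'
  - 'audits:create'
  - 'contexts:create:json'
  - 'contexts:read'
  - 'contexts:id:read'
  - 'contexts:id:update'
  - 'distributionreport:id:read'
  - 'formats:read'
  - 'formats:create'
  - 'formats:id:read'
  - 'formatsfile:check'
  - 'ingestcontracts:create:json'
  - 'ingestcontracts:read'
  - 'ingestcontracts:id:read'
  - 'ingestcontracts:id:update'
  - 'operations:read'
  - 'operations:id:read:status'
  - 'operations:id:read'
  - 'operations:id:update'
  - 'operations:id:delete'
  - 'profiles:create:binary'
  - 'profiles:create:json'
  - 'profiles:read'
  - 'profiles:id:read:json'
  - 'profiles:id:update:binaire'
  - 'profiles:id:read:binary'
  - 'profiles:id:update:json'
  - 'rules:read'
  - 'rules:create'
  - 'rules:id:read'
  - 'rulesfile:check'
  - 'rulesreport:id:read'
  - 'rulesreferential:id:read'
  - 'securityprofiles:create:json'
  - 'securityprofiles:read'
  - 'securityprofiles:id:read'
  - 'securityprofiles:id:update'
  - 'traceability:id:read'
  - 'traceabilitychecks:create'
  - 'traceabilitylinkedchecks:create'
  - 'workflows:read'
  - 'ingests:create'
  - 'ingests:local:create'
  - 'ingests:id:archivetransfertreply:read'
  - 'ingests:id:manifests:read'
  - 'switchindex:create'
  - 'reindex:create'
  - 'evidenceaudit:check'
  - 'referentialaudit:check'
  - 'archiveunitprofiles:create:binary'
  - 'archiveunitprofiles:create:json'
  - 'archiveunitprofiles:read'
  - 'archiveunitprofiles:id:read:json'
  - 'archiveunitprofiles:id:update:json'
  - 'ontologies:create:binary'
  - 'ontologies:create:json'
  - 'ontologies:read'
  - 'ontologies:id:read:json'
  - 'ontologies:id:read:binary'
  - 'ontologies:id:update:json'
  - 'reclassification:update'
  - 'rectificationaudit:check'
  - 'storageaccesslog:read:binary'
  - 'objects:read'
  - 'elimination:analysis'
  - 'elimination:action'
  - 'forcepause:check'
  - 'removeforcepause:check'
  - 'probativevalue:check'
  - 'probativevalue:create'
  - 'accessionregisterssymbolic:read'
  - 'griffins:create'
  - 'preservationScenarios:create'
  - 'griffins:read'
  - 'griffin:read'
  - 'preservationScenarios:read'
  - 'preservationScenario:read'
  - 'preservation:update'
  - 'batchreport:id:read'
  - 'preservationreport:id:read'
  - 'logbookoperations:create'
  - 'computeInheritedRules:action'
  - 'computeInheritedRules:delete'
  - 'managementcontracts:create:json'
  - 'managementcontracts:read'
  - 'managementcontracts:id:read'
  - 'managementcontracts:id:update'
  - 'audit:data:consistency'
  - 'objects:deleteGotVersions'
  - 'accessionregisterdetails:read'
  - 'transaction:read'
  - 'transaction:create'
  - 'transaction:close'
  - 'transaction:reopen'
  - 'transaction:abort'
  - 'transaction:send'
  - 'transaction:id:units'
  - 'transaction:id:units:update'
  - 'transaction:unit:create'
  - 'transaction:zip:create'
  - 'transaction:unitsWithInheritedRules:read'
  - 'transaction:update'
  - 'transaction:unit:read'
  - 'transaction:unit:id:read'
  - 'transaction:object:upsert'
  - 'transaction:object:read'
  - 'transaction:binary:upsert'
  - 'transaction:binary:read'
  - 'project:create'
  - 'project:read'
  - 'project:update'
  - 'project:id:read'
  - 'project:query:read'
  - 'project:id:binary'
  - 'project:id:units'
  - 'project:id:delete'
  - 'project:id:transactions'
  - 'transaction:id:delete'
  - 'transaction:id:read'
  - 'job:read'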