Reverting from External to Internal Security

This document describes the procedure necessary to revert to the Internal security configuration following an accidental misconfiguration of External security in Matillion ETL.

External security misconfiguration can result in being locked out of Matillion, with no way to regain access other than by editing the configuration files on the Matillion server.
 

The following files need to be edited or checked. Where two paths are given, the correct one depends on whether the instance runs Tomcat as the tomcat8 service or the tomcat service; use whichever exists on your server:

  • /usr/share/emerald/WEB-INF/classes/Emerald.properties

  • /usr/share/emerald/WEB-INF/security.fragment

  • /etc/tomcat8/server.xml or /etc/tomcat/server.xml

  • /etc/tomcat8/tomcat-users.xml or /etc/tomcat/tomcat-users.xml

 

To begin the restore, SSH into the Matillion instance and sudo to root:

sudo -i
 

Stop Matillion

First of all, stop the Matillion service. The Tomcat service is named tomcat8 or tomcat depending on the instance; run whichever of the two applies:

service tomcat8 stop
service tomcat stop

Wait a couple of seconds for the OK confirmation that the service has been stopped.

 

Emerald.properties

The file /usr/share/emerald/WEB-INF/classes/Emerald.properties is Matillion-specific and contains a number of authorization parameters.

The file format is UTF-8 text, one key/value pair per line in the form

KEY=value

The following parameter must be present:

API_SECURITY_GROUP=API

The following parameter should be present:

ADMIN_ROLE_NAME=Admin
 

security.fragment

The file /usr/share/emerald/WEB-INF/security.fragment holds the web.xml security constraints that Tomcat uses to control access to the Matillion application, and the role a user must hold to pass them.

The format is XML.

Ensure that all <role-name> elements have the value Emerald, as shown here:

 
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Emerald Controller</web-resource-name>
        <url-pattern>/Controller</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Emerald</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Matillion Emerald</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Emerald</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>Emerald</role-name>
</security-role>
 

server.xml

The file /etc/tomcat8/server.xml (or /etc/tomcat/server.xml) is the main Tomcat configuration file. Authentication is controlled by a Realm element; External security uses a JNDIRealm (Tomcat's directory/LDAP realm), and this needs to be replaced.

Look for the <Realm className="org.apache.catalina.realm.JNDIRealm" …> element and delete it in full: its attributes may continue onto following lines, so remove everything up to and including its closing /> or </Realm>.

Inside the <Engine name="Catalina" defaultHost="localhost"> element add a new Realm referencing the user database:

 <Realm className="org.apache.catalina.realm.LockOutRealm">
   <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
 </Realm>

Two checks are worth making here. First, the UserDatabase resource this refers to is the <Resource name="UserDatabase" … pathname="conf/tomcat-users.xml"/> entry in the <GlobalNamingResources> section near the top of server.xml; Tomcat ships it by default, but confirm it is still present. Second, Tomcat uses only one Realm per Engine, so the JNDIRealm must be removed rather than left alongside the new one. Keep the LockOutRealm wrapper: it locks a username out after repeated failed logins (by default five failures lead to a five-minute lockout), which limits password guessing against the web interface once you are back on local accounts.
 

tomcat-users.xml

The file /etc/tomcat8/tomcat-users.xml (or /etc/tomcat/tomcat-users.xml) is the “user database” referred to by the UserDatabaseRealm added to server.xml above.

Ensure that the file has mode 644, and is owned by the tomcat user and group.

The contents should be as follows. Replace YourPassword with a strong password of your own choosing; it is stored in clear text in this file, so do not make the permissions any more permissive than 644:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="Emerald"/>
  <role rolename="API"/>
  <role rolename="Admin"/>
  <user username="ec2-user" password="YourPassword" roles="Emerald,API,Admin"/>
</tomcat-users>

You will use this username and password to log in to the Matillion web user interface once the service has been restarted.

 

Service restart

There are occasional problems with file and directory permissions caused by YUM updates. Matillion have written a shell script to correct them.

Before restarting the service please run:

/usr/share/emerald/WEB-INF/classes/scripts/matillion_ensure.sh

Now that the configuration files have been repaired, you can restart the Matillion service, again using whichever of the two service names applies:

service tomcat8 start
service tomcat start

Wait a couple of seconds for the OK confirmation. Note that OK here means the service is starting; Tomcat has not yet finished deploying the application.

Monitor the startup progress with the following command, choosing the path that matches your Tomcat service:

tail -f /usr/share/tomcat8/logs/catalina.out
tail -f /usr/share/tomcat/logs/catalina.out

After anywhere between 20 seconds and 2 minutes, you should see a message like this, where ? is the startup time in milliseconds:

org.apache.catalina.startup.Catalina.start Server startup in ? ms

If instead the log shows a SEVERE message or an XML parse error referring to server.xml or tomcat-users.xml, one of the edits left a file malformed: stop the service, correct the file, and start it again.
 

You are now ready to reconnect to the Matillion web user interface. Use the plain base URL of the instance and ensure there is no j_security_check suffix left in the URL from an earlier login attempt: /j_security_check is the form-login submission target, and Tomcat rejects a direct request to it with an error instead of showing the login page.

You should now be able to log in successfully with your credentials from tomcat-users.xml.
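The whole procedure above, as an added example script (this is not Matillion's own tooling). Every function takes the file it edits as an argument so the steps can be rehearsed against copies before touching a live instance; the environment variable names TOMCAT_SVC, TOMCAT_CONF and EMERALD, and the function names, are this example's own. It keeps the page's ec2-user account name but generates a random password instead of the YourPassword placeholder, and it assumes the JNDIRealm sits directly under <Engine> rather than already inside a LockOutRealm.

```bash
#!/bin/bash
# Added example, not Matillion's own tooling: the revert procedure from this
# page as a script. Every function takes the file it works on as an argument,
# so the steps can be rehearsed on copies before touching the live instance.
set -u

# Service name is tomcat8 or tomcat depending on the instance (assumed
# variable names; override TOMCAT_SVC / TOMCAT_CONF / EMERALD to test on copies).
TOMCAT_SVC="${TOMCAT_SVC:-$([ -d /etc/tomcat8 ] && echo tomcat8 || echo tomcat)}"
TOMCAT_CONF="${TOMCAT_CONF:-/etc/$TOMCAT_SVC}"
EMERALD="${EMERALD:-/usr/share/emerald/WEB-INF}"

# Keep a timestamped copy of a file before editing it.
backup() { cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"; }

# Set KEY=value in Emerald.properties, replacing an existing line or appending.
ensure_property() {   # file key value
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# security.fragment must grant only the Emerald role: fail on any other <role-name>.
check_fragment() {    # file
    local bad
    bad=$(grep -o '<role-name>[^<]*</role-name>' "$1" | grep -v '>Emerald<' || true)
    if [ -n "$bad" ]; then
        printf 'unexpected role-name(s) in %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
}

# Swap the JNDIRealm element (one line or several, ending in "/>" or "</Realm>")
# for a LockOutRealm wrapping UserDatabaseRealm, at the same position in the
# file. Assumes the JNDIRealm sits directly under <Engine> and is not already
# inside a LockOutRealm; if it is, edit by hand.
replace_realm() {     # server.xml
    grep -q 'org.apache.catalina.realm.JNDIRealm' "$1" \
        || { echo "no JNDIRealm found in $1, nothing to replace" >&2; return 1; }
    awk '
        /org\.apache\.catalina\.realm\.JNDIRealm/ { skip = 1 }
        skip {
            if ($0 ~ /\/>/ || $0 ~ /<\/Realm>/) {
                skip = 0
                print "      <Realm className=\"org.apache.catalina.realm.LockOutRealm\">"
                print "        <Realm className=\"org.apache.catalina.realm.UserDatabaseRealm\" resourceName=\"UserDatabase\"/>"
                print "      </Realm>"
            }
            next
        }
        { print }' "$1" > "$1.new" && cat "$1.new" > "$1" && rm -f "$1.new"
}

# 24 random alphanumeric characters: strong, and safe to embed in XML unescaped.
gen_password() { tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24; echo; }

# Write the internal user database from this page. The password must not contain
# & < > or " because it is written into the XML attribute as-is.
write_tomcat_users() {   # file user password
    cat > "$1" <<EOF
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="Emerald"/>
  <role rolename="API"/>
  <role rolename="Admin"/>
  <user username="$2" password="$3" roles="Emerald,API,Admin"/>
</tomcat-users>
EOF
    chmod 644 "$1"
    chown tomcat:tomcat "$1" 2>/dev/null || echo "warning: could not chown $1 to tomcat:tomcat" >&2
}

# The whole procedure, in the order this page gives it. Run as root: ./revert.sh run
revert_all() {
    service "$TOMCAT_SVC" stop
    backup "$EMERALD/classes/Emerald.properties"
    backup "$TOMCAT_CONF/server.xml"
    backup "$TOMCAT_CONF/tomcat-users.xml"
    ensure_property "$EMERALD/classes/Emerald.properties" API_SECURITY_GROUP API
    ensure_property "$EMERALD/classes/Emerald.properties" ADMIN_ROLE_NAME Admin
    check_fragment "$EMERALD/security.fragment" || return 1
    replace_realm "$TOMCAT_CONF/server.xml" || return 1
    local pw; pw=$(gen_password)
    write_tomcat_users "$TOMCAT_CONF/tomcat-users.xml" ec2-user "$pw"
    echo "Log in to the web UI as ec2-user with password: $pw (stored in clear text in tomcat-users.xml)"
    "$EMERALD/classes/scripts/matillion_ensure.sh"
    service "$TOMCAT_SVC" start
    tail -f "/usr/share/$TOMCAT_SVC/logs/catalina.out"
}

case "${1:-}" in run) revert_all ;; esac
```

Without the run argument the script only defines its functions, so it can be sourced and each step tried against copies of the four files (for example with TOMCAT_CONF pointing at a scratch directory) before running it for real as root. replace_realm deliberately refuses to guess when it cannot find a JNDIRealm, since an Engine with two Realm children would silently use the last one parsed.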