|
15 | 15 | <para>This article discusses eXist-db's security features and how to manage authentication, |
16 | 16 | users, groups, passwords, permissions and access controls. </para> |
17 | 17 | <para>eXist-db's security infrastructure is built on a Unix permissions model (see <xref |
18 | | - linkend="unix-model"/>), which we have extended with <xref linkend="ACLs"/>. The security |
19 | | - infrastructure is very flexible and extensible, which enables the more advanced user, to |
20 | | - provide custom <xref linkend="authentication-realms"/> to enable different authentication |
21 | | - models.</para> |
| 18 | + linkend="unix-model"/>), which we have extended with <xref linkend="ACLs"/>. As far as |
| 19 | + possible we try and adhere to the POSIX standard. The security infrastructure is very |
| 20 | + flexible and extensible, which enables the more advanced user, to provide custom <xref |
| 21 | + linkend="authentication-realms"/> to enable different authentication models.</para> |
22 | 22 | <para>As well as the mechanisms described in this article, you should also note the presence of |
23 | 23 | the <link |
24 | 24 | xlink:href="{${fundocs.pkg.abbrev}}/view.html?uri=http://exist-db.org/xquery/securitymanager" |
|
145 | 145 |
|
146 | 146 | </sect1> |
147 | 147 |
|
| 148 | + <!-- ================================================================== --> |
| 149 | + |
| 150 | + <sect1 xml:id="system-accounts-groups"> |
| 151 | + <title>System Accounts and Groups</title> |
| 152 | + <para>eXist-db has several built-in accounts which ensure the correct functioning of the system. These accounts and groups cannot be removed, however the <code>admin</code> and <code>guest</code> |
| 153 | + accounts can be disabled if required.</para> |
| 154 | + <sect2 xml:id="system-users"> |
| 155 | + <title>System Accounts</title> |
| 156 | + <informaltable> |
| 157 | + <tgroup cols="2"> |
| 158 | + <thead> |
| 159 | + <row> |
| 160 | + <entry><para>Name</para></entry> |
| 161 | + <entry><para>Description</para></entry> |
| 162 | + </row> |
| 163 | + </thead> |
| 164 | + <tbody> |
| 165 | + <row> |
| 166 | + <entry><para>SYSTEM</para></entry> |
| 167 | + <entry> |
| 168 | + <para>This is a DBA account under which the database executes internal privileged opertaions.</para> |
| 169 | + <para>This account is not exported during backups.</para> |
| 170 | + </entry> |
| 171 | + </row> |
| 172 | + <row> |
| 173 | + <entry><para>admin</para></entry> |
| 174 | + <entry><para>This is the default <code>DBA</code> account.</para></entry> |
| 175 | + </row> |
| 176 | + <row> |
| 177 | + <entry><para>guest</para></entry> |
| 178 | + <entry><para>This is the account under which operations by un-authenticated users will be executed, for example users connecting to the REST Server without authenticating.</para></entry> |
| 179 | + </row> |
| 180 | + <row> |
| 181 | + <entry><para>nobody</para></entry> |
| 182 | + <entry> |
| 183 | + <para>This is an internal account and should not be used directly.</para> |
| 184 | + <para>This account is not exported during backups.</para> |
| 185 | + </entry> |
| 186 | + </row> |
| 187 | + </tbody> |
| 188 | + </tgroup> |
| 189 | + </informaltable> |
| 190 | + </sect2> |
| 191 | + <sect2 xml:id="system-groups"> |
| 192 | + <title>System Groups</title> |
| 193 | + <informaltable> |
| 194 | + <tgroup cols="2"> |
| 195 | + <thead> |
| 196 | + <row> |
| 197 | + <entry><para>Name</para></entry> |
| 198 | + <entry><para>Description</para></entry> |
| 199 | + </row> |
| 200 | + </thead> |
| 201 | + <tbody> |
| 202 | + <row> |
| 203 | + <entry><para>DBA</para></entry> |
| 204 | + <entry> |
| 205 | + <para>This is the DBA group, all DBA users should be members of this group.</para> |
| 206 | + </entry> |
| 207 | + </row> |
| 208 | + <row> |
| 209 | + <entry><para>guest</para></entry> |
| 210 | + <entry><para>This is the <emphasis>primary group</emphasis> of the <code>guest</code>.</para></entry> |
| 211 | + </row> |
| 212 | + <row> |
| 213 | + <entry><para>nogroup</para></entry> |
| 214 | + <entry> |
| 215 | + <para>This is an internal group and should not be used directly. In the case that users without a |
| 216 | + <emphasis>primary group</emphasis> are imported from an older eXist-db backup, the users will be restored with this as their primary group.</para> |
| 217 | + <para>This group is not exported during backups.</para> |
| 218 | + </entry> |
| 219 | + </row> |
| 220 | + </tbody> |
| 221 | + </tgroup> |
| 222 | + </informaltable> |
| 223 | + </sect2> |
| 224 | + </sect1> |
| 225 | + |
148 | 226 | <!-- ================================================================== --> |
149 | 227 |
|
150 | 228 | <sect1 xml:id="permissions"> |
|
639 | 717 | <programlisting language="xml" xlink:href="listings/listing-4.xml"/> |
640 | 718 |
|
641 | 719 | <para>As you can see, eXist-db does not store passwords in the clear. It stores |
642 | | - hashed values of the passwords (in base64 encoding), using the |
643 | | - <emphasis>RIPEMD-160</emphasis> cryptographic hashing algorithm. </para> |
| 720 | + hashed values of the passwords (in Base64 encoding), using the |
| 721 | + <emphasis>RIPEMD-160</emphasis> cryptographic hashing algorithm. </para> |
644 | 722 | <para>Whenever a user supplies account credentials for authentication, the database |
645 | 723 | applies RIPEMD-160 hash to the password and compares it to the hash stored in |
646 | 724 | the user's account document. Storing hashes of passwords is a best practice in |
|
0 commit comments