Version: 1.14.0

Configuring the LiveData UI

Find details here for the configuration properties of LiveData Migrator UI. Properties are defined in the following file:

/etc/wandisco/ui/application-prod.properties

Restart the LiveData UI service when adding new properties or changing existing values:

service livedata-ui restart

General configuration

Configure how the UI is run overall.

Name: server.port
Details: Set the port on which the UI will be available. This is overridden by the server.ssl.port when TLS is enabled.
Default value: 8081
Allowed values: An integer value between 1024 and 65535

Logging

Configure how the UI logs information about its state or user interactions.

Name: logging.output.path
Details: The output path for all logging.
Default value: /var/log/wandisco/ui
Allowed values: The full path to a valid directory that is writable by the user running the UI (typically hdfs).

Name: logging.level.ROOT
Details: The log level.
Default value: INFO
Allowed values: A valid log level: TRACE, DEBUG, INFO, WARN, ERROR, FATAL, or OFF

Name: logging.audit.output.filename
Details: The output filename for the audit log. This will be suffixed with the date in yyyy-MM-dd format.
Default value: livedata_ui_audit
Allowed values: A valid string

Name: logging.audit.days-kept
Details: The number of days that the audit log will be retained.
Default value: 90
Allowed values: An integer value representing the number of days

User management through LDAP

Use LDAP to set up access privileges for LiveData UI users.

Configure LDAP Authentication in the UI

You can configure the LDAP login credentials for LiveData Migrator users through the UI:

  1. Anywhere in the LiveData Migrator UI, open Settings by clicking on the gear icon in the bottom left.
  2. Select LDAP Authentication from the Settings panel that opens.
  3. Tick the box labelled Enable LDAP Authentication at the top of the page.
  4. Fill in the LDAP Server Configuration Details section with the authentication details for your LDAP Server.
  5. Click the Check Connection button to test your connection to the LDAP server.

Add users to LiveData Migrator through LDAP

  1. Fill in the User Search Configuration section to select which users you wish to apply the LDAP Server Configuration details to.
  2. Confirm that the user matches automatically returned by the form are as you intended.
  3. Click the Save button to save the configuration and log out all LiveData Migrator users currently in the UI.
  4. Click the confirmation dialogue option to restart the LiveData UI to apply the changes. Log back in to the UI afterwards.

The configuration form in the UI explains how to obtain the information that each field requires.

Note: After you save your configured LDAP login credentials, all users currently logged in to the LiveData Migrator UI will be logged out.

Manage LDAP user access control

Use the Access Control tab in the Settings panel to manage LDAP user privileges, setting Read-Only or Admin privileges. You can also enable Default access to Read Only to set the default LiveData Migrator privileges for LDAP users to Read Only.

Note: This process requires user groups to be set up in the LDAP server.

To manage user privileges by group, first configure LiveData Migrator to search for groups in the Access Control tab:

  1. Fill in the LDAP Group Filter with a query denoting the field in a group that will select the intended users. For example, (uniqueMember={0}) (the {0} will be automatically filled in with the full distinguished name of each user).
  2. Add the name attribute used by the groups in your LDAP server under Group Name Attribute, such as cn. LiveData Migrator will check this attribute in each group for any groups you name in the privilege assignment section below.
  3. Specify the search base for the LDAP group under LDAP Group Search Base and choose whether you want to search only the immediate base (One Level Search) or all subtrees within it (Subtree Search). Leaving the search base blank will search from the root of the hierarchy.

Once you have defined how to find groups in your LDAP server, add the groups you want to the corresponding privileges lists:

  • Add the group reference name to Read Only Groups to assign everyone in the group Read Only privileges.
  • Add the group reference name to Admin Groups to assign everyone in the group Admin privileges.

Add additional entries via the "Add" button indicated by a + in the UI.

Note: Users in groups assigned to both roles (Read Only and Admin) will receive the most privileged role (in this case, Admin).

Click Apply to save any changes to settings made. Any changes to user privileges will take effect in their next login session.

Note: Restart the UI server to immediately apply changes to all users:

service livedata-ui restart

Example

Suppose you have the following LDAP group:

cn=admins,ou=subgroups,ou=groups,dc=springframework,dc=org
Attributes
objectclass: top
objectclass: groupOfUniqueNames
cn: admins
ou: admin
uniqueMember: uid=rob@test.com,ou=people,dc=springframework,dc=org
uniqueMember: uid=joe,ou=otherpeople,dc=springframework,dc=org

Supply an LDAP Group Filter of (uniqueMember={0}), and a Group Name Attribute of cn. You may leave the LDAP Group Search Base empty and select Subtree Search to search the root level and all groups contained within. Finally, to give users in the group admin privileges, supply the cn value of the group (admins) to the Admin Groups field below.

Admin Groups: admins

Once you've finished making changes to group privileges, click Apply to save the new settings. Changes will be applied to each user at their next login.
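
The following added example, which is not part of LiveData Migrator, models how the group filter, search scope and privilege lists described above resolve a user's role, using the group entry from this example. The function names and the resolution logic are assumptions made for illustration; the search base is given as a full DN and DN matching is simplified.

```python
# Added illustration, not LiveData Migrator code: an offline model of the
# Access Control settings. Function names and matching logic are assumptions.

# The group entry from the example above, written as a dict.
DIRECTORY = {
    "cn=admins,ou=subgroups,ou=groups,dc=springframework,dc=org": {
        "cn": ["admins"],
        "uniqueMember": [
            "uid=rob@test.com,ou=people,dc=springframework,dc=org",
            "uid=joe,ou=otherpeople,dc=springframework,dc=org",
        ],
    },
}

def norm(dn):
    """Simplified DN normalisation (ignores escaped commas inside values)."""
    return ",".join(part.strip().lower() for part in dn.split(",") if part.strip())

def in_scope(entry_dn, base, subtree):
    """True if entry_dn lies below base; one-level means a direct child only."""
    entry, base = norm(entry_dn), norm(base)
    if base:  # a blank base searches from the root of the hierarchy
        if not entry.endswith("," + base):
            return False
        entry = entry[: -len(base) - 1]
    return subtree or "," not in entry

def groups_for(user_dn, group_filter, name_attr, base="", subtree=True):
    """Names of in-scope groups whose filter attribute lists the user's DN."""
    attr, _, token = group_filter.strip("()").partition("=")
    if token != "{0}":
        raise ValueError("this model only handles filters of the form (attr={0})")
    names = set()
    for dn, attrs in DIRECTORY.items():
        members = {norm(m) for m in attrs.get(attr, [])}
        if in_scope(dn, base, subtree) and norm(user_dn) in members:
            names.update(attrs.get(name_attr, []))
    return names

def role_for(user_dn, admin_groups, read_only_groups, default_read_only=False, **search):
    found = groups_for(user_dn, **search)
    if found & set(admin_groups):
        return "Admin"  # a user matched by both lists gets the most privileged role
    if found & set(read_only_groups) or default_read_only:
        return "Read Only"
    return "Default"  # no match: the product default, which this page does not state

if __name__ == "__main__":
    joe = "uid=joe,ou=otherpeople,dc=springframework,dc=org"
    search = {"group_filter": "(uniqueMember={0})", "name_attr": "cn"}
    print(role_for(joe, ["admins"], ["admins"], **search))
    print(role_for(joe, ["admins"], [], base="ou=groups,dc=springframework,dc=org",
                   subtree=False, **search))
```

In this model, a search base of ou=groups with One Level Search does not find the example group, because cn=admins sits one level lower under ou=subgroups, so the Admin mapping never applies to its members.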

Configure LDAP Authentication through the CLI

Note: You're advised to configure LDAP Authentication through the UI where possible, as the CLI will not provide diagnostic information if you supply incorrect configuration details.

Configure a single LDAP user to log in to the UI by using the encryptor tool:

  1. On the LiveData UI host, run the following command:

    livedata-ui encryptor
  2. Encrypt your LDAP Manager password if you have one and save the encrypted string for step 4.

    1. Select the Encrypt a string option when the menu appears.

    2. When the Please enter a string prompt appears, enter the password in plain text that you want to encrypt.

      The encrypted password string is then returned, for example: LvglJEyAySUQBuyUcEeRcYhzrJX6NMl0.

  3. Select the Setup Livedata UI LDAP authentication option when the menu appears.

  4. Provide your LDAP configuration.

    See the LDAP configuration properties for descriptions and examples of each property mentioned below.

    Values needed
    LDAP base url, (e.g. ldap://localhost): "application.ldap.baseUrl"
    LDAP port: "application.ldap.port"
    LDAP base dn: "application.ldap.baseDn"
    LDAP Manager dn:  (Optional, enter to skip) "application.ldap.managerDn"
    LDAP manager password: "application.ldap.managerPassword"
    Use LDAP bind auth? (y/n) "application.ldap.bindAuth"
    Password attribute. (Optional, enter to skip) "application.ldap.passwordAttribute"
    User dn patterns (Optional, enter to skip) "application.ldap.userDnPatterns"
    User search base (Optional, enter to skip) "application.ldap.userSearchBase"
    User search filter. (Optional, enter to skip) "application.ldap.userSearchFilter"
    Group search base. (Optional, enter to skip) "application.ldap.groupSearchBase"
    Group search filter. (Optional, enter to skip) "application.ldap.groupSearchFilter"

    Here are two examples of LDAP configuration:

    Example with LDAP bind auth and no Manager
    LDAP base url, (e.g. ldap://localhost): ldap://localhost
    LDAP port: 389
    LDAP base dn: dc=springframework,dc=org
    LDAP Manager dn:  (Optional, enter to skip)
    Use LDAP bind auth? (y/n) y
    User dn patterns (Optional, enter to skip) {0},ou=people
    User search base (Optional, enter to skip)
    User search filter. (Optional, enter to skip)
    Group search base. (Optional, enter to skip)
    Group search filter. (Optional, enter to skip)

    Example with password attribute and Manager
    LDAP base url, (e.g. ldap://localhost): ldap://localhost
    LDAP port: 389
    LDAP base dn: dc=springframework,dc=org
    LDAP Manager dn:  (Optional, enter to skip) CN=manager,OU=city,DC=example,DC=com
    LDAP manager password: LvglJEyAySUQBuyUcEeRcYhzrJX6NMl0
    Use LDAP bind auth? (y/n) n
    Password attribute. (Optional, enter to skip) userPassword
    User dn patterns (Optional, enter to skip)
    User search base (Optional, enter to skip) ou=people
    User search filter. (Optional, enter to skip) (uid={0})
    Group search base. (Optional, enter to skip)
    Group search filter. (Optional, enter to skip)

  5. Select the Exit option once complete.

  6. Restart the LiveData UI to make the changes active:

    service livedata-ui restart

LDAP configuration properties

The following properties will be written to the application-prod.properties file once LDAP has been configured. Use the descriptions and examples to help complete setup through the livedata-ui encryptor tool.

Note: Don't configure these properties manually as the encryptor tool will handle special characters.

Name: application.ldap.enabled
Details: Enable LDAP login for the UI. If set to false, the default will be regular authentication (defined when logging in to the UI for the first time).
Default value: false
Allowed values: true, false

Name: application.ldap.baseUrl
Details: The LDAP server base URL that includes the LDAP scheme, for example: ldap://myldapserver.
Default value: (none)
Allowed values: Any valid LDAP server base URL.

Name: application.ldap.port
Details: The LDAP server port, for example: 389.
Default value: (none)
Allowed values: An integer value between 1024 and 65535.

Name: application.ldap.baseDn
Details: The BaseDN for the LDAP search criteria, for example: dc=example,dc=com.
Default value: (none)
Allowed values: A comma-separated list of valid LDAP sub-tree entries.

Manager credentials

The manager credentials, used if the LDAP server has authentication enabled for read access.

Name: application.ldap.managerDn
Details: The distinguished name (DN) for the LDAP manager, for example: CN=manager,OU=city,DC=example,DC=com.
Default value: (none)
Allowed values: A comma-separated list of valid LDAP sub-tree entries.

Name: application.ldap.managerPassword
Details: The password of the LDAP manager. Encrypt the manager password using the encryptor tool before adding this value.
Default value: (none)
Allowed values: An encrypted password.

User authentication

Choose one of the following to use for user authentication with the LDAP server.

Name: application.ldap.bindAuth
Details: Enable the Bind Authenticator to match a specific user for authentication. If set to false, the passwordAttribute method is used by default.
Default value: (none)
Allowed values: true, false

OR

Name: application.ldap.passwordAttribute
Details: The LDAP attribute for the LDAP user password, for example: userPassword. The value for the user password on the LDAP server must be encrypted in BCrypt format.
Default value: (none)
Allowed values: Any valid LDAP attribute.

User match configuration

Choose between a user pattern or a search filter to match a valid LDAP user in the database.

Name: application.ldap.userDnPatterns
Details: The pattern to match the distinguished name (DN) for the user, for example: uid={0},ou=people. The {0} is used instead of the login name that would normally exist here. Use this method if all of your users are stored under a single node in the directory.
Default value: (none)
Allowed values: Any valid Java pattern format relative to the application.ldap.baseDn defined earlier.

OR

Name: application.ldap.userSearchBase
Details: The distinguished name (DN) of the LDAP object from where to start the search for a user account, for example: ou=people. This field can be left blank if you want to start the search from the application.ldap.baseDn.
Default value: (none)
Allowed values: A valid LDAP DN relative to the application.ldap.baseDn defined earlier.

Name: application.ldap.userSearchFilter
Details: The LDAP query string to find the attribute representing the user account, for example (uid={0}). The value should be enclosed in brackets, and {0} is a required value as it is a token that represents the user account that will be validated.
Default value: (none)
Allowed values: A valid LDAP attribute to represent the user login name.

Group match configuration (not required)

Info: Group match configuration is not yet used by the LiveData UI as it applies to multiple user accounts (which is not yet supported).

Choose between a group pattern or a search filter to match a valid LDAP group in the database.

Name: application.ldap.groupSearchBase
Details: The distinguished name (DN) from where to start the search for an LDAP group, for example: ou=groups. This field can be left blank if you want to start the search from the application.ldap.baseDn.
Default value: (none)
Allowed values: A valid LDAP DN relative to the application.ldap.baseDn defined earlier.

Name: application.ldap.groupSearchFilter
Details: The filter to use to search for group membership, for example uniqueMember={0}.
Default value: uniqueMember={0}
Allowed values: A valid LDAP attribute to represent the user group membership.

Reset LDAP admin user password

Reset the admin user's password for LiveData Migrator by creating a file named reset.password in the UI configuration directory (/etc/wandisco/ui by default).

Provide details within the file as follows:

email=user@domain.com
password=newPassword

Restart the UI server after the file has been created.

The admin user's password will be updated to the value set in the file if the email provided matches that of the registered admin. The password file will then be automatically deleted.

Note: This process cannot be used for LDAP users other than the admin.

Security

Basic authentication compatibility

If basic authentication is enabled on LiveData Migrator or HiveMigrator (or both), additional steps are required to maintain LiveData UI functionality.

LiveData Migrator

Follow the steps below to configure the LiveData UI to work with LiveData Migrator basic authentication:

  1. On the LiveData UI host, run the following command:

    livedata-ui encryptor
  2. Select the Setup LDM Basic Auth option when the menu appears.

  3. Enter the username and password values in plain text that were defined for the security.basic.user and security.basic.password properties in the application.properties file.

  4. Select the Exit option once complete.

  5. Restart the LiveData UI to make the changes active:

    service livedata-ui restart

HiveMigrator

Follow the steps below to configure the LiveData UI to work with HiveMigrator basic authentication:

  1. On the LiveData UI host, run the following command:

    livedata-ui encryptor
  2. Select the Setup HVM Basic Auth option when the menu appears.

  3. Enter the username and password values in plain text that were defined for the username and password key values in the application.yaml file.

  4. Select the Exit option once complete.

  5. Restart the LiveData UI to make the changes active:

    service livedata-ui restart

TLS

Configure how the UI uses TLS, which is disabled by default.

Name: server.ssl.enabled
Details: Set to true to enable TLS. If no other TLS values are set, this will use an internal keystore and a self-signed certificate to serve the UI.
Default value: false
Allowed values: true, false

Name: server.ssl.port
Details: Set the port on which the UI should be available when TLS is enabled.
Default value: 8443
Allowed values: An integer value between 1024 and 65535

Name: server.ssl.key-store
Details: The path to the key store which should be used instead of the internal default.

Name: server.ssl.key-store-password
Details: The password to be used to access the key store.

Name: server.ssl.key-alias
Details: The alias of the certificate to be used.

Name: server.ssl.key-store-type
Details: Optional: set the key store type. Defaults to PKCS12.

Name: application.liveMigratorV2.client.noCheckCertificate
Details: Optional: add this property and set the value to true if you want to implicitly trust certificates from remote LiveData Migrator instances. Instead of using this property, we recommend that you import your server certificate into a truststore.
Default value: false

Tip: The example command below will import a certificate named server_cert.key into an existing Java truststore named cacerts:

keytool -import -trustcacerts -alias wandisco-ui -file server_cert.key -keystore cacerts

For more information about parameters, see Oracle's documentation.
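
As an added example (not part of LiveData Migrator), the script below checks a properties file against the allowed values and recommendations documented above for the general, logging and TLS properties, and flags a leftover reset.password file. The function names and the sample file are constructed for illustration; treating a leftover reset.password as a finding is an inference from the reset procedure, not a documented check.

```python
# Added example, not vendor code: audit application-prod.properties against
# the allowed values and recommendations documented on this page.
from pathlib import Path

LEVELS = {"TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"}

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and #/! comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def is_true(props, key):
    return props.get(key, "false").lower() == "true"

def audit(props, config_dir=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not is_true(props, "server.ssl.enabled"):
        findings.append("server.ssl.enabled: TLS is off (the default)")
    elif not props.get("server.ssl.key-store"):
        findings.append("server.ssl.key-store: unset, internal self-signed certificate in use")
    if is_true(props, "application.liveMigratorV2.client.noCheckCertificate"):
        findings.append("noCheckCertificate: remote certificates are trusted implicitly")
    for key, default in (("server.port", "8081"), ("server.ssl.port", "8443")):
        value = props.get(key, default)
        if not (value.isdecimal() and 1024 <= int(value) <= 65535):
            findings.append(f"{key}: {value!r} is not an integer in 1024-65535")
    if props.get("logging.level.ROOT", "INFO") not in LEVELS:
        findings.append("logging.level.ROOT: not a valid log level")
    if not props.get("logging.audit.days-kept", "90").isdecimal():
        findings.append("logging.audit.days-kept: not an integer number of days")
    # Inference from the reset procedure: the file holds a plain-text password
    # and is only described as deleted after a successful reset.
    if config_dir and (Path(config_dir) / "reset.password").exists():
        findings.append("reset.password: plain-text password file still present")
    return findings

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
server.port=8081
server.ssl.enabled=true
server.ssl.port=443
application.liveMigratorV2.client.noCheckCertificate=true
logging.level.ROOT=VERBOSE
logging.audit.days-kept=90
"""

if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print(finding)
```

On a UI host, pass the contents of /etc/wandisco/ui/application-prod.properties to parse_properties and /etc/wandisco/ui as config_dir.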

Configure a truststore

View and update the truststore used by LiveData Migrator through the REST API.

View a truststore

View the existing truststore parameters with a GET query sent to /config/ldm.

For example:

Example
curl http://localhost:18080/config/ldm/

Update a truststore

Change the existing truststore parameters with a POST query sent to /config/ldm.

For example:

Example
curl -X POST http://localhost:18080/config/ldm -H 'Content-Type: application/json' -d '{ "port":911,"useSsl":"true","username":"name@host.domain","password":"examplepassword1532","trust-store":{"path":"/ssl/path","password":"keypassword","type":"JKS"}}'

Directory structure

The following directories are used for the LiveData UI:

Location              Content
/var/log/wandisco/ui  Logs
/etc/wandisco/ui      Configuration files
/opt/wandisco/ui      Operation files
/var/run/livedata-ui  Runtime files