Authentication and Authorization in Martini

Securing your Martini applications involves implementing robust authentication and authorization mechanisms. This document outlines the methods for authenticating users and authorizing access within the Martini environment.

Use the principle of least privilege to limit access to sensitive data and functionality. Typically, this means that the development team will have access to Development environments, while only the DevOps/CloudOps team has access to the Production environment. In some cases, it may be desirable to grant access to the Production environment to the development team to help troubleshoot issues. In such instances, it is recommended to export the log files to a separate log analysis tool.

Authentication

Martini supports two primary methods of user authentication:

  1. Martini Users: These are users assigned to the internal Martini user directory. They can authenticate using a username and password or via an OAuth token.

  2. Lonti Account Users: Users with a Lonti account can access the Martini subscriptions using a single sign-on (SSO) approach.

Martini Users

Configuring OAuth for Martini Users

Martini provides a straightforward way to configure OAuth through application properties. To create Martini users, you must specify the following property in your override.properties file:

OAuth Properties

# Client secret that OAuth clients must use when authenticating to Martini Runtime.
# The OAuth authentication supports different encoder types by adding the prefix '{encoderType}'.
# List of supported encoder prefixes:
# - bcrypt
# - ldap
# - MD4
# - MD5
# - noop
# - pbkdf2
# - scrypt
# - SHA-1
# - SHA-256
# - sha256
# - argon2
# If unprovided, defaults to '{bcrypt}$2a$10$2lzUe7sVsRRhShjt4zIWFezg24BMR3/J.o/g3VAu1cq0ZPDnn16Bm'.
oauth.client-secret=YourUniqueSecret

Note: Martini Server Runtime v2.3 and later will automatically create a unique value for oauth.client-secret in the override.properties file for each instance of Martini if one has not already been set. If you are load balancing multiple instances of Martini Server Runtime that will be reading and writing encrypted values, ensure that the same secret is used across all instances.

Additional optional properties:

# The access token validity period for the OAuth client in seconds.
# If unprovided, defaults to '3600'.
oauth.access-token-validity=3600

# Client ID that OAuth clients must use when authenticating to Martini Runtime.
# If unprovided, defaults to 'TOROMartini'.
oauth.client-id=TOROMartini
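The properties above are easy to get wrong quietly: a secret left at the documented default, a secret stored with a plaintext or fast-digest encoder prefix, or load-balanced instances whose override.properties files disagree. The following audit script is an added example and is not part of the Martini documentation or the Lonti code base. It assumes only the '{encoderType}' prefix syntax shown on this page; which encoders it treats as weak, the 86400-second ceiling for oauth.access-token-validity, and the sample override.properties contents are this example's own choices, constructed for illustration.

```python
# Added example, not Martini/Lonti code: audit oauth.* settings in one or more
# override.properties files. Assumes the '{encoderType}' prefix syntax documented
# for oauth.client-secret; the weak/strong split and the 86400 s ceiling are this
# example's own assumptions, not Martini settings.
import re
from typing import Dict, List, Optional, Tuple

# Encoder prefixes listed on the page. Plaintext ('noop') and fast unsalted digests
# are treated as weak for secret storage; the password-hashing encoders as strong.
WEAK_ENCODERS = {"noop", "md4", "md5", "sha-1", "sha-256", "sha256"}
STRONG_ENCODERS = {"bcrypt", "scrypt", "pbkdf2", "argon2"}
MAX_TOKEN_VALIDITY = 86400  # assumption: anything over a day is worth a finding

PREFIX_RE = re.compile(r"^\{(?P<enc>[^}]+)\}(?P<rest>.*)$", re.S)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value (or key:value) lines,
    '#' / '!' comment lines, later duplicates win."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def split_encoder(secret: str) -> Tuple[Optional[str], str]:
    """Return (encoder, payload); encoder is None when no '{prefix}' is present."""
    m = PREFIX_RE.match(secret)
    if not m:
        return None, secret
    return m.group("enc").lower(), m.group("rest")


def audit_instance(name: str, text: str) -> List[str]:
    """Findings for a single instance's override.properties content."""
    findings: List[str] = []
    props = parse_properties(text)
    secret = props.get("oauth.client-secret")
    if secret is None:
        findings.append(f"{name}: oauth.client-secret not set; the documented default hash is in use")
    else:
        enc, payload = split_encoder(secret)
        if enc is None:
            findings.append(f"{name}: oauth.client-secret has no '{{encoder}}' prefix")
        elif enc in WEAK_ENCODERS:
            findings.append(f"{name}: oauth.client-secret uses weak encoder '{enc}'")
        elif enc not in STRONG_ENCODERS and enc != "ldap":
            findings.append(f"{name}: oauth.client-secret uses unknown encoder '{enc}'")
        if not payload:
            findings.append(f"{name}: oauth.client-secret is empty")
    validity = props.get("oauth.access-token-validity")
    if validity is not None and not (validity.isdigit() and 0 < int(validity) <= MAX_TOKEN_VALIDITY):
        findings.append(f"{name}: oauth.access-token-validity={validity} is not in 1..{MAX_TOKEN_VALIDITY}")
    return findings


def audit_cluster(instances: Dict[str, str]) -> List[str]:
    """Per-instance findings plus the cross-instance check the page calls for:
    load-balanced instances must carry the same oauth.client-secret value."""
    findings: List[str] = []
    secrets: Dict[str, Optional[str]] = {}
    for name, text in instances.items():
        findings.extend(audit_instance(name, text))
        secrets[name] = parse_properties(text).get("oauth.client-secret")
    if len(set(secrets.values())) > 1:
        detail = ", ".join(f"{n}={'set' if s else 'unset'}" for n, s in secrets.items())
        findings.append(f"cluster: oauth.client-secret differs across instances ({detail})")
    return findings


# Constructed sample: three instances behind one load balancer (hash value is a placeholder).
SAMPLE_INSTANCES = {
    "node-a": "oauth.client-secret={bcrypt}$2a$10$EXAMPLEHASHPLACEHOLDER\n"
              "oauth.access-token-validity=3600\n",
    "node-b": "# secret never set on this node\noauth.client-id=TOROMartini\n",
    "node-c": "oauth.client-secret={noop}YourUniqueSecret\n"
              "oauth.access-token-validity=604800\n",
}

if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_INSTANCES):
        print(finding)
```

Run against real files by reading each instance's override.properties into the dictionary in place of SAMPLE_INSTANCES. On the sample, node-a is clean, node-b reports the unset secret, node-c reports the plaintext encoder and the week-long token validity, and the cluster check reports that the three secrets disagree.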

Creating Martini Users

To create Martini users, navigate to the Users & Groups icon in the main navigation bar of Martini Designer. Click "Add User" and complete the required fields: Username, Email Address, Display Name, and Password. Once saved, the UI will provide the Access Token and Refresh Token for the user.

Important: For a Martini user to access a Martini instance via the REST API (including the API Explorer), they must be assigned to the group ESBAPIAdminGroup.

Note: Security for the Martini Server Runtime REST API is disabled for the embedded Martini Runtime instance. Security measures apply only to Martini Server Runtime instances.

Setting Up a Lonti User Account

Lonti user accounts are configured in the Settings of the Lonti Console and can be assigned to each subscription via the associated Users tab.

Authorization

Martini Users

Martini users must be assigned to the group ESBAPIAdminGroup to access the Martini Server Runtime REST API.

Martini users can also be granted access to the APIs that you publish using Martini. To grant a Martini user access to an API that you have created, click on the Security tab for that API and add the user and/or group that should be granted access.

Lonti User Accounts

Lonti user accounts can be assigned to groups by clicking on the cog icon in the Lonti Console. Users and groups can then be assigned to specific subscriptions, through each subscription's Users tab, to grant access.

User Roles

  • Account Owners: Have overall access to the organization, including billing management, subscription management (desktop, server, and cloud), team management, and team workspace extensions. They can enable/disable two-step authentication for logins and are notified of subscription transfers and membership requests.

  • Administrators: Act as officers in charge on behalf of Account Owners and have access to billing management, subscription management, team management, and team workspace extensions. Notifications are based on user actions.

  • Power Users: Have access to subscription management, including generating licenses, modifying plans, and provisioning cloud instances. They can add/remove users and have limited access to market items under team workspace.

  • Standard Users: Have access limited to the subscriptions they are assigned to, allowing them to add and remove subscribed extensions. They have limited access to market items under team workspace.

  • Billing Users: Have access limited to organization settings, allowing them to update billing contacts, manage credit cards, and view all organization activities.