
Authentication and Authorization in Martini

Securing your Martini applications involves implementing robust authentication and authorization mechanisms. This document outlines the methods for authenticating users and authorizing access within the Martini environment.

Use the principle of least privilege to limit access to sensitive data and functionality. Typically, this means that the development team will have access to Development environments, while only the DevOps/CloudOps team has access to the Production environment. In some cases, it may be desirable to grant access to the Production environment to the development team to help troubleshoot issues. In such instances, it is recommended to export the log files to a separate log analysis tool.

Authentication

Martini supports two primary methods of user authentication:

  1. Martini Users: These are users assigned to the internal Martini user directory. They can authenticate using a username and password or via an OAuth token.

  2. Lonti Account Users: Users with a Lonti account can access the Martini subscriptions using a single sign-on (SSO) approach.

Martini Users

Configuring OAuth for Martini Users

Martini provides a straightforward way to configure OAuth through application properties. To create Martini users, you must specify the following property in your override.properties file:

OAuth Properties

# Client secret that OAuth clients must use when authenticating to Martini Runtime.
# The OAuth authentication supports different encoder types by adding the prefix '{encoderType}'.
# List of supported encoder prefixes:
# - bcrypt
# - ldap
# - MD4
# - MD5
# - noop
# - pbkdf2
# - scrypt
# - SHA-1
# - SHA-256
# - sha256
# - argon2
# If unprovided, defaults to '{bcrypt}$2a$10$2lzUe7sVsRRhShjt4zIWFezg24BMR3/J.o/g3VAu1cq0ZPDnn16Bm'.
oauth.client-secret=YourUniqueSecret

Note: Martini Server Runtime v2.3 and later will automatically create a unique value for oauth.client-secret in the override.properties file for each instance of Martini if one has not already been set. If you are load balancing multiple instances of Martini Server Runtime that will be reading and writing encrypted values, ensure that the same secret is used across all instances.

Additional optional properties:

# The access token validity period for the OAuth client in seconds.
# If unprovided, defaults to '3600'.
oauth.access-token-validity=3600

# Client ID that OAuth clients must use when authenticating to Martini Runtime.
# If unprovided, defaults to 'TOROMartini'.
oauth.client-id=TOROMartini
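As an added example (not part of Martini or this documentation), the following Python check reads an override.properties fragment, parses the {encoderType} prefix on oauth.client-secret, flags encoders from the list above that keep the secret as plaintext or a fast digest (that classification is ours, not the product's), flags a secret left at the documented default, and validates oauth.access-token-validity. The sample fragment is constructed.

```python
import re

# Encoder prefixes listed for oauth.client-secret in the Martini OAuth properties.
SUPPORTED_ENCODERS = {"bcrypt", "ldap", "MD4", "MD5", "noop", "pbkdf2",
                      "scrypt", "SHA-1", "SHA-256", "sha256", "argon2"}
# Our own classification (assumption, not Martini's): plaintext or fast digests.
WEAK_ENCODERS = {"noop", "MD4", "MD5", "SHA-1"}
# Default documented for oauth.client-secret; a deployment should replace it.
DOCUMENTED_DEFAULT = "{bcrypt}$2a$10$2lzUe7sVsRRhShjt4zIWFezg24BMR3/J.o/g3VAu1cq0ZPDnn16Bm"
PREFIX_RE = re.compile(r"^\{([^}]*)\}(.*)$", re.S)


def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#'/'!' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_oauth_config(text):
    """Return (code, message) findings for the OAuth settings in override.properties."""
    props = parse_properties(text)
    findings = []
    secret = props.get("oauth.client-secret")
    if secret is None:
        findings.append(("missing-secret", "oauth.client-secret not set; the documented default applies"))
    elif secret == DOCUMENTED_DEFAULT:
        findings.append(("default-secret", "oauth.client-secret still holds the documented default"))
    else:
        m = PREFIX_RE.match(secret)
        if m is None:
            findings.append(("no-prefix", "no {encoderType} prefix; confirm how the runtime encodes a bare value"))
        elif m.group(1) not in SUPPORTED_ENCODERS:
            findings.append(("unknown-encoder", f"encoder prefix '{{{m.group(1)}}}' is not in the supported list"))
        elif m.group(1) in WEAK_ENCODERS:
            findings.append(("weak-encoder", f"'{{{m.group(1)}}}' stores the secret as plaintext or a fast digest"))
    validity = props.get("oauth.access-token-validity", "3600")
    if not validity.isdigit() or int(validity) <= 0:
        findings.append(("bad-validity", f"oauth.access-token-validity must be a positive integer, got {validity!r}"))
    return findings


# Constructed sample fragment (not a real deployment's file).
SAMPLE = """\
# OAuth settings
oauth.client-id=TOROMartini
oauth.client-secret={MD5}5f4dcc3b5aa765d61d8327deb882cf99
oauth.access-token-validity=3600
"""

if __name__ == "__main__":
    for code, msg in check_oauth_config(SAMPLE):
        print(f"[{code}] {msg}")
```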

Creating Martini Users

  1. Open Users & Groups:
    In Martini Designer, go to the main navigation bar and click on the Users & Groups icon.

  2. Add a New User:
    Click Add User to start creating a new user.

  3. Enter User Details:
    Fill in the required fields:

    • Username
    • Email Address
    • Display Name
    • Password

  4. Save the User:
    After entering all the necessary information, save the user.

  5. Retrieve Tokens:
    Once saved, the UI will display the Access Token and Refresh Token for the newly created user.

Important

For a Martini user to access a Martini instance via the REST API (including the API Explorer), they must be assigned to the group ESBAPIAdminGroup.

Note:

Security for the Martini Server Runtime REST API is disabled for the embedded Martini Runtime instance. Security measures apply only to Martini Server Runtime instances.

Setting Up a Lonti User Account

Lonti user accounts are configured in the Settings of the Lonti Console and can be assigned to each subscription via the associated Users tab. You can follow our knowledge base article about How to Manage User Accounts for more information about Lonti users and subscriptions.

Authorization

For details about user roles and permissions, refer to the knowledge base topic:
Understanding Roles and Permissions for User Accounts.