Security Settings
We have carefully selected the security configuration of the RapidMiner Platform deployment to ensure high security standards are met. In most cases, some adjustment to these defaults will be needed to ensure compliance with the (enterprise) deployment environment, or finding a good balance between ease of use and security.
Below you can find guides to carry out common tasks related to the security of the deployment.
Pre-requisites
执行等内容ement tasks described below, you need to be logged in with a user that has the appropriate role assigned. In our default configuration, this role is covered by theplatform-admin
realm role, which is assigned to the pre-provisionedadmin
user.
After logging in, navigate toIdentity and Securityon your deployment'slanding pageto access the admin interface. All instructions below assume that you are already logged in and navigated to this page.
Managing password security
This feature will allow you to set password complexity requirements, password hashing configuration, and password expiration policies.
By default, we have configured a basic set of password policies to ensure a good baseline level of password security. Passwords will require to be 6 characters long, cannot be the same as the username, and cannot be on a configured blacklist of common passwords.
To add a new policy, go toAuthentication, and click on thePassword Policytab.
From theAdd Policydropdown, select the policy you wish to configure, then set the desired value. As an example, to set a one month password expiration policy, addExpire Passwordwith a value of30.
You can add multiple policies, each of them will be enforced when setting passwords.
Note: password policies only apply to users managed by RapidMiner Identity and Security. In case offederated identity or a federated user database, you need to set the password policies in these respective systems.
Configuring two-factor authentication
Two-factor authentication (using Google Authenticator or FreeOTP) are supported. By default, it's an optionally configurable security measure available for all users. As a user, you can configure it on your Account page.
Two-factor authentication can also be configured to be mandatory, in which case it will be a requirement of a successful first login.
To make two-factor authentication mandatory, go toAuthentication, and click on theRequired Actionstab.
CheckDefault Actionin the row ofConfigure OTP.
The setting takes effect immediately, all new users will be required to configure two-factor authentication.
Configuring transport security (HTTPS)
When performing initial deployment based on a template, the services will start up and work using unencrypted HTTP communication. This path was chosen to simplify the initial hurdles of deployment, but for long-running development/testing and production deployments westronglyrecommend configuring encryption over the wire.
As a prerequisite, the administrator needs to procure a secure certificate from a trusted Certificate Authority, which is out of scope for this document. The certificate must be issued for the public URL where the deployment will be accessible, and the certificate file (containing thefull certificate chain) and the private key file need to be at hand.
Using a self-signed or company-internal certificate (i.e. one not signed by a trusted Certificate Authority) is not supported out of the box. If the used certificate is not trusted by a Certificate Authority, the individual components of the platform will not be able to use this, unless each components adds the certificate to their trusted certificate stores.
If you need to secure the RapidMiner Platform using a self-signed or company internal certificate, contact our support team to help get it done.
To install a certificate to be used in the RapidMiner Platform:
- On the host machine where the deployment is running, copy the
.crt
and.key
files to thessl
folder that exists beside yourdocker-compose.yml
. Create the folder if it doesn't exist yet. The files should be namedcertificate.crt
andprivate.key
, respectively. Make sure the certificate file contains the full certificate chain. - Generate your dhparam file by running
openssl dhparam -out ssl/dhparam.pem 2048
. Depending on your machine, this might take several minutes. - Using your favorite text editor, edit the
.env
file and replacehttp://
withhttps://
in yourPUBLIC_URL
andPUBLIC_SSO_URL
variables - Run
docker-compose up -d
to update your deployment.
After this procedure is done, you will no longer be able to access the deployment on plain HTTP. Trying to connect on port 80 will get you redirected automatically to port 443, where HTTPS based communication will be done.
Configuring email
RapidMiner平台的集成KeyCloak component can be configured to use an SMTP server to send emails. This is needed in certain user management related use cases. Here are some examples:
- allowing self-signup, which requires verification emails to be sent
- sending password reset emails
To configure email, go toRealm Settings, and click on theEmailtab.
Add the details of your SMTP server which will be used by KeyCloak to send emails.
If you want to enable some of the above examples to ease self service user management, go to theLogintab and enable the desired features.
检查审计日志
We can log and display two sets of events: login events and admin events. In the RapidMiner Platform deployment, both are configured to be saved to the database and queried/filtered on the Identity and Security interface.
Login events are various types of events related to user login, authentication and authorization and their related errors.
Admin events are changes made in the KeyCloak configuration.
To query and filter these events, go toSessionsand click on theLogin EventsorAdmin Eventstab, depending on the set of information you would like to review.
To configure what events are saved, and for how long (only in case of Login events), go to theConfigtab.
You can customize what types of login events are saved (some of them might be superfluous and fill up your database too quickly). To do this, add or remove items from theSaved Typesbox.
You can customize how long the events are kept for. To do this, set the desired values in theExpirationfield.
For a more detailed description, check out the relevant section of theKeyCloak administration guide.
Checking active sessions and revoking tokens
It is prudent to check in on what components are used in the deployment and by whom.
In the case when a breach is suspected (e.g. a user's credentials are suspected stolen), it might be prudent to invalidate current logins and tokens.
To check ongoing sessions, go toSessions. TheRealm Sessionstab will show all realm clients (i.e. deployment components) which have active sessions. Clicking on one of the clients will give you a detailed list of which users have active sessions and their source IP address.
You have the option to end all sessions by going toSessionsand clicking theLogout allbutton.
To invalidate possibly stolen tokens, go toSessionsand click on theRevocationtab. By clicking theSet to nowbutton, you can invalidate all tokens issued before the current time.