Add externalized user directory to secrets connector

application.properties

@@ -22,11 +22,13 @@ platform.configstore.endpoint=data/servers/{0}/config/{0}.config
 ### Set up the platform metadata security connector that provides authorization
 ### for platform administration, server operations and diagnostic calls.
 ### By default, there is no platform metadata security connector.
-### The values below are for a sample platform metadata security connector where the only userId
-### that is permitted to use the administration and platform services is `garygeeke`.
+### The values below are for a sample platform metadata security connector based off of Coco Pharmaceutical persona
 ###############################################
-platform.security.provider=org.odpi.openmetadata.metadatasecurity.samples.CocoPharmaPlatformSecurityProvider
+platform.security.provider=org.odpi.openmetadata.metadatasecurity.samples.CocoPharmaSecretsSecurityProvider
 platform.security.name=Coco Pharmaceuticals Platform
+platform.security.secrets.provider=org.odpi.openmetadata.adapters.connectors.secretsstore.yaml.YAMLSecretsStoreProvider
+platform.security.secrets.location=loading-bay/secrets/demo-user-directory.omsecrets
+platform.security.secrets.collection=userDirectory
 
 ###############################################
 ### Set up the default configuration document for any new OMAG Server configurations.
@@ -96,34 +98,11 @@ strict.ssl=false
 # User security
 ################################################
 
-# Authentication source (possible values: demo, ldap, ad)
-authentication.source=demo
-# Authentication mode (possible values: session,token,redis)
+# Authentication source
+authentication.source=platform
+# Authentication mode
 authentication.mode=token
 
-#token timeout in minutes
-token.timeout=15
-token.absolute.timeout=720
-token.secret=doNotTell
-
-#LDAP authentication
-
-ldap.domain=
-ldap.user.search.base=ou=people,dc=egeria,dc=com
-ldap.user.search.filter=uid={0}
-ldap.group.search.base=ou=Groups,dc=egeria,dc=com
-ldap.group.search.filter=member={0}
-ldap.url=ldap://localhost:389
-ldap.group.role.attribute=
-ldap.npa.dn=
-ldap.npa.password=
-#ldap.user.dn.patterns patterns is a list of values separated by ";" as comma is used in the ldap pattern
-ldap.user.dn.patterns=
-
-# Redis configuration
-#redis.host=localhost
-#redis.port=6379
-
 ################################################
 ### Additional demo users configuration for when authentication.source=demo
 ### This file is located in the resources folder of the user-authn module and built into its runtime jar
@@ -152,43 +131,6 @@ cors.allowed-origins=*
 app.description=Have a question? || Get in touch via our Slack community https://slack.lfai.foundation/ @@What is Open Metadata? || Find out more on our website https://egeria-project.org/ @@Have more cool ideas? || Feel free to let us know your ideas so we can make it better.
 app.title=Egeria Open Metadata | Find the right data with governance
 
-# ##############################################################
-# Component visibility for Role based access ###################
-# ##############################################################
-# How it works?
-#
-# The roles are defined in external authentication source (provider) configured with `authentication.source`.
-# For demo purposes, we are providing simple file based authentication provider. See demo-users.yml
-# The matrix controlling what components are allowed on the UI views for specific role is defined in the 'role.visibleComponents' prefixed properties as follows"
-#
-#   role.visibleComponents.{ROLE-1}={component-name-1}
-#   role.visibleComponents.{ROLE-2}={component-name-1},{component-name-2}
-#
-#   This will configure the application to show the component named 'component-name-1' for all uses assigned to 'ROLE-1'
-#   In the same way, users that have assigned 'ROLE-2' can see more 'component-name-1' and 'component-name-2'.
-#   It is also possible to use wildcard '*' to enable full visibility of all components to users in the given role.
-#
-#   Complete list of components names that can be used:
-#
-#       about
-#       asset-catalog
-#       asset-details
-#       asset-details-print
-#       glossary
-#       repository-explorer
-#       type-explorer
-#       asset-lineage
-#       asset-lineage-print
-#       end-to-end
-#       ultimate-source
-#       ultimate-destination
-#       vertical-lineage
-#
-# Below is the default configuration for the two COCO_PHARMA roles we use for demo:
-
-role.visibleComponents.COCO_PHARMA_USER=about,asset-catalog,asset-details,asset-details-print,asset-lineage,asset-lineage-print,end-to-end,ultimate-source,ultimate-destination,vertical-lineage,glossary,repository-explorer
-role.visibleComponents.COCO_PHARMA_ADMIN=*
-
 ################################################
 ### Which java packages should be scanned to locate the Spring resource definitions that define the REST APIs?
 ################################################

container.application.properties

@@ -22,11 +22,13 @@ platform.configstore.endpoint=data/servers/{0}/config/{0}.config
 ### Set up the platform metadata security connector that provides authorization
 ### for platform administration, server operations and diagnostic calls.
 ### By default, there is no platform metadata security connector.
-### The values below are for a sample platform metadata security connector where the only userId
-### that is permitted to use the administration and platform services is `garygeeke`.
+### The values below are for a sample platform metadata security connector based off of Coco Pharmaceutical persona
 ###############################################
-platform.security.provider=org.odpi.openmetadata.metadatasecurity.samples.CocoPharmaPlatformSecurityProvider
+platform.security.provider=org.odpi.openmetadata.metadatasecurity.samples.CocoPharmaSecretsSecurityProvider
 platform.security.name=Coco Pharmaceuticals Platform
+platform.security.secrets.provider=org.odpi.openmetadata.adapters.connectors.secretsstore.yaml.YAMLSecretsStoreProvider
+platform.security.secrets.location=loading-bay/secrets/demo-user-directory.omsecrets
+platform.security.secrets.collection=userDirectory
 
 ###############################################
 ### Set up the default configuration document for any new OMAG Server configurations.
@@ -96,34 +98,11 @@ strict.ssl=false
 # User security
 ################################################
 
-# Authentication source (possible values: demo, ldap, ad)
-authentication.source=demo
-# Authentication mode (possible values: session,token,redis)
+# Authentication source
+authentication.source=platform
+# Authentication mode
 authentication.mode=token
 
-#token timeout in minutes
-token.timeout=15
-token.absolute.timeout=720
-token.secret=doNotTell
-
-#LDAP authentication
-
-ldap.domain=
-ldap.user.search.base=ou=people,dc=egeria,dc=com
-ldap.user.search.filter=uid={0}
-ldap.group.search.base=ou=Groups,dc=egeria,dc=com
-ldap.group.search.filter=member={0}
-ldap.url=ldap://localhost:389
-ldap.group.role.attribute=
-ldap.npa.dn=
-ldap.npa.password=
-#ldap.user.dn.patterns patterns is a list of values separated by ";" as comma is used in the ldap pattern
-ldap.user.dn.patterns=
-
-# Redis configuration
-#redis.host=localhost
-#redis.port=6379
-
 ################################################
 ### Additional demo users configuration for when authentication.source=demo
 ### This file is located in the resources folder of the user-authn module and built into its runtime jar
@@ -152,43 +131,6 @@ cors.allowed-origins=*
 app.description=Have a question? || Get in touch via our Slack community https://slack.lfai.foundation/ @@What is Open Metadata? || Find out more on our website https://egeria-project.org/ @@Have more cool ideas? || Feel free to let us know your ideas so we can make it better.
 app.title=Egeria Open Metadata | Find the right data with governance
 
-# ##############################################################
-# Component visibility for Role based access ###################
-# ##############################################################
-# How it works?
-#
-# The roles are defined in external authentication source (provider) configured with `authentication.source`.
-# For demo purposes, we are providing simple file based authentication provider. See demo-users.yml
-# The matrix controlling what components are allowed on the UI views for specific role is defined in the 'role.visibleComponents' prefixed properties as follows"
-#
-#   role.visibleComponents.{ROLE-1}={component-name-1}
-#   role.visibleComponents.{ROLE-2}={component-name-1},{component-name-2}
-#
-#   This will configure the application to show the component named 'component-name-1' for all uses assigned to 'ROLE-1'
-#   In the same way, users that have assigned 'ROLE-2' can see more 'component-name-1' and 'component-name-2'.
-#   It is also possible to use wildcard '*' to enable full visibility of all components to users in the given role.
-#
-#   Complete list of components names that can be used:
-#
-#       about
-#       asset-catalog
-#       asset-details
-#       asset-details-print
-#       glossary
-#       repository-explorer
-#       type-explorer
-#       asset-lineage
-#       asset-lineage-print
-#       end-to-end
-#       ultimate-source
-#       ultimate-destination
-#       vertical-lineage
-#
-# Below is the default configuration for the two COCO_PHARMA roles we use for demo:
-
-role.visibleComponents.COCO_PHARMA_USER=about,asset-catalog,asset-details,asset-details-print,asset-lineage,asset-lineage-print,end-to-end,ultimate-source,ultimate-destination,vertical-lineage,glossary,repository-explorer
-role.visibleComponents.COCO_PHARMA_ADMIN=*
-
 ################################################
 ### Which java packages should be scanned to locate the Spring resource definitions that define the REST APIs?
 ################################################

open-metadata-implementation/adapters/open-connectors/rest-client-connectors/spring-rest-client-connector/src/main/java/org/odpi/openmetadata/adapters/connectors/restclients/spring/SpringRESTClientConnector.java

@@ -13,6 +13,7 @@
 import org.odpi.openmetadata.frameworks.connectors.controls.SecretsStorePurpose;
 import org.odpi.openmetadata.frameworks.connectors.ffdc.ConnectorCheckedException;
 import org.odpi.openmetadata.frameworks.connectors.properties.EndpointProperties;
+import org.odpi.openmetadata.frameworks.connectors.properties.users.UserAccount;
 import org.odpi.openmetadata.tokenmanager.http.HTTPHeadersThreadLocal;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -159,6 +160,19 @@ else if (SecretsStorePurpose.REST_BASIC_AUTHENTICATION.getName().equals(secretsS
                             break;
                         }
                     }
+                    else if (SecretsStorePurpose.USER_DIRECTORY.getName().equals(secretsStorePurpose))
+                    {
+                        if (userId != null)
+                        {
+                            UserAccount userAccount = secretsStoreConnector.getUser(userId);
+
+                            if ((userAccount != null) && (userAccount.getSecrets() != null) && (userAccount.getSecrets().get(SecretsStoreCollectionProperty.CLEAR_PASSWORD.getName()) != null))
+                            {
+                                authorizationHeader = this.createAuthorizationHeaders(userId, userAccount.getSecrets().get(SecretsStoreCollectionProperty.CLEAR_PASSWORD.getName()));
+                                break;
+                            }
+                        }
+                    }
                 }
             }
         }

open-metadata-implementation/adapters/open-connectors/secrets-store-connectors/env-variable-secrets-store-connector/src/main/java/org/odpi/openmetadata/adapters/connectors/secretsstore/envar/EnvVarSecretsStoreConnector.java

@@ -5,6 +5,9 @@
 
 import org.odpi.openmetadata.frameworks.connectors.SecretsStoreConnector;
 import org.odpi.openmetadata.frameworks.connectors.ffdc.ConnectorCheckedException;
+import org.odpi.openmetadata.frameworks.connectors.properties.users.UserAccount;
+
+import java.util.Map;
 
 /**
  * EnvVarSecretsStoreConnector retrieves secrets from environment variables.  Each secret is named for its environment variable.
@@ -33,6 +36,51 @@
     }
 
 
+    /**
+     * Retrieve a secret from the secrets store.
+     *
+     * @param secretsCollectionName name of collection
+     * @param secretName name of the secret.
+     * @return secret
+     */
+    @Override
+    public String getSecret(String secretsCollectionName,
+                            String secretName)
+
+    {
+        return System.getenv(this.secretsCollectionName + "_" + secretName);
+    }
+
+
+    /**
+     * Retrieve any user definitions stored in the secrets collection.
+     *
+     * @return map of userIds to user details
+     */
+    public Map<String, UserAccount> getUsers()
+    {
+        /*
+         * Not supported.
+         */
+        return null;
+    }
+
+
+    /**
+     * Retrieve the requested user definitions stored in the secrets collection.
+     *
+     * @param userId userId for the lookup
+     * @return associated user details or null
+     */
+    public UserAccount getUser(String userId)
+    {
+        /*
+         * Not supported.
+         */
+        return null;
+    }
+
+
     /**
      * Retrieve the refresh time from the secrets store.
      *