Since Version 5.0 Airlock WAF comes with a default set of administration roles. This article explains how to add additional roles with different permissions.
Please be aware that future versions of Airlock may break backward compatibility through format or semantic changes, so back up every change you make by following this tutorial. Even minor Airlock 5.0 updates could overwrite these changes.
Custom roles for access control can be added by editing /opt/airlock/custom-settings/mgt-tomcat/acl.xml. On a fresh installation this XML configuration file (acl.xml) does not exist yet, so create it and set its file permissions appropriately.
Adding a role to the Airlock WAF GUI
After the new roles have been specified in acl.xml, a small additional configuration change is required so that the Airlock WAF Configuration Center recognizes them.
For Airlock WAF 6.x:
Open the following file:
/opt/airlock/mgt-tomcat/webapps/airlock/WEB-INF/applicationContext-security.xml
Search for "objectDefinitionSource" and add the new role:
<property name="objectDefinitionSource">
    <security:filter-invocation-definition-source ...>
        <!-- more URL patterns here... -->
        <security:intercept-url pattern="\A/.*" access="airlock-supervisor,airlock-administrator, ..., airlock-maintenance-page-admin"/>
    </security:filter-invocation-definition-source>
</property>
If the role must be able to activate an Airlock configuration, it must also be added to the pattern "\A/configuration/ajax/invoke?.*activate.*". The example below shows how to do so:
<property name="objectDefinitionSource">
    <security:filter-invocation-definition-source ...>
        <!-- more URL patterns here... -->
        <security:intercept-url pattern="\A/configuration/ajax/invoke?.*activate.*" access="airlock-supervisor,airlock-administrator,airlock-app-admin,airlock-maintenance-page-admin"/>
    </security:filter-invocation-definition-source>
</property>
For Airlock WAF 7.0:
Open the following file:
/opt/airlock/mgt-tomcat/webapps/airlock/WEB-INF/classes/applicationContext-security.xml
Search for "<sec:http pattern="/.*"" and add the role to the desired URL patterns:
<sec:http pattern="/.*"...>
    <!-- Other settings here. Do not change them... -->
    <sec:intercept-url pattern="\A(?i)/configuration/addonmodules/.*" access="airlock-supervisor,airlock-administrator,airlock-maintenance-page-admin"/>
    <sec:intercept-url pattern="\A(?i)/configuration/ajax/invoke?.*activate.*" access="airlock-supervisor,airlock-administrator,airlock-app-admin,airlock-maintenance-page-admin"/>
    <sec:intercept-url pattern="\A(?i)/rest/configuration/.*" access="airlock-supervisor,airlock-administrator,airlock-app-admin,airlock-maintenance-page-admin"/>
    <sec:intercept-url pattern="\A(?i)/rest/status/block/[0-9]+/reject.*" access="airlock-supervisor,airlock-administrator,airlock-app-admin,airlock-maintenance-page-admin"/>
    <sec:intercept-url pattern="\A(?i)/rest/status/backendgroup.*" access="airlock-supervisor,airlock-administrator,airlock-app-admin,airlock-maintenance-page-admin"/>
    <sec:intercept-url pattern="\A(?i)/rest/status/session.*" access="airlock-supervisor,airlock-administrator,airlock-app-admin,airlock-maintenance-page-admin"/>
    <sec:intercept-url pattern="\A/.*" access="airlock-supervisor,airlock-administrator,airlock-auditor,airlock-app-admin,airlock-maintenance-page-admin"/>
    <!-- Other settings here. Do not change them... -->
</sec:http>
Note: The changes to the files /opt/airlock/mgt-tomcat/webapps/airlock/WEB-INF/applicationContext-security.xml and /opt/airlock/base/bin/airlock-user-manager are NOT update-resistant. Back up those files and, after installing a new Airlock update or hotfix, verify that they are still configured as expected.
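Because an update can silently revert these edits, a post-update check that the custom role still appears in the access list of every intercept-url pattern it needs is worth scripting. The following Python script is an added example, not part of the article or the Airlock product; the role name airlock-custom-operator and the sample XML are constructed, and the namespace URI is the standard Spring Security one. It handles both the sec: (7.0) and security: (6.x) element prefixes by ignoring the namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample of applicationContext-security.xml (Airlock WAF 7.0 layout),
# trimmed to two intercept-url entries. "airlock-custom-operator" is a placeholder
# custom role; the namespace URI is the standard Spring Security schema URI.
SAMPLE_XML = r"""<beans xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http pattern="/.*">
    <sec:intercept-url pattern="\A(?i)/configuration/ajax/invoke?.*activate.*"
        access="airlock-supervisor,airlock-administrator,airlock-app-admin,airlock-maintenance-page-admin"/>
    <sec:intercept-url pattern="\A/.*"
        access="airlock-supervisor, airlock-administrator, airlock-auditor, airlock-app-admin, airlock-maintenance-page-admin, airlock-custom-operator"/>
  </sec:http>
</beans>
"""

ACTIVATE_PATTERN = r"\A(?i)/configuration/ajax/invoke?.*activate.*"
CATCH_ALL_PATTERN = r"\A/.*"


def _local_name(tag):
    # Strip the {namespace} part so both "sec:" (7.0) and "security:" (6.x) files work.
    return tag.rsplit("}", 1)[-1]


def roles_per_pattern(xml_text):
    """Map each intercept-url pattern to the set of roles listed in its access attribute."""
    root = ET.fromstring(xml_text)
    result = {}
    for element in root.iter():
        if _local_name(element.tag) != "intercept-url":
            continue
        # Access lists may contain spaces after the commas; strip them.
        roles = {r.strip() for r in element.get("access", "").split(",") if r.strip()}
        # Keep the first occurrence of a pattern; later duplicates are ignored.
        result.setdefault(element.get("pattern"), roles)
    return result


def missing_role_patterns(xml_text, role, required_patterns):
    """Return the required patterns whose access list does not contain the role."""
    found = roles_per_pattern(xml_text)
    return [p for p in required_patterns if role not in found.get(p, set())]


if __name__ == "__main__":
    # Against a real installation, read the file from disk instead of the constructed sample.
    gaps = missing_role_patterns(SAMPLE_XML, "airlock-custom-operator",
                                 [ACTIVATE_PATTERN, CATCH_ALL_PATTERN])
    for pattern in gaps:
        print(f"role missing from access list of pattern {pattern}")
```

In the constructed sample the custom role is present on the catch-all pattern but absent from the activate pattern, so the script reports exactly that one gap.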