Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Snow Owl is provided in the following package formats:
Package
Description
zip/tar.gz
The zip
and tar.gz
packages are suitable for installation on any system and are the easiest choice for getting started with Snow Owl on most systems.
Install Snow Owl with tar.gz
or zip
rpm
The rpm
package is suitable for installation on Red Hat, Centos, SLES, OpenSuSE and other RPM-based systems. RPMs may be downloaded from the Downloads section.
Install Snow Owl with RPM
deb
The deb
package is suitable for Debian, Ubuntu, and other Debian-based systems. Debian packages may be downloaded from the Downloads section.
Install Snow Owl with Debian Package
docker
Images are available for running Snow Owl as Docker containers. They may be downloaded from the official Docker Hub Registry. Install Snow Owl with Docker
This section includes information on how to setup Snow Owl and get it running, including:
Downloading
Installing
Starting
Configuring
Snow Owl is built using Java, and requires at least Java 11 in order to run. Only Oracle’s Java and the OpenJDK are supported. The same JVM version should be used on all Snow Owl nodes and clients.
We recommend installing Java version 11.0.x or a later version in the Java 11 release series. We recommend using a supported LTS version of Java.
The version of Java that Snow Owl will use can be configured by setting the JAVA_HOME environment variable.
The RPM for Snow Owl can be downloaded from the Downloads section. It can be used to install Snow Owl on any RPM-based system such as OpenSuSE, SLES, Centos, Red Hat, and Oracle Enterprise.
RPM install is not supported on distributions with old versions of RPM, such as SLES 11 and CentOS 5. Please see Install Snow Owl with .zip or .tar.gz instead.
On systemd-based distributions, the installation scripts will attempt to set kernel parameters (e.g., vm.max_map_count
); you can skip this by masking the systemd-sysctl.service unit.
Use the chkconfig command to configure Snow Owl to start automatically when the system boots up:
Snow Owl can be started and stopped using the service command:
If Snow Owl fails to start for any reason, it will print the reason for failure to STDOUT. Log files can be found in /var/log/snowowl/
.
To configure Snow Owl to start automatically when the system boots up, run the following commands:
Snow Owl can be started and stopped as follows:
These commands provide no feedback as to whether Snow Owl was started successfully or not. Instead, this information will be written in the log files located in /var/log/snowowl/
.
You can test that your Snow Owl instance is running by sending an HTTP request to:
which should give you a response something like this:
Snow Owl defaults to using /etc/snowowl
for runtime configuration. The ownership of this directory and all files in this directory are set to root:snowowl
on package installation and the directory has the setgid
flag set so that any files and subdirectories created under /etc/snowowl
are created with this ownership as well (e.g., if a keystore is created using the keystore tool). It is expected that this be maintained so that the Snow Owl process can read the files under this directory via the group permissions.
Snow Owl loads its configuration from the /etc/snowowl/snowowl.yml
file by default. The format of this config file is explained in Configuring Snow Owl.
The RPM places config files, logs, and the data directory in the appropriate locations for an RPM-based system:
You now have a test Snow Owl environment set up. Before you start serious development or go into production with Snow Owl, you must do some additional setup:
Learn how to configure Snow Owl.
Configure important Snow Owl settings.
Configure important system settings.
The Debian package for Snow Owl can be downloaded from the Downloads section. It can be used to install Snow Owl on any Debian-based system such as Debian and Ubuntu.
Use the update-rc.d command to configure Snow Owl to start automatically when the system boots up:
Snow Owl can be started and stopped using the service command:
If Snow Owl fails to start for any reason, it will print the reason for failure to STDOUT. Log files can be found in /var/log/snowowl/
.
To configure Snow Owl to start automatically when the system boots up, run the following commands:
Snow Owl can be started and stopped as follows:
These commands provide no feedback as to whether Snow Owl was started successfully or not. Instead, this information will be written in the log files located in /var/log/snowowl/
.
You can test that your Snow Owl instance is running by sending an HTTP request to:
which should give you a response something like this:
Snow Owl defaults to using /etc/snowowl
for runtime configuration. The ownership of this directory and all files in this directory are set to root:snowowl
on package installation and the directory has the setgid
flag set so that any files and subdirectories created under /etc/snowowl
are created with this ownership as well (e.g., if a keystore is created using the keystore tool). It is expected that this be maintained so that the Snow Owl process can read the files under this directory via the group permissions.
NOTE: Distributions that use systemd
require that system resource limits be configured via systemd
rather than via the /etc/sysconfig/snowowl
file.
The Debian package places config files, logs, and the data directory in the appropriate locations for a Debian-based system:
You now have a test Snow Owl environment set up. Before you start serious development or go into production with Snow Owl, you must do some additional setup:
Snow Owl is also available as Docker images. The images use as the base image.
A list of all published Docker images and tags is available at .
These images are free to use under the Apache 2.0 license. They contain open source features only.
Obtaining Snow Owl for Docker is as simple as issuing a docker pull
command against the Docker Hub registry.
Snow Owl can be quickly started for development or testing use with the following command:
The vm.max_map_count
kernel setting needs to be set to at least 262144
permanently in /etc/sysctl.conf
for production use. To apply the setting on a live system type: sysctl -w vm.max_map_count=262144
The following example brings up Snow Owl instance with its dedicated Elasticsearch node. To bring up the cluster, use the and just type:
The node snowowl
listens on localhost:8080
while it talks to the elasticsearch
node over a Docker network.
To stop the cluster, type docker-compose down
. Data volumes/mounts will persist, so it's possible to start the stack again with the same data using docker-compose up`.
The image offers several methods for configuring Snow Owl settings with the conventional approach being to provide customized files, that is to say, snowowl.yml
. It's also possible to use environment variables to set options:
A. Bind-mounted configuration
Create your custom config file and mount this over the image's corresponding file.
For example, bind-mounting a custom_snowowl.yml
with docker run
can be
accomplished with the parameter:
The container runs Snow Owl as user snowowl
using uid:gid 1000:1000
. Bind mounted host directories and files, such as custom_snowowl.yml
above, need to be accessible by this user. For the mounted data and log dirs, such as /usr/share/snowowl/resources
, write access is required as well.
B. Customized image
In some environments, it may make more sense to prepare a custom image containing
your configuration. A Dockerfile
to achieve this may be as simple as:
You could then build and try the image with something like:
We have collected a number of best practices for production use. Any Docker parameters mentioned below assume the use of docker run
.
By default, Snow Owl runs inside the container as user snowowl
using uid:gid 1000:1000
.
If you are bind-mounting a local directory or file, ensure it is readable by
this user, while the <> additionally require
write access. A good strategy is to grant group access to gid 1000
or 0
for
the local directory. As an example, to prepare a local directory for storing
data through a bind-mount:
It is important to ensure increased ulimits for nofile
and nproc
are available for the Snow Owl containers.
for the Docker daemon is already setting those to acceptable values and, if
needed, adjust them in the Daemon, or override them per container, for example
using docker run
:
NOTE: One way of checking the Docker daemon defaults for the aforementioned ulimits is by running:
Use the SO_JAVA_OPTS
environment variable to set heap size. For example, to use 16GB use SO_JAVA_OPTS="-Xms16g -Xmx16g"
with docker run
.
Pin your deployments to a specific version of the Snow Owl OSS Docker image. For example, snow-owl-oss:7.2.0
.
Snow Owl is provided as a .zip
and as a .tar.gz
package. These packages can be used to install Snow Owl on any system and are the easiest package format to use when trying out Snow Owl.
The latest stable version of Snow Owl can be found on the page.
Snow Owl requires Java 11 or newer version. Use the official Oracle distribution or an open-source distribution such as OpenJDK.
zip
packageThe .zip
archive for Snow Owl can be downloaded and installed as follows:
.tar.gz
packageThe .tar.gz
archive for Snow Owl can be downloaded and installed as follows:
Snow Owl can be started from the command line as follows:
By default, Snow Owl runs in the foreground, prints its logs to the standard output (stdout), and can be stopped by pressing Ctrl-C.
All scripts packaged with Snow Owl assume that Bash is available at /bin/bash. As such, Bash should be available at this path either directly or via a symbolic link.
You can test that your instance is running by sending an HTTP request to Snow Owl's status endpoint:
which should give you a response like this:
You can send the Snow Owl process to the background using the combination of nohup
and the &
character:
Log messages can be found in the $SO_HOME/serviceability/logs/
directory.
To shut down Snow Owl, you can kill the process ID directly:
or using the provided shutdown script:
.zip
and .tar.gz
archives:The .zip
and .tar.gz
packages are entirely self-contained. All files and directories are, by default, contained within $SO_HOME
— the directory created when unpacking the archive.
This is very convenient because you don’t have to create any directories to start using Snow Owl, and uninstalling Snow Owl is as easy as removing the $SO_HOME
directory. However, it is advisable to change the default locations of the config directory, the data directory, and the logs directory so that you do not delete important data later on.
You now have a test Snow Owl environment set up. Before you start serious development or go into production with Snow Owl, you must do some additional setup:
You should rarely need to change Java Virtual Machine (JVM) options. If you do, the most likely change is setting the .
The preferred method of setting JVM options (including system properties and JVM flags) is via the the SO_JAVA_OPTS
environment variable. For instance:
When using the RPM or Debian packages, SO_JAVA_OPTS
can be specified in the system configuration file.
Some other Java programs support the JAVA_OPTS
environment variable. This is not a mechanism built into the JVM but instead a convention in the ecosystem. However, we do not support this environment variable, instead supporting setting JVM options via the environment variable SO_JAVA_OPTS
as above.
Snow Owl uses and for logging.
The logging configuration file (serviceability.xml
) can be used to configure Snow Owl logging. The logging configuration file location depends on your installation method, by default it is located in the ${SO_HOME}/configuration
folder.
Extensive information on how to customize logging and all the supported appenders can be found on the .
While Snow Owl requires very little configuration, there are a number of settings which need to be considered before going into production.
The following settings must be considered before going to production:
By default, Snow Owl includes the OSS version of Elasticsearch and runs it in embedded mode to store terminology data and make it available for search. This is convenient for single node environments (eg. for evaluation, testing and development), but it might not be sufficient when you go into production.
To configure Snow Owl to connect to an Elasticsearch cluster, change the clusterUrl
property in the snowowl.yml
configuration file:
The value for this setting should be a valid HTTP URL point to the HTTP API of your Elasticsearch cluster, which by default runs on port 9200
.
If you are using the .zip
or .tar.gz
archives, the data and logs directories are sub-folders of $SO_HOME
. If these important folders are left in their default locations, there is a high risk of them being deleted while upgrading Snow Owl to a new version.
In production use, you will almost certainly want to change the locations of the data and log folders.
The RPM and Debian distributions already use custom paths for data and logs.
To allow clients to connect to Snow Owl, make sure you open access to the following ports:
8080/TCP:: Used by Snow Owl Server's REST API for HTTP access
8443/TCP:: Used by Snow Owl Server's REST API for HTTPS access
2036/TCP:: Used by the Net4J binary protocol connecting Snow Owl clients to the server
By default, Snow Owl tells the JVM to use a heap with a minimum and maximum size of 2 GB. When moving to production, it is important to configure heap size to ensure that Snow Owl has enough heap available.
To configure the heap size settings, change the -Xms
and -Xmx
settings in the SO_JAVA_OPTS
environment variable.
The value for these setting depends on the amount of RAM available on your server and whether you are running Elasticsearch on the some node as Snow Owl (either embedded or as a service) or running it in its own cluster. Good rules of thumb are:
Set the minimum heap size (Xms
) and maximum heap size (Xmx
) to be equal to each other.
Too much heap can subject to long garbage collection pauses.
Set Xmx
to no more than 50% of your physical RAM, to ensure that there is enough physical RAM left for kernel file system caches.
Snow Owl connecting to a remote Elasticsearch cluster requires less memory, but make sure you still allocate enough for your use cases (classification, batch processing, etc.).
By default, Snow Owl is starting and connecting to an embedded Elasticsearch
cluster available on http://localhost:9200
. This cluster has only a single node and its discovery method is set to single-node
, which means it is not able to connect to other Elasticsearch clusters and will be used exclusively by Snow Owl.
This single node Elasticsearch cluster can easily serve Snow Owl in testing, evaluation and small authoring environments, but it is recommended to customize how Snow Owl connects to an Elasticsearch cluster in larger environments (especially when planning to scale with user demand).
You have two options to configure Elasticsearch used by Snow Owl.
The first option is to configure the underlying Elasticsearch instance by editing the configuration file elasticsearch.yml
, which depending on your installation is available in the configuration directory (you can create the file, if it is not available, Snow Owl will pick it up during the next startup).
The embedded Elasticsearch version is 6.3.2
. If you are configuring it to connect to an existing Elasticsearch cluster, then make sure that the cluster version matches with this version.
The second option is to configure Snow Owl to use a remote Elasticsearch cluster without the embedded instance. In order to use this feature you need to set the repository.index.clusterUrl
configuration parameter to the remote address of your Elasticsearch cluster. When Snow Owl is configured to connect to a remote Elasticsearch cluster, it won't boot up the embedded instance, which reduces the memory requirements of Snow Owl slightly.
You can connect to self-hosted clusters or hosted solutions provided by and for example.
Snow Owl ships with good defaults and requires very little configuration.
Snow Owl has three configuration files:
snowowl.yml
for configuring Snow Owl
serviceability.xml
for configuring Snow Owl logging
elasticsearch.yml
for configuring the underlying Elasticsearch instance in case of embedded deployments
These files are located in the config directory, whose default location depends on whether or not the installation is from an archive distribution (tar.gz
or zip
) or a package distribution (Debian or RPM packages).
For the archive distributions, the config directory location defaults to $SO_PATH_HOME/configuration
. The location of the config directory can be changed via the SO_PATH_CONF
environment variable as follows:
Alternatively, you can export the SO_PATH_CONF
environment variable via the command line or via your shell profile.
For the package distributions, the config directory location defaults to /etc/snowowl
. The location of the config directory can also be changed via the SO_PATH_CONF
environment variable, but note that setting this in your shell is not sufficient. Instead, this variable is sourced from /etc/default/snowowl
(for the Debian package) and /etc/sysconfig/snowowl
(for the RPM package). You will need to edit the SO_PATH_CONF=/etc/snowowl
entry in one of these files accordingly to change the config directory location.
The configuration format is . Here is an example of changing the path of the data directory:
Settings can also be flattened as follows:
Environment variables referenced with the ${...}
notation within the configuration file will be replaced with the value of the environment variable, for instance:
Snow Owl loads its configuration from the /etc/snowowl/snowowl.yml
file by default. The format of this config file is explained in .
Learn how to .
Configure .
Configure .
docker-compose
is not pre-installed with Docker on Linux. Instructions for installing it can be found on the .
Snow Owl loads its configuration from files under /usr/share/snowowl/config/
. These configuration files are documented in the pages.
Verify the
Swapping needs to be disabled for performance and stability. This can be achieved through any of the methods mentioned in the .
The image TCP ports 8080 and 2036.
Consider centralizing your logs by using a different driver]. Also note that the default json-file logging driver is not ideally suited for production use.
Learn how to .
Configure .
Configure .
Type
Description
Default Location
Setting
home
Snow Owl home directory or $SO_HOME
/usr/share/snowowl
bin
Binary scripts including startup/shutdown to start/stop the instance
/usr/share/snowowl/bin
conf
Configuration files including snowowl.yml
/etc/snowowl
data
The location of the data files and resources.
/var/lib/snowowl
path.data
logs
Log files location.
/var/log/snowowl
Snow Owl uses a number of thread pools for different types of operations. It is important that it is able to create new threads whenever needed. Make sure that the number of threads that the Snow Owl user can create is at least 4096
.
This can be done by setting ulimit -u 4096
as root before starting Snow Owl, or by setting nproc
to 4096
in /etc/security/limits.conf
.
The package distributions when run as services under systemd will configure the number of threads for the Snow Owl process automatically. No additional configuration is required.
This is only relevant if you are running Snow Owl with an embedded Elasticsearch and not connecting it to an existing cluster.
Snow Owl (with embedded Elasticsearch) uses a lot of file descriptors or file handles. Running out of file descriptors can be disastrous and will most probably lead to data loss. Make sure to increase the limit on the number of open files descriptors for the user running Snow Owl to 65,536 or higher.
For the .zip
and .tar.gz
packages, set ulimit -n 65536
as root before starting Snow Owl, or set nofile
to 65536
in /etc/security/limits.conf
.
RPM and Debian packages already default the maximum number of file descriptors to 65536
and do not require further configuration.
Snow Owl uses a mmapfs
directory by default to store its data. The default operating system limits on mmap counts is likely to be too low, which may result in out of memory exceptions.
On Linux, you can increase the limits by running the following command as root:
To set this value permanently, update the vm.max_map_count
setting in /etc/sysctl.conf
. To verify after rebooting, run sysctl vm.max_map_count
.
The RPM and Debian packages will configure this setting automatically. No further configuration is required.
Most operating systems try to use as much memory as possible for file system caches and eagerly swap out unused application memory. This can result in parts of the JVM heap or even its executable pages being swapped out to disk.
Swapping is very bad for performance, and should be avoided at all costs. It can cause garbage collections to last for minutes instead of milliseconds and can cause services to respond slowly or even time out.
There are two approaches to disabling swapping. The preferred option is to completely disable swap, but if this is not an option, you can minimize swappiness.
Usually Snow Owl is the only service running on a box, and its memory usage is controlled by the JVM options. There should be no need to have swap enabled.
On Linux systems, you can disable swap temporarily by running:
To disable it permanently, you will need to edit the /etc/fstab
file and comment out any lines that contain the word swap
.
Another option available on Linux systems is to ensure that the sysctl value vm.swappiness
is set to 1. This reduces the kernel’s tendency to swap and should not lead to swapping under normal circumstances, while still allowing the whole system to swap in emergency conditions.
Coming soon!
Type | Description | Default Location | Setting |
home | Snow Owl home directory or |
|
bin | Binary scripts including startup/shutdown to start/stop the instance |
|
conf | Configuration files including |
|
data | The location of the data files and resources. | /var/lib/snowowl | path.data |
logs | Log files location. | /var/log/snowowl |
Type | Description | Default Location | Setting |
home | Snow Owl home directory or | Directory created by unpacking the archive |
bin | Binary scripts including startup/shutdown to start/stop the instance | $SO_HOME/bin |
conf | Configuration files including | $SO_HOME/configuration |
data | The location of the data files and resources. | $SO_HOME/resources | path.data |
logs | Log files location. | $SO_HOME/serviceability/logs |
Ideally, Snow Owl should run alone on a server and use all of the resources available to it. In order to do so, you need to configure your operating system to allow the user running Snow Owl to access more resources than allowed by default.
The following settings must be considered before going to production:
Where to configure systems settings depends on which package you have used to install Snow Owl, and which operating system you are using.
When using the .zip
or .tar.gz
packages, system settings can be configured:
temporarily with ulimit, or
permanently in /etc/security/limits.conf.
When using the RPM or Debian packages, most system settings are set in the system configuration file. However, systems which use systemd require that system limits are specified in a systemd configuration file.
On Linux systems, ulimit
can be used to change resource limits on a temporary basis. Limits usually need to be set as root before switching to the user that will run Snow Owl. For example, to set the number of open file handles (ulimit -n
) to 65,536
, you can do the following:
The new limit is only applied during the current session.
You can consult all currently applied limits with ulimit -a
.
On Linux systems, persistent limits can be set for a particular user by editing the /etc/security/limits.conf
file. To set the maximum number of open files for the snowowl
user to 65,536
, add the following line to the limits.conf file:
This change will only take effect the next time the snowowl
user opens a new session.
When using the RPM or Debian packages, system settings and environment variables can be specified in the system configuration file, which is located in:
However, for systems which uses systemd, system limits need to be specified via systemd.
When using the RPM or Debian packages on systems that use systemd, system limits must be specified via systemd.
The systemd service file (/usr/lib/systemd/system/snowowl.service) contains the limits that are applied by default.
To override them, add a file called /etc/systemd/system/snowowl.service.d/override.conf (alternatively, you may run sudo systemctl edit snowowl
which opens the file automatically inside your default editor). Set any changes in this file, such as:
Once finished, run the following command to reload units:
An orderly shutdown of Snow Owl ensures that Snow Owl has a chance to cleanup and close outstanding resources. For example, an instance that is shutdown in an orderly fashion will initiate an orderly shutdown of the embedded Elasticsearch instance, gracefully close and disconnect connections and perform other related cleanup activities. You can help ensure an orderly shutdown by properly stopping Snow Owl.
If you’re running Snow Owl as a service, you can stop Snow Owl via the service management functionality provided by your installation.
If you’re running Snow Owl directly, you can stop Snow Owl by sending Ctrl-C
if you’re running Snow Owl in the console, or by invoking the provided shutdown
script as follows:
You can manage and authenticate users with the built-in file realm. All the data about the users for the file realm is stored in the users
file. The file is located in SO_PATH_CONF
and is read on startup.
You need to explicitly select the file realm in the snowowl.yml
configuration file in order to use it for authentication.
In the above configuration the file realm is using the users
file to read your users from. Each row in the file represents a username and password delimited by :
character. The passwords are BCrypt encrypted hashes. The default users
file comes with a default snowowl
user with the default snowowl
password.
To simplify file realm configuration, the Snow Owl CLI comes with a command to add a user to the file realm (snowowl users add
). See the command help manual (-h
option) for further details.
The file security realm does NOT support the Authorization formats at the moment. If you are interested in configuring role-based access control for your users, it is recommended to switch to the .
The method for starting Snow Owl varies depending on how you installed it.
If you installed Snow Owl with a .tar.gz
or zip
package, you can start Snow Owl from the command line.
Snow Owl can be started from the command line as follows:
By default, Snow Owl runs in the foreground, prints some of its logs to the standard output (stdout
), and can be stopped by pressing Ctrl-C
.
All scripts packaged with Snow Owl assume that Bash is available at /bin/bash. As such, Bash should be available at this path either directly or via a symbolic link.
To run Snow Owl as a daemon, use the following command:
Log messages can be found in the $SO_HOME/serviceability/logs/
directory.
The startup scripts provided in the RPM and Debian packages take care of starting and stopping the Snow Owl process for you.
Snow Owl is not started automatically after installation. How to start and stop Snow Owl depends on whether your system uses SysV init
or systemd
(used by newer distributions). You can tell which is being used by running this command:
Use the chkconfig
command to configure Snow Owl to start automatically when the system boots up:
Snow Owl can be started and stopped using the service command:
If Snow Owl fails to start for any reason, it will print the reason for failure to STDOUT. Log files can be found in /var/log/snowowl/
.
To configure Snow Owl to start automatically when the system boots up, run the following commands:
Snow Owl can be started and stopped as follows:
These commands provide no feedback as to whether Snow Owl was started successfully or not. Instead, this information will be written in the log files located in /var/log/snowowl/
.
Snow Owl security features enable you to easily secure your terminology server. You can password-protect your data as well as implement more advanced security measures such as role-based access control and auditing.
By default Snow Owl comes without any security features enabled and all read and write operations are unprotected. To configure a security realm, you can choose from the following built-in identity providers:
After configuring at least one security realm, Snow Owl will authenticate all incoming requests to ensure that the sender of the request is allowed to access the terminology server and its contents. To authenticate a request, the client must send an HTTP Basic
or Bearer
Authorization header with the request. The value should be a user/pass pair in case of using Basic
authentication or a token generated by Snow Owl if using the Bearer
method.
NOTE: It is recommended in production environments that all communication between a client and Snow Owl is performed through a secure connection.
Snow Owl sends an HTTP 401 Unauthorized
response if a request needs to be authenticated.
If supported by the security realm, Snow Owl will also check whether an authenticated user is permitted to perform the requested action on a given resource.
Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members, staff or other system users are assigned particular roles, and through those role assignments acquire the permissions needed to perform particular system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department.
Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role.
Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role.
With rules 1 and 2, it is ensured that users can exercise only permissions for which they are authorized.
S = Subject = A person or automated agent R = Role = Job function or title which defines an authority level P = Permissions = An approval of a mode of access to a resource
In Snow Owl a permission is a single value that represents both the operation the user would like to perform and the resource that is being accessed. The format is the following: <operation>:<resource>
Currently there are 7
operations supported by Snow Owl:
browse
- read the contents of a resource
edit
- write the contents of the resource, delete the resource
import
- import from external content and formats
export
- export to external content and formats
version
- create a version in a Code System, create a release
promote
- merge content from isolated branch environments to a Code System's development version
classify
- run classifiers and save their results
Resources represent the content that is being accessed by a client. A resource can be anything that can be resolved to a database entry. Currently, the following resource formats are allowed to be used in a permission:
<repositoryId>
- access the entire content available in a terminology repository
<repositoryId>/<branch>
- access the content available on a branch in a terminology repository
<codeSystemId>
- access all content of a Code System, including both the latest development and all previous releases
<codeSystemId>/<versionId>
- access a specific release of a Code System
There is a special *
wild card character that can be used for both the operation and resource parts in a permission value to allow any operation to be performed on any or selected resources, or to allow certain operations to be performed on any available resources.
Examples:
browse:snomedStore
- browse all SNOMED CT Code Systems and their content
edit:SNOMEDCT-UK-CL
- edit the SNOMEDCT-UK-CL
Code System
export:SNOMEDCT-US/2019-03-01
- export the 2019-03-01
US Extension release
*:SNOMEDCT
- allow any operations to be performed on the SNOMEDCT
Code System
browse:*
- allow read operations on all available resources
*:*
- administrator permission, the user can do anything with any of the available resources
To configure authorization, please consult the security realm specific documentation:
You can configure security to communicate with a Lightweight Directory Access Protocol (LDAP) server to authenticate and authorize users.
To integrate with LDAP, you configure an ldap
realm in the snowowl.yml
configuration file.
The following configuration settings are supported:
The default configuration values are selected to support both OpenLDAP and Active Directory without needing to customize the default schema that comes with their default installation.
When users send their username and password with their request in the Authorization header, the LDAP security realm performs the following steps to authenticate the user: 1. Searches for a user entry in the configured baseDn
to get the DN
2. Authenticates with the LDAP instance using the received DN
and the provided password
If any of the above-mentioned steps fails for any reason, the user is not allowed to access the terminology server's content and the server will respond with HTTP 401 Unauthorized
.
To configure authentication, you need to configure the uri
, baseDn
, bindDn
, bindDnPassword
, userObjectClass
and userIdProperty
configuration settings.
To add a user in the LDAP realm, create an entry under the specified baseDn
using the configured userObjectClass
as class and the userIdProperty
as the property where the user's username/e-mail address is configured.
Example user entry:
On top of the authentication part, the LDAP realm provides configuration values to support full role-based access control and authorization.
When a user's request is successfully authenticated with the LDAP realm, Snow Owl authorizes the request using the user's currently set roles and permissions in the configured LDAP instance.
To add a role in the LDAP realm, create an entry under the specified baseDn
using the configured roleObjectClass
as class and the configured permissionProperty
and memberProperty
properties for permission and user mappings, respectively.
Example read-only role:
Package
Location
RPM
/etc/sysconfig/snowowl
Debian
/etc/default/snowowl
Configuration | Description |
uri | The LDAP URI that points to the LDAP/AD server to connect to. |
bindDn | The user's DN who has access to the entire |
bindDnPassword | The password of the |
baseDn | The base directory where all entries in the entire subtree will be considered as potential matches for all searches. |
roleBaseDn | Alternative base directory where all role entries in the entire subtree will be considered. Defaults to the |
userFilter | The search filter to search for user entries under the configured |
roleFilter | The search filter to search for role entries under the configured |
userObjectClass | The user object's class to look for when searching for user entries. Defaults to |
roleObjectClass | The role object's class to look for when searching for role entries. Defaults to |
userIdProperty | The userId property to access and read for the user's unique identifier. Usually their username or email address. Defaults to |
permissionProperty | A multi-valued property that is used to store permission information on a role. Defaults to the |
memberProperty | A multi-valued property that is used to store and retrieve user |