...
To quickly get started using permissions for JMX and GFSH, a sample implementation of com.gemstone.gemfire.security.Authenticator and com.gemstone.gemfire.security.AccessControl is provided by the class com.gemstone.gemfire.security.examples.SampleJsonAuthorization. This implementation requires a JSON file which defines the allowed users and their corresponding permissions. For example:
...
In this example we have two roles defined: cluster and data. The data role only has access to two regions: region1 and region2.
...
Using gfsh, start a locator with security activated:

```
gfsh> start locator --name=locator1 \
  --J=-Dgemfire.security-client-authenticator=com.gemstone.gemfire.security.examples.SampleJsonAuthorization.create \
  --J=-Dgemfire.security-client-accessor=com.gemstone.gemfire.security.examples.SampleJsonAuthorization.create
```
Similarly, start a server:

```
gfsh> start server --name=server1 --locators=localhost[10334]
```
Start a new instance of gfsh and connect with one of the users defined in your JSON file. The super-user should be allowed to do everything in gfsh.

```
gfsh> connect --locators=localhost[10334] --user=super-user --password=1234567
```
Disconnect and reconnect with a user with lesser privileges:

```
gfsh> disconnect
gfsh> connect --locators=localhost[10334] --user=joebloggs --password=1234567
gfsh> stop server --name=server1
An error occurred while attempting to stop a Cache Server: Subject does not have permission [CLUSTER:READ]
```
Client-Server Security
You may notice that this new functionality is activated in the same way that the existing client-server authentication and authorization are activated. The intention is that eventually all means of accessing Geode will be secured with exactly the same callbacks.
If you already have an existing implementation of Authenticator and AccessControl no changes to existing code should be necessary. However, you should be aware of the following:
- All Resources are enumerated via the enum OperationContext.Resource.
- All OperationCodes are enumerated via the enum OperationContext.OperationCode.
- All of the existing OperationContext.is* methods have been deprecated in favor of testing against the relevant enums.
- The resource and operation code, for a given context, can be retrieved using OperationContext.getResource and OperationContext.getOperationCode respectively.

This means that Resources and Operation(Codes) extend to client-server security too. For client-server the only resource is DATA.
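The following is an added illustration, not code from Geode or from SampleJsonAuthorization, of an AccessControl that decides solely on OperationContext.getResource and OperationContext.getOperationCode, as the bullets above recommend, instead of the deprecated is* methods. Because the page does not show the layout of the JSON file, the grant table here is a constructed in-memory map that mirrors the page's example: super-user may do anything, while joebloggs only holds the data role for region1 and region2. The package name, the class name EnumBasedAccessControl, the Grant helper and the "*" wildcard are all assumptions of this example; the only resource and operation names it relies on are CLUSTER, DATA and READ, which appear on the page.

```java
package example.security; // hypothetical package; not a Geode class

import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import com.gemstone.gemfire.cache.Cache;
import com.gemstone.gemfire.cache.operations.OperationContext;
import com.gemstone.gemfire.distributed.DistributedMember;
import com.gemstone.gemfire.security.AccessControl;

/**
 * Example AccessControl that authorizes on OperationContext.getResource() and
 * OperationContext.getOperationCode() only, never on the deprecated is*() methods.
 */
public class EnumBasedAccessControl implements AccessControl {

  /** One grant: a resource name, an operation-code name (or "*" for any), and the
   *  regions it is limited to (empty = every region). Constructed for this example. */
  private static final class Grant {
    final String resource;
    final String operation;
    final Set<String> regions;

    Grant(String resource, String operation, String... regions) {
      this.resource = resource;
      this.operation = operation;
      this.regions = new HashSet<>(Arrays.asList(regions));
    }

    boolean permits(String resource, String operation, String regionName) {
      if (!this.resource.equals(resource)) return false;
      if (!"*".equals(this.operation) && !this.operation.equals(operation)) return false;
      // A region-restricted grant fails closed when the region is unknown.
      return regions.isEmpty() || (regionName != null && regions.contains(regionName));
    }
  }

  // Constructed grant table standing in for the JSON file; users and regions follow the page's example.
  private static final Map<String, List<Grant>> GRANTS = new HashMap<>();
  static {
    GRANTS.put("super-user", Arrays.asList(new Grant("CLUSTER", "*"), new Grant("DATA", "*")));
    GRANTS.put("joebloggs", Collections.singletonList(new Grant("DATA", "*", "region1", "region2")));
  }

  private String principalName;

  @Override
  public void init(Principal principal, DistributedMember remoteMember, Cache cache) {
    // The Authenticator produced this Principal; keep its name for later decisions.
    this.principalName = principal == null ? null : principal.getName();
  }

  @Override
  public boolean authorizeOperation(String regionName, OperationContext context) {
    // Compare the enum names so the same table serves JMX, gfsh and client-server contexts.
    return isPermitted(principalName,
        context.getResource().name(),
        context.getOperationCode().name(),
        regionName);
  }

  /** Pure decision logic, separated from the callback so it can be unit-tested without a cache. */
  static boolean isPermitted(String user, String resource, String operation, String regionName) {
    List<Grant> grants = GRANTS.get(user);
    if (grants == null) return false;   // unknown principal: deny
    for (Grant g : grants) {
      if (g.permits(resource, operation, regionName)) return true;
    }
    return false;                       // default deny
  }

  @Override
  public void close() {
    // Nothing to release in this example.
  }
}
```

With this table, isPermitted("joebloggs", "CLUSTER", "READ", null) returns false, which is the same outcome as the gfsh session above where joebloggs is refused stop server for lacking [CLUSTER:READ]; isPermitted("joebloggs", "DATA", "READ", "region1") returns true, and the same call for "region3" returns false because the grant is limited to region1 and region2. Keeping the decision in a static method that takes only names makes the policy easy to test and keeps the callback itself free of any is*() logic.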
Reference
Following are lists of gfsh commands (highlighted in green) and JMX operations, with their corresponding permissions.
...