THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
Geode is introducing a security features which allow you to control authentication/authorization on all aspects of Geode in one implementation. When Integrated Security is turned on, all client/server communications, peer to peer, gateway authentication, jmx operations, gfsh commands and Pulse are all protected with this security mechanism.
1. No changes for existing implementations
...
of Authentication/Authorization for client-server security
The API for authentication Authenticator and authorization AccessControl has not changed. Your implementation of Authenticator and AccessControll those are still honored in client/server communication if you choose not to implement the new security interface. However, these two are deprecated now and will be removed in the future.
2. Introduction of security-manager configuration and SecurityManager interface for
...
Integrated Security
To turn on integrated security, your will need to start your server/locator with this line in your gemfire.properties file:
| Code Block | ||
|---|---|---|
| ||
security-manager = com.abc.security.MySecurityManager.create |
It is a static creation method returning an SecurityManager class implementing the SecurityManager interface. Make sure your class has a zero argument constructor so that we can call to create the object. SecurityManger is the new interface you will need to impelement implement for both authentication and authorization. See SecurityManger javadoc for details.
...
All Resources are enumerated via the enum GeodePermission.Resource, which are "CLUSTER" and "DATA".
All OperationCodes Operations are enumerated via the enum GeodePermission.Operation, which are "MANAGE", "READ" and "WRITE". Note "MANAGE" does not imply "WRITE", nor "WRITE" implies "READ" either.
RegionName and Key are provided for region key access as well.
...
| Client Operations | Required GeodePermission | ||
|---|---|---|---|
| region.containsKeyOnServer(key) | DATA:READ:regionName:key | ||
| region.destroy(key) | DATA:WRITE:regionName:key | ||
| region.invalidate(key)DestroyOperationContext | DATA:DESTROYWRITE:regionName:key | ||
| region.put(key, value)ExecuteCQOperationContext | DATA:EXECUTE_CQ | ||
| ExecuteFunctionOperationContext | DATA:EXECUTE_FUNCTION | ||
| GetDurableCQsOperationContext | DATA:GET_DURABLE_CQS | ||
| GetOperationContext | DATA:GET | ||
| InvalidateOperationContext | DATA:INVALIDATE | ||
| KeySetOperationContext | DATA:KEY_SET | ||
| PutAllOperationContext | DATA:PUTALL | ||
| PutOperationContext | DATA:PUT | ||
| QueryOperationContext | DATA:QUERY | ||
| RegionClearOperationContext | DATA:REGION_CLEAR | ||
| RegionCreateOperationContext | DATA:REGION_CREATE | ||
| RegionDestroyOperationContext | DATA:REGION_DESTROY | ||
| RegisterInterestOperationContext | DATA:REGISTER_INTEREST | ||
| RemoveAllOperationContext | DATA:REMOVEALL | ||
| StopCQOperationContext | DATA:STOP_CQ | ||
| WRITE:regionName:key | |||
| region.get(key) | DATA:READ:regionName:key | ||
| region.replace | |||
| region.putIfAbsent | |||
| createRegion | DATA:MANAGE | ||
| destroyRegion | DATA:MANAGE | ||
| executeFunction | DATA:WRITE | ||
| executeRegionFunction | DATA:WRITE | ||
| region.getAll | DATA:READ:regionName | ||
| region.getEntry | DATA:READ:regionName | ||
| region.clear | DATA:WRITE:regionName | ||
| region.registerInterest | DATA:READ:regionName:key | ||
region.registerInterestRegex | DATA:READ:regionName | ||
| region.registerInterestList | DATA:READ:regionName | ||
| region.removeAll | DATA:WRITE:regionName | ||
| region.unRegisterInterest | DATA:READ:regionName:key | ||
region.unRegisterInterestRegex | DATA:READ:regionName | ||
region.unRegisterInterestList | DATA:READ:regionName | ||
| UnregisterInterestOperationContext | DATA:UNREGISTER_INTEREST |
Pulse
Pulse access is divided into two main categories, namely access to the Data Browser page and everything else.
...