Versions Compared

Old Version 19

changes.mady.by.user Grace Meilen

Saved on

compared with

New Version Current

changes.mady.by.user Jinmei Liao

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

To quickly get started using permissions for JMX and GFSH a sample implementation of comof org.gemstoneapache.gemfiregeode.security.Authenticator and com.gemstone.gemfire.security.AccessControl is SecurityManager is provided by the class comorg.apache.gemstonegeode.gemfireexamples.security.templatesExampleSecurityManager. SampleJsonAuthorization. This implementation requires a JSON file which defines the allowed users and their corresponding permissions. For example:

Code Block
{
  "roles": [
    {
      "name": "cluster",
      "operationsAllowed": [
        "CLUSTER:MANAGE",
        "CLUSTER:WRITE",
        "CLUSTER:READ"
      ]
    },
    {
      "name": "data",
      "operationsAllowed": [
        "DATA:MANAGE",
        "DATA:WRITE",
        "DATA:READ"
      ]
    },
    {
      "name": "region1&2Reader",
      "operationsAllowed": [
        "DATA:READ"
      ],
	  "regions": ["region1", "region2"]
    }
  ],
  "users": [
    {
      "name": "super-user",
      "password": "1234567",
      "roles": [
        "cluster",
        "data"
      ]
    },
    {
      "name": "joebloggs",
      "password": "1234567",
      "roles": [
        "data"
      ]
    }
  ]
}

...

  1. Copy the above "security.json" file into locator's and server's directory (locator1 and server1 in the example below) or make it available on the classpath using the --classpath option while starting the locator.

  2. Using gfsh, start a locator with security activated. In the example below, we disable peer-to-peer security for simplicity of configuration

    Code Block
    languagebash
    gfsh> start locator --name=locator1 \
    --J=-Dgemfire.security-client-authenticator=com.gemstone.gemfiremanager=org.apache.geode.examples.security.templates.SampleJsonAuthorization.create \
    ExampleSecurityManager --J=-Dgemfire.security-client-accessor=com.gemstone.gemfire.security.templates.SampleJsonAuthorization.createclasspath=.

  3. Similarly, start a server (you will need to provide user/password in order to join the cluster. The user needs to have cluster:manage privilege). Notice server is started with a security-manager, but since locator's cluster configuration is enabled, the security-manager setting will be distributed to the server automatically. This ensures that the entire cluster is using the same security-manager.

    Similarly, start a server

    Code Block
    gfsh> start server --name=server1 --locators=localhost[10334] \
   --classpath=. \
   --user=super-user --password=1234567

  4. Start a new instance of gfsh and connect with one of the users defined in your JSON file. The super-user should be allowed to do everything in gfsh.

    Code Block
    gfsh> connect --locatorslocator=localhost[10334] --user=super-user --password=1234567

  5. Disconnect and reconnect with a user with lesser privileges:

    Code Block
    gfsh> disconnect
gfsh> connect --locatorslocator=localhost[10334] --user=joebloggs --password=1234567
gfsh> stop server --name=server1
An error occurred while attempting to stop a Cache Server: Subject does not have permission [CLUSTER:READ]
 
  6. Currently, changes to the security.json file require the locator to be restarted.

...