Versions Compared

Old Version 8

changes.mady.by.user Jens Deppe

Saved on

compared with

New Version Current

changes.mady.by.user Jinmei Liao

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Geode is introducing additional security features which allow finer grained control for JMX operations as well as GFSH commands . This functionality is automatically activated when the Geode properties security-client-authenticator and security-client-accessor are set.

Permissions are designed to be noun-verby and are in the form of RESOURCE:OPERATION[:REGION] tuples. The following values are valid:

Resource

  • CLUSTER
  • DATA

Operation

  • MANAGE
  • READ
  • WRITE

At the end of this document is a reference list of all JMX and GFSH operations with their corresponding permissionsand Pulse. Additional information can be found here: Geode Integrated Security.

To quickly get started using permissions for JMX and GFSH a sample implementation of comof org.gemstoneapache.gemfiregeode.security.Authenticator and com.gemstone.gemfire.security.AccessControl is SecurityManager is provided by the class comorg.apache.gemstonegeode.gemfireexamples.security.examples.SampleJsonAuthorizationExampleSecurityManager. This implementation requires a JSON file which defines the allowed users and their corresponding permissions. For example:

Code Block
{
  "roles": [
    {
      "name": "cluster",
      "operationsAllowed": [
        "CLUSTER:MANAGE",
        "CLUSTER:WRITE",
        "CLUSTER:READ"
      ]
    },
    {
      "name": "data",
      "operationsAllowed": [
        "DATA:MANAGE",
        "DATA:WRITE",
        "DATA:READ"
      ]
    },
    {
      "name": "region1&2Reader",
      "operationsAllowed": [
        "DATA:READ"
      ],
	  "regions": ["region1", "region2"]
    }
  ],
  "users": [
    {
      "name": "super-user",
      "password": "1234567",
      "roles": [
        "cluster",
        "data"
      ]
    },
    {
      "name": "joebloggs",
      "password": "1234567",
      "roles": [
        "data"
      ]
    }
  ]
}

In this example sample "security.json" file, we have two roles defined: cluster and data. The cluster role can perform cluster level operations like list members, whereas the data role can access/store data in Regions. The data role only has access to two regions: region1 and region2.

To start using this sample perform the following steps:

...

  1. Copy the above "security.json" file into locator's and server's directory (locator1 and server1 in the example below).

  2. Using gfsh, start a locator with security activated. In the example below, we disable peer-to-peer security for simplicity of configuration

    Code Block
    languagebash
    gfsh> start locator --name=locator1 \
    --J=-Dgemfire.security-client-authenticatormanager=comorg.gemstoneapache.gemfiregeode.security.examples.SampleJsonAuthorizationsecurity.create \
    ExampleSecurityManager --J=-Dgemfire.security-client-accessor=com.gemstone.gemfire.security.examples.SampleJsonAuthorization.createclasspath=.

  3. Similarly, start a server (you will need to provide user/password in order to join the cluster. The user needs to have cluster:manage privilege). Notice server is started with a security-manager, but since locator's cluster configuration is enabled, the security-manager setting will be distributed to the server automatically. This ensures that the entire cluster is using the same security-manager.

    Similarly, start a server

    Code Block
    gfsh> start server --name=server1 --locators=localhost[10334] \
   --classpath=. \
   --user=super-user --password=1234567

  4. Start a new instance of gfsh and connect with one of the users defined in your JSON file. The super-user should be allowed to do everything in gfsh.

    Code Block
    gfsh> connect --locatorslocator=localhost[10334] --user=super-user --password=1234567

  5. Disconnect and reconnect with a user with lesser privileges:

    Code Block
    gfsh> disconnect
gfsh> connect --locatorslocator=localhost[10334] --user=joebloggs --password=1234567
gfsh> stop server --name=server1
An error occurred while attempting to stop a Cache Server: Subject does not have permission [CLUSTER:READ]
 

 

Client-Server Security

You may notice that this new functionality is activated in the same way that the existing client-server authentication and authorization is activated. The intention is that eventually all means of accessing Geode will be secured with exactly the same callbacks.

If you already have an existing implementation of Authenticator and AccessControl no changes to existing code should be necessary. However, you should be aware of the following:

  • All Resources are enumerated via the enum OperationContext.Resource.
  • All OperationCodes are enumerated via the enum OperationContext.OperationCode.
  • All of the existing OperationContext.is* methods have been deprecated in favor of testing against the relevant enums.
  • The resource and operation code, for a given context, can be retrieved using OperationContext.getResource and OperationContext.getOperationCode respectively.

  • Existing code, implementing AccessControl, would have needed to check the type of the OperationContext as passed into the authorizeOperation method. This is still possible, however it will now be easier to achieve the same functionality by simply checking the Resource and OperationCode of the context. For example, existing code might have looked like this:

    Code Block
    languagejava
      @Override
  public boolean authorizeOperation(String regionName, OperationContext context) {
    if (context instanceof PutOperationContext) {
      // cast to PutOperationContext
    } else if (context instanceof QueryOperationContext) {
      // cast to QueryOperationContext
    } else {
      // Must be JMX or CLI
    }
    return false;
  }

    Can now be changed to:

    Code Block
    languagejava
    @Override
public boolean authorizeOperation(String regionName, OperationContext context) {
  switch (context.getOperationCode()) {
    case PUT:
      // cast to PutOperationContext
      break;
    case QUERY:
      // cast to QueryOperationContext
      break;
    default:
      // Must be JMX or CLI
  }
  return false;
}

    Note that any JMX or CLI contexts are not associated with a specific type of OperationContext and are handled as 'default' cases.

  • All client-server operations are associated with a Resource of DATA.

Reference

Client-Server

Client-server permissions are associated with their respective OperationContexts as follows. Permissions appear as Resource:OperationCode tuples.

OperationContextPermission
CloseCQOperationContextDATA:CLOSE_CQ
ContainsKeyOperationContextDATA:CONTAINS_KEY
DestroyOperationContextDATA:DESTROY
ExecuteCQOperationContextDATA:EXECUTE_CQ
ExecuteFunctionOperationContextDATA:EXECUTE_FUNCTION
GetDurableCQsOperationContextDATA:GET_DURABLE_CQS
GetOperationContextDATA:GET
InvalidateOperationContextDATA:INVALIDATE
KeySetOperationContextDATA:KEY_SET
PutAllOperationContextDATA:PUTALL
PutOperationContextDATA:PUT
QueryOperationContextDATA:QUERY
RegionClearOperationContextDATA:REGION_CLEAR
RegionCreateOperationContextDATA:REGION_CREATE
RegionDestroyOperationContextDATA:REGION_DESTROY
RegisterInterestOperationContextDATA:REGISTER_INTEREST
RemoveAllOperationContext

DATA:REMOVEALL

StopCQOperationContextDATA:STOP_CQ
UnregisterInterestOperationContextDATA:UNREGISTER_INTEREST

 

GFSH and JMX

Following are lists for gfsh commands, (highlighted in green), and JMX operations with their corresponding permissions. Permissions appear as Resource:OperationCode tuples.

 

...

  1. Currently, changes to the security.json file require the locator to be restarted.

 

Content by Label
showLabelsfalse
max5
spacesGEODE
showSpacefalse
sortmodified
reversetrue
typepage
cqllabel in ("security","kb-how-to-article") and type = "page" and space = "GEODE"
labelskb-how-to-article security

...