


Geode is introducing additional security features that allow finer-grained control over JMX operations as well as GFSH commands. This functionality is automatically activated when the Geode properties security-client-authenticator and security-client-accessor are set.

Permissions are designed to be noun-verb style and take the form of RESOURCE:OPERATION[:REGION] tuples (the optional REGION element narrows a permission to a single region, as in the DATA entries of the reference tables below). The following values are valid:

Resource

  • CLUSTER
  • DATA

Operation

  • MANAGE
  • READ
  • WRITE

At the end of this document is a reference list of all JMX and GFSH operations with their corresponding permissions.

To quickly get started using permissions for JMX and GFSH, a sample implementation of com.gemstone.gemfire.security.Authenticator and com.gemstone.gemfire.security.AccessControl is provided by the class blah.blah.ExampleJSONAuthorization. This implementation requires a JSON file that defines the allowed users and their corresponding permissions; note that the sample file holds user passwords in clear text, so it is a starting point for experimentation rather than a production configuration. For example:

{
"roles": [
{
"name": "cluster",
"operationsAllowed": [
"CLUSTER:MANAGE",
"CLUSTER:WRITE",
"CLUSTER:READ"
  ]
},
{
"name": "data",
"operationsAllowed": [
"DATA:MANAGE",
"DATA:WRITE",
"DATA:READ"
  ]
}
  ],
 "users": [
{
"name": "super-user",
"password": "1234567",
"roles": [
"cluster",
"data"
 ]
},
{
"name": "cluster-admin",
"password": "1234567",
"roles": [
"cluster"
  ]
}
  ]
}


Step-by-step guide

Reference

Following are lists of gfsh commands (highlighted in green) and JMX operations with their corresponding permissions.

 

| Cluster MANAGE Operations | Permission |
| --- | --- |
| alter runtime | CLUSTER:MANAGE |
| gc | CLUSTER:MANAGE |
| shutdown | CLUSTER:MANAGE |
| startManager | CLUSTER:MANAGE |
| stop locator --name=locator1 | CLUSTER:MANAGE |
| stop server --name=server1 | CLUSTER:MANAGE |
| DistributedSystemMXBean.shutdownAllMembers | CLUSTER:MANAGE |
| ManagerMXBean.start | CLUSTER:MANAGE |
| ManagerMXBean.stop | CLUSTER:MANAGE |
| MemberMXBean.createManager() | CLUSTER:MANAGE |
| MemberMXBean.shutDownMember | CLUSTER:MANAGE |
| Cluster READ Operations | Permission |
| --- | --- |
| countDurableCqEvents | CLUSTER:READ |
| describe client --clientID=172.16.196.144 | CLUSTER:READ |
| describe config --member=Member1 | CLUSTER:READ |
| describe disk-store --name=foo --member=baz | CLUSTER:READ |
| describe member --name=server1 | CLUSTER:READ |
| describe offline-disk-store --name=foo --disk-dirs=bar | CLUSTER:READ |
| describe region --name=value | CLUSTER:READ |
| export cluster-configuration --zip-file-name=mySharedConfig.zip | CLUSTER:READ |
| export config --member=member1 | CLUSTER:READ |
| export logs --dir=data/logs | CLUSTER:READ |
| export stack-traces --file=stack.txt | CLUSTER:READ |
| exportLogs | CLUSTER:READ |
| exportStackTrace | CLUSTER:READ |
| list async-event-queues | CLUSTER:READ |
| list clients | CLUSTER:READ |
| list deployed | CLUSTER:READ |
| list disk-stores | CLUSTER:READ |
| list durable-cqs --durable-client-id=client1 | CLUSTER:READ |
| list functions | CLUSTER:READ |
| list gateways | CLUSTER:READ |
| list indexes | CLUSTER:READ |
| list members | CLUSTER:READ |
| list regions | CLUSTER:READ |
| netstat --member=server1 | CLUSTER:READ |
| show dead-locks --file=deadlocks.txt | CLUSTER:READ |
| show log --member=locator1 --lines=5 | CLUSTER:READ |
| show metrics | CLUSTER:READ |
| show missing-disk-stores | CLUSTER:READ |
| show subscription-queue-size --durable-client-id=client1 | CLUSTER:READ |
| showLog | CLUSTER:READ |
| status cluster-config-service | CLUSTER:READ |
| status gateway-receiver | CLUSTER:READ |
| status gateway-sender | CLUSTER:READ |
| Mbeans get attributes | CLUSTER:READ |
| MemberMXBean.showLog | CLUSTER:READ |


 

| Cluster WRITE Operations | Permission |
| --- | --- |
| change loglevel --loglevel=severe --member=server1 | CLUSTER:WRITE |
| DistributedSystemMXBean.changeAlertLevel | CLUSTER:WRITE |
| ManagerMXBean.setPulseURL | CLUSTER:WRITE |
| ManagerMXBean.setStatusMessage | CLUSTER:WRITE |
| Data MANAGE Operations | Permission |
| --- | --- |
| alter disk-store --name=foo --region=xyz --disk-dirs=bar | DATA:MANAGE |
| alter region --name=region1 --eviction-max=5000 | DATA:MANAGE:REGIONNAME |
| clear defined indexes | DATA:MANAGE |
| close durable-client --durable-client-id=client1 | DATA:MANAGE |
| close durable-cq --durable-client-id=client1 --durable-cq-name=cq1 | DATA:MANAGE |
| compact disk-store --name=foo | DATA:MANAGE |
| compact offline-disk-store --name=foo --disk-dirs=bar | DATA:MANAGE |
| configure pdx --read-serialized=true | DATA:MANAGE |
| create async-event-queue --id=myAEQ --listener=myApp.myListener | DATA:MANAGE |
| create defined indexes | DATA:MANAGE |
| create disk-store --name=foo --dir=bar | DATA:MANAGE |
| create gateway-receiver | DATA:MANAGE |
| create gateway-sender --id=sender1 --remote-distributed-system-id=2 | DATA:MANAGE |
| create index --name=myKeyIndex --expression=region1.Id --region=region1 --type=key | DATA:MANAGE:REGIONNAME |
| create region --name=region12 | DATA:MANAGE |
| define index --name=myIndex1 --expression=exp1 --region=/exampleRegion | DATA:MANAGE:REGIONNAME |
| deploy --jar=group1_functions.jar --group=Group1 | DATA:MANAGE |
| destroy disk-store --name=foo | DATA:MANAGE |
| destroy function --id=InterestCalculations | DATA:MANAGE |
| destroy index --member=server2 | DATA:MANAGE:REGIONNAME |
| destroy region --name=value | DATA:MANAGE |
| import cluster-configuration --zip-file-name=value | DATA:MANAGE |
| load-balance gateway-sender --id=sender1 | DATA:MANAGE |
| pause gateway-sender --id=sender1 | DATA:MANAGE |
| pdx rename --old=com.gemstone --new=com.pivotal --disk-store=ds1 --disk-dirs=/diskDir1 | DATA:MANAGE |
| rebalance --include-region=region1 | DATA:MANAGE |
| remove --region=region1 | DATA:MANAGE |
| resume gateway-sender --id=sender1 | DATA:MANAGE |
| revoke missing-disk-store --id=foo | DATA:MANAGE |
| start gateway-receiver | DATA:MANAGE |
| start gateway-sender --id=sender1 | DATA:MANAGE |
| stop gateway-receiver | DATA:MANAGE |
| stop gateway-sender --id=sender1 | DATA:MANAGE |
| undeploy --group=Group1 | DATA:MANAGE |
| CacheServerMXBean.closeAllContinuousQuery | DATA:MANAGE |
| CacheServerMXBean.closeContinuousQuery | DATA:MANAGE |
| CacheServerMXBean.removeIndex("foo") | DATA:MANAGE |
| CacheServerMXBean.stopContinuousQuery("bar") | DATA:MANAGE |
| DiskStoreMXBean.flush() | DATA:MANAGE |
| DiskStoreMXBean.forceCompaction() | DATA:MANAGE |
| DiskStoreMXBean.forceRoll() | DATA:MANAGE |
| DiskStoreMXBean.setDiskUsageCriticalPercentage(0) | DATA:MANAGE |
| DiskStoreMXBean.setDiskUsageWarningPercentage(0) | DATA:MANAGE |
| DistributedSystemMXBean.revokeMissingDiskStores | DATA:MANAGE |
| DistributedSystemMXBean.setQueryCollectionsDepth | DATA:MANAGE |
| DistributedSystemMXBean.setQueryResultSetLimit | DATA:MANAGE |
| GatewayReceiverMXBean.pause() | DATA:MANAGE |
| GatewayReceiverMXBean.rebalance() | DATA:MANAGE |
| GatewayReceiverMXBean.resume() | DATA:MANAGE |
| GatewayReceiverMXBean.start | DATA:MANAGE |
| GatewayReceiverMXBean.stop | DATA:MANAGE |
| GatewaySenderMXBean.pause | DATA:MANAGE |
| GatewaySenderMXBean.rebalance | DATA:MANAGE |
| GatewaySenderMXBean.resume | DATA:MANAGE |
| GatewaySenderMXBean.start | DATA:MANAGE |
| GatewaySenderMXBean.stop | DATA:MANAGE |
| LockServiceMBean.becomeLockGrantor() | DATA:MANAGE |
| MemberMXBean.compactAllDiskStores | DATA:MANAGE |


 

| Data READ Operations | Permission |
| --- | --- |
| backup disk-store --dir=foo | DATA:READ |
| export data --region=region1 --file=foo.txt --member=value | DATA:READ:REGIONNAME |
| get --key=key1 --region=region1 | DATA:READ:REGIONNAME |
| locateEntry | DATA:READ:REGIONNAME |
| query --query='SELECT * FROM /region1' | DATA:READ:REGIONNAME |
| CacheServerMXBean.executeContinuousQuery("bar") | DATA:READ |
| DistributedSystemMXBean.backupAllMembers | DATA:READ |
| DistributedSystemMXBean.queryData | DATA:READ |
| DistributedSystemMXBean.queryDataForCompressedResult | DATA:READ |


 

| Data WRITE Operations | Permission |
| --- | --- |
| execute function --id=InterestCalculations --group=Group1 | DATA:WRITE |
| import data --region=region1 --file=foo.txt --member=value | DATA:WRITE:REGIONNAME |
| put --key=key1 --value=value1 --region=region1 | DATA:WRITE:REGIONNAME |
