
Geode is introducing additional security features which allow finer-grained control over JMX operations as well as GFSH commands and Pulse. Additional information can be found here: Security changes for authentication and authorization.

To get started quickly with permissions for JMX and GFSH, a sample implementation of com.gemstone.gemfire.security.Authenticator and com.gemstone.gemfire.security.AccessControl is provided by the class com.gemstone.gemfire.security.templates.SampleJsonAuthorization. This implementation reads a JSON file which defines the allowed users and their corresponding permissions. For example:

{
  "roles": [
    {
      "name": "cluster",
      "operationsAllowed": [
        "CLUSTER:MANAGE",
        "CLUSTER:WRITE",
        "CLUSTER:READ"
      ]
    },
    {
      "name": "data",
      "operationsAllowed": [
        "DATA:MANAGE",
        "DATA:WRITE",
        "DATA:READ"
      ],
      "regions": ["region1", "region2"]
    }
  ],
  "users": [
    {
      "name": "super-user",
      "password": "1234567",
      "roles": [
        "cluster",
        "data"
      ]
    },
    {
      "name": "joebloggs",
      "password": "1234567",
      "roles": [
        "data"
      ]
    }
  ]
}

In this example we have two roles defined: cluster and data. The data role only has access to two regions: region1 and region2.

To start using this sample perform the following steps:

  1. Using gfsh, start a locator with security activated.

    gfsh> start locator --name=locator1 \
        --J=-Dgemfire.security-client-authenticator=com.gemstone.gemfire.security.templates.SampleJsonAuthorization.create \
        --J=-Dgemfire.security-client-accessor=com.gemstone.gemfire.security.templates.SampleJsonAuthorization.create
  2. Similarly, start a server

    gfsh> start server --name=server1 --locators=localhost[10334]
  3. Start a new instance of gfsh and connect with one of the users defined in your JSON file. The super-user should be allowed to do everything in gfsh.

    gfsh> connect --locators=localhost[10334] --user=super-user --password=1234567
  4. Disconnect and reconnect with a user with lesser privileges:

    gfsh> disconnect
    gfsh> connect --locators=localhost[10334] --user=joebloggs --password=1234567
    gfsh> stop server --name=server1
    An error occurred while attempting to stop a Cache Server: Subject does not have permission [CLUSTER:READ]

  5. Currently, changes to the security.json file require the locator to be restarted.
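The permission model behind the JSON file and the denial seen in step 4 can be exercised offline. The following is an added illustration, not Geode's own SampleJsonAuthorization: it loads a constructed copy of the sample file, authenticates a user, and checks whether any of the user's roles grants an operation. It assumes that a role without a "regions" list applies to every region and that CLUSTER operations carry no region.

```python
import hmac
import json

# Constructed sample mirroring the roles/users layout shown on this page.
SECURITY_JSON = """
{
  "roles": [
    {"name": "cluster",
     "operationsAllowed": ["CLUSTER:MANAGE", "CLUSTER:WRITE", "CLUSTER:READ"]},
    {"name": "data",
     "operationsAllowed": ["DATA:MANAGE", "DATA:WRITE", "DATA:READ"],
     "regions": ["region1", "region2"]}
  ],
  "users": [
    {"name": "super-user", "password": "1234567", "roles": ["cluster", "data"]},
    {"name": "joebloggs", "password": "1234567", "roles": ["data"]}
  ]
}
"""


class JsonAuthorizer:
    """Illustrative authenticator/authorizer over the security JSON (hypothetical)."""

    def __init__(self, text):
        doc = json.loads(text)
        self.roles = {r["name"]: r for r in doc["roles"]}
        self.users = {u["name"]: u for u in doc["users"]}

    def authenticate(self, name, password):
        # Unknown user or wrong password both fail; compare in constant time.
        user = self.users.get(name)
        return user is not None and hmac.compare_digest(user["password"], password)

    def authorized(self, name, operation, region=None):
        # True if any role of the user lists the operation. A role that
        # carries a "regions" list (assumption) only applies to those regions.
        user = self.users.get(name)
        if user is None:
            return False
        for role_name in user["roles"]:
            role = self.roles.get(role_name)
            if role is None or operation not in role["operationsAllowed"]:
                continue
            allowed_regions = role.get("regions")
            if allowed_regions is None or region in allowed_regions:
                return True
        return False
```

With this model, joebloggs is denied CLUSTER:READ exactly as the stop server command reports, while DATA:WRITE on region1 succeeds and on an unlisted region fails.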
