In our current security model, a user with DATA:MANAGE can create regions, create disk stores, create WAN gateways, etc. This scope is too wide: an administrator may want to give a developer the privilege to create regions without also giving them the ability to create disk stores or to send that region's data over WAN. I propose that we refine the security model to make it finer grained.
I propose that only Region should belong to the DATA resource, and that everything else (i.e. Disk, WAN, functions, AsyncQueue, etc.) be treated as CLUSTER resources in the security framework. As with any other resource, admins will be able to grant READ, WRITE and MANAGE permissions on these resources. In terms of Shiro, this will take the form CLUSTER:READ/WRITE/MANAGE:DISK,WAN,ASYNCQUEUE.
Here is a revised list of permission strings. The ones that will change are the rows whose new permission string differs from the old one:
Operations | Old Permission String | New Permission String |
---|---|---|
alter runtime | CLUSTER:MANAGE | CLUSTER:MANAGE |
DistributedSystemMXBean.shutdownAllMembers | CLUSTER:MANAGE | CLUSTER:MANAGE |
gc | CLUSTER:MANAGE | CLUSTER:MANAGE |
ManagerMXBean.createManager | CLUSTER:MANAGE | CLUSTER:MANAGE |
ManagerMXBean.shutDownMember | CLUSTER:MANAGE | CLUSTER:MANAGE |
ManagerMXBean.start | CLUSTER:MANAGE | CLUSTER:MANAGE |
ManagerMXBean.stop | CLUSTER:MANAGE | CLUSTER:MANAGE |
shutdown | CLUSTER:MANAGE | CLUSTER:MANAGE |
start server | CLUSTER:MANAGE | CLUSTER:MANAGE |
stop locator | CLUSTER:MANAGE | CLUSTER:MANAGE |
stop server | CLUSTER:MANAGE | CLUSTER:MANAGE |
describe client | CLUSTER:READ | CLUSTER:READ |
describe config | CLUSTER:READ | CLUSTER:READ |
describe disk-store | CLUSTER:READ | CLUSTER:READ |
describe member | CLUSTER:READ | CLUSTER:READ |
describe offline-disk-store | CLUSTER:READ | CLUSTER:READ |
describe region | CLUSTER:READ | CLUSTER:READ |
export cluster-configuration | CLUSTER:READ | CLUSTER:READ |
export config | CLUSTER:READ | CLUSTER:READ |
export data | CLUSTER:READ | CLUSTER:READ |
export logs | CLUSTER:READ | CLUSTER:READ |
export offline-disk-store | CLUSTER:READ | CLUSTER:READ |
export stack-traces | CLUSTER:READ | CLUSTER:READ |
get function attribute | CLUSTER:READ | CLUSTER:READ |
list async-event-queues | CLUSTER:READ | CLUSTER:READ |
list clients | CLUSTER:READ | CLUSTER:READ |
list deployed | CLUSTER:READ | CLUSTER:READ |
list disk-stores | CLUSTER:READ | CLUSTER:READ |
list durable-cqs | CLUSTER:READ | CLUSTER:READ |
list functions | CLUSTER:READ | CLUSTER:READ |
list gateways | CLUSTER:READ | CLUSTER:READ |
list indexes | CLUSTER:READ | CLUSTER:READ |
list members | CLUSTER:READ | CLUSTER:READ |
Mbeans get attributes | CLUSTER:READ | CLUSTER:READ |
MemberMXBean.showLog | CLUSTER:READ | CLUSTER:READ |
netstat | CLUSTER:READ | CLUSTER:READ |
show dead-locks | CLUSTER:READ | CLUSTER:READ |
show log | CLUSTER:READ | CLUSTER:READ |
show metrics | CLUSTER:READ | CLUSTER:READ |
show missing-disk-stores | CLUSTER:READ | CLUSTER:READ |
show subscription-queue-size | CLUSTER:READ | CLUSTER:READ |
status cluster-config-service | CLUSTER:READ | CLUSTER:READ |
status gateway-receiver | CLUSTER:READ | CLUSTER:READ |
status gateway-sender | CLUSTER:READ | CLUSTER:READ |
status locator | CLUSTER:READ | CLUSTER:READ |
status server | CLUSTER:READ | CLUSTER:READ |
change loglevel | CLUSTER:WRITE | CLUSTER:WRITE |
DistributedSystemMXBean.changeAlertLevel | CLUSTER:WRITE | CLUSTER:WRITE |
ManagerMXBean.setPulseURL | CLUSTER:WRITE | CLUSTER:WRITE |
ManagerMXBean.setStatusMessage | CLUSTER:WRITE | CLUSTER:WRITE |
alter disk-store | DATA:MANAGE | CLUSTER:MANAGE:DISK |
CacheServerMXBean.closeAllContinuousQuery | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
CacheServerMXBean.closeContinuousQuery | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
clear defined indexes | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
close durable-client | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
close durable-cq | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
compact disk-store | DATA:MANAGE | CLUSTER:MANAGE:DISK |
compact offline-disk-store | N/A | |
configure pdx | DATA:MANAGE | CLUSTER:MANAGE |
create async-event-queue | DATA:MANAGE | CLUSTER:MANAGE:JAR AND CLUSTER:MANAGE:DISK if persistent |
create defined indexes | DATA:MANAGE | DATA:MANAGE |
create disk-store | DATA:MANAGE | CLUSTER:MANAGE:DISK |
create gateway-receiver | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
create gateway-sender | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
create region | DATA:MANAGE | DATA:MANAGE AND CLUSTER:MANAGE:DISK if persistent |
destroy disk-store | DATA:MANAGE | CLUSTER:MANAGE:DISK |
destroy function | DATA:MANAGE | CLUSTER:MANAGE:JAR |
destroy region | DATA:MANAGE | DATA:MANAGE |
disconnect | DATA:MANAGE | N/A |
DiskStoreMXBean.flush | DATA:MANAGE | CLUSTER:MANAGE:DISK |
DiskStoreMXBean.forceCompaction | DATA:MANAGE | CLUSTER:MANAGE:DISK |
DiskStoreMXBean.forceRoll | DATA:MANAGE | CLUSTER:MANAGE:DISK |
DiskStoreMXBean.setDiskUsageCriticalPercentage | DATA:MANAGE | CLUSTER:MANAGE:DISK |
DiskStoreMXBean.setDiskUsageWarningPercentage | DATA:MANAGE | CLUSTER:MANAGE:DISK |
DistributedSystemMXBean.revokeMissingDiskStores | DATA:MANAGE | CLUSTER:MANAGE:DISK |
DistributedSystemMXBean.setQueryCollectionsDepth | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
DistributedSystemMXBean.setQueryResultSetLimit | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
echo | DATA:MANAGE | N/A |
encrypt password | DATA:MANAGE | N/A |
execute function | DATA:MANAGE | determined by function api |
GatewayReceiverMXBean.pause | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewayReceiverMXBean.rebalance | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewayReceiverMXBean.resume | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewayReceiverMXBean.start | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewayReceiverMXBean.stop | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewaySenderMXBean.pause | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewaySenderMXBean.rebalance | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewaySenderMXBean.resume | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewaySenderMXBean.start | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewaySenderMXBean.stop | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
import cluster-configuration | DATA:MANAGE | CLUSTER:MANAGE |
load-balance gateway-sender | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
LockServiceMXBean.becomeLockGrantor | DATA:MANAGE | CLUSTER:MANAGE |
MemberMXBean.compactAllDiskStores | DATA:MANAGE | CLUSTER:MANAGE:DISK |
pause gateway-sender | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
pdx rename | DATA:MANAGE | N/A |
rebalance | DATA:MANAGE | DATA:MANAGE |
resume gateway-sender | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
revoke missing-disk-store | DATA:MANAGE | CLUSTER:MANAGE:DISK |
start gateway-receiver | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
start gateway-sender | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
stop gateway-receiver | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
stop gateway-sender | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
undeploy | DATA:MANAGE | CLUSTER:MANAGE:JAR |
destroy index | DATA:MANAGE or DATA:MANAGE:RegionName | DATA:MANAGE or DATA:MANAGE:RegionName |
deploy | DATA:MANAGE, DATA:WRITE, CLUSTER:MANAGE, and CLUSTER:WRITE | CLUSTER:MANAGE:JAR |
alter region | DATA:MANAGE:RegionName | DATA:MANAGE:RegionName |
create index | DATA:MANAGE:RegionName | DATA:MANAGE:RegionName |
define index | DATA:MANAGE:RegionName | DATA:MANAGE:RegionName |
create lucene index | DATA:MANAGE:RegionName AND CLUSTER:MANAGE:DISK if persistent | |
describe lucene index | DATA:MANAGE:RegionName | |
destroy lucene index | DATA:MANAGE:RegionName | |
list lucene indexes | DATA:MANAGE | |
search lucene | DATA:READ:RegionName | |
backup disk-store | DATA:READ | DATA:READ and CLUSTER:MANAGE:DISK |
CacheServerMXBean.executeContinuousQuery | DATA:READ | DATA:READ |
DistributedSystemMXBean.backupAllMembers | DATA:READ | DATA:READ and CLUSTER:MANAGE:DISK |
DistributedSystemMXBean.queryData | DATA:READ | DATA:READ |
DistributedSystemMXBean.queryDataForCompressedResult | DATA:READ | DATA:READ |
list regions | DATA:READ | CLUSTER:READ |
query | DATA:READ | DATA:READ |
Region.getAll | DATA:READ:RegionName | DATA:READ:RegionName |
Region.getEntry | DATA:READ:RegionName | DATA:READ:RegionName |
Region.keySet | DATA:READ:RegionName | DATA:READ:RegionName |
Region.query | DATA:READ:RegionName | DATA:READ:RegionName |
Region.registerInterest(regex) | DATA:READ:RegionName | DATA:READ:RegionName |
Region.unregisterInterest(regex) | DATA:READ:RegionName | DATA:READ:RegionName |
get --key=key1 --region=region1 | DATA:READ:RegionName:Key | DATA:READ:RegionName:Key |
locate entry | DATA:READ:RegionName:Key | DATA:READ:RegionName:Key |
Region.containsKeyOnServer(key) | DATA:READ:RegionName:Key | DATA:READ:RegionName:Key |
Region.get(key) | DATA:READ:RegionName:Key | DATA:READ:RegionName:Key |
Region.getAll with a list of keys | DATA:READ:RegionName:Key | DATA:READ:RegionName:Key |
Region.registerInterest(key) | DATA:READ:RegionName:Key | DATA:READ:RegionName:Key |
Region.unregisterInterest(key) | DATA:READ:RegionName:Key | DATA:READ:RegionName:Key |
execute function | DATA:WRITE | determined by function api |
clear region | DATA:WRITE:RegionName | DATA:WRITE:RegionName |
import data | DATA:WRITE:RegionName | DATA:WRITE:RegionName |
Region.clear | DATA:WRITE:RegionName | DATA:WRITE:RegionName |
Region.putAll | DATA:WRITE:RegionName | DATA:WRITE:RegionName |
Region.removeAll | DATA:WRITE:RegionName | DATA:WRITE:RegionName |
remove | DATA:WRITE:RegionName or DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName or DATA:WRITE:RegionName:Key |
destroy key (DIFFERENT?) | DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName:Key |
invalidate key (DIFFERENT?) | DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName:Key |
put --key=key1 --region=region1 | DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName:Key |
Region.destroy(key) | DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName:Key |
Region.invalidate(key) | DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName:Key |
Region.put(key) | DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName:Key |
Region.replace | DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName:Key |
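An added example, not code from the proposal or from Geode itself, that evaluates the revised strings with Shiro's WildcardPermission (the matcher behind the RESOURCE:OPERATION:TARGET form above). It assumes shiro-core on the classpath; the role names and the persistent flag are constructed inputs, and canCreateRegion encodes the table's "DATA:MANAGE AND CLUSTER:MANAGE:DISK if persistent" row. It also shows a Shiro rule the unchanged rows rely on: a two-part CLUSTER:MANAGE still implies every CLUSTER:MANAGE:<resource>, so only holders of the three-part strings are narrowed.

```java
import java.util.Arrays;
import java.util.List;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

// Added example, not Geode's own authorization code; evaluates the proposed
// permission strings with Shiro's WildcardPermission.
public class FinerGrainedPermissionCheck {

    // A required permission is satisfied if any granted string implies it.
    // Shiro rules: parts are ':'-separated, ',' lists alternatives inside a
    // part, and a granted string with fewer parts implies all longer strings.
    static boolean permitted(List<String> granted, String required) {
        Permission needed = new WildcardPermission(required);
        return granted.stream()
                .map(WildcardPermission::new)
                .anyMatch(p -> p.implies(needed));
    }

    // "create region" row of the table: DATA:MANAGE, plus CLUSTER:MANAGE:DISK
    // when the region is persistent (it writes to a disk store).
    static boolean canCreateRegion(List<String> granted, boolean persistent) {
        if (!permitted(granted, "DATA:MANAGE")) {
            return false;
        }
        return !persistent || permitted(granted, "CLUSTER:MANAGE:DISK");
    }

    public static void main(String[] args) {
        // Constructed roles for illustration.
        List<String> developer = Arrays.asList("DATA:MANAGE");
        List<String> storageOperator = Arrays.asList("CLUSTER:MANAGE:DISK,GATEWAY");
        List<String> clusterAdmin = Arrays.asList("CLUSTER:MANAGE");

        // The developer keeps in-memory region creation but no longer gets the
        // disk-store and persistent-region rights DATA:MANAGE carried before.
        System.out.println("developer, in-memory region: " + canCreateRegion(developer, false));
        System.out.println("developer, persistent region: " + canCreateRegion(developer, true));
        System.out.println("developer, create disk-store: " + permitted(developer, "CLUSTER:MANAGE:DISK"));

        // A comma-separated target grants each listed sub-resource, nothing under DATA.
        System.out.println("operator, create gateway-sender: " + permitted(storageOperator, "CLUSTER:MANAGE:GATEWAY"));
        System.out.println("operator, create region: " + canCreateRegion(storageOperator, false));

        // Caveat: Shiro implies missing trailing parts, so the unchanged
        // CLUSTER:MANAGE rows remain a superset of every CLUSTER:MANAGE:<resource>.
        System.out.println("admin, create disk-store: " + permitted(clusterAdmin, "CLUSTER:MANAGE:DISK"));
    }
}
```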
Here is how it will work out for each resource:
DISK:
1. CLUSTER:MANAGE:DISK - allows users to create/manage disk stores
2. CLUSTER:WRITE:DISK - allows users to create regions that write/overflow to disk stores
3. CLUSTER:READ:DISK - not needed here; reading is already covered by DATA:READ
WAN:
1. CLUSTER:MANAGE:WAN - allows users to create gateway senders and receivers
2. CLUSTER:WRITE:WAN - allows users to create regions that write data to gateway senders
3. CLUSTER:READ:WAN - allows users to create regions that read data from gateway receivers