
Geode is introducing a security feature that lets you control authentication and authorization for all aspects of Geode in one implementation. When Integrated Security is turned on, client/server communication, peer-to-peer communication, gateway authentication, JMX operations, gfsh commands and Pulse are all protected by this single security mechanism.

1. No changes for existing implementations of Authentication/Authorization for client-server security

The API for Authenticator and AccessControl has not changed. Your implementations of those interfaces are still honored for client/server communication if you choose not to implement the new security interface. However, both are now deprecated and will be removed in a future release.

2. Introduction of security-manager configuration and SecurityManager interface for Integrated Security

To turn on integrated security, you will need to start your server/locator with this line in your gemfire.properties file:

security-manager = com.abc.security.MySecurityManager

The value is the name of a class implementing the SecurityManager interface. Make sure your class has a zero-argument constructor, because Geode instantiates it reflectively. SecurityManager is the new interface you implement for both authentication and authorization; see the SecurityManager javadoc for details. You can use SampleSecurityManager as a starting point for your own implementation.

mention the gfsh commands to start locator/server with security

3. Introduction of GeodePermission

In SecurityManager, a GeodePermission is passed to the authorization call. GeodePermission is an object that describes the operation the Principal is trying to perform.

A GeodePermission takes one of these forms:

Resource:Operation
Resource:Operation:RegionName
Resource:Operation:RegionName:Key

All Resources are enumerated by the enum GeodePermission.Resource: "CLUSTER" and "DATA".

All Operations are enumerated by the enum GeodePermission.Operation: "MANAGE", "READ" and "WRITE". Note that "MANAGE" does not imply "WRITE", and "WRITE" does not imply "READ"; each operation must be granted explicitly.

RegionName and Key are included when the operation targets a specific region or a specific key within a region.

For example, a GeodePermission may be "CLUSTER:READ", "CLUSTER:MANAGE", "DATA:READ", "DATA:READ:regionA", or "DATA:READ:regionA:key1".

Note that GeodePermission is hierarchical. If you have permission for "DATA:READ", you automatically have data read permission on all regions and all keys, i.e., you have permission for "DATA:READ:regionA". If you have permission for "DATA:READ:regionA", you automatically have data read permission on all keys in regionA, i.e., you have permission for "DATA:READ:regionA:key1".
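An added example of a SecurityManager covering sections 2 and 3 (this is not Geode's SampleSecurityManager): a zero-argument constructor, credential-based authentication, and an authorize() that applies the hierarchy described above with deny-by-default. It assumes the credential property names security-username/security-password, the accessor names getResource()/getOperation()/getRegionName()/getKey() on GeodePermission, and the package com.gemstone.gemfire.security; the users and passwords are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import com.gemstone.gemfire.security.*; // assumed package of SecurityManager, GeodePermission, AuthenticationFailedException

public class MySecurityManager implements SecurityManager {   // referenced as com.abc.security.MySecurityManager
  private static final class Grant {
    final GeodePermission.Resource resource;
    final GeodePermission.Operation operation;
    final String region, key;   // null = all regions / all keys
    Grant(String spec) {        // parses the page's Resource:Operation[:RegionName[:Key]] form
      String[] p = spec.split(":");
      resource = GeodePermission.Resource.valueOf(p[0]);
      operation = GeodePermission.Operation.valueOf(p[1]);
      region = p.length > 2 ? p[2] : null; key = p.length > 3 ? p[3] : null;
    }
    /** "DATA:READ" implies "DATA:READ:regionA:key1"; MANAGE never implies WRITE. Accessor names are assumed. */
    boolean implies(GeodePermission req) {
      if (resource != req.getResource() || operation != req.getOperation()) return false;
      if (region != null && !region.equals(req.getRegionName())) return false;
      return key == null || key.equals(req.getKey());
    }
  }
  // Constructed sample users; a real deployment loads hashed passwords and roles from a store.
  private final Map<String, byte[]> passwords = new HashMap<>();
  private final Map<String, List<Grant>> grants = new HashMap<>();
  public MySecurityManager() {   // zero-argument constructor, as Geode requires
    addUser("admin", "admin-pw", "CLUSTER:MANAGE", "CLUSTER:READ", "CLUSTER:WRITE", "DATA:MANAGE", "DATA:READ", "DATA:WRITE");
    addUser("pulse", "pulse-pw", "CLUSTER:READ", "DATA:READ");             // what the Pulse Data Browser needs
    addUser("appA", "appA-pw", "DATA:READ:regionA", "DATA:WRITE:regionA"); // one region only, no MANAGE
  }
  private void addUser(String name, String pw, String... specs) {
    passwords.put(name, pw.getBytes(StandardCharsets.UTF_8));
    List<Grant> list = new ArrayList<>();
    for (String s : specs) list.add(new Grant(s));
    grants.put(name, Collections.unmodifiableList(list));
  }
  public Object authenticate(Properties credentials) throws AuthenticationFailedException {
    String user = credentials.getProperty("security-username"), pw = credentials.getProperty("security-password");
    byte[] expected = user == null ? null : passwords.get(user);
    // constant-time compare; unknown user and wrong password fail identically
    if (expected == null || pw == null || !MessageDigest.isEqual(expected, pw.getBytes(StandardCharsets.UTF_8)))
      throw new AuthenticationFailedException("invalid credentials");
    return user;   // the principal that Geode later passes to authorize()
  }
  public boolean authorize(Object principal, GeodePermission permission) {
    for (Grant g : grants.getOrDefault(String.valueOf(principal), Collections.emptyList()))
      if (g.implies(permission)) return true;
    return false;  // deny by default
  }
}
```

With this table, "appA" passes "DATA:READ:regionA:key1" but fails "DATA:READ:regionB" and "DATA:MANAGE", and "pulse" can open the Data Browser but cannot run any WRITE or MANAGE operation.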

4. Operations and their corresponding GeodePermission


5. PostProcessor


Client-Server

Client Operation | Required GeodePermission
region.containsKeyOnServer(key) | DATA:READ:regionName:key
region.destroy(key) | DATA:WRITE:regionName:key
region.invalidate(key) | DATA:WRITE:regionName:key
region.put(key, value) | DATA:WRITE:regionName:key
region.get(key) | DATA:READ:regionName:key
region.replace | 
region.putIfAbsent | 
createRegion | DATA:MANAGE
destroyRegion | DATA:MANAGE
executeFunction | DATA:WRITE
executeRegionFunction | DATA:WRITE
region.getAll | DATA:READ:regionName
region.getEntry | DATA:READ:regionName
region.clear | DATA:WRITE:regionName
region.registerInterest | DATA:READ:regionName:key
region.registerInterestRegex | DATA:READ:regionName
region.registerInterestList | DATA:READ:regionName
region.removeAll | DATA:WRITE:regionName
region.unRegisterInterest | DATA:READ:regionName:key
region.unRegisterInterestRegex | DATA:READ:regionName
region.unRegisterInterestList | DATA:READ:regionName
query | DATA:READ:regionName

Pulse

Pulse access is divided into two main categories, namely access to the Data Browser page and everything else.

The Data Browser page requires the permissions CLUSTER:READ and DATA:READ. Access to all other pages requires only CLUSTER:READ permission.

GFSH and JMX

The following tables list gfsh commands (highlighted in green on the rendered page) and JMX operations together with their required permissions. Permissions appear as Resource:Operation tuples.

gfsh commands are written as command lines (for example "list members"); JMX operations are written as MXBean method names (for example "MemberMXBean.showLog").


Cluster MANAGE Operations | Permission
alter runtime | CLUSTER:MANAGE
gc | CLUSTER:MANAGE
shutdown | CLUSTER:MANAGE
startManager | CLUSTER:MANAGE
stop locator --name=locator1 | CLUSTER:MANAGE
stop server --name=server1 | CLUSTER:MANAGE
DistributedSystemMXBean.shutdownAllMembers | CLUSTER:MANAGE
ManagerMXBean.start | CLUSTER:MANAGE
ManagerMXBean.stop | CLUSTER:MANAGE
MemberMXBean.createManager() | CLUSTER:MANAGE
MemberMXBean.shutDownMember | CLUSTER:MANAGE

Cluster READ Operations | Permission
countDurableCqEvents | CLUSTER:READ
describe client --clientID=172.16.196.144 | CLUSTER:READ
describe config --member=Member1 | CLUSTER:READ
describe disk-store --name=foo --member=baz | CLUSTER:READ
describe member --name=server1 | CLUSTER:READ
describe offline-disk-store --name=foo --disk-dirs=bar | CLUSTER:READ
describe region --name=value | CLUSTER:READ
export cluster-configuration --zip-file-name=mySharedConfig.zip | CLUSTER:READ
export config --member=member1 | CLUSTER:READ
export logs --dir=data/logs | CLUSTER:READ
export stack-traces --file=stack.txt | CLUSTER:READ
exportLogs | CLUSTER:READ
exportStackTrace | CLUSTER:READ
list async-event-queues | CLUSTER:READ
list clients | CLUSTER:READ
list deployed | CLUSTER:READ
list disk-stores | CLUSTER:READ
list durable-cqs --durable-client-id=client1 | CLUSTER:READ
list functions | CLUSTER:READ
list gateways | CLUSTER:READ
list indexes | CLUSTER:READ
list members | CLUSTER:READ
list regions | CLUSTER:READ
netstat --member=server1 | CLUSTER:READ
show dead-locks --file=deadlocks.txt | CLUSTER:READ
show log --member=locator1 --lines=5 | CLUSTER:READ
show metrics | CLUSTER:READ
show missing-disk-stores | CLUSTER:READ
show subscription-queue-size --durable-client-id=client1 | CLUSTER:READ
showLog | CLUSTER:READ
status cluster-config-service | CLUSTER:READ
status gateway-receiver | CLUSTER:READ
status gateway-sender | CLUSTER:READ
MBeans get attributes | CLUSTER:READ
MemberMXBean.showLog | CLUSTER:READ

Cluster WRITE Operations | Permission
change loglevel --loglevel=severe --member=server1 | CLUSTER:WRITE
DistributedSystemMXBean.changeAlertLevel | CLUSTER:WRITE
ManagerMXBean.setPulseURL | CLUSTER:WRITE
ManagerMXBean.setStatusMessage | CLUSTER:WRITE

Data MANAGE Operations | Permission
alter disk-store --name=foo --region=xyz --disk-dirs=bar | DATA:MANAGE
alter region --name=region1 --eviction-max=5000 | DATA:MANAGE:REGIONNAME
clear defined indexes | DATA:MANAGE
close durable-client --durable-client-id=client1 | DATA:MANAGE
close durable-cq --durable-client-id=client1 --durable-cq-name=cq1 | DATA:MANAGE
compact disk-store --name=foo | DATA:MANAGE
compact offline-disk-store --name=foo --disk-dirs=bar | DATA:MANAGE
configure pdx --read-serialized=true | DATA:MANAGE
create async-event-queue --id=myAEQ --listener=myApp.myListener | DATA:MANAGE
create defined indexes | DATA:MANAGE
create disk-store --name=foo --dir=bar | DATA:MANAGE
create gateway-receiver | DATA:MANAGE
create gateway-sender --id=sender1 --remote-distributed-system-id=2 | DATA:MANAGE
create index --name=myKeyIndex --expression=region1.Id --region=region1 --type=key | DATA:MANAGE:REGIONNAME
create region --name=region12 | DATA:MANAGE
define index --name=myIndex1 --expression=exp1 --region=/exampleRegion | DATA:MANAGE:REGIONNAME
deploy --jar=group1_functions.jar --group=Group1 | DATA:MANAGE
destroy disk-store --name=foo | DATA:MANAGE
destroy function --id=InterestCalculations | DATA:MANAGE
destroy index --member=server2 | DATA:MANAGE:REGIONNAME
destroy region --name=value | DATA:MANAGE
import cluster-configuration --zip-file-name=value | DATA:MANAGE
load-balance gateway-sender --id=sender1 | DATA:MANAGE
pause gateway-sender --id=sender1 | DATA:MANAGE
pdx rename --old=com.gemstone --new=com.pivotal --disk-store=ds1 --disk-dirs=/diskDir1 | DATA:MANAGE
rebalance --include-region=region1 | DATA:MANAGE
remove --region=region1 | DATA:MANAGE, if key is specified...
resume gateway-sender --id=sender1 | DATA:MANAGE
revoke missing-disk-store --id=foo | DATA:MANAGE
start gateway-receiver | DATA:MANAGE
start gateway-sender --id=sender1 | DATA:MANAGE
stop gateway-receiver | DATA:MANAGE
stop gateway-sender --id=sender1 | DATA:MANAGE
undeploy --group=Group1 | DATA:MANAGE
CacheServerMXBean.closeAllContinuousQuery | DATA:MANAGE
CacheServerMXBean.closeContinuousQuery | DATA:MANAGE
CacheServerMXBean.removeIndex("foo") | DATA:MANAGE
CacheServerMXBean.stopContinuousQuery("bar") | DATA:MANAGE
DiskStoreMXBean.flush() | DATA:MANAGE
DiskStoreMXBean.forceCompaction() | DATA:MANAGE
DiskStoreMXBean.forceRoll() | DATA:MANAGE
DiskStoreMXBean.setDiskUsageCriticalPercentage(0) | DATA:MANAGE
DiskStoreMXBean.setDiskUsageWarningPercentage(0) | DATA:MANAGE
DistributedSystemMXBean.revokeMissingDiskStores | DATA:MANAGE
DistributedSystemMXBean.setQueryCollectionsDepth | DATA:MANAGE
DistributedSystemMXBean.setQueryResultSetLimit | DATA:MANAGE
GatewayReceiverMXBean.pause() | DATA:MANAGE
GatewayReceiverMXBean.rebalance() | DATA:MANAGE
GatewayReceiverMXBean.resume() | DATA:MANAGE
GatewayReceiverMXBean.start | DATA:MANAGE
GatewayReceiverMXBean.stop | DATA:MANAGE
GatewaySenderMXBean.pause | DATA:MANAGE
GatewaySenderMXBean.rebalance | DATA:MANAGE
GatewaySenderMXBean.resume | DATA:MANAGE
GatewaySenderMXBean.start | DATA:MANAGE
GatewaySenderMXBean.stop | DATA:MANAGE
LockServiceMBean.becomeLockGrantor() | DATA:MANAGE
MemberMXBean.compactAllDiskStores | DATA:MANAGE

Data READ Operations | Permission
backup disk-store --dir=foo | DATA:READ
export data --region=region1 --file=foo.txt --member=value | DATA:READ:REGIONNAME
get --key=key1 --region=region1 | DATA:READ:regionName:key
locateEntry | DATA:READ:regionName:key
query --query='SELECT * FROM /region1' | DATA:READ:REGIONNAME
CacheServerMXBean.executeContinuousQuery("bar") | DATA:READ
DistributedSystemMXBean.backupAllMembers | DATA:READ
DistributedSystemMXBean.queryData | DATA:READ
DistributedSystemMXBean.queryDataForCompressedResult | DATA:READ

Data WRITE Operations | Permission
execute function --id=InterestCalculations --group=Group1 | DATA:WRITE
import data --region=region1 --file=foo.txt --member=value | DATA:WRITE:REGIONNAME
put --key=key1 --value=value1 --region=region1 | DATA:WRITE:REGIONNAME:key
