GridGain supports authenticating and authorizing grid nodes and remote nodes trying to join the grid. The GridSecurity API contains information about authenticated subjects currently logged into the grid with their permission sets. You can obtain a GridSecurity instance from the GridGain plugin interface using:
GridSecurity security = grid.security();
Authentication and Authorization
When security is enabled, grid nodes must be authenticated prior to joining the grid. To enable grid security, security credentials and an authenticator should be configured in
GridGainConfiguration. Nodes can be authorized with permissions for specified caches to perform
remove operations, as well as permissions for specified tasks to perform
For grid nodes, security credentials are specified in the grid configuration via the GridGainConfiguration.setSecurityCredentialsProvider(…) method. Here is an example of how this can be done programmatically:
GridGainConfiguration cfg = new GridGainConfiguration();
SecurityCredentials creds = new SecurityCredentials("username", "password");
// Create basic security provider.
SecurityCredentialsBasicProvider provider = new SecurityCredentialsBasicProvider(creds);
// Specify security provider in GridGain Configuration.
cfg.setSecurityCredentialsProvider(provider);
or via Spring XML configuration file:
<!-- Security credentials. -->
<bean id="securityCredentials" class="org.apache.ignite.plugin.security.SecurityCredentials">
    <constructor-arg value="YOUR_USERNAME"/>
    <constructor-arg value="YOUR_PASSWORD"/>
</bean>
<!-- GridGain plugin configuration. -->
<bean class="org.gridgain.grid.configuration.GridGainConfiguration">
    ...
    <property name="securityCredentialsProvider">
        <bean class="org.apache.ignite.plugin.security.SecurityCredentialsBasicProvider">
            <constructor-arg ref="securityCredentials"/>
        </bean>
    </property>
    ...
</bean>
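A hardened variant of the programmatic configuration above, as an added example (not GridGain's own code): instead of embedding the username and password in source or XML, it loads them from a properties file that only its owner can access and fails closed otherwise. The file path and the grid.login / grid.password key names are assumptions, and the permission check assumes a POSIX file system.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.plugin.security.SecurityCredentialsBasicProvider;
import org.gridgain.grid.configuration.GridGainConfiguration;

public class NodeCredentialsLoader {
    /** Permissions that would let other local accounts read or alter the secret. */
    private static final Set<PosixFilePermission> TOO_OPEN = EnumSet.of(
        PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
        PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

    /**
     * Reads the node login and password from a properties file.
     * Constructed sample content (key names are hypothetical):
     *   grid.login=node-a
     *   grid.password=change-me
     */
    static SecurityCredentials load(Path file) throws IOException {
        // Refuse files that group or other users can read or write.
        for (PosixFilePermission p : Files.getPosixFilePermissions(file))
            if (TOO_OPEN.contains(p))
                throw new SecurityException(file + " is accessible beyond its owner: " + p);

        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        String login = props.getProperty("grid.login");
        String password = props.getProperty("grid.password");
        // Fail closed: never fall back to a default or empty credential.
        if (login == null || login.isEmpty() || password == null || password.isEmpty())
            throw new SecurityException("grid.login and grid.password must both be set in " + file);
        return new SecurityCredentials(login, password);
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical default path; pass the real location as the first argument.
        Path file = Paths.get(args.length > 0 ? args[0] : "node-credentials.properties");
        GridGainConfiguration cfg = new GridGainConfiguration();
        cfg.setSecurityCredentialsProvider(new SecurityCredentialsBasicProvider(load(file)));
    }
}
```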
Grid node authentication happens via the Authenticator. GridGain provides two ways to authenticate and authorize a subject (node or client):
Security permissions are assigned to a node during the join process and never change during the node’s lifespan.
Authenticator Configuration Validation
The following checks of the authenticator configuration are performed whenever a new node tries to join the cluster:
GridGain always checks that all server nodes are configured with the same authenticator implementation class.
GridGain also supports authentication validation by a custom token. To enable this validation, an authenticator implementation class should also implement the AuthenticationValidator interface. GridGain will check that all nodes in the cluster have equal validation tokens. Note that JAAS Authenticator and Passcode Authenticator implement the interface as well.
Global Node Authentication
GridGain supports two modes of subject authentication regulated by the
In cases when
This mode of operation is useful when working with a centralized authentication system, such as LDAP, because it supports dynamically changing security permissions for a subject without restarting the whole cluster. It is enough to restart a single cluster member for which security permissions have changed.
In cases when
This mode of operation is used with