Security Concepts
GridSecurity Facade
GridGain supports authenticating and authorizing grid nodes and remote nodes trying to join the grid. The GridSecurity API contains information about authenticated subjects currently logged into grid with their permission sets. You can obtain a GridSecurity instance from the GridGain plugin interface using:
GridSecurity security = grid.security();Authentication and Authorization
When security is enabled, grid nodes must be authenticated prior to joining the grid. To enable grid security, security credentials and authenticator should be configured in GridGainConfiguration. Nodes can be authorized with permissions for specified caches to perform put, get, and remove operations, as well as permissions for specified tasks to perform execute operations.
Security Credentials
For grid nodes, security credentials are specified in the grid configuration via the GridGainConfiguration.setSecurityCredentialsProvider(…) method. Here is an example of how this can be done programmatically:
GridGainConfiguration cfg = new GridGainConfiguration();
SecurityCredentials creds = new SecurityCredentials("username", "password");
// Create basic security provider.
SecurityCredentialsBasicProvider provider = new SecurityCredentialsBasicProvider(creds);
// Specify security provider in GridGain Configuration.
cfg.setSecurityCredentialsProvider(provider);or via Spring XML configuration file:
<!-- Security credentials. -->
<bean id="securityCredentials" class="org.apache.ignite.plugin.security.SecurityCredentials">
<constructor-arg value="YOUR_USERNAME"/>
<constructor-arg value="YOUR_PASSWORD"/>
</bean>
<!-- GridGain plugin configuration. -->
<bean class="org.gridgain.grid.configuration.GridGainConfiguration">
...
<property name="securityCredentialsProvider">
<bean class="org.apache.ignite.plugin.security.SecurityCredentialsBasicProvider">
<constructor-arg ref="securityCredentials"/>
</bean>
</property>
...
</bean>Authenticator
Grid node authentication happens via the Authenticator. GridGain provides two ways to authenticate and authorize a subject (node or client):
-
JAAS Authenticator
-
Passcode Authenticator
Security permissions are assigned to a node during the join process and never change during the node’s lifespan.
Authenticator Configuration Validation
The following checks of the authenticator configuration are performed whenever a new node tries to join to the cluster:
-
GridGain always checks that all server nodes are configured with the same authenticator implementation class.
-
GridGain also supports authentication validation by a custom token. To enable this validation, an authenticator implementation class should also implement the
AuthenticationValidatorinterface. GridGain will check that all nodes in the cluster have equal validation tokens. Note that JAAS Authenticator and Passcode Authenticator implement the interface as well.
Global Node Authentication
GridGain supports two modes of subject authentication regulated by the Authenticator.isGlobalNodeAuthentication() method.
| isGlobalNodeAuthentication | Description |
|---|---|
false |
In cases when This mode of operation is useful when working with a centralized authentication system, such as LDAP, because it supports dynamically changing security permissions for a subject without restarting the whole cluster. It is enough to restart a single cluster member for which security permissions have changed. |
true |
In cases when This mode of operation is used with |
© 2020 GridGain Systems, Inc. All Rights Reserved. Privacy Policy | Legal Notices. GridGain® is a registered trademark of GridGain Systems, Inc.
Apache, Apache Ignite, the Apache feather and the Apache Ignite logo are either registered trademarks or trademarks of The Apache Software Foundation.