Security Concepts

GridSecurity Facade

GridGain supports authenticating and authorizing grid nodes and remote nodes trying to join the grid. The GridSecurity API contains information about authenticated subjects currently logged into grid with their permission sets. You can obtain a GridSecurity instance from the GridGain plugin interface using:

GridSecurity security = grid.security();

Authentication and Authorization

When security is enabled, grid nodes must be authenticated prior to joining the grid. To enable grid security, security credentials and authenticator should be configured in GridGainConfiguration. Nodes can be authorized with permissions for specified caches to perform put, get, and remove operations, as well as permissions for specified tasks to perform execute operations.

Security Credentials

For grid nodes, security credentials are specified in the grid configuration via the GridGainConfiguration.setSecurityCredentialsProvider(…) method. Here is an example of how this can be done programmatically:

GridGainConfiguration cfg = new GridGainConfiguration();

SecurityCredentials creds = new SecurityCredentials("username", "password");

// Create basic security provider.
SecurityCredentialsBasicProvider provider = new SecurityCredentialsBasicProvider(creds);

// Specify security provider in GridGain Configuration.
cfg.setSecurityCredentialsProvider(provider);

or via Spring XML configuration file:

<!-- Security credentials. -->
<bean id="securityCredentials" class="org.apache.ignite.plugin.security.SecurityCredentials">
    <constructor-arg value="YOUR_USERNAME"/>
    <constructor-arg value="YOUR_PASSWORD"/>
</bean>

<!-- GridGain plugin configuration. -->
<bean class="org.gridgain.grid.configuration.GridGainConfiguration">
    ...
    <property name="securityCredentialsProvider">
        <bean class="org.apache.ignite.plugin.security.SecurityCredentialsBasicProvider">
            <constructor-arg ref="securityCredentials"/>
        </bean>
    </property>
    ...
</bean>

Authenticator

Grid node authentication happens via the Authenticator. GridGain provides two ways to authenticate and authorize a subject (node or client):

JAAS Authenticator
Passcode Authenticator

Security permissions are assigned to a node during the join process and never change during the node’s lifespan.

Authenticator Configuration Validation

The following checks of the authenticator configuration are performed whenever a new node tries to join to the cluster:

GridGain always checks that all server nodes are configured with the same authenticator implementation class.
GridGain also supports authentication validation by a custom token. To enable this validation, an authenticator implementation class should also implement the AuthenticationValidator interface. GridGain will check that all nodes in the cluster have equal validation tokens. Note that JAAS Authenticator and Passcode Authenticator implement the interface as well.

Global Node Authentication

GridGain supports two modes of subject authentication regulated by the Authenticator.isGlobalNodeAuthentication() method.

isGlobalNodeAuthentication Description

isGlobalNodeAuthentication	Description
false	In cases when `isGlobalNodeAuthentication()` returns `false`, only the oldest server node in the grid will authenticate and assign security permissions to joining nodes. If the oldest server node leaves the grid, the next oldest node takes over and will use its `Authenticator` instance to authenticate and assign security permissions to new nodes. This mode of operation is useful when working with a centralized authentication system, such as LDAP, because it supports dynamically changing security permissions for a subject without restarting the whole cluster. It is enough to restart a single cluster member for which security permissions have changed.
true	In cases when `isGlobalNodeAuthentication()` returns `true`, all existing members of the cluster will authenticate a subject and must agree on the security permissions assigned to the subject in order for authentication to succeed. This mode of operation is used with `PasscodeAuthenticator` in order to minimize the possibility of misconfiguration since permissions are defined on each node independently.

false

In cases when isGlobalNodeAuthentication() returns false, only the oldest server node in the grid will authenticate and assign security permissions to joining nodes. If the oldest server node leaves the grid, the next oldest node takes over and will use its Authenticator instance to authenticate and assign security permissions to new nodes.

This mode of operation is useful when working with a centralized authentication system, such as LDAP, because it supports dynamically changing security permissions for a subject without restarting the whole cluster. It is enough to restart a single cluster member for which security permissions have changed.

true

In cases when isGlobalNodeAuthentication() returns true, all existing members of the cluster will authenticate a subject and must agree on the security permissions assigned to the subject in order for authentication to succeed.

This mode of operation is used with PasscodeAuthenticator in order to minimize the possibility of misconfiguration since permissions are defined on each node independently.