GridGain Software Documentation

Authorization and Permissions

Authorization occurs after successful authentication of subjects (remote nodes or clients). Once a subject is authenticated, it’s assigned a set of permissions, represented by the SecurityPermissionSet object. GridGain provides cache, task execution, service, and system permissions:

Cache permissions:

  • CACHE_READ - allows cache read operations

  • CACHE_PUT - allows cache put operations

  • CACHE_REMOVE - allows cache remove operations

Task permissions:

  • TASK_EXECUTE - allows task execution

  • TASK_CANCEL - allows task cancellation

Service permissions:

  • SERVICE_DEPLOY - allows service deployment

  • SERVICE_INVOKE - allows service invocation

  • SERVICE_CANCEL - allows service cancellation

System permissions:

  • JOIN_AS_SERVER - allows node to join topology as server

  • EVENTS_ENABLE - allows enabling events at runtime

  • EVENTS_DISABLE - allows disabling events at runtime

  • ADMIN_OPS - can perform various operations in Visor and Web Console

  • ADMIN_VIEW - can view grid statistics (metrics, graphs, cache sizes, etc.) in Visor and Web Console

  • ADMIN_QUERY - can execute SQL queries from Visor and Web Console

  • ADMIN_CACHE - can perform cache operations from Visor and Web Console (data loading, manual rebalancing, etc.)

  • CACHE_CREATE - can create new caches (including ones specified in node configuration)

  • CACHE_DESTROY - can destroy existing caches

Cache, service, and task execution permissions are assigned on a per-cache, per-service, and per-task basis. Note that wildcard notation is supported, so you can define the same set of permissions for several caches, tasks, or services.

If you use out-of-the-box JAAS or Passcode authentication to enable security, you should use JSON format to configure permissions. Here is an example of how multiple caches, tasks, and services can be authorized with different sets of permissions.

{
    {
        "cache":"mycache",
        "permissions":["CACHE_READ", "CACHE_PUT", "CACHE_REMOVE"]
    },
    {
        "cache":"*",
        "permissions":["CACHE_READ"]
    },
    {
        "task":"org.mytasks.*",
        "permissions":["TASK_EXECUTE"]
    },
    {
        "service":"*",
        "permissions":["SERVICE_INVOKE"]
    },
    {
        "system":["ADMIN_VIEW", "CACHE_CREATE", "JOIN_AS_SERVER"]
    },
    "defaultAllow":"false"
}

In the above example:

  • mycache cache has READ, PUT, and REMOVE permissions.

  • All other caches only have READ permission.

  • Tasks located in package org.mytasks have EXECUTE permission.

  • All services have INVOKE permission.

  • The Web Console management tool has only view permissions (SQL queries and data loading are not allowed).

  • defaultAllow flag is set to false to deny any cache or task operations that are not explicitly specified (e.g., it’s not allowed to execute tasks located outside of the org.mytasks package).
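
A small pre-deployment check for a permissions file in the layout shown above, added here as an illustration and not part of GridGain's documentation or code. It parses the entries, checks every permission against the category lists on this page, and flags bare * grants that go beyond read-only as well as a defaultAllow that is not false; the READ_ONLY set, the function names and the sample file are assumptions of this example.

```python
import json

# Permission names per category, copied from the lists on this page.
ALLOWED = {
    "cache": {"CACHE_READ", "CACHE_PUT", "CACHE_REMOVE"},
    "task": {"TASK_EXECUTE", "TASK_CANCEL"},
    "service": {"SERVICE_DEPLOY", "SERVICE_INVOKE", "SERVICE_CANCEL"},
    "system": {"JOIN_AS_SERVER", "EVENTS_ENABLE", "EVENTS_DISABLE", "ADMIN_OPS", "ADMIN_VIEW",
               "ADMIN_QUERY", "ADMIN_CACHE", "CACHE_CREATE", "CACHE_DESTROY"},
}
READ_ONLY = {"CACHE_READ", "ADMIN_VIEW"}  # assumption: this example's own classification

# Constructed sample in the page's layout: a broad write grant, a misplaced name, a typo.
SAMPLE = """{
    {"cache":"*", "permissions":["CACHE_READ", "CACHE_PUT"]},
    {"task":"org.mytasks.*", "permissions":["TASK_EXECUTE", "SERVICE_INVOKE"]},
    {"system":["ADMIN_VEIW"]},
    "defaultAllow":"true"
}"""

def parse_entries(text):  # splits '{ {entry}, ..., "key":"value" }' into a list of dicts
    dec, body, pos, out = json.JSONDecoder(), text.strip()[1:-1], 0, []
    while pos < len(body):
        if body[pos] in " \t\r\n,":
            pos += 1
        elif body[pos] == "{":
            obj, pos = dec.raw_decode(body, pos)
            out.append(obj)
        else:  # bare "key":"value" pair such as defaultAllow
            end = (body + ",").find(",", pos)
            out.append(json.loads("{" + body[pos:end] + "}"))
            pos = end
    return out

def audit(text):
    """Return a list of review findings for one permissions document."""
    findings, default_allow = [], None
    for entry in parse_entries(text):
        if "defaultAllow" in entry:
            default_allow = str(entry["defaultAllow"]).lower()
        for kind in ALLOWED.keys() & entry.keys():
            perms = entry["system"] if kind == "system" else entry.get("permissions", [])
            for perm in perms:
                if perm not in ALLOWED[kind]:
                    findings.append(f"{perm} is not a documented {kind} permission")
                elif entry[kind] == "*" and perm not in READ_ONLY:
                    findings.append(f"wildcard {kind} grant includes {perm}")
    if default_allow != "false":
        findings.append("defaultAllow is not false, so this file does not deny unlisted operations")
    return findings
```

Calling audit(SAMPLE) returns four findings; the configuration shown earlier on this page yields one, for the * service entry that grants SERVICE_INVOKE.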