Pivotal GemFire® v8.2

Authorization Example

This topic discusses the authorization example provided in the product under templates/security using XmlAuthorization.java, XmlErrorHandler.java, and authz6_0.dtd.

Note: Disclaimer: The security samples serve only as example implementations. The implementation and its source code are provided on an "as-is" basis, without warranties or conditions of any kind, either express or implied. You can modify these samples to suit your specific requirements and security providers. Pivotal takes no responsibility and accepts no liability for any damage to computer equipment, companies or personnel that might arise from the use of these samples.

XmlAuthorization provides authorization for each region at the operation level by using the permissions specified in an XML file. The sample implementation also shows the post-authorization implementation for the function execution operation. For pre-operation, all the required values are available.

You can configure authorization for all server region operations on a per-region and per-operation basis by using a role-based mechanism. A role can be provided with permissions to execute operations for each region. Each principal name can be associated with a set of roles.

Information such as the region reference, arguments, the operation being invoked, and a reference to the cache instance can be made available to the XmlAuthorization callback. If an authenticated client is not authorized to perform an operation, the operation fails with a NotAuthorizedException.

Server Settings

These are the gemfire.properties file (or gfsecurity.properties file if you are creating a special restricted access file for security configuration) settings for each server:
security-client-accessor=templates.security.XmlAuthorization.create
security-authz-xml-uri=<URI of XML file> 

XML File Sample Settings

The XmlAuthorization sample is configured through an XML file, which is described in the authz6_0.dtd in the security templates directory. See the dtd for documentation about the elements and attributes you use to configure XmlAuthorization. To run the example, create an XML file following the dtd specifications.

The user names you use should be the strings returned by the Principal.getName method of the Authenticator configured on the server.

This topic lists an example XML file for the dtd. The example defines five roles:
  1. reader
  2. writer
  3. cacheOps
  4. queryRegions
  5. onRegionFunctionExecutor
In the sample XML file listed below:
  • The permissions for each of the roles are described in the permission tags.
  • The reader, writer, and cacheOps roles have no regions mentioned, so they apply to all regions.
  • The queryRegions role has permissions on Portfolios and Positions regions.
  • The onRegionFunctionExecutor role can operate only on the regions secureRegion and Positions, and only with functions whose IDs are SecureFunction or OptimizationFunction. For these functions, optimizeForWrite must be false and keySet must be KEY-0 and KEY-1.
<!DOCTYPE acl PUBLIC
"-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN"
"http://www.gemstone.com/dtd/authz6_0.dtd">
 
<acl>
<role name="reader">
  <user>reader</user>
  <user>admin</user>
</role>
<role name="writer">
  <user>writer</user>
  <user>admin</user>
</role>
<role name="cacheOps">
  <user>admin</user>
</role>
<role name="queryRegions">
  <user>query</user>
</role>
<role name="onRegionFunctionExecutor">
  <user>admin</user>
</role>
<permission role="cacheOps">
  <operation>QUERY</operation>
  <operation>EXECUTE_CQ</operation>
  <operation>STOP_CQ</operation>
  <operation>CLOSE_CQ</operation>
  <operation>REGION_CREATE</operation>
  <operation>REGION_DESTROY</operation>
</permission>
<permission role="reader">
  <operation>GET</operation>
  <operation>REGISTER_INTEREST</operation>
  <operation>UNREGISTER_INTEREST</operation>
  <operation>KEY_SET</operation>
  <operation>CONTAINS_KEY</operation>
</permission>
<permission role="writer">
  <operation>PUT</operation>
  <operation>DESTROY</operation>
  <operation>REGION_CLEAR</operation>
</permission>
<permission role="queryRegions" regions="/Portfolios,Positions">
  <operation>QUERY</operation>
  <operation>EXECUTE_CQ</operation>
  <operation>STOP_CQ</operation>
  <operation>CLOSE_CQ</operation>
</permission>
<permission role="onRegionFunctionExecutor" regions="secureRegion,Positions">
  <operation functionIds="SecureFunction,OptimizationFunction" 
    optimizeForWrite="false" keySet="KEY-0,KEY-1">EXECUTE_FUNCTION</operation>
</permission>
</acl>
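
An added example, not part of the GemFire templates or of XmlAuthorization.java: a short Python script that resolves an ACL file in the format above into per-user grants, so the policy can be reviewed before it is deployed. It assumes a leading slash in a region name is optional, treats a user with no matching grant as denied, and does not evaluate the functionIds, optimizeForWrite and keySet constraints; the names norm, effective_permissions, is_allowed and all_region_grants are chosen here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a subset of the ACL listed above (DOCTYPE omitted).
ACL_XML = """<acl>
<role name="reader"><user>reader</user><user>admin</user></role>
<role name="queryRegions"><user>query</user></role>
<role name="onRegionFunctionExecutor"><user>admin</user></role>
<permission role="reader">
  <operation>GET</operation><operation>KEY_SET</operation>
</permission>
<permission role="queryRegions" regions="/Portfolios,Positions">
  <operation>QUERY</operation>
</permission>
<permission role="onRegionFunctionExecutor" regions="secureRegion,Positions">
  <operation functionIds="SecureFunction,OptimizationFunction"
    optimizeForWrite="false" keySet="KEY-0,KEY-1">EXECUTE_FUNCTION</operation>
</permission>
</acl>"""

ALL_REGIONS = "*"  # marker chosen here for a permission with no regions attribute

def norm(region):
    # Assumption: "/Portfolios" and "Portfolios" name the same region.
    return "/" + region.strip().strip("/")

def effective_permissions(acl_xml):
    """Return {user: {(operation, region)}}; region is ALL_REGIONS when unscoped."""
    root = ET.fromstring(acl_xml)
    role_users = {r.get("name"): [u.text.strip() for u in r.findall("user")]
                  for r in root.findall("role")}
    perms = {}
    for p in root.findall("permission"):
        regions = p.get("regions")
        scope = [norm(r) for r in regions.split(",")] if regions else [ALL_REGIONS]
        for user in role_users.get(p.get("role"), []):
            for op in p.findall("operation"):
                for region in scope:
                    perms.setdefault(user, set()).add((op.text.strip(), region))
    return perms

def is_allowed(perms, user, operation, region):
    # Deny by default: a user or operation with no matching grant is refused.
    granted = perms.get(user, set())
    return (operation, ALL_REGIONS) in granted or (operation, norm(region)) in granted

def all_region_grants(perms):
    """Operations each user holds on every region: the grants to review first."""
    found = {u: {op for op, r in g if r == ALL_REGIONS} for u, g in perms.items()}
    return {u: ops for u, ops in found.items() if ops}
```

Running all_region_grants over the full sample file shows that admin, through the reader, writer and cacheOps roles, holds every listed operation except EXECUTE_FUNCTION on all regions, which is the kind of breadth a policy review should confirm is intended.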