In our current security model, a user with DATA:MANAGE can create regions, create disk stores, create WAN gateways, etc. This scope is too wide: an administrator may want to give a developer the privilege to create regions without also giving them the ability to create disk stores or to send that region's data over the WAN. I propose that we refine the security model to make it finer grained.
I propose that only regions belong to the DATA resource, and that everything else (i.e. DISK, GATEWAY, DEPLOY, QUERY, etc.) be treated as CLUSTER resources in the security framework. As with any other resource, admins will be able to grant READ, WRITE and MANAGE permissions on these resources. In Shiro terms, the permission strings will take the form CLUSTER:READ/WRITE/MANAGE:DISK,WAN,ASYNCQUEUE.
Brief description of the resources:
DISK: ability to manage disk stores and to create regions that write to disk stores
GATEWAY: ability to manage gateway senders and receivers and to create regions that use gateways
DEPLOY: ability to deploy server-side code
QUERY: ability to manage indices (OQL only) and to manage continuous queries
LUCENE: ability to manage Lucene indices
Examples:
Here is how it will work out for the DISK resource:
1. CLUSTER:MANAGE:DISK - allows users to create/manage disk stores
2. CLUSTER:WRITE:DISK - allows users to create regions that write/overflow to disk stores
3. CLUSTER:READ:DISK - not needed: reading the data held in a disk store is already covered by DATA:READ, so this permission does not make sense here
Here is the revised list of permission strings. Rows whose New Permission String column is empty keep their old permission string; the others are the ones that change:
Client-Server Operations
Client Operations | Old Permission String | New Permission String |
---|---|---|
get function attribute | CLUSTER:READ | |
create region | DATA:MANAGE | |
destroy region | DATA:MANAGE | |
get keyset | DATA:READ:regionName | |
query | DATA:READ:regionName | |
region.getAll | DATA:READ:regionName | |
region.getEntry | DATA:READ:regionName | |
getAll (list of keys) | DATA:READ:regionName:key | |
region.containsKeyOnServer(key) | DATA:READ:regionName:key | |
region.get(key) | DATA:READ:regionName:key | |
registerInterest | DATA:READ:regionName:key if key is specified, otherwise DATA:READ:regionName | |
unregister interest | DATA:READ:regionName:key if key is specified, otherwise DATA:READ:regionName | |
execute function | DATA:WRITE | Controlled by Function Author |
clear region | DATA:WRITE:regionName | |
putAll | DATA:WRITE:regionName | |
region.clear | DATA:WRITE:regionName | |
region.removeAll | DATA:WRITE:regionName | |
destroy key | DATA:WRITE:regionName:key | |
invalidate key | DATA:WRITE:regionName:key | |
region.destroy(key) | DATA:WRITE:regionName:key | |
region.invalidate(key) | DATA:WRITE:regionName:key | |
region.put(key, value) | DATA:WRITE:regionName:key | |
region.replace | DATA:WRITE:regionName:key | |
queryService.newCq | DATA:READ:regionName | |
cq.stop() | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
GFSH and JMX operations
Operations | Old Permission String | New Permission String |
---|---|---|
alter runtime | CLUSTER:MANAGE | CLUSTER:MANAGE |
DistributedSystemMXBean.shutdownAllMembers | CLUSTER:MANAGE | CLUSTER:MANAGE |
gc | CLUSTER:MANAGE | CLUSTER:MANAGE |
ManagerMXBean.createManager | CLUSTER:MANAGE | CLUSTER:MANAGE |
ManagerMXBean.shutDownMember | CLUSTER:MANAGE | CLUSTER:MANAGE |
ManagerMXBean.start | CLUSTER:MANAGE | CLUSTER:MANAGE |
ManagerMXBean.stop | CLUSTER:MANAGE | CLUSTER:MANAGE |
shutdown | CLUSTER:MANAGE | CLUSTER:MANAGE |
start server | CLUSTER:MANAGE | CLUSTER:MANAGE |
stop locator | CLUSTER:MANAGE | CLUSTER:MANAGE |
stop server | CLUSTER:MANAGE | CLUSTER:MANAGE |
describe client | CLUSTER:READ | CLUSTER:READ |
describe config | CLUSTER:READ | CLUSTER:READ |
describe disk-store | CLUSTER:READ | CLUSTER:READ |
describe member | CLUSTER:READ | CLUSTER:READ |
describe offline-disk-store | CLUSTER:READ | CLUSTER:READ |
describe region | CLUSTER:READ | CLUSTER:READ |
export cluster-configuration | CLUSTER:READ | CLUSTER:READ |
export config | CLUSTER:READ | CLUSTER:READ |
export data | CLUSTER:READ | CLUSTER:READ |
export logs | CLUSTER:READ | CLUSTER:READ |
export offline-disk-store | CLUSTER:READ | CLUSTER:READ |
export stack-traces | CLUSTER:READ | CLUSTER:READ |
get function attribute | CLUSTER:READ | CLUSTER:READ |
list async-event-queues | CLUSTER:READ | CLUSTER:READ |
list clients | CLUSTER:READ | CLUSTER:READ |
list deployed | CLUSTER:READ | CLUSTER:READ |
list disk-stores | CLUSTER:READ | CLUSTER:READ |
list durable-cqs | CLUSTER:READ | CLUSTER:READ |
list functions | CLUSTER:READ | CLUSTER:READ |
list gateways | CLUSTER:READ | CLUSTER:READ |
list indexes | CLUSTER:READ | CLUSTER:READ:QUERY |
list members | CLUSTER:READ | CLUSTER:READ |
Mbeans get attributes | CLUSTER:READ | CLUSTER:READ |
MemberMXBean.showLog | CLUSTER:READ | CLUSTER:READ |
netstat | CLUSTER:READ | CLUSTER:READ |
show dead-locks | CLUSTER:READ | CLUSTER:READ |
show log | CLUSTER:READ | CLUSTER:READ |
show metrics | CLUSTER:READ | CLUSTER:READ |
show missing-disk-stores | CLUSTER:READ | CLUSTER:READ |
show subscription-queue-size | CLUSTER:READ | CLUSTER:READ |
status cluster-config-service | CLUSTER:READ | CLUSTER:READ |
status gateway-receiver | CLUSTER:READ | CLUSTER:READ |
status gateway-sender | CLUSTER:READ | CLUSTER:READ |
status locator | CLUSTER:READ | CLUSTER:READ |
status server | CLUSTER:READ | CLUSTER:READ |
change loglevel | CLUSTER:WRITE | CLUSTER:WRITE |
DistributedSystemMXBean.changeAlertLevel | CLUSTER:WRITE | CLUSTER:WRITE |
ManagerMXBean.setPulseURL | CLUSTER:WRITE | CLUSTER:WRITE |
ManagerMXBean.setStatusMessage | CLUSTER:WRITE | CLUSTER:WRITE |
alter disk-store | DATA:MANAGE (N/A) | CLUSTER:MANAGE:DISK (N/A), needs a documentation fix |
CacheServerMXBean.closeAllContinuousQuery | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
CacheServerMXBean.closeContinuousQuery | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
clear defined indexes | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
close durable-client | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
close durable-cq | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
compact disk-store | DATA:MANAGE | CLUSTER:MANAGE:DISK |
compact offline-disk-store | N/A | |
configure pdx | DATA:MANAGE | CLUSTER:MANAGE |
create async-event-queue | DATA:MANAGE | CLUSTER:MANAGE:DEPLOY AND CLUSTER:WRITE:DISK if persistent |
create defined indexes | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
create disk-store | DATA:MANAGE | CLUSTER:MANAGE:DISK |
create gateway-receiver | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
create gateway-sender | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
create region | DATA:MANAGE | DATA:MANAGE AND CLUSTER:WRITE:DISK if persistent |
destroy disk-store | DATA:MANAGE | CLUSTER:MANAGE:DISK |
destroy function | DATA:MANAGE | CLUSTER:MANAGE:DEPLOY |
destroy region | DATA:MANAGE | DATA:MANAGE |
disconnect | DATA:MANAGE | N/A |
DiskStoreMXBean.flush | DATA:MANAGE | CLUSTER:MANAGE:DISK |
DiskStoreMXBean.forceCompaction | DATA:MANAGE | CLUSTER:MANAGE:DISK |
DiskStoreMXBean.forceRoll | DATA:MANAGE | CLUSTER:MANAGE:DISK |
DiskStoreMXBean.setDiskUsageCriticalPercentage | DATA:MANAGE | CLUSTER:MANAGE:DISK |
DiskStoreMXBean.setDiskUsageWarningPercentage | DATA:MANAGE | CLUSTER:MANAGE:DISK |
DistributedSystemMXBean.revokeMissingDiskStores | DATA:MANAGE | CLUSTER:MANAGE:DISK |
DistributedSystemMXBean.setQueryCollectionsDepth | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
DistributedSystemMXBean.setQueryResultSetLimit | DATA:MANAGE | CLUSTER:MANAGE:QUERY |
echo | DATA:MANAGE | N/A |
encrypt password | DATA:MANAGE | N/A |
execute function | DATA:MANAGE | determined by the function API |
GatewayReceiverMXBean.pause | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewayReceiverMXBean.rebalance | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewayReceiverMXBean.resume | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewayReceiverMXBean.start | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewayReceiverMXBean.stop | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewaySenderMXBean.pause | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewaySenderMXBean.rebalance | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewaySenderMXBean.resume | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewaySenderMXBean.start | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
GatewaySenderMXBean.stop | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
import cluster-configuration | DATA:MANAGE | CLUSTER:MANAGE |
load-balance gateway-sender | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
LockServiceMXBean.becomeLockGrantor | DATA:MANAGE | CLUSTER:MANAGE |
MemberMXBean.compactAllDiskStores | DATA:MANAGE | CLUSTER:MANAGE:DISK |
pause gateway-sender | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
pdx rename | DATA:MANAGE | N/A |
rebalance | DATA:MANAGE | DATA:MANAGE |
resume gateway-sender | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
revoke missing-disk-store | DATA:MANAGE | CLUSTER:MANAGE:DISK |
start gateway-receiver | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
start gateway-sender | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
stop gateway-receiver | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
stop gateway-sender | DATA:MANAGE | CLUSTER:MANAGE:GATEWAY |
undeploy | DATA:MANAGE | CLUSTER:MANAGE:DEPLOY |
destroy index | DATA:MANAGE or DATA:MANAGE:RegionName | CLUSTER:MANAGE:QUERY |
deploy | DATA:MANAGE, DATA:WRITE, CLUSTER:MANAGE, and CLUSTER:WRITE | CLUSTER:MANAGE:DEPLOY |
alter region | DATA:MANAGE:RegionName | DATA:MANAGE:RegionName |
create index | DATA:MANAGE:RegionName | CLUSTER:MANAGE:QUERY |
define index | DATA:MANAGE:RegionName | CLUSTER:MANAGE:QUERY |
create lucene index | DATA:MANAGE:RegionName | CLUSTER:MANAGE:LUCENE |
describe lucene index | CLUSTER:READ | CLUSTER:READ:LUCENE |
destroy lucene index | DATA:MANAGE:RegionName | CLUSTER:MANAGE:LUCENE |
list lucene indexes | CLUSTER:READ | CLUSTER:READ:LUCENE |
search lucene | DATA:WRITE | DATA:READ:RegionName |
backup disk-store | DATA:READ | DATA:READ and CLUSTER:WRITE:DISK |
CacheServerMXBean.executeContinuousQuery | DATA:READ | DATA:READ |
DistributedSystemMXBean.backupAllMembers | DATA:READ | DATA:READ and CLUSTER:WRITE:DISK |
DistributedSystemMXBean.queryData | DATA:READ | DATA:READ |
DistributedSystemMXBean.queryDataForCompressedResult | DATA:READ | DATA:READ |
list regions | DATA:READ | CLUSTER:READ |
query | DATA:READ | DATA:READ:RegionName |
Region.getAll | DATA:READ:RegionName | DATA:READ:RegionName |
Region.getEntry | DATA:READ:RegionName | DATA:READ:RegionName |
Region.keySet | DATA:READ:RegionName | DATA:READ:RegionName |
Region.query | DATA:READ:RegionName | DATA:READ:RegionName |
Region.registerInterest(regex) | DATA:READ:RegionName | DATA:READ:RegionName |
Region.unregisterInterest(regex) | DATA:READ:RegionName | DATA:READ:RegionName |
get --key=key1 --region=region1 | DATA:READ:RegionName:Key | DATA:READ:RegionName:Key |
locate entry | DATA:READ:RegionName:Key | DATA:READ:RegionName:Key |
Region.containsKeyOnServer(key) | DATA:READ:RegionName:Key | DATA:READ:RegionName:Key |
Region.get(key) | DATA:READ:RegionName:Key | DATA:READ:RegionName:Key |
Region.getAll with a list of keys | DATA:READ:RegionName:Key | DATA:READ:RegionName:Key |
Region.registerInterest(key) | DATA:READ:RegionName:Key | DATA:READ:RegionName:Key |
Region.unregisterInterest(key) | DATA:READ:RegionName:Key | DATA:READ:RegionName:Key |
execute function | DATA:WRITE | determined by the function API |
clear region | DATA:WRITE:RegionName | DATA:WRITE:RegionName |
import data | DATA:WRITE:RegionName | DATA:WRITE:RegionName |
Region.clear | DATA:WRITE:RegionName | DATA:WRITE:RegionName |
Region.putAll | DATA:WRITE:RegionName | DATA:WRITE:RegionName |
Region.removeAll | DATA:WRITE:RegionName | DATA:WRITE:RegionName |
remove | DATA:WRITE:RegionName or DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName or DATA:WRITE:RegionName:Key |
destroy key (DIFFERENT?) | DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName:Key |
invalidate key (DIFFERENT?) | DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName:Key |
put --key=key1 --region=region1 | DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName:Key |
Region.destroy(key) | DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName:Key |
Region.invalidate(key) | DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName:Key |
Region.put(key) | DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName:Key |
Region.replace | DATA:WRITE:RegionName:Key | DATA:WRITE:RegionName:Key |
CqQuery.execute | DATA:READ:regionName | CLUSTER:MANAGE:QUERY and DATA:READ:regionName |
CqQuery.executeWithInitialResult | DATA:READ:regionName | CLUSTER:MANAGE:QUERY and DATA:READ:regionName |
create jndi-binding | N/A | CLUSTER:MANAGE |
describe jndi-binding | N/A | CLUSTER:READ |
destroy jndi-binding | N/A | CLUSTER:MANAGE |
list jndi-binding | N/A | CLUSTER:READ |
Experimental gfsh Operations
Operations | Old Permission String | New Permission String |
---|---|---|
alter jdbc-connection | N/A | CLUSTER:MANAGE |
alter jdbc-mapping | N/A | CLUSTER:MANAGE |
create jdbc-connection | N/A | CLUSTER:MANAGE |
create jdbc-mapping | N/A | CLUSTER:MANAGE |
describe jdbc-connection | N/A | CLUSTER:MANAGE |
describe jdbc-mapping | N/A | CLUSTER:MANAGE |
destroy jdbc-connection | N/A | CLUSTER:MANAGE |
destroy jdbc-mapping | N/A | CLUSTER:MANAGE |
list jdbc-connections | N/A | CLUSTER:MANAGE |
list jdbc-mappings | N/A | CLUSTER:MANAGE |