Security Overview
For both Service Grid and Kubernetes Orchestration, Security is made up of Authentication and Authorization. Security provides comprehensive support for securing your data and services.
Authentication
Authentication is the process of establishing and confirming the authenticity of a principal. A principal in GigaSpaces terms, means a user (human or software) performing an action in your application. A principal in data grid terms means a user (human or software) performing an action in your application. Data grid Security is equipped with standard encryption algorithms (such as AES and MD5), which can be easily configured and replaced. The authentication layer is provided with a default implementation, which can be customized to integrate with other security standards. This layer is also known as the authentication manager. You can integrated the authentication layer through Spring Security to use LDAP or Database authentication.
Authorization
Authorization refers to the process of deciding whether a principal is allowed to perform a certain action. The authorization decision layer is totally independent from the authentication layer. The authorization decision manager is internal to data grid components and is used to intercept unauthorized access/operations to data and services. This layer uses roles that are made up of authorities which contain a set of permissions.
Role-Based Security
Data grid's authorization implementation is based on roles. A role is comprised of a collection of authorities where an authority has a set of permissions.
There are four categories of user authorities; System, Grid, Space and Monitoring.
There are two categories of user authorities: System for the entire system or Resource level (for example different authorities for the same user for different Spaces).
Authorities are related to monitoring, managing and performing operations on the various resources. Some authorities can be defined only in system level, and some can be configured per resource. If they are configured per resources, the permissions can only be added to the relevant system authority. For example, if the system authority allows read operations for a user, a read cannot be restricted on a specific space for this user, but write can be added for that space.
System Authority
The System Authority defines the distinction between a user who is allowed to define roles and a user which is only allowed to assign user's to predefined roles. In general, one can have both management capabilities, but in some organizations this separation may be required.:
| Privilege | Description | Orchestration |
|---|---|---|
| Manage Roles | Define roles (a set of privileges assigned to a logical role name). | Service Grid, Kubernetes |
Space Authority
The Space Authority consists of privileges for operations on space data.
| Privilege | Description | Example V3 Driver | Orchestration |
|---|---|---|---|
| Write | Use to write or update operations. |
Insert into Employee (id, name) value (1, 'First'); |
Service Grid, Kubernetes |
| Create | Write only (not update). In order to create, use a WRITE_ONLY modifier with the write operation. |
Service Grid, Kubernetes |
|
| Read | Use to read, count and notify operations. |
select * from Employee; Read + Write: update Employee set name = 'new name'; Read + Take: delete from Employee; |
Service Grid, Kubernetes |
| Take | Delete from table. Use for take and clear operations. Take returns the objects that were deleted. Clear returns the number of objects deleted. |
Service Grid, Kubernetes |
|
| Alter | Register type descriptor, clean and drop class operations. |
CREATE TABLE Employee (id INT4, name VARCHAR (32), primary key (id)); DROP TABLE Employee; |
Service Grid, Kubernetes |
| Execute | Execute tasks. For more information refer to the task execution overview page. |
Service Grid, Kubernetes |
Grid Authority
The Grid Authority consists of privileges for managing the Grid and its Services (cluster components).
| Privilege | Description | Orchestration |
|---|---|---|
| Provision PU | Deploy, undeploy of processing units. | Service Grid |
| Manage PU | Scale up/down, relocate, restart PU instance, destroy PU instance. | Service Grid |
| Manage Grid | Start, terminate, restart of all cluster components. | Service Grid |
Monitoring Authority
The Monitor Authority consists of privileges for monitoring the Grid and its Processing Units. Note that the monitoring is secured only by the "tooling' (CLI/UI).
| Privilege | Description | Orchestration |
|---|---|---|
| Monitor JVM | Monitoring of JVM statistics. Capable of generating a dump of JVM. | Service Grid, Kubernetes |
| Monitor PU | Monitoring of PUs (classes, connections, statistics, etc.). | Service Grid, Kubernetes |
For more information about role-based security for XAP on Service Grid, refer to the Authorities and Privileges for XAP Service Grid page in the Security section of the Administration guide.
