XAP

Security Overview

For both Service Grid and Kubernetes Orchestration, Security is made up of Authentication and Authorization. Security provides comprehensive support for securing your data and services.

Authentication

Authentication is the process of establishing and confirming the authenticity of a principal. A principal in data grid terms means a user (human or software) performing an action in your application. Data grid Security is equipped with standard encryption algorithms (such as AES and MD5), which can be easily configured and replaced. The authentication layer is provided with a default implementation, which can be customized to integrate with other security standards. This layer is also known as the authentication manager. You can integrate the authentication layer through Spring Security to use LDAP or Database authentication.

Authorization

Authorization refers to the process of deciding whether a principal is allowed to perform a certain action. The authorization decision layer is totally independent from the authentication layer. The authorization decision manager is internal to data grid components and is used to intercept unauthorized access/operations to data and services. This layer uses roles that are made up of authorities which contain a set of permissions.

Role-Based Security

Data grid's authorization implementation is based on roles. A role is comprised of a collection of authorities where an authority has a set of permissions.

There are four categories of user authorities: System, Grid, Space and Monitoring.

User authorities are defined at one of two levels: System, for the entire system, or Resource (for example, different authorities for the same user on different Spaces).

Authorities relate to monitoring, managing and performing operations on the various resources. Some authorities can be defined only at system level, and some can be configured per resource. When authorities are configured per resource, permissions can only be added to those of the relevant system authority. For example, if the system authority allows read operations for a user, read cannot be restricted on a specific Space for this user, but write can be added for that Space.

System Authority

The System Authority distinguishes between a user who is allowed to define roles and a user who is only allowed to assign users to predefined roles. In general, one user can have both management capabilities, but some organizations may require this separation.

| Privilege | Description | Orchestration |
|---|---|---|
| Manage Roles | Define roles (a set of privileges assigned to a logical role name). | Service Grid, Kubernetes |

Space Authority

The Space Authority consists of privileges for operations on space data.

| Privilege | Description | Example V3 Driver | Orchestration |
|---|---|---|---|
| Write | Use to write or update operations. | Insert into Employee (id, name) values (1, 'First'); | Service Grid, Kubernetes |
| Create | Write only (not update). In order to create, use a WRITE_ONLY modifier with the write operation. | | Service Grid, Kubernetes |
| Read | Use to read, count and notify operations. | select * from Employee; Read + Write: update Employee set name = 'new name'; Read + Take: delete from Employee; | Service Grid, Kubernetes |
| Take | Delete from table. Use for take and clear operations. Take returns the objects that were deleted. Clear returns the number of objects deleted. | | Service Grid, Kubernetes |
| Alter | Register type descriptor, clean and drop class operations. | CREATE TABLE Employee (id INT4, name VARCHAR (32), primary key (id)); DROP TABLE Employee; | Service Grid, Kubernetes |
| Execute | Execute tasks. For more information refer to the task execution overview page. | | Service Grid, Kubernetes |
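The additive rule for resource-level permissions and the statement-to-privilege mapping in the table above can be checked with a small model. This is an added example, not GigaSpaces code: the `User` class, the privilege names as plain strings and the `hr` and `sales` Space names are assumptions made for illustration.

```python
import re

# Privileges each SQL statement kind needs, taken from the Space Authority
# table above (CREATE TABLE / DROP TABLE fall under Alter).
REQUIRED = {
    "insert": {"WRITE"},
    "select": {"READ"},
    "update": {"READ", "WRITE"},
    "delete": {"READ", "TAKE"},
    "create": {"ALTER"},
    "drop": {"ALTER"},
}

class User:
    """Hypothetical model: system-wide Space privileges plus per-Space additions."""

    def __init__(self, name, system=(), per_space=None):
        self.name = name
        self.system = frozenset(system)
        self.per_space = {s: frozenset(p) for s, p in (per_space or {}).items()}

    def effective(self, space):
        # Resource-level grants are additive: they can extend the system-level
        # set for one Space but can never subtract from it.
        return self.system | self.per_space.get(space, frozenset())

def required_privileges(sql):
    """Return the privilege set for a statement; fail closed on unknown ones."""
    match = re.match(r"\s*([A-Za-z]+)", sql)
    verb = match.group(1).lower() if match else ""
    if verb not in REQUIRED:
        raise ValueError(f"no privilege mapping for statement: {sql!r}")
    return REQUIRED[verb]

def check(user, space, sql):
    """Return (allowed, missing_privileges) for one statement on one Space."""
    missing = required_privileges(sql) - user.effective(space)
    return (not missing, sorted(missing))

# Constructed sample: read everywhere, write added only on the "hr" Space.
analyst = User("analyst", system={"READ"}, per_space={"hr": {"WRITE"}})
print(check(analyst, "hr", "update Employee set name = 'new name';"))
print(check(analyst, "sales", "update Employee set name = 'new name';"))
print(check(analyst, "hr", "delete from Employee;"))
```

The same check is useful when reviewing role definitions: a role meant to be read-only should fail every statement except `select`.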

Grid Authority

The Grid Authority consists of privileges for managing the Grid and its Services (cluster components).

| Privilege | Description | Orchestration |
|---|---|---|
| Provision PU | Deploy, undeploy of processing units. | Service Grid |
| Manage PU | Scale up/down, relocate, restart PU instance, destroy PU instance. | Service Grid |
| Manage Grid | Start, terminate, restart of all cluster components. | Service Grid |

Monitoring Authority

The Monitoring Authority consists of privileges for monitoring the Grid and its Processing Units. Note that monitoring is secured only by the "tooling" (CLI/UI).

| Privilege | Description | Orchestration |
|---|---|---|
| Monitor JVM | Monitoring of JVM statistics. Capable of generating a dump of JVM. | Service Grid, Kubernetes |
| Monitor PU | Monitoring of PUs (classes, connections, statistics, etc.). | Service Grid, Kubernetes |

For more information about role-based security for XAP on Service Grid, refer to the Authorities and Privileges for XAP Service Grid page in the Security section of the Administration guide.