XAP

Security Overview

For both Service GridClosed A built-in orchestration tool which contains a set of Grid Service Containers (GSCs) managed by a Grid Service Manager. The containers host various deployments of Processing Units and data grids. Each container can be run on a separate physical machine. This orchestration is available for XAP only. and KubernetesClosed An open-source container orchestration system for automating software deployment, scaling, and management of containerized applications. OrchestrationClosed This is the automated configuration, management, and coordination of computer systems, applications, and services. Orchestration strings together multiple tasks in order to execute and easily manage a larger workflow or process. These processes can consist of multiple complex tasks that are automated and can involve multiple systems. Kubernetes, used by GigaSpaces, is a popular open source platform for container orchestration., Security is made up of Authentication and Authorization. Security provides comprehensive support for securing your data and services.

Authentication

Authentication is the process of establishing and confirming the authenticity of a principal. A principal in GigaSpaces terms, means a user (human or software) performing an action in your application. A principal in data grid terms means a user (human or software) performing an action in your application. Data grid Security is equipped with standard encryption algorithms (such as AES and MD5), which can be easily configured and replaced. The authentication layer is provided with a default implementation, which can be customized to integrate with other security standards. This layer is also known as the authentication manager. You can integrated the authentication layer through Spring Security to use LDAPClosed Lightweight Directory Access Protocol. An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. or Database authentication.

Authorization

Authorization refers to the process of deciding whether a principal is allowed to perform a certain action. The authorization decision layer is totally independent from the authentication layer. The authorization decision manager is internal to data grid components and is used to intercept unauthorized access/operations to data and services. This layer uses roles that are made up of authorities which contain a set of permissions.

Role-Based Security

Data grid's authorization implementation is based on roles. A role is comprised of a collection of authorities where an authority has a set of permissions.

There are four categories of user authorities; System, Grid, SpaceClosed Where GigaSpaces data is stored. It is the logical cache that holds data objects in memory and might also hold them in layered in tiering. Data is hosted from multiple SoRs, consolidated as a unified data model. and Monitoring.

There are two categories of user authorities: System for the entire system or Resource level (for example different authorities for the same user for different Spaces).

Authorities are related to monitoring, managing and performing operations on the various resources. Some authorities can be defined only in system level, and some can be configured per resource. If they are configured per resources, the permissions can only be added to the relevant system authority. For example, if the system authority allows read operations for a user, a read cannot be restricted on a specific space for this user, but write can be added for that space.

System Authority

The System Authority defines the distinction between a user who is allowed to define roles and a user which is only allowed to assign user's to predefined roles. In general, one can have both management capabilities, but in some organizations this separation may be required.:

Privilege Description Orchestration
Manage Roles Define roles (a set of privileges assigned to a logical role name). Service Grid, Kubernetes

Space Authority

The Space Authority consists of privileges for operations on space data.

Privilege Description Example V3 Driver Orchestration
Write Use to write or update operations.

Insert into Employee (id, name) value (1, 'First');

Service Grid,

Kubernetes

Create Write only (not update). In order to create, use a WRITE_ONLY modifier with the write operation.  

Service Grid,

Kubernetes

Read Use to read, count and notify operations.

select * from Employee;

Read + Write: update Employee set name = 'new name';

Read + Take: delete from Employee;

Service Grid,

Kubernetes

Take Delete from table. Use for take and clear operations. Take returns the objects that were deleted. Clear returns the number of objects deleted.  

Service Grid,

Kubernetes

Alter Register type descriptor, clean and drop class operations.

CREATE TABLE Employee (id INT4, name VARCHAR (32), primary key (id));

DROP TABLE Employee;

Service Grid,

Kubernetes

Execute Execute tasks. For more information refer to the task execution overview page.  

Service Grid,

Kubernetes

Grid Authority

The Grid Authority consists of privileges for managing the Grid and its Services (cluster components).

Privilege Description Orchestration
Provision PUClosed This is the unit of packaging and deployment in the GigaSpaces Data Grid, and is essentially the main GigaSpaces service. The Processing Unit (PU) itself is typically deployed onto the Service Grid. When a Processing Unit is deployed, a Processing Unit instance is the actual runtime entity. Deploy, undeploy of processing unitsClosed This is the unit of packaging and deployment in the GigaSpaces Data Grid, and is essentially the main GigaSpaces service. The Processing Unit (PU) itself is typically deployed onto the Service Grid. When a Processing Unit is deployed, a Processing Unit instance is the actual runtime entity.. Service Grid
Manage PU Scale up/down, relocate, restart PU instance, destroy PU instance. Service Grid
Manage Grid Start, terminate, restart of all cluster components. Service Grid

Monitoring Authority

The Monitor Authority consists of privileges for monitoring the Grid and its Processing Units. Note that the monitoring is secured only by the "tooling' (CLI/UI).

Privilege Description Orchestration
Monitor JVMClosed Java Virtual Machine. A virtual machine that enables a computer to run Java programs as well as programs written in other languages that are also compiled to Java bytecode. Monitoring of JVM statistics. Capable of generating a dump of JVM. Service Grid, Kubernetes
Monitor PU Monitoring of PUs (classes, connections, statistics, etc.). Service Grid, Kubernetes

For more information about role-based security for XAPClosed GigaSpaces eXtreme Application Platform. Provides a powerful solution for data processing, launching, and running digital services on Service Grid, refer to the Authorities and Privileges for XAP Service Grid page in the Security section of the Administration guide.