XAP

Security Overview

For both Service GridClosed A built-in orchestration tool which contains a set of Grid Service Containers (GSCs) managed by a Grid Service Manager. The containers host various deployments of Processing Units and data grids. Each container can be run on a separate physical machine. This orchestration is available for XAP only. and KubernetesClosed An open-source container orchestration system for automating software deployment, scaling, and management of containerized applications. OrchestrationClosed This is the automated configuration, management, and coordination of computer systems, applications, and services. Orchestration strings together multiple tasks in order to execute and easily manage a larger workflow or process. These processes can consist of multiple complex tasks that are automated and can involve multiple systems. Kubernetes, used by GigaSpaces, is a popular open source platform for container orchestration., Security is made up of Authentication and Authorization. Security provides comprehensive support for securing your data and services.

Authentication

Authentication is the process of establishing and confirming the authenticity of a principal. A principal in GigaSpaces terms, means a user (human or software) performing an action in your application. A principal in data grid terms means a user (human or software) performing an action in your application. Data grid Security is equipped with standard encryption algorithms (such as AES and MD5), which can be easily configured and replaced. The authentication layer is provided with a default implementation, which can be customized to integrate with other security standards. This layer is also known as the authentication manager. You can integrated the authentication layer through Spring Security to use LDAPClosed Lightweight Directory Access Protocol. An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. or Database authentication.

Authorization

Authorization refers to the process of deciding whether a principal is allowed to perform a certain action. The authorization decision layer is totally independent from the authentication layer. The authorization decision manager is internal to data grid components and is used to intercept unauthorized access/operations to data and services. This layer uses roles that are made up of authorities which contain a set of permissions.

Role-Based Security

Data grid's authorization implementation is based on roles. A role is comprised of a collection of authorities where an authority has a set of permissions.

There are two categories of user authorities: System for the entire system or Resource level (for example different authorities for the same user for different Spaces).

Authorities are related to monitoring, managing and performing operations on the various resources. Some authorities can be defined only in system level, and some can be configured per resource. If they are configured per resources, the permissions can only be added to the relevant system authority. For example, if the system authority allows read operations for a user, a read cannot be restricted on a specific space for this user, but write can be added for that space.

Level Authorities
System

Monitor

Grid

System

Resources Spaces

Pipelines

Services

System Authority

The System Authority defines the distinction between a user who is allowed to define roles and a user which is only allowed to assign user's to predefined roles. In general, one can have both management capabilities, but in some organizations this separation may be required.:

Privilege Description Orchestration
Manage Roles Define roles (a set of privileges assigned to a logical role name). Service Grid, Kubernetes
Manage Identity Providers Allows users to create Identity Provider (IDPClosed An identity provider, or IDP, stores and manages users' digital identities. IDP and SSO can work together to authenticate users.) settings and to view the current as well as historical IDP settings. Kubernetes
Manage Root User Details Manages root user details. Kubernetes
Manager Service Accounts Service Account privilege that allows to configure different service account configurations, e.g. add/read/update/delete Kubernetes

Space Authority

The SpaceClosed Where GigaSpaces data is stored. It is the logical cache that holds data objects in memory and might also hold them in layered in tiering. Data is hosted from multiple SoRs, consolidated as a unified data model. Authority consists of privileges for operations on space data.

Privilege Description Example V3 Driver Orchestration
Write Use to write or update operations.

Insert into Employee (id, name) value (1, 'First');

Service Grid,

Kubernetes

Create Write only (not update). In order to create, use a WRITE_ONLY modifier with the write operation.  

Service Grid,

Kubernetes

Read Use to read, count and notify operations.

select * from Employee;

Read + Write: update Employee set name = 'new name';

Read + Take: delete from Employee;

Service Grid,

Kubernetes

Take Delete from table. Use for take and clear operations. Take returns the objects that were deleted. Clear returns the number of objects deleted.  

Service Grid,

Kubernetes

Alter Register type descriptor, clean and drop class operations.

CREATE TABLE Employee (id INT4, name VARCHAR (32), primary key (id));

DROP TABLE Employee;

Service Grid,

Kubernetes

Execute Execute tasks. For more information refer to the task execution overview page.  

Service Grid,

Kubernetes

Grid Authority

The Grid Authority consists of privileges for managing the Grid and its Services (cluster components).

Privilege Description Orchestration
Provision PUClosed This is the unit of packaging and deployment in the GigaSpaces Data Grid, and is essentially the main GigaSpaces service. The Processing Unit (PU) itself is typically deployed onto the Service Grid. When a Processing Unit is deployed, a Processing Unit instance is the actual runtime entity. Deploy, undeploy of processing unitsClosed This is the unit of packaging and deployment in the GigaSpaces Data Grid, and is essentially the main GigaSpaces service. The Processing Unit (PU) itself is typically deployed onto the Service Grid. When a Processing Unit is deployed, a Processing Unit instance is the actual runtime entity.. Service Grid
Manage PU Scale up/down, relocate, restart PU instance, destroy PU instance. Service Grid
Manage Grid Start, terminate, restart of all cluster components. Service Grid

Monitoring Authority

The Monitor Authority consists of privileges for monitoring the Grid and its Processing Units. Note that the monitoring is secured only by the "tooling' (CLI/UI).

Privilege Description Orchestration
Monitor JVMClosed Java Virtual Machine. A virtual machine that enables a computer to run Java programs as well as programs written in other languages that are also compiled to Java bytecode. Monitoring of JVM statistics. Capable of generating a dump of JVM. Service Grid, Kubernetes
Monitor PU Monitoring of PUs (classes, connections, statistics, etc.). Service Grid, Kubernetes

For more information about role-based security for XAPClosed GigaSpaces eXtreme Application Platform. Provides a powerful solution for data processing, launching, and running digital services on Service Grid, refer to the Authorities and Privileges for XAP Service Grid page in the Security section of the Administration guide.

Pipeline Authority

Privilege Description Orchestration
Create Allows the creation of a pipeline using a predefined data source. Smart DIH Kubernetes
Edit This is included as a mandatory extra for the Create privilege. It allows the management of data source tables when creating a pipeline. It can also be assigned independently in the case where it is required to enable table editing for the existing pipelines. Smart DIH Kubernetes
Start_Stop Allows the stopping or starting of any of the existing pipelines. Smart DIH Kubernetes
Delete Allows the deletion of any stopped pipelines. If a pipeline is in an active state it cannot be deleted unless it has first been stopped. Smart DIH Kubernetes

Low-Code Service Authority

Privilege Description Orchestration
Manage Service Deploy and undeploy of service operations. Smart DIH Kubernetes