Securing the Data Layer
Secured Space
A secured embedded Space Where GigaSpaces data is stored. It is the logical cache that holds data objects in memory and might also hold them in layered in tiering. Data is hosted from multiple SoRs, consolidated as a unified data model. protects access (to data), which is granted only to users with sufficient privileges. When a remote Space proxy connects to a secured Space, it must provide security credentials (usually the username and password, as explained in Custom Security regarding extensions).
<os-core:space-proxy id="space" space-name="space">
<os-core:security username="sa" password="adaw@##$" />
</os-core:space-proxy>
<bean id="space" class="org.openspaces.core.space.SpaceProxyFactoryBean">
<property name="name" value="space" />
<property name="securityConfig">
<bean class="org.openspaces.core.space.SecurityConfig">
<property name="username" value="sa" />
<property name="password" value="adaw@##$" />
</bean>
</property>
</bean>
SpaceProxyConfigurer spaceProxyConfigurer = new SpaceProxyConfigurer("space").credentials("sa", "adaw@##$");
GigaSpace gigaSpace = new GigaSpaceConfigurer(spaceProxyConfigurer).gigaSpace();
An embedded Space can be configured with internal services (Space filters, Notify/Polling containers, etc.), which must have privileges to operate on the embedded Space. These privileges are propagated by the security credentials provided when creating a Space.
<os-core:embedded-space id="space" space-name="space">
<os-core:security username="sa" password="adaw@##$" />
</os-core:embedded-space>
<bean id="space" class="org.openspaces.core.space.EmbeddedSpaceFactoryBean">
<property name="name" value="space" />
<property name="securityConfig">
<bean class="org.openspaces.core.space.SecurityConfig">
<property name="username" value="sa" />
<property name="password" value="adaw@##$" />
</bean>
</property>
</bean>
The security credentials can be either be supplied as a UserDetails
object, or in its simpler form of two Strings (username and password).
These are used to implicitly create a secured Space, with security privileges being propagated to internal services.
EmbeddedSpaceConfigurer urlSpaceConfigurer = new EmbeddedSpaceConfigurer("space").userDetails("user", "password");
GigaSpace gigaSpace = new GigaSpaceConfigurer(urlSpaceConfigurer).gigaSpace();
An embedded Space with no internal services can be simply configured as secured.
<os-core:embedded-space id="space" space-name="space">
<os-core:security secured="true" />
</os-core:embedded-space>
<bean id="space" class="org.openspaces.core.space.EmbeddedSpaceFactoryBean">
<property name="name" value="space" />
<property name="secured" value="true" />
</bean>
The secured
Space URL property indicates that the Space being created should be secured.
EmbeddedSpaceConfigurer urlSpaceConfigurer = new EmbeddedSpaceConfigurer("space?secured");
GigaSpace gigaSpace = new GigaSpaceConfigurer(urlSpaceConfigurer).gigaSpace();
The secured
URL property is also exposed as a convenient .secured(true)
method call.
EmbeddedSpaceConfigurer urlSpaceConfigurer = new EmbeddedSpaceConfigurer("space").secured(true);
GigaSpace gigaSpace = new GigaSpaceConfigurer(urlSpaceConfigurer).gigaSpace();
For security reasons, you may not want to expose the security credentials in your Processing Unit This is the unit of packaging and deployment in the GigaSpaces Data Grid, and is essentially the main GigaSpaces service. The Processing Unit (PU) itself is typically deployed onto the Service Grid. When a Processing Unit is deployed, a Processing Unit instance is the actual runtime entity. XML (pu This is the unit of packaging and deployment in the GigaSpaces Data Grid, and is essentially the main GigaSpaces service. The Processing Unit (PU) itself is typically deployed onto the Service Grid. When a Processing Unit is deployed, a Processing Unit instance is the actual runtime entity..xml
). These properties can be supplied as deploy-time properties (bean-level properties).
Processing Unit
A Processing Unit by itself is not secured. It inherits its security from the managing GSM Grid Service Manager. This is is a service grid component that manages a set of Grid Service Containers (GSCs). A GSM has an API for deploying/undeploying Processing Units. When a GSM is instructed to deploy a Processing Unit, it finds an appropriate, available GSC and tells that GSC to run an instance of that Processing Unit. It then continuously monitors that Processing Unit instance to verify that it is alive, and that the SLA is not breached. and GSC Grid Service Container. This provides an isolated runtime for one (or more) processing unit (PU) instance and exposes its state to the GSM.. These protect the Processing Unit from being restarted, relocated, destroyed, and undeployed.
A Processing Unit (for example, a feeder application) may access a secured Space using a remote Space proxy.
<os-core:space-proxy id="mySpace" space-name="mySpace">
<os-core:security username="sa" password="adaw@##$" />
</os-core:space-proxy>
The username
and password
can also be supplied using a pu.properties
file supplied during deployment. If these are supplied, they will be used to implicitly connect to a secured Space, returning an authenticated proxy for this user.
#pu.properties
security.username=user
security.password=password
security.username
and security.password
are constant property keys. If you want to set your own property placeholders, such as $\{mySpace.username\}
and $\{mySpace.password\}
, you must use plain XML configuration. These properties have to be injected at deploy time, by some property resolver.
<bean id="mySpace" class="org.openspaces.core.space.SpaceProxyFactoryBean">
<property name="name" value="mySpace" />
<property name="securityConfig">
<bean class="org.openspaces.core.space.SecurityConfig">
<property name="username" value="${myusername}" />
<property name="password" value="${mypassword}" />
</bean>
</property>
</bean>
Using the CLI deploy
command, embed the username and password matching the placeholders given in the pu.xml
:
> gs deploy -properties embed://myusername=testing;mypassword=1234 myPU.jar
Protecting User/Password
Leaving the username and password exposed (in pu.xml/pu.properties) isn't secure. A preferred implementation is to supply the credentials during deployment. The GigaSpaces Management Center, CLI, and Admin API administration tools provide comprehensive support for deploying a secured Processing Unit (refer to Accessing a Secured Service Grid).
Here is how the CLI deploy command would look like:
<bean id="mySpace" class="org.openspaces.core.space.SpaceProxyFactoryBean">
<property name="name" value="mySpace" />
</bean>
Using the CLI deploy
command, supply the username and password using -user
and -password
:
> gs deploy -secured -user testing -password 1234 myPU.jar
Property substitution is not supported for the nested os-core:security
element. If you don't want to add a Space property (and need to use property placeholders instead), you can pass the username and password as parameters:
<os-core:security credentials-provider="com.gigaspaces.security.directory.DefaultCredentialsProvider" />
<bean id="com.gigaspaces.security.directory.DefaultCredentialsProvider" class="com.gigaspaces.security.directory.DefaultCredentialsProvider">
<constructor-arg value="%{ims.username[default:%{SPACE_USERNAME}]}" />
<constructor-arg value="%{ims.password[default:%{SPACE_PASSWORD}]}" />
</bean>
Local Cache
The local cache Java version | .NET version is a read-only service on top of a remote Space. Thus, the local cache "creator" needs to have Read privileges. Security is enforced by the remote Space, and the proxy should be acquired by supplying the username and password.
SpaceProxyConfigurer spaceProxyConfigurer = new SpaceProxyConfigurer("space").credentials("user", "password");
GigaSpace remoteSpace = new GigaSpaceConfigurer(spaceProxyConfigurer).gigaSpace();
LocalCacheSpaceConfigurer configurer = new LocalCacheSpaceConfigurer(remoteSpace.getSpace()).updateMode(UpdateMode.PULL);
GigaSpace localCache = new GigaSpaceConfigurer(configurer.localCache()).gigaSpace();
<os-core:space-proxy id="remoteSpace" space-name="space" >
<os-core:security username="user" password="password"/>
</os-core:space-proxy>
<os-core:local-cache id="localCacheSpace" space="remoteSpace" update-mode="PULL"/>
<!--
OpenSpaces simplified Space API built on top of IJSpace/JavaSpace.
-->
<os-core:giga-space id="localCache" space="localCacheSpace"/>
Local View
SpaceProxyConfigurer spaceProxyConfigurer = new SpaceProxyConfigurer("space").credentials("user", "password");
GigaSpace remoteSpace = new GigaSpaceConfigurer(spaceProxyConfigurer).gigaSpace();
LocalViewSpaceConfigurer configurer = new LocalViewSpaceConfigurer(remoteSpace.getSpace())
.addView(new View(Trade.class, "quantity = 20"))
.addView(new View(Stock.class, "stockId => 10"));
GigaSpace localView = new GigaSpaceConfigurer(configurer.localView()).gigaSpace();
<os-core:space-proxy id="remoteSpace" space-name="space" >
<os-core:security username="user" password="password"/>
</os-core:space-proxy>
<os-core:local-view id="localViewSpace" space="space">
<os-core:view-query where="quantity = 20" class="...Trade"/>
<os-core:view-query where="stockId => 10" class="...Stock"/>
</os-core:local-view>
<!--
OpenSpaces simplified Space API built on top of IJSpace/JavaSpace.
-->
<os-core:giga-space id="localView" space="localViewSpace"/>
Space Filters
Space Filters Java version | .NET version are interceptors inside the GigaSpaces Space that allow implementation of user-defined logic based on Space events. Some filters need to perform operations on the embedded Space. If secured, the filter needs sufficient privileges for its operations.
The username and password supplied when creating a Space are used to implicitly create a secured Space. The security privileges of the specified user are propagated to the filter. If the user has Read privileges, then the filter can perform a space.read(..)
on its embedded Space.
Before-Authentication Operation
A filter can be registered for before-authentication
events. Before a client tries to authenticate, any filter with the before-authentication
operation-code is invoked. The SpaceContext
supplied as part of the call holds a SecurityContext
that has the UserDetails
object.
The following Spring configuration registers this filter for before-authentication
(6) operation:
<bean id="simpleISpaceFilter" class="eg.SimpleISpaceFilter" />
<os-core:embedded-space id="space" space-name="space">
<os-core:security secured="true"/>
<os-core:space-filter>
<os-core:filter ref="simpleISpaceFilter" />
<os-core:operation code="6" />
...
</os-core:space-filter>
</os-core:embedded-space>
An example of a simple POJO Plain Old Java Object. A regular Java object with no special restrictions other than those forced by the Java Language Specification and does not require any classpath. filter using annotations:
<bean id="simpleFilter" class="eg.SimpleFilter" />
<os-core:embedded-space id="space" space-name="space">
<os-core:security secured="true"/>
<os-core:annotation-adapter-filter priority="1">
<os-core:filter ref="simpleFilter" />
</os-core:annotation-adapter-filter>
</os-core:embedded-space>
The annotated method must have SpaceContext
as a parameter.
//Delegate Filter
public class SimpleFilter {
@BeforeAuthentication
public void beforeAuthenticationMethod(SpaceContext context) {
SecurityContext securityContext = context.getSecurityContext();
UserDetails user = securityContext.getUserDetails();
AuditDetails audit = securityContext.getAuditDetails();
System.out.println("user: " + user.getUsername() + " connecting from host: " + audit.getHost());
}
...
}
The following Spring configuration XML shows how the filter can be configured using explicit method listings (in this case, annotations are not required).
Note the before-authentication
method adapter.
<bean id="simpleFilter" class="eg.SimpleFilter" />
<os-core:embedded-space id="space" space-name="space">
<os-core:security secured="true"/>
<os-core:method-adapter-filter before-authentication="beforeAuthenticationMethod">
<os-core:filter ref="simpleFilter"/>
</os-core:method-adapter-filter>
</os-core:embedded-space>
Implicitly create a secured Space, with security privileges that are propagated to the filter. These privileges should be sufficient for operations being performed by the filter on the embedded Space.
<!-- pu.xml -->
<bean id="simpleFilter" class="eg.SimpleFilter" />
<os-core:embedded-space id="space" space-name="space">
<os-core:security username="user" password="password"/>
<os-core:method-adapter-filter filter-init="init"
before-write="beforeWrite">
<os-core:filter ref="simpleFilter"/>
</os-core:method-adapter-filter>
</os-core:embedded-space>
The filter acquires a GigaSpaces reference on filter initialization. Now the filter can perform operations on the embedded secured Space.
public class SimpleFilter {
GigaSpace gigaSpace;
@OnFilterInit
void init(IJSpace space) {
gigaSpace= new GigaSpaceConfigurer(space).gigaSpace();
}
@BeforeWrite
public void beforeWrite(Data data) {
int seq = gigaSpace.count(new Data()); //Needs "Read' privileges for "count' operation
data.setSeq( seq++);
data.setTimestamp( new Date());
}
}
Custom Access Control
Custom Access control using Space Filters allows for access decisions based on user/role/data relationships. The SpaceContext
filter invocation parameter holds the SecurityContext
of the current operation. This context provides you with UserDetails
, the Authentication
and AuditDetails
. Based on these, you can enforce custom access decisions (such as allow or disallow the operation).
The SpaceContext
may be null
when related to replication/recovery and filter operations, such as notify-trigger
. In these cases, there is no user context.
The filter can be declared just like any other filter, but note that the priority
plays a role in the order of filter execution. The default priority is zero.
<bean id="customAccessControlFilter" class="example.CustomAccessControlFilter" />
<os-core:embedded-space id="space" space-name="space">
<os-core:security secured="true"/>
<os-core:annotation-adapter-filter priority="0">
<os-core:filter ref="customAccessControlFilter" />
</os-core:annotation-adapter-filter>
</os-core:embedded-space>
Usage examples:
public class CustomAccessControlFilter {
...
@BeforeRead
public void beforeRead(Account account, int operationCode, SpaceContext context) {
SecurityContext securityContext = context.getSecurityContext();
UserDetails user = securityContext.getUserDetails();
/*
* only owner of an account can have access to his/her record data
*/
if (!user.getUsername().equals(account.getOwner())) {
throw new AccessDeniedException("you are not the account owner!");
}
}
...
}
public class CustomAccessControlFilter {
...
@BeforeWrite
public void beforeWrite(Account account, int operationCode, SpaceContext context) {
SecurityContext securityContext = context.getSecurityContext();
GrantedAuthorities authorities = securityContext.getAuthentication().getGrantedAuthorities();
/*
* "accountants" can only create an account with an initial balance of $500
*/
if (authorities.isUserInRole("accountants") && account.getBalance() > 500) {
throw new AccessDeniedException("don't be greedy!");
}
}
...
}
Task Execution over the Space
Tasks Java version | .NET version can be executed in a co-located, asynchronous manner within the Space (Processing Unit with an embedded Space). To execute a task, you must have Execute privileges. Execution can be restricted to certain tasks by applying "Class-Filter'. There is no need to define specific privileges for operations being performed by the task on the Space.
The following is a simple implementation of a task that performs a "count' operation on the Space.
private static final class MyTask implements Task<Integer> {
@TaskGigaSpace
transient GigaSpace gigaSpace;
public Integer execute() throws Exception {
return gigaSpace.count(null,null);
};
}
While executed tasks are effective when co-located, you may require operations on the cluster.
GigaSpace clustered = gigaSpace.getClustered();
Space operations performed from within the task are guarded by a temporary trust available throughout the life-cycle of the task. If you are trying to enforce custom access control, the SecurityContext
must be extracted in a before-execute
filter call.
Executor-Based Remoting
Executor-based remoting Java version | .NET version allows you to use remote invocations of POJO services with the Space as the transport layer, using OpenSpaces Executors. To invoke a service method, you must have Execute privileges for class org.openspaces.remoting.ExecutorRemotingTask
.
Event-Driven Remoting
Event-driven remoting allows you to use remote invocations of POJO services with the Space as the transport layer, using a polling container on the Space side to process the invocations. Under the wires, event-driven remoting uses the Space write and take capabilities. As such, you must have Write and Take privileges (at both ends) for class org.openspaces.remoting.EventDrivenSpaceRemotingEntry
.
JDBC Driver
GigaSpaces allows applications to connect using a JDBC driver. A GigaSpaces JDBC Java DataBase Connectivity. This is an application programming interface (API) for the Java programming language, which defines how a client may access a database. driver accepts SQL statements, translates them into Space operations, and returns standard result sets. To acquire a connection to a remote secured Space, provide the credentials (username and password) as parameters to the connection.
Class.forName("com.j_spaces.jdbc.driver.GDriver").newInstance();
String url = "jdbc:gigaspaces:url:jini://*/*/space";
Connection conn = DriverManager.getConnection(url, "user", "password");
Statement st = conn.createStatement();
...
An alternative method for querying the Space using SQL syntax is the SQLQuery class, with a privileged GigaSpace proxy.
Accessing a Secured Space via GigaSpaces Tools
When accessing a query on a secured Space, the related proxy has three important properties: capacity, timeout and eviction. These properties and their default values are described in the System Properties topic.
These properties can be modified in the setenv-overrides.bat/sh
file. For example, to change the capacity to 100 proxies:
export GS_OPTIONS_EXT='-Dcom.gs.proxypool.capacity=100 -Dcom.gs.security.enabled=true -Dcom.gs.manager.rest REpresentational State Transfer. Application Programming Interface
An API, or application programming interface, is a set of rules that define how applications or devices can connect to and communicate with each other. A REST API is an API that conforms to the design principles of the REST, or representational state transfer architectural style..ssl.enabled=false'