Security Overview
For both Service Grid
A built-in orchestration tool which contains a set of Grid Service Containers (GSCs) managed by a Grid Service Manager. The containers host various deployments of Processing Units and data grids. Each container can be run on a separate physical machine. This orchestration is available for Smart Cache only. For Smart DIH, we recommend using our Kubernetes orchestration. and Kubernetes An open-source container orchestration system for automating software deployment, scaling, and management. Orchestration This is the automated configuration, management, and coordination of computer systems, applications, and services. Orchestration strings together multiple tasks in order to execute and easily manage a larger workflow or process. These processes can consist of multiple complex tasks that are automated and can involve multiple systems. Kubernetes, used by GigaSpaces, is a popular open source platform for container orchestration., Security is made up of Authentication and Authorization. Security provides comprehensive support for securing your data and services.
Authentication
Authentication is the process of establishing and confirming the authenticity of a principal. A principal in GigaSpaces terms, means a user (human or software) performing an action in your application. A principal in data grid terms means a user (human or software) performing an action in your application. Data grid Security is equipped with standard encryption algorithms (such as AES and MD5), which can be easily configured and replaced. The authentication layer is provided with a default implementation, which can be customized to integrate with other security standards. This layer is also known as the authentication manager. You can integrated the authentication layer through Spring Security to use LDAP Lightweight Directory Access Protocol.
An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. or Data Base authentication.
Authorization
Authorization refers to the process of deciding whether a principal is allowed to perform a certain action. The authorization decision layer is totally independent from the authentication layer. The authorization decision manager is internal to data grid components and is used to intercept unauthorized access/operations to data and services. This layer uses roles that are made up of authorities which contain a set of permissions.
Role-Based Security
Data grid's authorization implementation is based on roles. A role is comprised of a collection of authorities where an authority has a set of permissions.
There are two categories of user authorities: System for the entire system or Resource level (for example different authorities for the same user for different Spaces).
Authorities are related to monitoring, managing and performing operations on the various resources. Some authorities can be defined only in system level, and some can be configured per resource. If they are configured per resources, the permissions can only be added to the relevant system authority. For example, if the system authority allows read operations for a user, a read cannot be restricted on a specific space for this user, but write can be added for that space.
| Level | Authorities |
|---|---|
| System | |
| Resources | Spaces |
System Authority
The System Authority defines the distinction between a user who is allowed to define roles and a user which is only allowed to assign user's to predefined roles. In general, one can have both management capabilities, but in some organizations this separation may be required.:
| Privilege | Description | Orchestration |
|---|---|---|
| Manage Roles | Define roles (a set of privileges assigned to a logical role name). | Service Grid, Kubernetes |
| Manage Identity Providers | Allows users to create Identity Provider (IDP An identity provider, or IDP, stores and manages users' digital identities. IDP and SSO can work together to authenticate users.) settings and to view the current as well as historical IDP settings. |
Kubernetes |
| Manage Root User Details | Manages root user details. | Kubernetes |
Pipeline Authority
| Privilege | Description | Orchestration |
|---|---|---|
| Create | Allows the creation of a pipeline using a predefined data source. | Smart DIH Kubernetes |
| Edit | This is included as a mandatory extra for the Create privilege. It allows the management of data source tables when creating a pipeline. It can also be assigned independently in the case where it is required to enable table editing for the existing pipelines. | Smart DIH Digital Integration Hub.
An application architecture that decouples digital applications from the systems of record, and aggregates operational data into a low-latency data fabric. Kubernetes |
| Start_Stop | Allows the stopping or starting of any of the existing pipelines. | Smart DIH Kubernetes |
| Delete | Allows the deletion of any stopped pipelines. If a pipeline is in an active state it cannot be deleted unless it has first been stopped. | Smart DIH Kubernetes |
Service Authority
| Privilege | Description | Orchestration |
|---|---|---|
| Manage Service | Deploy and undeploy of service operations. | Smart DIH Kubernetes |
Space Authority
The Space Where GigaSpaces data is stored. It is the logical cache that holds data objects in memory and might also hold them in layered in tiering. Data is hosted from multiple SoRs, consolidated as a unified data model. Authority consists of privileges for operations on space data.
| Privilege | Description | Example V3 Driver | Orchestration |
|---|---|---|---|
| Write | Use to write or update operations. |
Insert into Employee (id, name) value (1, 'First'); |
Service Grid, Kubernetes |
| Create | Write only (not update). In order to create, use a WRITE_ONLY modifier with the write operation. |
Service Grid, Kubernetes |
|
| Read | Use to read, count and notify operations. |
select * from Employee; Read + Write: update Employee set name = 'new name'; Read + Take: delete from Employee; |
Service Grid, Kubernetes |
| Take | Delete from table. Use for take and clear operations. Take returns the objects that were deleted. Clear returns the number of objects deleted. |
Service Grid, Kubernetes |
|
| Alter | Register type descriptor, clean and drop class operations. |
CREATE TABLE Employee (id INT4, name VARCHAR (32), primary key (id)); DROP TABLE Employee; |
Service Grid, Kubernetes |
| Execute | Execute tasks. For more information refer to the task execution overview page. |
Service Grid, Kubernetes |
Grid Authority
The Grid Authority consists of privileges for managing the Grid and its Services (cluster components).
| Privilege | Description | Orchestration |
|---|---|---|
| Provision PU This is the unit of packaging and deployment in the GigaSpaces Data Grid, and is essentially the main GigaSpaces service. The Processing Unit (PU) itself is typically deployed onto the Service Grid. When a Processing Unit is deployed, a Processing Unit instance is the actual runtime entity. |
Deploy, undeploy of processing units This is the unit of packaging and deployment in the GigaSpaces Data Grid, and is essentially the main GigaSpaces service. The Processing Unit (PU) itself is typically deployed onto the Service Grid. When a Processing Unit is deployed, a Processing Unit instance is the actual runtime entity.. |
Service Grid |
| Manage PU | Scale up/down, relocate, restart PU instance, destroy PU instance. | Service Grid |
| Manage Grid | Start, terminate, restart of all cluster components. | Service Grid |
Monitoring Authority
The Monitor Authority consists of privileges for monitoring the Grid and its Processing Units. Note that the monitoring is secured only by the "tooling' (CLI/UI).
| Privilege | Description | Orchestration |
|---|---|---|
| Monitor JVM Java Virtual Machine. A virtual machine that enables a computer to run Java programs as well as programs written in other languages that are also compiled to Java bytecode. |
Monitoring of JVM statistics. Capable of generating a dump of JVM. | Service Grid, Kubernetes |
| Monitor PU | Monitoring of PUs (classes, connections, statistics, etc.). | Service Grid, Kubernetes |
For more information about role-based security for Smart Cache on Service Grid, refer to the Authorities and Privileges for Smart Cache Service Grid page in the Security section of the Administration guide.
Pipeline and Low-Code Authorities are relevant for Smart DIH only
Pipeline Authority
| Privilege | Description | Orchestration |
|---|---|---|
| Create | Allows the creation of a pipeline using a predefined data source. | Smart DIH Kubernetes |
| Edit | This is included as a mandatory extra for the Create privilege. It allows the management of data source tables when creating a pipeline. It can also be assigned independently in the case where it is required to enable table editing for the existing pipelines. | Smart DIH Kubernetes |
| Start_Stop | Allows the stopping or starting of any of the existing pipelines. | Smart DIH Kubernetes |
| Delete | Allows the deletion of any stopped pipelines. If a pipeline is in an active state it cannot be deleted unless it has first been stopped. | Smart DIH Kubernetes |
Low-Code Service Authority
| Privilege | Description | Orchestration |
|---|---|---|
| Manage Service | Deploy and undeploy of service operations. | Smart DIH Kubernetes |