Securing the Grid Services
Data grid security is enabled by setting the
gs.security.enabled system property.
Append the property to
setenv-overides script. The following example sets the property along with other optional security parameters.
-Dcom.gs.security.enabled=true -Dcom.gs.security.userid=xxx -Dcom.gs.security.password=yyy -Dcom.gigaspaces.webui.username.mandatory=true
This property affects the GSA, GSM, and GSC.
The Grid Service Agent (GSA) acts as a process manager that can spawn and manage Service Grid processes (GSM, GSC, etc.). When the GSA is secured, a spawned GSM/GSC will also be secured. To start, kill, or restart a process you need Manage Grid privileges.
The Grid Service Manager (GSM) is responsible for managing Processing Units and Grid Service Containers. The GSM accepts deployment and un-deployment requests of Processing Units, and provisions them to GSCs. To deployand un-deploy you need Provision PU privileges.
A secured GSM can only connect to another secured GSM. This means that a Processing Unit managed by a secured GSM can be recoverable upon failover only by another secured GSM.
The XAP Manager is a component that stacks together the LUS and GSM along with Apache ZooKeeper and GigaSpaces's REST Manager API. The privileges of the GSM are the same as if it were standalone. For each REST operation, we list the required privilege in the yaml file, also viewable in the Swagger tool (see the REST Manager API topic). For example, starting a container would require Manage Grid privileges. Deploying a Space or a Processing Unit would require Provision PU privileges. For more information about using the REST Manager APU with security, refer to REST Manager API - Security.
When an Elastic Processing Unit is deployed, the GSM performs the initial provisioning and the ESM monitors it to ensure the elastic requirements are met. This means that when the service grid is secured, the ESM requires credentials with Manage PU and Manage Grid permissions to monitor and manage the elastic processing units. This is done using the
com.gs.esm.password system properties.
A Grid Service Container (GSC) is a container that hosts deployed Processing Unit Instances, and reports its status to the GSM. In general, operations on the GSC are routed to the managing GSM of the processing unit. To scale up/down, relocate, restart PU instance, destroy PU instance you need Manage PU privileges.
A secured GSC can only connect to a secured GSM. This means that a Processing Unit managed by a secured GSM can only be provisioned to a secured GSC.
Security of a GSC does not enforce any security on the deployed Processing Unit. i.e., a secured GSC can contain a Processing unit with a non-secured Space, and a non-secured GSC can contain a Processing Unit with a secured Space.