| --- |
| title: Security Implementation Introduction and Overview |
| --- |
| |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| |
| ## Security Features |
| |
| Encryption, SSL secure communication, authentication, and authorization |
| features help to secure the cluster. |
| |
| Security features include: |
| |
| - **A single security interface for all components**. The single |
| authentication and authorization mechanism simplifies the security |
| implementation. |
| It views and interacts with all components in a consistent manner. |
| - **System-wide role-based access control**. |
| Roles regiment authorized operations requested by the various components. |
| - **SSL communication**. Allows configuration of connections to be |
| SSL-based, rather than plain socket connections. |
| You can enable SSL separately for peer-to-peer, client, JMX, gateway senders and receivers, and HTTP connections. |
| - **Post processing of region data**. Return values for operations that |
| return region values may be formatted. |
| |
| ## Overview |
| |
| An authentication and authorization mechanism forms the core of |
| the internal security of the cluster. |
| Communications may be further protected by enabling SSL for |
| data in transit. |
| |
| Authentication verifies the identity of communicating components, |
| leading to control over participation. |
| The variety of participants include peer members, servers, |
| clients, originators of JMX operations, Pulse, |
| gateway senders and receivers representing WAN members of the system, |
| and commands arriving from `gfsh` on behalf of system users |
| or administrators. |
| |
| Connection requests trigger the invocation of an authentication |
| callback. |
| This special-purpose callback is written as part of the application, |
| and it attempts to authenticate the requester by whatever |
| algorithm it chooses. |
| The result is either a returned principal representing the requester's |
| authenticated identity or an exception indicating that the requester |
| has not been authenticated. |
| The principal becomes part of any request for operations, |
| which go through the authorization process. |
| |
| |
| Given authentication, |
| isolation and access to cache data and system state can be further |
| protected by implementing the authorization mechanism, |
| also implemented as a special-purpose callback as part of the application. |
| For example, the protection may be to permit only certain system administrators |
| to start and stop servers. |
| The authority to do this needs to be limited to specific |
| verified accounts, preventing those without the authorization. |
| An implementation of the authorization callback will require |
| that an authenticate identity accompanies all requests to the system, |
| and that the system maintains a representation of which identities |
| are permitted to complete which actions or cache commands. |
| |