New Security Framework in Apache Geode

PivotalOpenSourceHub
PivotalOpenSourceHub
Geode Security Before and After
Apache Geode Apache Geode is a data management platform. It provides you tools to manage your cluster and your data: Cluster management: start/stop locator/server, shutdown, alter runtime… Cluster read/write: describe member, config, regions, alter log level... Data management: create/destroy region, indexes, disk stores, create functions... Data read/write: put/get data entries, querying…. Various ways for you to interact with your cluster/data: Java client, native client
Geode Security Authentication Resolve identity, represented as a principal Authorization Resolve roles and permissions Post Processing Resolve final value presented back to user
Geode Security - Before Java Client JMX Client Gfsh Pulse Locator Server Server Server Native Client Credentials(TCP) Peer Auth RESTful Client Client-Auth Not Secured (HTTP) Client-Accessor Properties needed: Security-peer-auth-init Security-peer-authenticator Security-client-auth-init Security-client-authenticator Security-client-accessor Jmx-manager-password-file jmx-manager-access-file
Security Manager Security Manager Security Manager Geode Security - 1.0 Java Client JMX Client Gfsh Pulse Locator Server Server Native Client Credentials(TCP) RESTful Client Properties needed: security-manager
SecurityManager Implement a single interface to secure your Geode cluster. public class SimpleSecurityManager implements SecurityManager { @Override public void init(Properties securityProps) {} // authenticated if username matches password public Object authenticate(Properties credentials) throws AuthenticationFailedException { String username = credentials.getProperty("security-username"); String password = credentials.getProperty("security-password"); If (username!=null && username.equals(password)) { return username; } throw new AuthenticationFailedException("invalid username/password"); } // authorized if username is the beginning part of the permission string public boolean authorize(Object principal, ResourcePermission permission) { String permissionString = permission.toString().replace(":","").toLowerCase(); String principle = principal.toString().toLowerCase(); return permissionString.startsWith(principle); } @Override public void close() {} }
Defined by your implementation of SecurityManager authorize(principal, permission) Defined by Geode Security Users, Permissions and Operations Permission Permission Permission Permission Permission Operation Operation Operation Operation Operation Operation Operation Operation Operation has requires
ResourcePermission It’s the key to unify authorization across different communication channels. It contains at most 4 parts: Resource: DATA, CLUSTER Operation: READ, WRITE, MANAGE Region (only for data): region name Key (only for data): key value Each operation, no matter where it originates, has a corresponding ResourcePermission: Start server: CLUSTER:MANAGE
Roles ● Your SecurityManager needs to define User ->Permission mapping. ● By definition, there would be 2 x 3 x #of regions x #of keys permission permutations. Can’t possibly grant them individually. ● ResourcePermission(resource:operation:region:key) has this implication system built in: ○ A --> A:B --> A:B:C --> A:B:C:D ○ E.g. data -> data:manage -> data:manage:regionA -> data:manage:regionA:key1 ○ * means “all”, and can be put in any of the four parts. ● It’s easier to assign roles to the user and have roles implies specific
Post Processor An add-on feature to authentication/authorization Any region data returned back to clients as a result of user operation will pass through this post processor first Any form of getting region value in the client, gfsh command or rest service Query results, continued query results. Data in the registered interest events Configured by security-post-processor property Method to be implemented (showing SamplePostProcessor): public Object processRegionValue(Object principal, String regionName, Object key, Object value) {
Demo
Geode How it’s Done Shiro Security Engine Custom Realm SecurityManager Client PeerJMX Rest Pulse Credentials In the authenticators: 1. Authenticate credentials. 2. Puts the logged-in subject in the current executing thread. Anywhere In Geode: 1. Get the subject out of the executing thread. 2. Check the required permission
Apache Shiro Apache Shiro is a Java security framework that performs authentication, authorization, cryptography, and session management. Easy to Use API Subject based, saved in ThreadLocal, you can retrieve it anywhere in your code. Single method call to authenticate/authorize currentUser.login(username, password) currentUser.checkPermission(permission) Powerful: Pluggable data source, called Realms to manage your users.
GEODE Security In Geode’s Future Shiro Security Engine LDAP Realm Custom Realm SecurityManager shiro.ini AD Realm JDBC Realm TextConfig Realm Client PeerJMX Rest Pulse Your own Realm
1 of 14

New Security Framework in Apache Geode

Download to read offline
Technology

Hear are the details of the new security framework for Apache Geode, based on Apache Shiro. Watch the video at: https://youtu.be/AhUPT3wfAMM

PivotalOpenSourceHub
PivotalOpenSourceHub

Recommended

Geode - Day 3Geode - Day 3
Geode - Day 3Swapnil Bawaskar
398 views17 slides
Making Storage Systems Accessible via Globus (GlobusWorld Tour West)Making Storage Systems Accessible via Globus (GlobusWorld Tour West)
Making Storage Systems Accessible via Globus (GlobusWorld Tour West)Globus
128 views31 slides
Best Practices for Data Sharing (GlobusWorld Tour - UCSD)Best Practices for Data Sharing (GlobusWorld Tour - UCSD)
Best Practices for Data Sharing (GlobusWorld Tour - UCSD)Globus
65 views17 slides
Globus Endpoint Setup and Configuration - XSEDE14 TutorialGlobus Endpoint Setup and Configuration - XSEDE14 Tutorial
Globus Endpoint Setup and Configuration - XSEDE14 TutorialGlobus
1.2K views33 slides
Tutorial: Managing Protected Data with Globus Connect Server v5Tutorial: Managing Protected Data with Globus Connect Server v5
Tutorial: Managing Protected Data with Globus Connect Server v5Globus
367 views40 slides
GlobusWorld 2021 Tutorial: The Globus CLI, Platform and SDKGlobusWorld 2021 Tutorial: The Globus CLI, Platform and SDK
GlobusWorld 2021 Tutorial: The Globus CLI, Platform and SDKGlobus
176 views32 slides

More Related Content

What's hot

What's hot(20)

Globus Command Line Interface (APS Workshop)Globus Command Line Interface (APS Workshop)
Globus Command Line Interface (APS Workshop)
Globus 100 views
Introduction to Globus for New Users (GlobusWorld Tour - UCSD)Introduction to Globus for New Users (GlobusWorld Tour - UCSD)
Introduction to Globus for New Users (GlobusWorld Tour - UCSD)
Globus 64 views
Broker otw.pptxBroker otw.pptx
Broker otw.pptx
Marcin Przepiórowski543 views
HandsOn ProxySQL Tutorial - PLSC18HandsOn ProxySQL Tutorial - PLSC18
HandsOn ProxySQL Tutorial - PLSC18
Derek Downey752 views
Globus for System Administrators (GlobusWorld Tour - UCSD)Globus for System Administrators (GlobusWorld Tour - UCSD)
Globus for System Administrators (GlobusWorld Tour - UCSD)
Globus 110 views
Percona live 2021 Practical Database Automation with Ansible Percona live 2021 Practical Database Automation with Ansible
Percona live 2021 Practical Database Automation with Ansible
Derek Downey43 views
Monitoring multiple ultra esb instances with u consoleMonitoring multiple ultra esb instances with u console
Monitoring multiple ultra esb instances with u console
ImeshLihinikaduarach171 views
인피니스팬 데이터그리드 플랫폼인피니스팬 데이터그리드 플랫폼
인피니스팬 데이터그리드 플랫폼
Jaehong Cheon1.1K views
Infinispan Data Grid PlatformInfinispan Data Grid Platform
Infinispan Data Grid Platform
jbugkorea2.8K views
Globus for System Administrators (GlobusWorld Tour - Columbia University)Globus for System Administrators (GlobusWorld Tour - Columbia University)
Globus for System Administrators (GlobusWorld Tour - Columbia University)
Globus 84 views
Docker pptDocker ppt
Docker ppt
Bhanuchander Udhayakumar342 views
LuSql: (Quickly and easily) Getting your data from your DBMS into LuceneLuSql: (Quickly and easily) Getting your data from your DBMS into Lucene
LuSql: (Quickly and easily) Getting your data from your DBMS into Lucene
eby2.3K views
Common schema my sql uc 2012Common schema my sql uc 2012
Common schema my sql uc 2012
Roland Bouman519 views
Status of Hadoop 0.23 Operations at YahooStatus of Hadoop 0.23 Operations at Yahoo
Status of Hadoop 0.23 Operations at Yahoo
DataWorks Summit793 views
MSSQL SERVERMSSQL SERVER
MSSQL SERVER
Dharmendrasingh41730 views
Infinispan and Enterprise Data GridInfinispan and Enterprise Data Grid
Infinispan and Enterprise Data Grid
JBug Italy4.7K views
High performance and high availability proxies for MySQLHigh performance and high availability proxies for MySQL
High performance and high availability proxies for MySQL
Mydbops1.7K views
FITC presents: Mobile & offline data synchronization in Angular JSFITC presents: Mobile & offline data synchronization in Angular JS
FITC presents: Mobile & offline data synchronization in Angular JS
FITC14.7K views
Introduction to Globus for System Administrators (GlobusWorld Tour - UMich)Introduction to Globus for System Administrators (GlobusWorld Tour - UMich)
Introduction to Globus for System Administrators (GlobusWorld Tour - UMich)
Globus 357 views
Active directory domain administration toolsActive directory domain administration tools
Active directory domain administration tools
Imran Khan570 views

Viewers also liked

Geode on DockerGeode on Docker
Geode on DockerApache Geode
2K views36 slides

Viewers also liked(8)

Similar to New Security Framework in Apache Geode

Hadoop securityHadoop security
Hadoop securityshrey mehrotra
1.6K views31 slides

Similar to New Security Framework in Apache Geode(20)

Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory Enumeration
Daniel López Jiménez1.4K views
Monitoring with Syslog and EventMachineMonitoring with Syslog and EventMachine
Monitoring with Syslog and EventMachine
Wooga2.9K views
Managing and Monitoring TeamPageManaging and Monitoring TeamPage
Managing and Monitoring TeamPage
Traction Software932 views
Hadoop securityHadoop security
Hadoop security
shrey mehrotra1.6K views
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System Server
Opersys inc.53.4K views
Scalable Socket Server by AryoScalable Socket Server by Aryo
Scalable Socket Server by Aryo
Agate Studio316 views
Oracle GoldenGate Microservices Overview ( with Demo )Oracle GoldenGate Microservices Overview ( with Demo )
Oracle GoldenGate Microservices Overview ( with Demo )
Mari Kupatadze3.9K views
cloud computing preservitycloud computing preservity
cloud computing preservity
chennuruvishnu4.8K views
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
Yossi Sassi37 views
Matt Jarvis - Unravelling Logs: Log Processing with Logstash and Riemann Matt Jarvis - Unravelling Logs: Log Processing with Logstash and Riemann
Matt Jarvis - Unravelling Logs: Log Processing with Logstash and Riemann
Danny Abukalam1.1K views
airflowpresentation1-180717183432.pptxairflowpresentation1-180717183432.pptx
airflowpresentation1-180717183432.pptx
VIJAYAPRABAP2 views
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise
MongoDB823 views
Swift profiling middleware and toolsSwift profiling middleware and tools
Swift profiling middleware and tools
zhang hua1.3K views
Getting data into RudderGetting data into Rudder
Getting data into Rudder
RUDDER969 views
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1
Jsonr4265 views
Distributed Computing on PostgreSQL | PGConf EU 2017 | Marco SlotDistributed Computing on PostgreSQL | PGConf EU 2017 | Marco Slot
Distributed Computing on PostgreSQL | PGConf EU 2017 | Marco Slot
Citus Data1.5K views
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
MongoDB197 views
airflow web UI and CLI.pptxairflow web UI and CLI.pptx
airflow web UI and CLI.pptx
VIJAYAPRABAP2 views
SuricataSuricata
Suricata
tex_morgan48K views
FP - Découverte de Play Framework ScalaFP - Découverte de Play Framework Scala
FP - Découverte de Play Framework Scala
Kévin Margueritte201 views

More from PivotalOpenSourceHub

More from PivotalOpenSourceHub(20)

Apache Geode Clubhouse - WAN-based ReplicationApache Geode Clubhouse - WAN-based Replication
Apache Geode Clubhouse - WAN-based Replication
PivotalOpenSourceHub738 views
#GeodeSummit: Easy Ways to Become a Contributor to Apache Geode#GeodeSummit: Easy Ways to Become a Contributor to Apache Geode
#GeodeSummit: Easy Ways to Become a Contributor to Apache Geode
PivotalOpenSourceHub3K views
#GeodeSummit Keynote: Creating the Future of Big Data Through 'The Apache Way"#GeodeSummit Keynote: Creating the Future of Big Data Through 'The Apache Way"
#GeodeSummit Keynote: Creating the Future of Big Data Through 'The Apache Way"
PivotalOpenSourceHub2.2K views
#GeodeSummit - Off-Heap Storage Current and Future Design#GeodeSummit - Off-Heap Storage Current and Future Design
#GeodeSummit - Off-Heap Storage Current and Future Design
PivotalOpenSourceHub2.6K views
#GeodeSummit - Redis to Geode Adaptor#GeodeSummit - Redis to Geode Adaptor
#GeodeSummit - Redis to Geode Adaptor
PivotalOpenSourceHub2.5K views
#GeodeSummit - Integration & Future Direction for Spring Cloud Data Flow & Geode#GeodeSummit - Integration & Future Direction for Spring Cloud Data Flow & Geode
#GeodeSummit - Integration & Future Direction for Spring Cloud Data Flow & Geode
PivotalOpenSourceHub2.2K views
#GeodeSummit - Spring Data GemFire API Current and Future#GeodeSummit - Spring Data GemFire API Current and Future
#GeodeSummit - Spring Data GemFire API Current and Future
PivotalOpenSourceHub2.2K views
#GeodeSummit - Modern manufacturing powered by Spring XD and Geode#GeodeSummit - Modern manufacturing powered by Spring XD and Geode
#GeodeSummit - Modern manufacturing powered by Spring XD and Geode
PivotalOpenSourceHub2.4K views
#GeodeSummit - Using Geode as Operational Data Services for Real Time Mobile ...#GeodeSummit - Using Geode as Operational Data Services for Real Time Mobile ...
#GeodeSummit - Using Geode as Operational Data Services for Real Time Mobile ...
PivotalOpenSourceHub2.2K views
#GeodeSummit - Large Scale Fraud Detection using GemFire Integrated with Gree...#GeodeSummit - Large Scale Fraud Detection using GemFire Integrated with Gree...
#GeodeSummit - Large Scale Fraud Detection using GemFire Integrated with Gree...
PivotalOpenSourceHub3K views
#GeodeSummit: Democratizing Fast Analytics with Ampool (Powered by Apache Geode)#GeodeSummit: Democratizing Fast Analytics with Ampool (Powered by Apache Geode)
#GeodeSummit: Democratizing Fast Analytics with Ampool (Powered by Apache Geode)
PivotalOpenSourceHub2.6K views
#GeodeSummit: Architecting Data-Driven, Smarter Cloud Native Apps with Real-T...#GeodeSummit: Architecting Data-Driven, Smarter Cloud Native Apps with Real-T...
#GeodeSummit: Architecting Data-Driven, Smarter Cloud Native Apps with Real-T...
PivotalOpenSourceHub2.6K views
#GeodeSummit - Apex & Geode: In-memory streaming, storage & analytics#GeodeSummit - Apex & Geode: In-memory streaming, storage & analytics
#GeodeSummit - Apex & Geode: In-memory streaming, storage & analytics
PivotalOpenSourceHub3K views
#GeodeSummit - Where Does Geode Fit in Modern System Architectures#GeodeSummit - Where Does Geode Fit in Modern System Architectures
#GeodeSummit - Where Does Geode Fit in Modern System Architectures
PivotalOpenSourceHub3.2K views
#GeodeSummit - Design Tradeoffs in Distributed Systems#GeodeSummit - Design Tradeoffs in Distributed Systems
#GeodeSummit - Design Tradeoffs in Distributed Systems
PivotalOpenSourceHub2.9K views
#GeodeSummit - Wall St. Derivative Risk Solutions Using Geode#GeodeSummit - Wall St. Derivative Risk Solutions Using Geode
#GeodeSummit - Wall St. Derivative Risk Solutions Using Geode
PivotalOpenSourceHub2.7K views
Building Apps with Distributed In-Memory Computing Using Apache GeodeBuilding Apps with Distributed In-Memory Computing Using Apache Geode
Building Apps with Distributed In-Memory Computing Using Apache Geode
PivotalOpenSourceHub1.2K views
GPORCA: Query Optimization as a ServiceGPORCA: Query Optimization as a Service
GPORCA: Query Optimization as a Service
PivotalOpenSourceHub1.1K views
Pivoting Spring XD to Spring Cloud Data Flow with Sabby AnandanPivoting Spring XD to Spring Cloud Data Flow with Sabby Anandan
Pivoting Spring XD to Spring Cloud Data Flow with Sabby Anandan
PivotalOpenSourceHub2.7K views
Apache Geode Offheap StorageApache Geode Offheap Storage
Apache Geode Offheap Storage
PivotalOpenSourceHub991 views

Recently uploaded

IDEAS Products 2023IDEAS Products 2023
IDEAS Products 2023Dirk Meier
40 views21 slides
AI Science AI Science
AI Science Melanie Swan
33 views71 slides

Recently uploaded(20)

IDEAS Products 2023IDEAS Products 2023
IDEAS Products 2023
Dirk Meier40 views
Navigating the Future: UiPath’s Latest Certifications UnveiledNavigating the Future: UiPath’s Latest Certifications Unveiled
Navigating the Future: UiPath’s Latest Certifications Unveiled
DianaGray1064 views
Utilizing FME as an API Test Framework Utilizing FME as an API Test Framework
Utilizing FME as an API Test Framework
Safe Software25 views
Ontology Repositories and Semantic Artefact Catalogues with the OntoPortal Te...Ontology Repositories and Semantic Artefact Catalogues with the OntoPortal Te...
Ontology Repositories and Semantic Artefact Catalogues with the OntoPortal Te...
INRAE (MISTEA) and University of Montpellier (LIRMM)52 views
Introduction to RPA and Document UnderstandingIntroduction to RPA and Document Understanding
Introduction to RPA and Document Understanding
DianaGray1052 views
AI Science AI Science
AI Science
Melanie Swan33 views
Orchestration, Automation and Virtualisation Maturity ModelOrchestration, Automation and Virtualisation Maturity Model
Orchestration, Automation and Virtualisation Maturity Model
CSUC - Consorci de Serveis Universitaris de Catalunya54 views
Platform Engineering: Manage your infrastructure using Kubernetes and CrossplanePlatform Engineering: Manage your infrastructure using Kubernetes and Crossplane
Platform Engineering: Manage your infrastructure using Kubernetes and Crossplane
Ahmed AbouZaid151 views
Getting Started With Managed Backup - 2023.pptxGetting Started With Managed Backup - 2023.pptx
Getting Started With Managed Backup - 2023.pptx
MSP36029 views
Save Time and Boost Productivity with No-Code Web AppsSave Time and Boost Productivity with No-Code Web Apps
Save Time and Boost Productivity with No-Code Web Apps
Safe Software248 views
Challenges in AI LLMs adoption in the EnterpriseChallenges in AI LLMs adoption in the Enterprise
Challenges in AI LLMs adoption in the Enterprise
George Bara41 views
Vers un écosystème unique en Wallonie pour l’innovation dans le secteur aéron...Vers un écosystème unique en Wallonie pour l’innovation dans le secteur aéron...
Vers un écosystème unique en Wallonie pour l’innovation dans le secteur aéron...
LIEGE CREATIVE27 views
Voxelized GICP for Fast and Accurate 3D Point Cloud Registration [ICRA2021]Voxelized GICP for Fast and Accurate 3D Point Cloud Registration [ICRA2021]
Voxelized GICP for Fast and Accurate 3D Point Cloud Registration [ICRA2021]
KenjiKoide194 views
Onewheel e-skateboard recallOnewheel e-skateboard recall
Onewheel e-skateboard recall
Bisnar Chase Personal Injury Attorneys23 views
GoTech_SustainableAI_DebmalyaBiswas.pdfGoTech_SustainableAI_DebmalyaBiswas.pdf
GoTech_SustainableAI_DebmalyaBiswas.pdf
Debmalya Biswas16 views
SQLSatOregon_kgorman_keynote_NIAIMLEC.pptxSQLSatOregon_kgorman_keynote_NIAIMLEC.pptx
SQLSatOregon_kgorman_keynote_NIAIMLEC.pptx
Kellyn Pot'Vin-Gorman38 views
Integrating GeoAI Models in FMEIntegrating GeoAI Models in FME
Integrating GeoAI Models in FME
Safe Software33 views
MIND Revenue Release Q3 2023MIND Revenue Release Q3 2023
MIND Revenue Release Q3 2023
MIND CTI126 views
PoC Azure AdministrationPoC Azure Administration
PoC Azure Administration
Olaf Reitmaier Veracierta69 views
Serverless at LifestageServerless at Lifestage
Serverless at Lifestage
BATbern16 views

New Security Framework in Apache Geode

  • 1. Geode Security Before and After
  • 2. Apache Geode Apache Geode is a data management platform. It provides you tools to manage your cluster and your data: Cluster management: start/stop locator/server, shutdown, alter runtime… Cluster read/write: describe member, config, regions, alter log level... Data management: create/destroy region, indexes, disk stores, create functions... Data read/write: put/get data entries, querying…. Various ways for you to interact with your cluster/data: Java client, native client
  • 3. Geode Security Authentication Resolve identity, represented as a principal Authorization Resolve roles and permissions Post Processing Resolve final value presented back to user
  • 4. Geode Security - Before Java Client JMX Client Gfsh Pulse Locator Server Server Server Native Client Credentials(TCP) Peer Auth RESTful Client Client-Auth Not Secured (HTTP) Client-Accessor Properties needed: Security-peer-auth-init Security-peer-authenticator Security-client-auth-init Security-client-authenticator Security-client-accessor Jmx-manager-password-file jmx-manager-access-file
  • 5. Security Manager Security Manager Security Manager Geode Security - 1.0 Java Client JMX Client Gfsh Pulse Locator Server Server Native Client Credentials(TCP) RESTful Client Properties needed: security-manager
  • 6. SecurityManager Implement a single interface to secure your Geode cluster. public class SimpleSecurityManager implements SecurityManager { @Override public void init(Properties securityProps) {} // authenticated if username matches password public Object authenticate(Properties credentials) throws AuthenticationFailedException { String username = credentials.getProperty("security-username"); String password = credentials.getProperty("security-password"); If (username!=null && username.equals(password)) { return username; } throw new AuthenticationFailedException("invalid username/password"); } // authorized if username is the beginning part of the permission string public boolean authorize(Object principal, ResourcePermission permission) { String permissionString = permission.toString().replace(":","").toLowerCase(); String principle = principal.toString().toLowerCase(); return permissionString.startsWith(principle); } @Override public void close() {} }
  • 7. Defined by your implementation of SecurityManager authorize(principal, permission) Defined by Geode Security Users, Permissions and Operations Permission Permission Permission Permission Permission Operation Operation Operation Operation Operation Operation Operation Operation Operation has requires
  • 8. ResourcePermission It’s the key to unify authorization across different communication channels. It contains at most 4 parts: Resource: DATA, CLUSTER Operation: READ, WRITE, MANAGE Region (only for data): region name Key (only for data): key value Each operation, no matter where it originates, has a corresponding ResourcePermission: Start server: CLUSTER:MANAGE
  • 9. Roles ● Your SecurityManager needs to define User ->Permission mapping. ● By definition, there would be 2 x 3 x #of regions x #of keys permission permutations. Can’t possibly grant them individually. ● ResourcePermission(resource:operation:region:key) has this implication system built in: ○ A --> A:B --> A:B:C --> A:B:C:D ○ E.g. data -> data:manage -> data:manage:regionA -> data:manage:regionA:key1 ○ * means “all”, and can be put in any of the four parts. ● It’s easier to assign roles to the user and have roles implies specific
  • 10. Post Processor An add-on feature to authentication/authorization Any region data returned back to clients as a result of user operation will pass through this post processor first Any form of getting region value in the client, gfsh command or rest service Query results, continued query results. Data in the registered interest events Configured by security-post-processor property Method to be implemented (showing SamplePostProcessor): public Object processRegionValue(Object principal, String regionName, Object key, Object value) {
  • 11. Demo
  • 12. Geode How it’s Done Shiro Security Engine Custom Realm SecurityManager Client PeerJMX Rest Pulse Credentials In the authenticators: 1. Authenticate credentials. 2. Puts the logged-in subject in the current executing thread. Anywhere In Geode: 1. Get the subject out of the executing thread. 2. Check the required permission
  • 13. Apache Shiro Apache Shiro is a Java security framework that performs authentication, authorization, cryptography, and session management. Easy to Use API Subject based, saved in ThreadLocal, you can retrieve it anywhere in your code. Single method call to authenticate/authorize currentUser.login(username, password) currentUser.checkPermission(permission) Powerful: Pluggable data source, called Realms to manage your users.
  • 14. GEODE Security In Geode’s Future Shiro Security Engine LDAP Realm Custom Realm SecurityManager shiro.ini AD Realm JDBC Realm TextConfig Realm Client PeerJMX Rest Pulse Your own Realm

Editor's Notes

  1. What is region, in memory, key value pair (Apache con)
  2. Just showing a typical Geode topology to illustrate the security framework (pre 9.0) Pulse’s underlying communication to Geode is still over JMX, so still secured by jmx-manager-* settings, but no restrictions on page views Each of those colored components is different implementation. Too much setup, too many implementations and un-unified implementation leads to data leak.
  3. Currently credentials are sent in as security-username and security-password for all interfaces. RESTful OAuth is after 1.0
  4. Authenticate method returns the principal used in the authorize method.
  5. Roles are used to group permissions for easier management
  6. This ResourcePermission is passed to your implementation of SecurityManager for authorization
  7. Note regionName or key could be null when the system is calling this method, because in some situations we can’t determine those values, like when we return a big resultset
  8. Start locator with security Login using wrong password Login using user Start server with locators (demo peer to peer authentication/authorization) (server 1 with sufficient privilage, server2 with insufficient privilage) Create region Put data Get data Demo permission is specific enough to allow granular control.
  9. Lesson learned Threading, annotations
  10. Geode’s ResourcePermission extends from Shiro’s WildCardPermission