Apache Geode CHANGELOG

Enable Security with Property Definitions

security-manager Property

The authentication callback and the authorization callback that implement the SecurityManager interface are specified with the security-manager property. When this property is defined, authentication and authorization are enabled. The definition of the security-manager property is the fully qualified name of the class that implements the SecurityManager interface. For example:

security-manager = com.example.security.MySecurityManager

To ensure that the security-manager property is applied consistently across a cluster, follow these guidelines:

  • Specify the security-manager property in a properties file, such as gemfire.properties, not in a cluster configuration file (such as cluster.properties).
  • Specify the properties file when you start the first locator for the cluster. The locator will propagate the value to all members (locators and servers) that follow.
  • If you must specify the security-manager property for servers (neither necessary nor recommended) make sure its value is exactly identical to that specified for the first locator.

All components of the system invoke the same callbacks. Here are descriptions of the components and the connections that they make with the system.

  • A client connects with a server and makes operation requests of that server. The callbacks invoked are those defined by the SecurityManager interface for that server.
  • A server connects with a locator, invoking the authenticate callback defined for that locator.
  • Components communicating with a locator’s JMX manager connect and make operation requests of the locator. The callbacks invoked are those defined by the SecurityManager interface for that locator. Both gfsh and Pulse use this form of communication.
  • Applications communicating via the REST API make of a server invoke security callbacks upon connection and operation requests.
  • Requests that a gateway sender makes of a locator invoke security callbacks defined for that locator.

security-post-processor Property

The PostProcessor interface allows the definition of a set of callbacks that are invoked after operations that get data, but before the data is returned. This permits the callback to intervene and format the data that is to be returned. The callbacks do not modify the region data, only the data to be returned.

Enable the post processing of data by defining the security-post-processor property with the path to the definition of the interface. For example,

security-post-processor = com.example.security.MySecurityPostProcessing