Control which users have specific permissions to access the data grid in Liberty through a Java policy file.
About this task
Even if a client is authenticated, that might not be enough to protect data grid access. If you use the KeyStoreLoginAuthenticator property, you usually define only a few identities, and all of them might have full access to the grid; in that case, authorization might not be necessary. Alternatively, if LDAP authentication is used, the LDAP server might contain many identities that should not be granted access to grid data or operations.
Procedure
- Enable access control for the data grid.
Specify securityEnabled="true" in the ObjectGrid.xml file for the deployed data grid. Specify this setting for each grid that you define. After you configure this setting, no reads or writes are run on data grid entries except for identities that have been granted permissions in a policy file.
- Create a policy file.
See the following example policy file:
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
principal javax.security.auth.x500.X500Principal "CN=cashier,O=acme,OU=OGSample" {
permission com.ibm.websphere.objectgrid.security.MapPermission "accounting.*", "read";
};
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=OGSample" {
permission com.ibm.websphere.objectgrid.security.MapPermission "accounting.*", "all";
};
Policy files can grant various permissions, depending on the authorization of the user. For more information about how to create this file, see Java SE security tutorial - Step 5.
- Configure each container server to load this policy file.
You can complete this configuration by adding the following JVM argument to the jvm.options file in the wlp_installdir/usr/servers/<server_name> directory:
-Djava.security.policy=<policy file>
Tip: This policy file is also used to control administrative access to data grid servers. When you use this policy file to control administrative access, the policy file must contain MBeanPermission entries and must be loaded by catalog servers and container servers.
If you need to create a jvm.options file at the server configuration level, copy the version in the wlp_install_root/etc/jvm.options file.
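As an added illustration that is not part of the IBM documentation, the following Python script parses grant entries of the kind shown in the example policy above and reports whether a principal's MapPermission covers a given map name and action. It is an audit helper for reviewing a policy file before deployment; the actual decision at run time is made by the JVM policy implementation. The wildcard matching ("*" covers the rest of the name), the treatment of "all" as implying every action, and the exact-string comparison of the principal DN are assumptions of this script.

```python
import re

# Constructed sample: the two grant entries from the example policy file above.
SAMPLE_POLICY = '''
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
principal javax.security.auth.x500.X500Principal "CN=cashier,O=acme,OU=OGSample" {
permission com.ibm.websphere.objectgrid.security.MapPermission "accounting.*", "read";
};
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=OGSample" {
permission com.ibm.websphere.objectgrid.security.MapPermission "accounting.*", "all";
};
'''

GRANT_RE = re.compile(r'grant\s+(.*?)\{(.*?)\};', re.S)
PRINCIPAL_RE = re.compile(r'principal\s+(\S+)\s+"([^"]*)"')
PERM_RE = re.compile(r'permission\s+(\S+)\s+"([^"]*)"\s*,\s*"([^"]*)"\s*;')
MAP_PERMISSION = "com.ibm.websphere.objectgrid.security.MapPermission"


def parse_policy(text):
    """Return a list of (principal_dn, [(map_pattern, {actions})]) per grant block.

    Only MapPermission entries are kept; other permission classes are ignored.
    """
    entries = []
    for header, body in GRANT_RE.findall(text):
        principals = [dn for _cls, dn in PRINCIPAL_RE.findall(header)]
        perms = [(target, {a.strip() for a in actions.split(',')})
                 for cls, target, actions in PERM_RE.findall(body)
                 if cls == MAP_PERMISSION]
        for dn in principals:
            entries.append((dn, perms))
    return entries


def _map_matches(pattern, map_name):
    # Assumption: '*' in the target is a wildcard over the rest of the map name.
    regex = '^' + re.escape(pattern).replace(r'\*', '.*') + '$'
    return re.match(regex, map_name) is not None


def is_permitted(policy_text, principal_dn, map_name, action):
    """True if some grant for principal_dn covers map_name with action (or 'all')."""
    for dn, perms in parse_policy(policy_text):
        if dn != principal_dn:  # assumption: exact DN string comparison
            continue
        for pattern, actions in perms:
            if _map_matches(pattern, map_name) and (action in actions or 'all' in actions):
                return True
    return False
```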