Authorizing access to the data grid in the Liberty profile

Control which users have specific permissions to access the data grid in the Liberty through the policy file.

About this task

Even if a client is authenticated, that might not be enough to protect data grid access. If you use the KeyStoreLoginAuthenticator property, usually you define only a few identities, and all of the identities might have full access to the grid. In which case, authorization might not be necessary. Alternatively, if LDAP authentication is used, there might be many identities in the LDAP server that should not be granted access to grid data or operations.

Procedure

  1. Enable access control for the data grid.
    Specify securityEnabled=”true” in the ObjectGrid.xml file for the deployed data grid.

    Specify this setting for each grid you define. After you configure this setting, no reads or writes are run on data grid entries except for identities that have been granted permissions in a policy file.

  2. Create a policy file.
    See the following example policy file:
    grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal javax.security.auth.x500.X500Principal "CN=cashier,O=acme,OU=OGSample" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "accounting.*", "read";
};

grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=OGSample" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "accounting.*", "all";
};
    Policy files can grant various permissions, depending on the authorization of the user. For more information about how to create this file, see Java SE security tutorial - Step 5.
  3. Configure each container server to load this policy file.
    You can complete this configuration by adding the following JVM argument to the jvm.options file in the wlp_installdir/usr/servers/<server_name> directory:
    -Djava.security.policy=<policy file>
    Tip: This policy file is also used in controlling administrative access to data grid servers. When you use this policy file to control administrative access, the policy file must contain MBeanPermission entries, and must be loaded by catalog servers and container servers.

    If you need to create a jvm.options file at the server configuration level, you need to copy the version in the wlp_install_root/etc/jvm.options file.

What to do next

Authorizing access for administrative operations in the Liberty profile