Use the policy file to control which users have specific permissions to access
the data grid in the OSGi framework.
About this task
Even if a client is authenticated, authentication alone might not be enough
to protect data grid access. If you use the KeyStoreLoginAuthenticator
property, you usually define only a few identities, and all of those
identities might have full access to the grid. In that case, authorization
might not be necessary. Alternatively, if LDAP authentication is used,
the LDAP server might contain many identities that should not
be granted access to grid data or operations.
Procedure
- Enable access control for the data grid.
Specify securityEnabled="true" in the ObjectGrid.xml file for the deployed data grid.
Specify this setting for each
grid you define. After you configure this setting, no reads or writes
are run on data grid entries except for identities that have been
granted permissions in a policy file.
- Create a policy file.
Add the following lines
of code to the security policy file to give AllPermission to the
osgi.jar file for the deployed data grid.
grant codeBase "file:/opt/OSGI2/plugins/org.eclipse.osgi_3.7.1.R37x_v20110808-1106.jar" {
    permission java.security.AllPermission;
};
Specify this code for each grid you define. After
you configure this setting, no reads or writes are run on data grid
entries except for identities that have been specifically granted
permissions in a policy file. Policy files can grant various permissions,
depending on the authorization of the user. For more information
about how to create this file, see Java SE security tutorial - Step 5.
The policy file resembles the following example:
grant codeBase "file:${objectgrid.home}/-" {
    permission java.security.AllPermission;
};
grant principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=OGSample"
{
    permission javax.management.MBeanPermission "*", "getAttribute,setAttribute,invoke,queryNames,addNotificationListener,removeNotificationListener";
};
- Configure each container server to load this policy file.
You can complete this configuration by starting the container with
the following JVM argument:
-Djava.security.policy=<policy file>
Tip: This policy file is also used in controlling administrative
access to data grid servers. When you use this policy file to control
administrative access, the policy file must contain MBeanPermission
entries, and must be loaded by catalog servers and container servers.
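An added example, not part of the original documentation: a small Python audit of a policy file like the one shown above. It lists each grant entry and flags java.security.AllPermission when it is given to a principal or to all code instead of to a code base. The sample policy is constructed, the CN=cashier identity and the function names are hypothetical, and the parser assumes comments occupy whole lines.

```python
import re

# Constructed sample: the first two grants follow the policy file shown above;
# the last two are deliberately over-broad so the audit has something to flag.
SAMPLE_POLICY = '''
grant codeBase "file:${objectgrid.home}/-" {
    permission java.security.AllPermission;
};
grant principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=OGSample" {
    permission javax.management.MBeanPermission "*", "getAttribute,invoke,queryNames";
};
grant principal javax.security.auth.x500.X500Principal "CN=cashier,O=acme,OU=OGSample" {
    permission java.security.AllPermission;
};
grant {
    permission java.security.AllPermission;
};
'''

QUOTED = r'"[^"]*"'  # braces inside quotes (for example ${objectgrid.home}) are skipped
GRANT_RE = re.compile(r'\bgrant\b((?:%s|[^{"])*)\{((?:%s|[^}"])*)\}\s*;' % (QUOTED, QUOTED), re.I)
CODEBASE_RE = re.compile(r'\bcodeBase\s+"([^"]*)"', re.I)
PRINCIPAL_RE = re.compile(r'\bprincipal\s+(?:[\w.$*]+\s+)?"([^"]*)"', re.I)
PERMISSION_RE = re.compile(r'\bpermission\s+([\w.$]+)', re.I)

def parse_grants(policy_text):
    """Return one dict per grant entry: codeBase, principals, permission classes."""
    text = re.sub(r'(?m)^\s*//.*$', '', policy_text)  # drop whole-line comments
    grants = []
    for head, body in GRANT_RE.findall(text):
        cb = CODEBASE_RE.search(head)
        grants.append({'codeBase': cb.group(1) if cb else None,
                       'principals': PRINCIPAL_RE.findall(head),
                       'permissions': PERMISSION_RE.findall(body)})
    return grants

def audit(policy_text):
    """Flag AllPermission grants that are not limited to a code base."""
    findings = []
    for g in parse_grants(policy_text):
        if 'java.security.AllPermission' in g['permissions']:
            if g['principals']:
                findings.append(('principal-all', ', '.join(g['principals'])))
            elif g['codeBase'] is None:
                findings.append(('unscoped-all', 'all code'))
    return findings

if __name__ == '__main__':
    print(audit(SAMPLE_POLICY))
```

The output of parse_grants can also be compared against the list of identities that are meant to have grid or administrative access.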