You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@geode.apache.org by kl...@apache.org on 2017/08/01 21:03:36 UTC
[42/50] [abbrv] geode git commit: GEODE-3324 Document finer-grained
security permissions
GEODE-3324 Document finer-grained security permissions
This closes #667
Project: http://git-wip-us.apache.org/repos/asf/geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/geode/commit/6f4bf30e
Tree: http://git-wip-us.apache.org/repos/asf/geode/tree/6f4bf30e
Diff: http://git-wip-us.apache.org/repos/asf/geode/diff/6f4bf30e
Branch: refs/heads/feature/GEODE-3299
Commit: 6f4bf30e86ad03e230e74bb2416301d44216bc7c
Parents: ab0543b
Author: Karen Miller <km...@pivotal.io>
Authored: Fri Jul 28 15:59:55 2017 -0700
Committer: Karen Miller <km...@pivotal.io>
Committed: Mon Jul 31 17:07:14 2017 -0700
----------------------------------------------------------------------
.../implementing_authorization.html.md.erb | 125 +++++++++----------
1 file changed, 59 insertions(+), 66 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/geode/blob/6f4bf30e/geode-docs/managing/security/implementing_authorization.html.md.erb
----------------------------------------------------------------------
diff --git a/geode-docs/managing/security/implementing_authorization.html.md.erb b/geode-docs/managing/security/implementing_authorization.html.md.erb
index 9fb55d3..8f91825 100644
--- a/geode-docs/managing/security/implementing_authorization.html.md.erb
+++ b/geode-docs/managing/security/implementing_authorization.html.md.erb
@@ -93,16 +93,14 @@ a Client-Server interaction.
| Region.registerInterest(regex) | DATA:READ:RegionName |
| Region.unregisterInterest(key) | DATA:READ:RegionName:Key |
| Region.unregisterInterest(regex) | DATA:READ:RegionName |
-| execute function | DATA:WRITE |
+| execute function | determined by the function API |
| clear region | DATA:WRITE:RegionName |
| Region.putAll | DATA:WRITE:RegionName |
| Region.clear | DATA:WRITE:RegionName |
| Region.removeAll | DATA:WRITE:RegionName |
| Region.destroy(key) | DATA:WRITE:RegionName:Key |
| Region.invalidate(key) | DATA:WRITE:RegionName:Key |
-| invalidate key (DIFFERENT?) | DATA:WRITE:RegionName:Key |
| Region.destroy(key) | DATA:WRITE:RegionName:Key |
-| destroy key (DIFFERENT?) | DATA:WRITE:RegionName:Key |
| Region.put(key) | DATA:WRITE:RegionName:Key |
| Region.replace | DATA:WRITE:RegionName:Key |
@@ -111,43 +109,39 @@ This table classifies the permissions assigned for `gfsh` operations.
| `gfsh` Command | Assigned `ResourcePermission`
|----------------------------------------|----------------------------------|
-| alter disk-store | DATA:MANAGE |
+| alter disk-store | CLUSTER:MANAGE:DISK |
| alter region | DATA:MANAGE:RegionName |
| alter runtime | CLUSTER:MANAGE |
-| backup disk-store | DATA:READ |
+| backup disk-store | DATA:READ and CLUSTER:WRITE:DISK |
| change loglevel | CLUSTER:WRITE |
-| clear defined indexes | DATA:MANAGE |
-| close durable-client | DATA:MANAGE |
-| close durable-cq | DATA:MANAGE |
-| compact disk-store | DATA:MANAGE |
-| compact offline-disk-store | DATA:MANAGE |
+| clear defined indexes | CLUSTER:MANAGE:QUERY |
+| close durable-client | CLUSTER:MANAGE:QUERY |
+| close durable-cq | CLUSTER:MANAGE:QUERY |
+| compact disk-store | CLUSTER:MANAGE:DISK |
| configure pdx | CLUSTER:MANAGE |
-| create async-event-queue | DATA:MANAGE |
-| create defined indexes | DATA:MANAGE |
-| create disk-store | DATA:MANAGE |
-| create gateway-receiver | DATA:MANAGE |
-| create gateway-sender | DATA:MANAGE |
-| create index | DATA:MANAGE:RegionName |
-| create lucene index | DATA:MANAGE:RegionName |
-| create region | DATA:MANAGE |
-| define index | DATA:MANAGE:RegionName |
-| deploy | DATA:MANAGE, DATA:WRITE, CLUSTER:MANAGE, and CLUSTER:WRITE |
+| create async-event-queue | CLUSTER:MANAGE:JAR, plus CLUSTER:WRITE:DISK if the associated region is persistent |
+| create defined indexes | CLUSTER:MANAGE:QUERY |
+| create disk-store | CLUSTER:MANAGE:DISK |
+| create gateway-receiver | CLUSTER:MANAGE:GATEWAY |
+| create gateway-sender | CLUSTER:MANAGE:GATEWAY |
+| create index | CLUSTER:MANAGE:QUERY |
+| create lucene index | CLUSTER:MANAGE:LUCENE |
+| create region | DATA:MANAGE, plus CLUSTER:WRITE:DISK if the associated region is persistent |
+| define index | CLUSTER:MANAGE:QUERY |
+| deploy | CLUSTER:MANAGE:JAR |
| describe client | CLUSTER:READ |
| describe config | CLUSTER:READ |
| describe disk-store | CLUSTER:READ |
-| describe lucene index | CLUSTER:READ |
+| describe lucene index | CLUSTER:READ:LUCENE |
| describe member | CLUSTER:READ |
| describe offline-disk-store | CLUSTER:READ |
| describe region | CLUSTER:READ |
-| destroy disk-store | DATA:MANAGE |
-| destroy function | DATA:MANAGE |
-| destroy index | DATA:MANAGE or DATA:MANAGE:RegionName |
-| destroy lucene index | DATA:MANAGE:RegionName |
+| destroy disk-store | CLUSTER:MANAGE:DISK |
+| destroy function | CLUSTER:MANAGE:JAR |
+| destroy index | CLUSTER:MANAGE:QUERY |
+| destroy lucene index | CLUSTER:MANAGE:LUCENE |
| destroy region | DATA:MANAGE |
-| disconnect | DATA:MANAGE |
-| echo | DATA:MANAGE |
-| encrypt password | DATA:MANAGE |
-| execute function | DATA:WRITE |
+| execute function | determined by the function API |
| export cluster-configuration | CLUSTER:READ |
| export config | CLUSTER:READ |
| export data | CLUSTER:READ |
@@ -165,46 +159,45 @@ This table classifies the permissions assigned for `gfsh` operations.
| list durable-cqs | CLUSTER:READ |
| list functions | CLUSTER:READ |
| list gateways | CLUSTER:READ |
-| list indexes | CLUSTER:READ |
-| list lucene indexes | CLUSTER:READ |
+| list indexes | CLUSTER:READ:QUERY |
+| list lucene indexes | CLUSTER:READ:LUCENE |
| list members | CLUSTER:READ |
| list regions | CLUSTER:READ |
-| load-balance gateway-sender | DATA:MANAGE |
+| load-balance gateway-sender | CLUSTER:MANAGE:GATEWAY |
| locate entry | DATA:READ:RegionName:Key |
| netstat | CLUSTER:READ |
-| pause gateway-sender | DATA:MANAGE |
-| pdx rename | DATA:MANAGE |
+| pause gateway-sender | CLUSTER:MANAGE:GATEWAY |
| put --key=key1 --region=region1 | DATA:WRITE:RegionName:Key |
-| query | DATA:READ |
+| query | DATA:READ
| rebalance | DATA:MANAGE |
| remove | DATA:WRITE:RegionName or DATA:WRITE:RegionName:Key |
-| resume gateway-sender | DATA:MANAGE |
-| revoke mising-disk-store | DATA:MANAGE |
-| search lucene | DATA:WRITE |
+| resume gateway-sender | CLUSTER:MANAGE:GATEWAY |
+| revoke mising-disk-store | CLUSTER:MANAGE:DISK |
+| search lucene | DATA:READ:RegionName |
| show dead-locks | CLUSTER:READ |
| show log | CLUSTER:READ |
| show metrics | CLUSTER:READ |
| show missing-disk-stores | CLUSTER:READ |
| show subscription-queue-size | CLUSTER:READ |
| shutdown | CLUSTER:MANAGE |
-| start gateway-receiver | DATA:MANAGE |
-| start gateway-sender | DATA:MANAGE |
+| start gateway-receiver | CLUSTER:MANAGE:GATEWAY |
+| start gateway-sender | CLUSTER:MANAGE:GATEWAY |
| start server | CLUSTER:MANAGE |
| status cluster-config-service | CLUSTER:READ |
| status gateway-receiver | CLUSTER:READ |
| status gateway-sender | CLUSTER:READ |
| status locator | CLUSTER:READ |
| status server | CLUSTER:READ |
-| stop gateway-receiver | DATA:MANAGE |
-| stop gateway-receiver | DATA:MANAGE |
+| stop gateway-receiver | CLUSTER:MANAGE:GATEWAY |
+| stop gateway-receiver | CLUSTER:MANAGE:GATEWAY |
| stop locator | CLUSTER:MANAGE |
| stop server | CLUSTER:MANAGE |
-| undeploy | DATA:MANAGE |
+| undeploy | CLUSTER:MANAGE:JAR |
The `gfsh connect` does not have a permission,
as it is the operation that invokes authentication.
These `gfsh` commands do not have permission defined,
-as they do not interact with the distributed system.
+as they do not interact with the distributed system:
- `gfsh describe connection`, which describes the `gfsh` end of the connection
- `gfsh debug`, which toggles the mode within `gfsh`
@@ -234,32 +227,32 @@ This table classifies the permissions assigned for JMX operations.
| DistributedSystemMXBean.changerAlertLevel | CLUSTER:WRITE |
| ManagerMXBean.setPulseURL | CLUSTER:WRITE |
| ManagerMXBean.setStatusMessage | CLUSTER:WRITE |
-| CacheServerMXBean.closeAllContinuousQuery | DATA:MANAGE |
-| CacheServerMXBean.closeContinuousQuery | DATA:MANAGE |
+| CacheServerMXBean.closeAllContinuousQuery | CLUSTER:MANAGE:QUERY |
+| CacheServerMXBean.closeContinuousQuery | CLUSTER:MANAGE:QUERY |
| CacheServerMXBean.executeContinuousQuery | DATA:READ |
-| DiskStoreMXBean.flush | DATA:MANAGE |
-| DiskStoreMXBean.forceCompaction | DATA:MANAGE |
-| DiskStoreMXBean.forceRoll | DATA:MANAGE |
-| DiskStoreMXBean.setDiskUsageCriticalPercentage | DATA:MANAGE |
-| DiskStoreMXBean.setDiskUsageWarningPercentage | DATA:MANAGE |
-| DistributedSystemMXBean.revokeMissingDiskStores| DATA:MANAGE |
-| DistributedSystemMXBean.setQueryCollectionsDepth| DATA:MANAGE |
-| DistributedSystemMXBean.setQueryResultSetLimit | DATA:MANAGE |
-| DistributedSystemMXBean.backupAllMembers | DATA:READ |
+| DiskStoreMXBean.flush | CLUSTER:MANAGE:DISK |
+| DiskStoreMXBean.forceCompaction | CLUSTER:MANAGE:DISK |
+| DiskStoreMXBean.forceRoll | CLUSTER:MANAGE:DISK |
+| DiskStoreMXBean.setDiskUsageCriticalPercentage | CLUSTER:MANAGE:DISK |
+| DiskStoreMXBean.setDiskUsageWarningPercentage | CLUSTER:MANAGE:DISK |
+| DistributedSystemMXBean.revokeMissingDiskStores| CLUSTER:MANAGE:DISK |
+| DistributedSystemMXBean.setQueryCollectionsDepth| CLUSTER:MANAGE:QUERY |
+| DistributedSystemMXBean.setQueryResultSetLimit | CLUSTER:MANAGE:QUERY |
+| DistributedSystemMXBean.backupAllMembers | DATA:READ and CLUSTER:WRITE:DISK |
| DistributedSystemMXBean.queryData | DATA:READ |
| DistributedSystemMXBean.queryDataForCompressedResult | DATA:READ |
-| GatewayReceiverMXBean.pause | DATA:MANAGE |
-| GatewayReceiverMXBean.rebalance | DATA:MANAGE |
-| GatewayReceiverMXBean.resume | DATA:MANAGE |
-| GatewayReceiverMXBean.start | DATA:MANAGE |
-| GatewayReceiverMXBean.stop | DATA:MANAGE |
-| GatewaySenderMXBean.pause | DATA:MANAGE |
-| GatewaySenderMXBean.rebalance | DATA:MANAGE |
-| GatewaySenderMXBean.resume | DATA:MANAGE |
-| GatewaySenderMXBean.start | DATA:MANAGE |
-| GatewaySenderMXBean.stop | DATA:MANAGE |
+| GatewayReceiverMXBean.pause | CLUSTER:MANAGE:GATEWAY |
+| GatewayReceiverMXBean.rebalance | CLUSTER:MANAGE:GATEWAY |
+| GatewayReceiverMXBean.resume | CLUSTER:MANAGE:GATEWAY |
+| GatewayReceiverMXBean.start | CLUSTER:MANAGE:GATEWAY |
+| GatewayReceiverMXBean.stop | CLUSTER:MANAGE:GATEWAY |
+| GatewaySenderMXBean.pause | CLUSTER:MANAGE:GATEWAY |
+| GatewaySenderMXBean.rebalance | CLUSTER:MANAGE:GATEWAY |
+| GatewaySenderMXBean.resume | CLUSTER:MANAGE:GATEWAY |
+| GatewaySenderMXBean.start | CLUSTER:MANAGE:GATEWAY |
+| GatewaySenderMXBean.stop | CLUSTER:MANAGE:GATEWAY |
| LockServiceMXBean.becomeLockGrantor | CLUSTER:MANAGE |
-| MemberMXBean.compactAllDiskStores | DATA:MANAGE |
+| MemberMXBean.compactAllDiskStores | CLUSTER:MANAGE:DISK |
## Implement Authorization