[17/50] [abbrv] incubator-geode git commit: Complete content on integrated security's post processing [#129628127]

[rv...@apache.org]

Complete content on integrated security's post processing [#129628127]


Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/914b796e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/914b796e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/914b796e

Branch: refs/staging/docs-grant1
Commit: 914b796e431ba8b0ff5ad5ab2e946b8962897b53
Parents: c9f6f0d
Author: Karen Miller <km...@pivotal.io>
Authored: Wed Sep 7 09:03:01 2016 -0700
Committer: Karen Miller <km...@pivotal.io>
Committed: Wed Sep 7 09:03:01 2016 -0700

----------------------------------------------------------------------
 managing/security/post_processing.html.md.erb | 44 ++++++++++++++++++++--
 1 file changed, 41 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/914b796e/managing/security/post_processing.html.md.erb
----------------------------------------------------------------------
diff --git a/managing/security/post_processing.html.md.erb b/managing/security/post_processing.html.md.erb
index 8b04380..2a6dc50 100644
--- a/managing/security/post_processing.html.md.erb
+++ b/managing/security/post_processing.html.md.erb
@@ -2,11 +2,49 @@
 title:  Post Processing of Region Data
 ---
 
-The  `PostProcessor` interface allows the definition of a set of callbacks
-that are invoked after operations that get data,
+The  `PostProcessor` interface allows the definition of a callback
+that is invoked after any and all client and `gfsh` operations that get data,
 but before the data is returned.
-This permits the callback to intervene and modify of the data
+It permits the callback to intervene and modify of the data
 that is to be returned.
 The callbacks do not modify the region data,
 only the data to be returned.
 
+The `processRegionValue` method is given the principal of the 
+operation requester.
+The operation will already have been completed, 
+implying that the principal will have been authorized to complete
+the requested operation.
+The post processing can therefore modify the returned data based
+on the identity of the requester (principal).
+
+A use of post processing will be to sanitize or mask out sensitive
+region information,
+while providing the remainder of a region entry unchanged.
+An implementation can alter the entry for some requesters,
+but not other requesters.
+
+The `processRegionValue` method is invoked for these API calls:
+ 
+- `Region.get`
+- `Region.getAll`
+- `Query.execute`
+- `CqQuery.execute`
+- `CqQuery.executeWithInitialResults`
+- `CqListener.onEvent`
+- for a relevant region event from `CacheListener.afterUpdate` for which
+there is interest registered with `Region.registerInterest` 
+
+Care should be taken when designing a system that implements the
+post processing callback.
+It incurs the performance penalty of an extra method invocation
+on every get operation.
+
+## Implement Post Processing
+
+Complete these items to implement post processing.
+
+- Define the `security-post-processor` property.
+See [Enable Security with Property Definitions](enable_security.html)
+for details about this property.
+- Implement the  `processRegionValue` method of the `PostProcessor` interface.