Authentication and Authorization

The Overview within the GemFire user guide, Security Implementation Introduction and Overview provides a concise description of the authentication and authorization mechanism that may be implemented for a cluster.

Authentication and authorization are facilitated by a custom implementation of the Java SecurityManager interface.

The authenticate example in the https://github.com/gemfire/node-examples repository illustrates the authentication and authorization mechanism for a local GemFire cluster.

Authentication

The custom implementation of the SecurityManager.authenticate method will be invoked as an app connects to the cluster. This callback method is expected to authenticate the app to the cluster. The method returns a principal for a successfully authenticated app, or it throws an exception.

Authorization

An authenticated app (connection) will be assigned a role. Role-based authorization permits or prohibits operations on the cluster or on the data held by the cluster based on the role.

Each operation on the cluster or the data held in the cluster has a predetermined set of permissions that are required for that operation to be authorized.

Each authenticated app’s role is assigned a set of permissions. These permissions identify what types of operations the app will be allowed (authorized) to do.

The SecurityManager.authorize method will be invoked for each operation that the app requests. If the app’s role has been granted the predetermined permissions required by the operation requested, the SecurityManager.authorize method authorizes the operation.

If the app invokes an operation that it is not authorized to perform, the operation throws an error. The authenticate example within the set of examples at https://github.com/gemfire/node-examples demonstrates both authentication and authorization, and shows wrapping region operations within a try/catch block.

Cloud Cache Authentication and Authorization

A Cloud Cache service instance implements the SecurityManager interface. The environment of a pushed Node.js app contains the VCAP_SERVICES environment variable, which has a user name and password that will provide authorization for operations allowed to a cluster operator.

A Node.js app extracts the user name and password from the VCAP_SERVICES environment variable, and passes them along when the app connects and is authenticated. An example that does this is the book-service example at https://github.com/gemfire/node-examples.