Securing the Grid Service Manager and Grid Service Container

Added by Moran Avigdor, last edited by Uri Cohen on Jul 05, 2009 (view change)

Search XAP 7.0

Browse XAP 7.0

Quick Start Guide

Product Overview

Programmer's Guide

Administrator's Guide

Offline Documentation

Download latest offline documentation in HTML format:
xap-7.0.2-documentation.zip (12.3MB)

Summary: Service Grid secured administration

Overview | Prerequisites | Usage | Considerations | FAQ

Overview

The security model around the Service Grid components is in terms of Service Grid administration. This includes the basic life cycle control of: deployment, undeployment, manual relocation, termination, etc. If you start a secure Grid Service Manager/Grid Service Container (GSM/GSC), the only way you can apply administrative operations is if you authenticate using a secure client (e.g. UI/CLI).

Once authenticated, the client may be authorized with full credentials, allowing full administrative control. Clients may also be limited with read-only credentials, allowing them only view control. Future versions may also support no credentials at all.

Prerequisites

The Service Grid security model follows the same security model of the Space. The user accounts file holding user names, passwords, roles and credentials is accessed using the same driver. This information is stored by default in an encrypted file located at <GigaSpaces Root>\security\default-users.

Usage

To enable security for the Service Grid, the GSM and GSC need to be loaded in secured mode. This is done either by modifying the services.config file directly, or by providing a system property.

Once enabled, you should see an INFO message stating that the component is secured. For example, when the GSM is secured, the following is displayed.

INFO \[com.gigaspaces.grid.gsm\]: Secured mode enabled for GSM.

Considerations

The location of the security file must be shared or copied to all instances of the GigaSpaces installation.

Configuration

The GigaSpaces default security filter uses the default-users file, located under the <GigaSpaces Root>/security directory, as the default user accounts list. The security file URL can be configured using two system properties. These system properties can be set as part of EXT_JAVA_OPTIONS in the setenv script.

Set the filter logging level to CONFIG to check the current configuration settings:

CONFIG \[com.gigaspaces.filters\]: Loaded users security permissions file from <f:/gigaspaces-xap/security/default-users>

Overriding Security Filename

-Dcom.gs.security.file.name=my-users

This results in a path to <GigaSpaces Root>/security/my-users.

Changing The Implicit 'security' Directory

By default, the security sub-directory is implicit. To manage a different directory structure, indicate a path as part of the url property – in other words, start the URL with a forward slash (/), followed by the desired path.

-Dcom.gs.security.file.name=/my-security-folder/my-users

This will result in a path to <GigaSpaces Root>/my-security-folder/my-users.

Changing the root directory

By default, the root directory of the security file is <GigaSpaces Root>. To manage the security file out-side of the installation directory, you will need to set the following system property:

-Dcom.gs.security.file.dir=f:/foo

This will result in a path to f:/foo/security/default-users.

FAQ

Does the space need to be secured?

Can a non-secured GSC connect to a secured GSM?

IMPORTANT: This is an old version of GigaSpaces XAP. Click here for the latest version.

Labels

(None)

Add Labels
Enter labels to add to this page: Looking for a label? Just start typing.