Apache Geode CHANGELOG

Security Implementation Introduction and Overview

Security Features

Encryption, SSL secure communication, authentication, and authorization features help to secure the cluster.

Security features include:

  • A single security interface for all components. The single authentication and authorization mechanism simplifies the security implementation. It views and interacts with all components in a consistent manner.
  • System-wide role-based access control. Roles regiment authorized operations requested by the various components.
  • SSL communication. Allows configuration of connections to be SSL-based, rather than plain socket connections. You can enable SSL separately for peer-to-peer, client, JMX, gateway senders and receivers, and HTTP connections.
  • Post processing of region data. Return values for operations that return region values may be formatted.

Overview

An authentication and authorization mechanism forms the core of the internal security of the cluster. Communications may be further protected by enabling SSL for data in transit.

Authentication verifies the identity of communicating components, leading to control over participation. The variety of participants include peer members, servers, clients, originators of JMX operations, Pulse, gateway senders and receivers representing WAN members of the system, and commands arriving from gfsh on behalf of system users or administrators.

Connection requests trigger the invocation of an authentication callback. This special-purpose callback is written as part of the application, and it attempts to authenticate the requester by whatever algorithm it chooses. The result is either a returned principal representing the requester’s authenticated identity or an exception indicating that the requester has not been authenticated. The principal becomes part of any request for operations, which go through the authorization process.

Given authentication, isolation and access to cache data and system state can be further protected by implementing the authorization mechanism, also implemented as a special-purpose callback as part of the application. For example, the protection may be to permit only certain system administrators to start and stop servers. The authority to do this needs to be limited to specific verified accounts, preventing those without the authorization. An implementation of the authorization callback will require that an authenticate identity accompanies all requests to the system, and that the system maintains a representation of which identities are permitted to complete which actions or cache commands.