Configuring user roles and permissions

Guide
  • Red Hat Data Grid 8.2
  • Updated 21 July 2021
  • Published 21 July 2021

Topics included in this guide

Configuring user roles and permissions

Guide
Red Hat Data Grid 8.2
  • Updated 21 July 2021
  • Published 21 July 2021

Secure access to Data Grid services by configuring role-based access control (RBAC) for users. This requires you to assign roles to users so that they have permission to access caches and Data Grid resources.

Enabling security authorization

By default authorization is disabled to ensure backwards compatibility with Infinispan CR instances. Complete the following procedure to enable authorization and use role-based access control (RBAC) for Data Grid users.

Procedure

  1. Set true as the value for the spec.security.authorization.enabled field in your Infinispan CR.

    spec:
  security:
    authorization:
      enabled: true

  2. Apply the changes.

User roles and permissions

Data Grid Operator provides a set of default roles that are associated with different permissions.

Table 1. Default roles and permissions
Role Permissions Description

admin

ALL

Superuser with all permissions including control of the Cache Manager lifecycle.

deployer

ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR, CREATE

Can create and delete Data Grid resources in addition to application permissions.

application

ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR

Has read and write access to Data Grid resources in addition to observer permissions. Can also listen to events and execute server tasks and scripts.

observer

ALL_READ, MONITOR

Has read access to Data Grid resources in addition to monitor permissions.

monitor

MONITOR

Can view statistics for Data Grid clusters.

Data Grid Operator credentials

Data Grid Operator generates credentials that it uses to authenticate with Data Grid clusters to perform internal operations. By default Data Grid Operator credentials are automatically assigned the admin role when you enable security authorization.

Additional resources

Assigning roles and permissions to users

Assign users with roles that control whether users are authorized to access Data Grid cluster resources. Roles can have different permission levels, from read-only to unrestricted access.

Users gain authorization implicitly. For example, "admin" gets admin permissions automatically. A user named "deployer" has the deployer role automatically, and so on.

Procedure

  1. Create an identities.yaml file that assigns roles to users.

    credentials:
  - username: admin
    password: changeme
  - username: my-user-1
    password: changeme
    roles:
      - admin
  - username: my-user-2
    password: changeme
    roles:
      - monitor

  2. Create an authentication secret from identities.yaml.

    If necessary, delete the existing secret first.

    $ oc delete secret connect-secret --ignore-not-found
$ oc create secret generic --from-file=identities.yaml connect-secret

  3. Specify the authentication secret with spec.security.endpointSecretName in your Infinispan CR and then apply the changes.

    spec:
  security:
    endpointSecretName: connect-secret

Adding custom roles and permissions

You can define custom roles with different combinations of permissions.

Procedure

  1. Open your Infinispan CR for editing.

  2. Specify custom roles and their associated permissions with the spec.security.authorization.roles field.

    spec:
  security:
    authorization:
      enabled: true
      roles:
        - name: my-role-1
          permissions:
            - ALL
        - name: my-role-2
          permissions:
            - READ
            - WRITE

  3. Apply the changes.

Legal Notices for Trademarks