Control access to Data Grid clusters by adding credentials and assigning roles with different permissions.
Default credentials
Data Grid adds default credentials in a <helm_release_name>-generated-secret secret.
| Username | Description |
|---|---|
|
|
User that has the |
|
|
Internal user that has the |
Retrieving credentials
Get Data Grid credentials from authentication secrets.
-
Install the Data Grid Helm chart.
-
Have an
occlient.
-
Retrieve default credentials from the
<helm_release_name>-generated-secretor custom credentials from another secret with the following command:$ oc get secret <helm_release_name>-generated-secret \ -o jsonpath="{.data.identities-batch}" | base64 --decode
Adding custom user credentials
Create Data Grid user credentials and assign roles that grant security authorization for cluster access.
-
Create credentials by specifying a
user createcommand in thedeploy.security.batchfield.User with implicit authorizationdeploy: security: batch: 'user create admin -p changeme'User with a specific roledeploy: security: batch: 'user create personone -p changeme -g deployer' -
Install or upgrade your Data Grid Helm release.
User roles and permissions
Data Grid uses role-based access control to authorize users for access to cluster resources and data. For additional security, you should grant Data Grid users with appropriate roles when you add credentials.
| Role | Permissions | Description |
|---|---|---|
|
|
ALL |
Superuser with all permissions including control of the Cache Manager lifecycle. |
|
|
ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR, CREATE |
Can create and delete Data Grid resources in addition to |
|
|
ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR |
Has read and write access to Data Grid resources in addition to |
|
|
ALL_READ, MONITOR |
Has read access to Data Grid resources in addition to |
|
|
MONITOR |
Can view statistics for Data Grid clusters. |
Adding multiple credentials with authentication secrets
Add multiple credentials to Data Grid clusters with authentication secrets.
-
Have an
occlient.
-
Create an
identities-batchfile that contains the commands to add your credentials.apiVersion: v1 kind: Secret metadata: name: connect-secret type: Opaque stringData: # The "monitor" user authenticates with the Prometheus ServiceMonitor. username: monitor # The password for the "monitor" user. password: password # The key must be 'identities-batch'. # The content is "user create" commands for the Data Grid CLI. identities-batch: |- user create user1 -p changeme -g admin user create user2 -p changeme -g deployer user create monitor -p password --users-file metrics-users.properties --groups-file metrics-groups.properties -
Create an authentication secret from your
identities-batchfile.$ {oc_apply} identities-batch.yaml -
Specify the authentication secret in the
deploy.security.SecretNamefield.deploy: security: authentication: true secretName: 'connect-secret' -
Install or upgrade your Data Grid Helm release.
Disabling authentication
Allow users to access Data Grid clusters and manipulate data without providing credentials.
Do not disable authentication if endpoints are accessible from outside the OpenShift cluster. You should disable authentication for development environments only.
-
Remove the
propertiesRealmfields from the "default" security realm. -
Install or upgrade your Data Grid Helm release.
Disabling security authorization
Allow Data Grid users to perform any operation regardless of their role.
-
Set
nullas the value for thedeploy.infinispan.cacheContainer.securityfield.Use the
--set deploy.infinispan.cacheContainer.security=nullargument with thehelmclient. -
Install or upgrade your Data Grid Helm release.
