Control access to Data Grid clusters by adding credentials and assigning roles with different permissions.
Default credentials
Data Grid adds default credentials in a `<helm_release_name>-generated-secret` secret.
Username | Description
---|---
 | User that has the
 | Internal user that has the
Retrieving credentials
Get Data Grid credentials from authentication secrets.
- Install the Data Grid Helm chart.
- Have an `oc` client.
- Retrieve default credentials from the `<helm_release_name>-generated-secret` or custom credentials from another secret with the following command:

  ```sh
  $ oc get secret <helm_release_name>-generated-secret \
      -o jsonpath="{.data.identities-batch}" | base64 --decode
  ```
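The decoded `identities-batch` value is just a list of `user create` commands, so you can check which users a secret defines, and which roles they get, without ever displaying the passwords. The script below is an added example, not part of the Data Grid Helm chart or its documentation. It assumes the base64 value returned by the `oc get secret` command above (a constructed sample built from this page's own commands is embedded so it runs offline) and that passwords are always given with `-p` and roles with `-g`, as in the commands on this page; a user with no `-g` is reported as having implicit authorization.

```sh
#!/bin/sh
# Constructed sample: the base64 string that
#   oc get secret <name> -o jsonpath="{.data.identities-batch}"
# returns for a batch of three "user create" commands (passwords are
# the placeholders used in this page's examples).
SAMPLE_B64=$(printf '%s\n' \
  'user create admin -p changeme' \
  'user create personone -p S3cure-Pa55 -g deployer' \
  'user create monitor -p password --users-file metrics-users.properties --groups-file metrics-groups.properties' \
  | base64 | tr -d '\n')

# audit_identities_batch: reads a decoded identities-batch on stdin and
# prints one summary line per user: name, explicit role (or "implicit"
# when no -g is given), and whether the password is a well-known
# placeholder. Passwords themselves are never printed.
# Returns 1 if any placeholder password is found, 0 otherwise.
audit_identities_batch() {
  rc=0
  while read -r cmd sub name rest || [ -n "$cmd" ]; do
    # Only "user create ..." lines carry credentials; skip anything else.
    [ "$cmd $sub" = "user create" ] || continue
    role=implicit
    pass=''
    # Walk the remaining options; unknown options (e.g. --users-file) are
    # skipped. Passwords containing whitespace are not supported here.
    set -- $rest
    while [ $# -gt 0 ]; do
      case "$1" in
        -p) pass=$2; shift ;;
        -g) role=$2; shift ;;
      esac
      shift
    done
    case "$pass" in
      changeme|password|'') status=PLACEHOLDER; rc=1 ;;
      *) status=ok ;;
    esac
    printf 'user=%s role=%s password=%s\n' "$name" "$role" "$status"
  done
  return $rc
}

# audit_secret_data: takes the base64 value as returned by oc, decodes it
# and audits it. Exit status is that of audit_identities_batch.
audit_secret_data() {
  printf '%s' "$1" | base64 -d | audit_identities_batch
}

# audit_secret_data "$SAMPLE_B64" prints:
#   user=admin role=implicit password=PLACEHOLDER
#   user=personone role=deployer password=ok
#   user=monitor role=implicit password=PLACEHOLDER
# and returns 1 because two placeholder passwords were found.
```

Against a live cluster, call `audit_secret_data "$(oc get secret <helm_release_name>-generated-secret -o jsonpath='{.data.identities-batch}')"`. The placeholder list only contains the two values that appear in this page's examples; extend the `case` pattern to match your own password policy.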
Adding custom user credentials
Create Data Grid user credentials and assign roles that grant security authorization for cluster access.
- Create credentials by specifying a `user create` command in the `deploy.security.batch` field.

  User with implicit authorization:

  ```yaml
  deploy:
    security:
      batch: 'user create admin -p changeme'
  ```

  User with a specific role:

  ```yaml
  deploy:
    security:
      batch: 'user create personone -p changeme -g deployer'
  ```

- Install or upgrade your Data Grid Helm release.
User roles and permissions
Data Grid uses role-based access control to authorize users for access to cluster resources and data. For additional security, assign appropriate roles to Data Grid users when you add credentials.
Role | Permissions | Description
---|---|---
 | ALL | Superuser with all permissions including control of the Cache Manager lifecycle.
 | ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR, CREATE | Can create and delete Data Grid resources in addition to
 | ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR | Has read and write access to Data Grid resources in addition to
 | ALL_READ, MONITOR | Has read access to Data Grid resources in addition to
 | MONITOR | Can view statistics for Data Grid clusters.
Adding multiple credentials with authentication secrets
Add multiple credentials to Data Grid clusters with authentication secrets.
- Have an `oc` client.
- Create an `identities-batch` file that contains the commands to add your credentials.

  ```yaml
  apiVersion: v1
  kind: Secret
  metadata:
    name: connect-secret
  type: Opaque
  stringData:
    # The "monitor" user authenticates with the Prometheus ServiceMonitor.
    username: monitor
    # The password for the "monitor" user.
    password: password
    # The key must be 'identities-batch'.
    # The content is "user create" commands for the Data Grid CLI.
    identities-batch: |-
      user create user1 -p changeme -g admin
      user create user2 -p changeme -g deployer
      user create monitor -p password --users-file metrics-users.properties --groups-file metrics-groups.properties
  ```

- Create an authentication secret from your `identities-batch` file.

  ```sh
  $ oc apply -f identities-batch.yaml
  ```

- Specify the authentication secret in the `deploy.security.secretName` field.

  ```yaml
  deploy:
    security:
      authentication: true
      secretName: 'connect-secret'
  ```

- Install or upgrade your Data Grid Helm release.
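The `identities-batch` file above uses placeholder passwords, which is fine for a walkthrough but not for anything reachable by other people. The script below is an added example, not code from the Data Grid Helm chart or its documentation: it builds the same kind of Secret manifest from `user:role` arguments and generates each password from `/dev/urandom`, so placeholders never reach the cluster. It assumes the `user create NAME -p PASSWORD -g ROLE` syntax shown on this page (a user given without `:role` gets the implicit authorization the page describes); the secret name and user list are whatever you pass in.

```sh
#!/bin/sh
# gen_password: 24 random alphanumeric characters from /dev/urandom.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# make_identities_secret SECRET_NAME USER[:ROLE]...
# Prints a Kubernetes Secret manifest whose identities-batch key holds one
# "user create" command per argument. A USER without :ROLE gets no -g
# (implicit authorization); a USER with :ROLE gets "-g ROLE".
# Passwords are generated here and appear only in the manifest output,
# so pipe it straight into "oc apply -f -" rather than saving it to disk.
make_identities_secret() {
  name=$1
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\n' "$name"
  printf 'stringData:\n  identities-batch: |-\n'
  for spec in "$@"; do
    user=${spec%%:*}
    role=${spec#*:}
    pw=$(gen_password)
    if [ "$role" = "$spec" ] || [ -z "$role" ]; then
      # No role given: implicit authorization, as in the page's first example.
      printf '    user create %s -p %s\n' "$user" "$pw"
    else
      printf '    user create %s -p %s -g %s\n' "$user" "$pw" "$role"
    fi
  done
}

# Usage (constructed names):
#   make_identities_secret connect-secret user1:admin user2:deployer | oc apply -f -
# then reference it with deploy.security.secretName: 'connect-secret'.
```

Roles are passed through as given; the script does not validate them against the role table above, because a role the server does not know is rejected when the batch runs rather than silently granted.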
Disabling authentication
Allow users to access Data Grid clusters and manipulate data without providing credentials.
Do not disable authentication if endpoints are accessible from outside the OpenShift cluster. You should disable authentication for development environments only.
- Remove the `propertiesRealm` fields from the "default" security realm.
- Install or upgrade your Data Grid Helm release.
Disabling security authorization
Allow Data Grid users to perform any operation regardless of their role.
- Set `null` as the value for the `deploy.infinispan.cacheContainer.security` field. Use the `--set deploy.infinispan.cacheContainer.security=null` argument with the `helm` client.
- Install or upgrade your Data Grid Helm release.