Menu Close
Settings Close

Language and Page Formatting Options

Chapter 11. Configuring user roles and permissions

Secure access to Data Grid services by configuring role-based access control (RBAC) for users. This requires you to assign roles to users so that they have permission to access caches and Data Grid resources.

11.1. Enabling security authorization

By default authorization is disabled to ensure backwards compatibility with Infinispan CR instances. Complete the following procedure to enable authorization and use role-based access control (RBAC) for Data Grid users.

Procedure

  1. Set true as the value for the spec.security.authorization.enabled field in your Infinispan CR.

    spec:
      security:
        authorization:
          enabled: true
  2. Apply the changes.

11.2. User roles and permissions

Data Grid Operator provides a set of default roles that are associated with different permissions.

Table 11.1. Default roles and permissions

RolePermissionsDescription

admin

ALL

Superuser with all permissions including control of the Cache Manager lifecycle.

deployer

ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR, CREATE

Can create and delete Data Grid resources in addition to application permissions.

application

ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR

Has read and write access to Data Grid resources in addition to observer permissions. Can also listen to events and execute server tasks and scripts.

observer

ALL_READ, MONITOR

Has read access to Data Grid resources in addition to monitor permissions.

monitor

MONITOR

Can view statistics for Data Grid clusters.

Data Grid Operator credentials

Data Grid Operator generates credentials that it uses to authenticate with Data Grid clusters to perform internal operations. By default Data Grid Operator credentials are automatically assigned the admin role when you enable security authorization.

Additional resources

11.3. Assigning roles and permissions to users

Assign users with roles that control whether users are authorized to access Data Grid cluster resources. Roles can have different permission levels, from read-only to unrestricted access.

Note

Users gain authorization implicitly. For example, "admin" gets admin permissions automatically. A user named "deployer" has the deployer role automatically, and so on.

Procedure

  1. Create an identities.yaml file that assigns roles to users.

    credentials:
      - username: admin
        password: changeme
      - username: my-user-1
        password: changeme
        roles:
          - admin
      - username: my-user-2
        password: changeme
        roles:
          - monitor
  2. Create an authentication secret from identities.yaml.

    If necessary, delete the existing secret first.

    oc delete secret connect-secret --ignore-not-found
    oc create secret generic --from-file=identities.yaml connect-secret
  3. Specify the authentication secret with spec.security.endpointSecretName in your Infinispan CR and then apply the changes.

    spec:
      security:
        endpointSecretName: connect-secret

11.4. Adding custom roles and permissions

You can define custom roles with different combinations of permissions.

Procedure

  1. Open your Infinispan CR for editing.
  2. Specify custom roles and their associated permissions with the spec.security.authorization.roles field.

    spec:
      security:
        authorization:
          enabled: true
          roles:
            - name: my-role-1
              permissions:
                - ALL
            - name: my-role-2
              permissions:
                - READ
                - WRITE
  3. Apply the changes.