Chapter 3. Configuring authentication and authorization
Control access to Data Grid clusters by adding credentials and assigning roles with different permissions.
3.1. Default credentials
Data Grid adds default credentials in a <helm_release_name>-generated-secret secret.

Username | Description |
---|---|
 | User that has the |
 | Internal user that has the |
3.1.1. Retrieving credentials
Get Data Grid credentials from authentication secrets.
Prerequisites
- Install the Data Grid Helm chart.
- Have an oc client.
Procedure
- Retrieve default credentials from the <helm_release_name>-generated-secret or custom credentials from another secret with the following command:

$ oc get secret <helm_release_name>-generated-secret \
    -o jsonpath="{.data.identities-batch}" | base64 --decode
3.2. Adding custom user credentials or credentials store
Create Data Grid user credentials and assign roles that grant security authorization for cluster access.
Procedure
- Create credentials by specifying the user create command in the deploy.security.batch field.

User with implicit authorization

deploy:
  security:
    batch: 'user create admin -p changeme'

User with a specific role

deploy:
  security:
    batch: 'user create personone -p changeme -g deployer'
3.2.1. User roles and permissions
Data Grid uses role-based access control to authorize users for access to cluster resources and data. For additional security, assign appropriate roles to Data Grid users when you add credentials.
Role | Permissions | Description |
---|---|---|
 | ALL | Superuser with all permissions including control of the Cache Manager lifecycle. |
 | ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR, CREATE | Can create and delete Data Grid resources in addition to |
 | ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR | Has read and write access to Data Grid resources in addition to |
 | ALL_READ, MONITOR | Has read access to Data Grid resources in addition to |
 | MONITOR | Can view statistics for Data Grid clusters. |
3.2.2. Adding credentials store
Create a Data Grid credential store to avoid exposing passwords in clear text in the server configuration ConfigMap. See Section 4.1, “Enabling TLS encryption” for a use case.
Procedure
- Create the credential store by specifying a credentials add command in the deploy.security.batch field.

Add a password to a store

deploy:
  security:
    batch: 'credentials add keystore -c password -p secret --path="credentials.pfx"'

- Add the credential store to the server configuration.

Configure a credential store

deploy:
  infinispan:
    server:
      security:
        credentialStores:
          - name: credentials
            path: credentials.pfx
            clearTextCredential:
              clearText: "secret"
3.2.3. Adding multiple credentials with authentication secrets
Add multiple credentials to Data Grid clusters with authentication secrets.
Prerequisites
- Have an oc client.
Procedure
- Create an identities-batch file that contains the commands to add your credentials.

apiVersion: v1
kind: Secret
metadata:
  name: connect-secret
type: Opaque
stringData:
  # The "monitor" user authenticates with the Prometheus ServiceMonitor.
  username: monitor
  # The password for the "monitor" user.
  password: password
  # The key must be 'identities-batch'.
  # The content is "user create" commands for the Data Grid CLI.
  identities-batch: |-
    user create user1 -p changeme -g admin
    user create user2 -p changeme -g deployer
    user create monitor -p password --users-file metrics-users.properties --groups-file metrics-groups.properties
    credentials add keystore -c password -p secret --path="credentials.pfx"

- Create an authentication secret from your identities-batch file.

$ oc apply -f identities-batch.yaml

- Specify the authentication secret in the deploy.security.secretName field.

deploy:
  security:
    authentication: true
    secretName: 'connect-secret'

- Install or upgrade your Data Grid Helm release.
3.3. Disabling authentication
Allow users to access Data Grid clusters and manipulate data without providing credentials.
Do not disable authentication if endpoints are accessible from outside the OpenShift cluster. You should disable authentication for development environments only.
Procedure
- Remove the propertiesRealm fields from the "default" security realm.
- Install or upgrade your Data Grid Helm release.
3.4. Disabling security authorization
Allow Data Grid users to perform any operation regardless of their role.
Procedure
Procedure
- Set null as the value for the deploy.infinispan.cacheContainer.security field.

Tip: Use the --set deploy.infinispan.cacheContainer.security=null argument with the helm client.

- Install or upgrade your Data Grid Helm release.
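As an added check that is not part of the Helm chart or of this documentation, the following Python script audits the settings from Section 3.2 and Section 3.4 before a release is installed: it parses the user create commands in deploy.security.batch to find users created without an explicit role (-g) or with the placeholder passwords used in the examples above, and it flags deploy.infinispan.cacheContainer.security set to null. The values dict, the user names and the passwords in it are constructed sample data.

```python
import shlex

# Constructed Helm values for a Data Grid release, shaped like the dict PyYAML
# would load from values.yaml. Users and passwords are sample data for this
# example only; the field names follow the sections above.
SAMPLE_VALUES = {
    "deploy": {
        "security": {
            "authentication": True,
            "batch": (
                "user create admin -p changeme\n"
                "user create user2 -p changeme -g deployer\n"
                "user create monitor -p Xk9-long-pass -g monitor\n"
                'credentials add keystore -c password -p secret --path="credentials.pfx"'
            ),
        },
        "infinispan": {"cacheContainer": {"security": None}},
    }
}

# Passwords that appear only as placeholders in the documentation examples.
PLACEHOLDER_PASSWORDS = {"changeme", "password", "secret"}

def parse_user_creates(batch):
    """Return (username, password, group) for each 'user create' line in a batch."""
    users = []
    for line in batch.splitlines():
        argv = shlex.split(line)
        if argv[:2] != ["user", "create"] or len(argv) < 3:
            continue  # skips blank lines and e.g. 'credentials add ...' lines
        # Collect the values following the -p (password) and -g (group/role) options.
        opts = {tok: argv[i + 1] for i, tok in enumerate(argv[:-1]) if tok in ("-p", "-g")}
        users.append((argv[2], opts.get("-p"), opts.get("-g")))
    return users

def audit_values(values):
    """Return findings for weak authorization settings and weak user definitions."""
    findings = []
    deploy = values.get("deploy", {})
    security = deploy.get("security", {})
    cache = deploy.get("infinispan", {}).get("cacheContainer", {})
    if "security" in cache and cache["security"] is None:  # the Section 3.4 setting
        findings.append("authorization is disabled (cacheContainer.security is null)")
    for name, password, group in parse_user_creates(security.get("batch", "")):
        if group is None:
            findings.append(f"user {name!r} is created without an explicit role (-g)")
        if password in PLACEHOLDER_PASSWORDS:
            findings.append(f"user {name!r} uses the placeholder password {password!r}")
    return findings
```

Run audit_values on the dict loaded from your values file and treat any non-empty result as a reason not to install or upgrade the release.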