Chapter 3. Configuring authentication and authorization

Control access to Data Grid clusters by adding credentials and assigning roles with different permissions.

3.1. Default credentials

Data Grid adds default credentials in a <helm_release_name>-generated-secret secret.

Username    Description
developer   User that has the admin role with full access to Data Grid resources.
monitor     Internal user that has the monitor role with access to Data Grid metrics through port 11223.

3.1.1. Retrieving credentials

Get Data Grid credentials from authentication secrets.

Prerequisites

  • Install the Data Grid Helm chart.
  • Have an oc client.

Procedure

  • Retrieve default credentials from the <helm_release_name>-generated-secret or custom credentials from another secret with the following command:

    $ oc get secret <helm_release_name>-generated-secret \
    -o jsonpath="{.data.identities-batch}" | base64 --decode

3.2. Adding custom user credentials or credentials store

Create Data Grid user credentials and assign roles that grant security authorization for cluster access.

Procedure

  • Create credentials by specifying the user create command in the deploy.security.batch field.

    User with implicit authorization

    deploy:
      security:
        batch: 'user create admin -p changeme'

    User with a specific role

    deploy:
      security:
        batch: 'user create personone -p changeme -g deployer'

3.2.1. User roles and permissions

Data Grid uses role-based access control to authorize users for access to cluster resources and data. For additional security, grant Data Grid users the least-privileged role that fits their task when you add credentials.

Role         Permissions                                          Description
admin        ALL                                                  Superuser with all permissions including control of the Cache Manager lifecycle.
deployer     ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR, CREATE   Can create and delete Data Grid resources in addition to application permissions.
application  ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR           Has read and write access to Data Grid resources in addition to observer permissions. Can also listen to events and execute server tasks and scripts.
observer     ALL_READ, MONITOR                                    Has read access to Data Grid resources in addition to monitor permissions.
monitor      MONITOR                                              Can view statistics for Data Grid clusters.

3.2.2. Adding credentials store

Create a Data Grid credentials store to avoid exposing passwords in clear text in the server configuration ConfigMap. See Section 4.1, “Enabling TLS encryption” for a use case.

Procedure

  1. Create a credentials store by specifying a credentials add command in the deploy.security.batch field.

    Add a password to a store

    deploy:
      security:
        batch: 'credentials add keystore -c password -p secret --path="credentials.pfx"'

  2. Then add the credentials store to the server configuration so that the server can read the stored password from it.

    Configure a credential store

    deploy:
      infinispan:
        server:
          security:
            credentialStores:
              - name: credentials
                path: credentials.pfx
                clearTextCredential:
                  clearText: "secret"

3.2.3. Adding multiple credentials with authentication secrets

Add multiple credentials to Data Grid clusters with authentication secrets.

Prerequisites

  • Have an oc client.

Procedure

  1. Create an identities-batch file that contains the commands to add your credentials.

    apiVersion: v1
    kind: Secret
    metadata:
      name: connect-secret
    type: Opaque
    stringData:
      # The "monitor" user authenticates with the Prometheus ServiceMonitor.
      username: monitor
      # The password for the "monitor" user.
      password: password
      # The key must be 'identities-batch'.
      # The content is "user create" commands for the Data Grid CLI.
      identities-batch: |-
        user create user1 -p changeme -g admin
        user create user2 -p changeme -g deployer
        user create monitor -p password --users-file metrics-users.properties --groups-file metrics-groups.properties
        credentials add keystore -c password -p secret --path="credentials.pfx"
  2. Create an authentication secret from your identities-batch file.

    $ oc apply -f identities-batch.yaml
  3. Specify the authentication secret in the deploy.security.secretName field.

    deploy:
      security:
        authentication: true
        secretName: 'connect-secret'
  4. Install or upgrade your Data Grid Helm release.
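The following script is an added example, not part of the Data Grid documentation or the Helm chart: it generates the identities-batch Secret from Section 3.2.3 for a list of users, validating each requested role against the roles table in Section 3.2.1 and reporting the permissions each user ends up with. The user names and passwords in SAMPLE_USERS are constructed.

```python
# Added example (not part of the Data Grid documentation or the Helm chart):
# build the identities-batch Secret from a list of (name, password, role)
# tuples, checking each requested role against the roles the chart documents.
import re

# Role -> permissions, copied from the roles table in this chapter.
ROLE_PERMISSIONS = {
    "admin": {"ALL"},
    "deployer": {"ALL_READ", "ALL_WRITE", "LISTEN", "EXEC", "MONITOR", "CREATE"},
    "application": {"ALL_READ", "ALL_WRITE", "LISTEN", "EXEC", "MONITOR"},
    "observer": {"ALL_READ", "MONITOR"},
    "monitor": {"MONITOR"},
}
# Conservative token syntax so a value cannot split or break a CLI command.
_TOKEN = re.compile(r"[A-Za-z0-9._@!#%^*+=:/-]+")


def user_create_line(name, password, role):
    """Return one 'user create' command for the identities-batch key."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r} for user {name!r}")
    for label, value in (("user name", name), ("password", password)):
        if not _TOKEN.fullmatch(value):
            raise ValueError(f"{label} for {name!r} contains whitespace or quotes")
    return f"user create {name} -p {password} -g {role}"


def render_secret(secret_name, users):
    """Render a Secret manifest whose stringData carries the batch commands."""
    names = [n for n, _, _ in users]
    if len(set(names)) != len(names):
        raise ValueError("duplicate user names in batch")
    body = "\n".join("    " + user_create_line(*u) for u in users)
    return (
        "apiVersion: v1\nkind: Secret\n"
        f"metadata:\n  name: {secret_name}\ntype: Opaque\n"
        "stringData:\n  identities-batch: |-\n" + body + "\n"
    )


def effective_permissions(users):
    """Map each user to the permission set granted by its role."""
    return {name: ROLE_PERMISSIONS[role] for name, _, role in users}


# Constructed sample input; the names and passwords are hypothetical.
SAMPLE_USERS = [
    ("user1", "changeme", "admin"),
    ("user2", "changeme", "deployer"),
    ("metrics", "m3tr1cs", "monitor"),
]

if __name__ == "__main__":
    print(render_secret("connect-secret", SAMPLE_USERS))
```

Pipe the printed manifest to `oc apply -f -` to create the secret, then reference it in deploy.security.secretName as in step 3.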

3.3. Disabling authentication

Allow users to access Data Grid clusters and manipulate data without providing credentials.

Important

Do not disable authentication if endpoints are accessible from outside the OpenShift cluster. You should disable authentication for development environments only.

Procedure

  1. Remove the propertiesRealm fields from the "default" security realm.
  2. Install or upgrade your Data Grid Helm release.

3.4. Disabling security authorization

Allow Data Grid users to perform any operation regardless of their role.

Procedure

  1. Set null as the value for the deploy.infinispan.cacheContainer.security field.

    Tip

    Use the --set deploy.infinispan.cacheContainer.security=null argument with the helm client.

  2. Install or upgrade your Data Grid Helm release.
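As an added example (not part of the Data Grid documentation or the Helm chart), the following check audits a parsed values file for the two switches described in Sections 3.3 and 3.4: a "default" security realm with no propertiesRealm, and a null deploy.infinispan.cacheContainer.security. It assumes the values tree was loaded with yaml.safe_load; the securityRealms key name under deploy.infinispan.server.security is an assumption, and the sample values are constructed.

```python
# Added example (not part of the Data Grid documentation or the Helm chart):
# audit a parsed Helm values tree for a "default" realm without
# propertiesRealm (authentication disabled) and a null
# cacheContainer.security (authorization disabled). The values dict is
# assumed to come from yaml.safe_load; the securityRealms key is assumed.

def lookup(tree, dotted):
    """Walk a dotted key path; return (found, value) without raising."""
    node = tree
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node


def default_realm(values):
    """Return the security realm named "default", or None if not defined."""
    found, realms = lookup(values, "deploy.infinispan.server.security.securityRealms")
    for realm in (realms if found and isinstance(realms, list) else []):
        if isinstance(realm, dict) and realm.get("name") == "default":
            return realm
    return None


def audit_access_controls(values):
    """Return finding strings, most severe first; empty means nothing flagged."""
    realm = default_realm(values)
    auth_off = realm is not None and "propertiesRealm" not in realm
    found, authz = lookup(values, "deploy.infinispan.cacheContainer.security")
    authz_off = found and authz is None
    findings = []
    if auth_off and authz_off:
        findings.append("CRITICAL: authentication and authorization are both disabled; "
                        "any client that reaches an endpoint gets unrestricted access")
    if auth_off:
        findings.append("HIGH: default realm has no propertiesRealm, so endpoints accept "
                        "clients without credentials; development environments only")
    if authz_off:
        findings.append("MEDIUM: deploy.infinispan.cacheContainer.security is null, so "
                        "authenticated users can perform any operation regardless of role")
    return findings


# Constructed sample values (hypothetical); propertiesRealm contents omitted.
DEV_VALUES = {"deploy": {"infinispan": {
    "server": {"security": {"securityRealms": [{"name": "default"}]}},
    "cacheContainer": {"security": None}}}}
PROD_VALUES = {"deploy": {"infinispan": {"server": {"security": {
    "securityRealms": [{"name": "default", "propertiesRealm": {}}]}}}}}
```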