Search

Chapter 3. Configuring authentication and authorization

download PDF

Control access to Data Grid clusters by adding credentials and assigning roles with different permissions.

3.1. Default credentials

Data Grid adds default credentials in a <helm_release_name>-generated-secret secret.

UsernameDescription

developer

User that has the admin role with full access to Data Grid resources.

monitor

Internal user that has the monitor role with access to Data Grid metrics through port 11223.

Additional resources

3.1.1. Retrieving credentials

Get Data Grid credentials from authentication secrets.

Prerequisites

  • Install the Data Grid Helm chart.
  • Have an oc client.

Procedure

  • Retrieve default credentials from the <helm_release_name>-generated-secret or custom credentials from another secret with the following command:

    $ oc get secret <helm_release_name>-generated-secret \
    -o jsonpath="{.data.identities-batch}" | base64 --decode

3.2. Adding custom user credentials

Create Data Grid user credentials and assign roles that grant security authorization for cluster access.

Procedure

  1. Create credentials by specifying a user create command in the deploy.security.batch field.

    User with implicit authorization

    deploy:
      security:
        batch: 'user create admin -p changeme'

    User with a specific role

    deploy:
      security:
        batch: 'user create personone -p changeme -g deployer'

  2. Install or upgrade your Data Grid Helm release.

3.2.1. User roles and permissions

Data Grid uses role-based access control to authorize users for access to cluster resources and data. For additional security, you should grant Data Grid users with appropriate roles when you add credentials.

RolePermissionsDescription

admin

ALL

Superuser with all permissions including control of the Cache Manager lifecycle.

deployer

ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR, CREATE

Can create and delete Data Grid resources in addition to application permissions.

application

ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR

Has read and write access to Data Grid resources in addition to observer permissions. Can also listen to events and execute server tasks and scripts.

observer

ALL_READ, MONITOR

Has read access to Data Grid resources in addition to monitor permissions.

monitor

MONITOR

Can view statistics for Data Grid clusters.

Additional resources

3.2.2. Adding multiple credentials with authentication secrets

Add multiple credentials to Data Grid clusters with authentication secrets.

Prerequisites

  • Have an oc client.

Procedure

  1. Create an identities-batch file that contains the commands to add your credentials.

    apiVersion: v1
    kind: Secret
    metadata:
      name: connect-secret
    type: Opaque
    stringData:
      # The "monitor" user authenticates with the Prometheus ServiceMonitor.
      username: monitor
      # The password for the "monitor" user.
      password: password
      # The key must be 'identities-batch'.
      # The content is "user create" commands for the Data Grid CLI.
      identities-batch: |-
        user create user1 -p changeme -g admin
        user create user2 -p changeme -g deployer
        user create monitor -p password --users-file metrics-users.properties --groups-file metrics-groups.properties
  2. Create an authentication secret from your identities-batch file.

    $ oc apply -f identities-batch.yaml
  3. Specify the authentication secret in the deploy.security.SecretName field.

    deploy:
      security:
        authentication: true
        secretName: 'connect-secret'
  4. Install or upgrade your Data Grid Helm release.

3.3. Disabling authentication

Allow users to access Data Grid clusters and manipulate data without providing credentials.

Important

Do not disable authentication if endpoints are accessible from outside the OpenShift cluster. You should disable authentication for development environments only.

Procedure

  1. Remove the propertiesRealm fields from the "default" security realm.
  2. Install or upgrade your Data Grid Helm release.

3.4. Disabling security authorization

Allow Data Grid users to perform any operation regardless of their role.

Procedure

  1. Set null as the value for the deploy.infinispan.cacheContainer.security field.

    Tip

    Use the --set deploy.infinispan.cacheContainer.security=null argument with the helm client.

  2. Install or upgrade your Data Grid Helm release.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.