Chapter 3. Configuring authentication and authorization
Control access to Data Grid clusters by adding credentials and assigning roles with different permissions.
3.1. Default credentials
Data Grid adds default credentials in a <helm_release_name>-generated-secret secret.
Username | Description |
---|---|
| User that has the |
| Internal user that has the |
3.1.1. Retrieving credentials
Get Data Grid credentials from authentication secrets.
Prerequisites
- Install the Data Grid Helm chart.
- Have an oc client.
Procedure
- Retrieve default credentials from the <helm_release_name>-generated-secret or custom credentials from another secret with the following command:

    $ oc get secret <helm_release_name>-generated-secret \
      -o jsonpath="{.data.identities-batch}" | base64 --decode
3.2. Adding custom user credentials
Create Data Grid user credentials and assign roles that grant security authorization for cluster access.
Procedure
- Create credentials by specifying a user create command in the deploy.security.batch field.

  User with implicit authorization:

    deploy:
      security:
        batch: 'user create admin -p changeme'

  User with a specific role:

    deploy:
      security:
        batch: 'user create personone -p changeme -g deployer'

- Install or upgrade your Data Grid Helm release.
3.2.1. User roles and permissions
Data Grid uses role-based access control to authorize users for access to cluster resources and data. For additional security, assign each Data Grid user an appropriate role when you add credentials, so that no user holds more permissions than its tasks require.
Role | Permissions | Description |
---|---|---|
| ALL | Superuser with all permissions including control of the Cache Manager lifecycle. |
| ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR, CREATE | Can create and delete Data Grid resources in addition to |
| ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR | Has read and write access to Data Grid resources in addition to |
| ALL_READ, MONITOR | Has read access to Data Grid resources in addition to |
| MONITOR | Can view statistics for Data Grid clusters. |
3.2.2. Adding multiple credentials with authentication secrets
Add multiple credentials to Data Grid clusters with authentication secrets.
Prerequisites
- Have an oc client.
Procedure
- Create an identities-batch file that contains the commands to add your credentials.

    apiVersion: v1
    kind: Secret
    metadata:
      name: connect-secret
    type: Opaque
    stringData:
      # The "monitor" user authenticates with the Prometheus ServiceMonitor.
      username: monitor
      # The password for the "monitor" user.
      password: password
      # The key must be 'identities-batch'.
      # The content is "user create" commands for the Data Grid CLI.
      identities-batch: |-
        user create user1 -p changeme -g admin
        user create user2 -p changeme -g deployer
        user create monitor -p password --users-file metrics-users.properties --groups-file metrics-groups.properties

- Create an authentication secret from your identities-batch file.

    $ oc apply -f identities-batch.yaml

- Specify the authentication secret in the deploy.security.secretName field.

    deploy:
      security:
        authentication: true
        secretName: 'connect-secret'

- Install or upgrade your Data Grid Helm release.
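The identities-batch content retrieved in Section 3.1.1 and stored in the secret above is a list of Data Grid CLI "user create" commands. As an added example (not part of the Data Grid Helm chart or its documentation), the following Python script parses such a batch and reports which user holds which role without retaining any password, which is useful for checking that only the intended users carry the admin role. The batch below is constructed for the demonstration; the option names are the ones shown on this page.

```python
import shlex

# Constructed sample in the same shape as the identities-batch above.
# The passwords are placeholders and are discarded by the parser.
SAMPLE_BATCH = """\
user create user1 -p changeme -g admin
user create user2 -p changeme -g deployer
user create monitor -p password --users-file metrics-users.properties --groups-file metrics-groups.properties
user create svc-cache -p changeme
"""

# `user create` options that take a value. The password is consumed and
# dropped so that it never appears in the parsed result.
VALUE_OPTIONS = {"-p", "-g", "--users-file", "--groups-file"}


def parse_identities_batch(batch):
    """Return {username: sorted list of groups} for every `user create` line."""
    users = {}
    for raw in batch.splitlines():
        tokens = shlex.split(raw)  # honours quoted usernames and passwords
        if len(tokens) < 3 or tokens[:2] != ["user", "create"]:
            continue
        name, groups = tokens[2], []
        i = 3
        while i < len(tokens):
            opt = tokens[i]
            if opt in VALUE_OPTIONS:
                if i + 1 >= len(tokens):
                    raise ValueError(f"{name}: option {opt} is missing its value")
                if opt == "-g":
                    groups.extend(g for g in tokens[i + 1].split(",") if g)
                i += 2  # skip the option value (the password goes nowhere)
            else:
                i += 1
        users[name] = sorted(set(groups))
    return users


def review(users):
    """Flag entries worth a second look: the admin role, or no -g role at all."""
    findings = []
    for name, groups in users.items():
        if "admin" in groups:
            findings.append((name, "has the admin role (ALL permissions)"))
        if not groups:
            findings.append((name, "no -g role on this line (implicit authorization)"))
    return findings


if __name__ == "__main__":
    for name, note in review(parse_identities_batch(SAMPLE_BATCH)):
        print(f"{name}: {note}")
```

In practice, pipe the decoded identities-batch value from the oc command in Section 3.1.1 into parse_identities_batch instead of the constructed sample.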
3.3. Disabling authentication
Allow users to access Data Grid clusters and manipulate data without providing credentials.
Do not disable authentication if endpoints are accessible from outside the OpenShift cluster. You should disable authentication for development environments only.
Procedure
- Remove the propertiesRealm fields from the "default" security realm.
- Install or upgrade your Data Grid Helm release.
3.4. Disabling security authorization
Allow Data Grid users to perform any operation regardless of their role.
Procedure
- Set null as the value for the deploy.infinispan.cacheContainer.security field.

  Tip: Use the --set deploy.infinispan.cacheContainer.security=null argument with the helm client.

- Install or upgrade your Data Grid Helm release.