Home
Products
Red Hat Data Grid
8.4
Data Grid Operator Guide
Chapter 11. Configuring user roles and permissions

Chapter 11. Configuring user roles and permissions

Secure access to Data Grid services by configuring role-based access control (RBAC) for users. This requires you to assign roles to users so that they have permission to access caches and Data Grid resources.

11.1. Enabling security authorization
Copy link

By default authorization is disabled to ensure backwards compatibility with Infinispan CR instances. Complete the following procedure to enable authorization and use role-based access control (RBAC) for Data Grid users.

Procedure

Set true as the value for the spec.security.authorization.enabled field in your Infinispan CR.
```
spec:
  security:
    authorization:
      enabled: true
```
```
spec:
  security:
    authorization:
      enabled: true
```
Copy to Clipboard Toggle word wrap
Apply the changes.

11.2. User roles and permissions
Copy link

Data Grid Operator provides a set of default roles that are associated with different permissions.

Expand

Table 11.1. Default roles and permissions
Role	Permissions	Description
`admin`	ALL	Superuser with all permissions including control of the Cache Manager lifecycle.
`deployer`	ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR, CREATE	Can create and delete Data Grid resources in addition to `application` permissions.
`application`	ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR	Has read and write access to Data Grid resources in addition to `observer` permissions. Can also listen to events and execute server tasks and scripts.
`observer`	ALL_READ, MONITOR	Has read access to Data Grid resources in addition to `monitor` permissions.
`monitor`	MONITOR	Can view statistics for Data Grid clusters.

Data Grid Operator credentials

Data Grid Operator generates credentials that it uses to authenticate with Data Grid clusters to perform internal operations. By default Data Grid Operator credentials are automatically assigned the admin role when you enable security authorization.

11.3. Assigning roles and permissions to users
Copy link

Assign users with roles that control whether users are authorized to access Data Grid cluster resources. Roles can have different permission levels, from read-only to unrestricted access.

Note

Users gain authorization implicitly. For example, "admin" gets admin permissions automatically. A user named "deployer" has the deployer role automatically, and so on.

Procedure

Create an identities.yaml file that assigns roles to users.

credentials:
  - username: admin
    password: changeme
  - username: my-user-1
    password: changeme
    roles:
      - admin
  - username: my-user-2
    password: changeme
    roles:
      - monitor

credentials:
  - username: admin
    password: changeme
  - username: my-user-1
    password: changeme
    roles:
      - admin
  - username: my-user-2
    password: changeme
    roles:
      - monitor

Copy to Clipboard

Toggle word wrap

Create an authentication secret from identities.yaml.

If necessary, delete the existing secret first.

oc delete secret connect-secret --ignore-not-found
oc create secret generic --from-file=identities.yaml connect-secret

oc delete secret connect-secret --ignore-not-found
oc create secret generic --from-file=identities.yaml connect-secret

Copy to Clipboard

Toggle word wrap

Specify the authentication secret with spec.security.endpointSecretName in your Infinispan CR and then apply the changes.
```
spec:
  security:
    endpointSecretName: connect-secret
```
```
spec:
  security:
    endpointSecretName: connect-secret
```
Copy to Clipboard Toggle word wrap

11.4. Adding custom roles and permissions
Copy link

You can define custom roles with different combinations of permissions.

Procedure

Open your Infinispan CR for editing.

Specify custom roles and their associated permissions with the spec.security.authorization.roles field.

spec:
  security:
    authorization:
      enabled: true
      roles:
        - name: my-role-1
          permissions:
            - ALL
        - name: my-role-2
          permissions:
            - READ
            - WRITE

spec:
  security:
    authorization:
      enabled: true
      roles:
        - name: my-role-1
          permissions:
            - ALL
        - name: my-role-2
          permissions:
            - READ
            - WRITE

Copy to Clipboard

Toggle word wrap

Apply the changes.

Chapter 11. Configuring user roles and permissions

11.1. Enabling security authorization
Copy link

11.2. User roles and permissions
Copy link

Data Grid Operator credentials

11.3. Assigning roles and permissions to users
Copy link

11.4. Adding custom roles and permissions
Copy link

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

Chapter 11. Configuring user roles and permissions

11.1. Enabling security authorizationCopy linkLink copied to clipboard!

11.2. User roles and permissionsCopy linkLink copied to clipboard!

Data Grid Operator credentials

11.3. Assigning roles and permissions to usersCopy linkLink copied to clipboard!

11.4. Adding custom roles and permissionsCopy linkLink copied to clipboard!

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

11.1. Enabling security authorization
Copy link

11.2. User roles and permissions
Copy link

11.3. Assigning roles and permissions to users
Copy link

11.4. Adding custom roles and permissions
Copy link