Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 3. Configuring authentication and authorization

Control access to Data Grid clusters by adding credentials and assigning roles with different permissions.

3.1. Default credentials
Copiar o link

Data Grid adds default credentials in a <helm_release_name>-generated-secret secret.

Expand
UsernameDescription

developer

User that has the admin role with full access to Data Grid resources.

monitor

Internal user that has the monitor role with access to Data Grid metrics through port 11223.

3.1.1. Retrieving credentials
Copiar o link

Get Data Grid credentials from authentication secrets.

Prerequisites

  • Install the Data Grid Helm chart.
  • Have an oc client.

Procedure

  • Retrieve default credentials from the <helm_release_name>-generated-secret or custom credentials from another secret with the following command: 

    $ oc get secret <helm_release_name>-generated-secret \
-o jsonpath="{.data.identities-batch}" | base64 --decode
    Copy to Clipboard Toggle word wrap

3.2. Adding custom user credentials or credentials store
Copiar o link

Create Data Grid user credentials and assign roles that grant security authorization for cluster access.

Procedure

  • Create credentials by specifying the user create command in the deploy.security.batch field.

    User with implicit authorization

    deploy:
  security:
    batch: 'user create admin -p changeme'
    Copy to Clipboard Toggle word wrap

    User with a specific role

    deploy:
  security:
    batch: 'user create personone -p changeme -g deployer'
    Copy to Clipboard Toggle word wrap

3.2.1. User roles and permissions
Copiar o link

Data Grid uses role-based access control to authorize users for access to cluster resources and data. For additional security, you should grant Data Grid users with appropriate roles when you add credentials.

Expand
RolePermissionsDescription

admin

ALL

Superuser with all permissions including control of the Cache Manager lifecycle.

deployer

ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR, CREATE

Can create and delete Data Grid resources in addition to application permissions.

application

ALL_READ, ALL_WRITE, LISTEN, EXEC, MONITOR

Has read and write access to Data Grid resources in addition to observer permissions. Can also listen to events and execute server tasks and scripts.

observer

ALL_READ, MONITOR

Has read access to Data Grid resources in addition to monitor permissions.

monitor

MONITOR

Can view statistics for Data Grid clusters.

3.2.2. Adding credentials store
Copiar o link

Create Data Grid credentials store to avoid exposing passwords in clear text in the server configuration ConfigMap. See Section 4.1, “Enabling TLS encryption” for a use case.

Procedure

  1. Create credentials store by specifying a credentials add command in the deploy.security.batch field.

    Add a password to a store

    deploy:
  security:
    batch: 'credentials add keystore -c password -p secret --path="credentials.pfx"'
    Copy to Clipboard Toggle word wrap

  2. Credentials store needs then to be added to the server configuration.

    Configure a credential store

    deploy:
  infinispan:
    server:
      security:
        credentialStores:
          - name: credentials
            path: credentials.pfx
            clearTextCredential:
              clearText: "secret"
    Copy to Clipboard Toggle word wrap

3.2.3. Adding multiple credentials with authentication secrets
Copiar o link

Add multiple credentials to Data Grid clusters with authentication secrets.

Prerequisites

  • Have an oc client.

Procedure

  1. Create an identities-batch file that contains the commands to add your credentials. 

    apiVersion: v1
kind: Secret
metadata:
  name: connect-secret
type: Opaque
stringData:
  # The "monitor" user authenticates with the Prometheus ServiceMonitor.
  username: monitor
  # The password for the "monitor" user.
  password: password
  # The key must be 'identities-batch'.
  # The content is "user create" commands for the Data Grid CLI.
  identities-batch: |-
    user create user1 -p changeme -g admin
    user create user2 -p changeme -g deployer
    user create monitor -p password --users-file metrics-users.properties --groups-file metrics-groups.properties
    credentials add keystore -c password -p secret --path="credentials.pfx"
    Copy to Clipboard Toggle word wrap

  2. Create an authentication secret from your identities-batch file. 

    $ oc apply -f identities-batch.yaml
    Copy to Clipboard Toggle word wrap

  3. Specify the authentication secret in the deploy.security.SecretName field. 

    deploy:
  security:
    authentication: true
    secretName: 'connect-secret'
    Copy to Clipboard Toggle word wrap
  4. Install or upgrade your Data Grid Helm release.

3.3. Disabling authentication
Copiar o link

Allow users to access Data Grid clusters and manipulate data without providing credentials.

Important

Do not disable authentication if endpoints are accessible from outside the OpenShift cluster. You should disable authentication for development environments only.

Procedure

  1. Remove the propertiesRealm fields from the "default" security realm.
  2. Install or upgrade your Data Grid Helm release.

3.4. Disabling security authorization
Copiar o link

Allow Data Grid users to perform any operation regardless of their role.

Procedure

  1. Set null as the value for the deploy.infinispan.cacheContainer.security field.

    Tip

    Use the --set deploy.infinispan.cacheContainer.security=null argument with the helm client.

  2. Install or upgrade your Data Grid Helm release.
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat