Pivotal Knowledge Base

Follow

Configuration and Example Code for Java Client Authorization

Environment 

 Product  Version
 Pivotal GemFire  7.0.2.x, 8.x

Purpose

The Client Authorization feature is useful to authorize client operations regarding access control, such as preventing query execution from some specific clients. Basically, you need to write some custom logic to authorize your clients, with some additional configuration required as well. The purpose of this article is to enhance any documentation in this area, to help you understand how to write your custom logic, and alter the configuration. The article provides example Java code and configuration to help you incorporate the use of the Client Authorization feature to provide the functionality you may need. 

If you want to prevent query executions from the specific user using our Client Authorization feature via Java clients, this procedure should be followed.

Procedure

Follow the steps to implement your custom authorization:

  1. Configure authentication at server side
    To trigger your custom authorization code, you need to configure authentication as a prerequisite even if you don't need authentication in general. 

    You can use a DummyAuthenticator class, using source code available in the following GemFire installation directory, instead of writing your own code:
    /path/to/PivotalGemFire_82_b*********/templates/security
    As you can see, the DummyAuthenticator class just authenticates the following user only (password is the as same as each user ID).
    user, reader, writer, admin, root, administrator
    Please suppose that you want to deny queries from clients with a user ID of "user."

    Also, you can find the compiled class file for DummyAuthenticator class in the following jar file:
    /path/to/PivotalGemFire_82_b*********/lib/gfSecurityImpl.jar
    You can use the DummyAuthenticator class by simply adding the path for this jar file to CLASSPATH when starting your cache servers.

    At this point in the procedure, you should add the following entry to gemfire.properties, or through an API to start servers:
    security-client-authenticator=templates.security.DummyAuthenticator.create
  2. Configure GemFire client authorization at server side
    You need to implement an authorizer class based on Java. In this article, please assume that you write your logic to deny query activities from the specific user via Java clients.

    Please refer to the attached source code in DisableQueryAuthorization.java. You can use this test authorizer class, as it denies query activities from a user with user ID "user."

    You have to compile the authorizer class and add the class file to CLASSPATH when starting servers.

    You should also add the following entry to gemfire.properties or through the API:
    security-client-accessor=io.pivotal.akitada.DisableQueryAuthorization.create
  3. Confirm security configuration at server side
    Next, set the following entries using gemfire.properties or through the API. For the purpose of tracking authorization activity, you may set security-log and security-log-level setting additionally, as desired.
    security-client-authenticator=templates.security.DummyAuthenticator.create 
    security-client-accessor=io.pivotal.akitada.DisableQueryAuthorization.create
    security-log-file=security.log
    security-log-level=config
  4. Start your cluster with authorization
    Start locators (if you have them). Then, start your servers using the above security settings.

  5. Configure your Java client security setting
    You need to implement a principal class based on Java. In this case, it's used for the purpose of passing a user name and password required for user authentication from the client to the server. Even if you don't intend to use the user ID for query authorization, this principle class setting is required regardless.

    You will also need to implement your initializer class for authentication based on Java.

    You can use the UsernamePrincipal class for the principle and UserPasswordAuthInit class for the initializer class. The source code can be found in the following GemFire installation directory:
    /path/to/PivotalGemFire_82_b*********/templates/security
    As mentioned in the above step, you can find the compiled class files for UsernamePrincipal and UserPasswordAuthInit classes in the following jar file:
    /path/to/PivotalGemFire_82_b*********/lib/gfSecurityImpl.jar
    You can use UsernamePrincipal and UserPasswordAuthInit classes just by adding the path for this jar file to CLASSPATH when starting your client.

    Additionally, you need to set the following entries in gemfire.properties or through API at the client side to refer to the initializer class method (and specify user name and password in this specific case via specific entries security-username and security-password, specified at UserPasswordAuthInit class).
    security-client-auth-init=templates.security.UserPasswordAuthInit.create
    security-username=user
    security-password=user
  6. Start your test query client and check the behavior
    You can see NotAuthorizedException if trying to execute queries from your client with "user" user ID in this example. Now, you confirm Java client authorization works.

    You will see log messages in the security.log file on the server side which shows that query execution has been denied from the user with user ID  "user."

Additional Information

Starting with GemFire 9.0, the security framework has been changed, and this example for authentication and authorization cannot be directly applied to GemFire 9.0 or later. As of GemFire 9.0.4, this approach continues to work, though you will need to modify the package name from "com.gemstone.gemfire.*" to "org.apache.geode.*" in your authentication and authorization module. However, the this older security framework has been deprecated and this older security framework will be removed in some future version. Please refer to documents for authentication and authorization for GemFire 9.0.

Disable Query Authorization:

Comments

Powered by Zendesk