Friday, 11 April 2014

Infinispan Security #1: Authorization

Dear all, with the release of 7.0.0.Alpha3, Infinispan has finally gained the ability to perform Access Control (aka Authorization) on CacheManagers and Caches. This is the first stepping-stone towards the full-fledged security work that will be completed during the 7.0 cycle.

Infinispan authorization is built around the standard security features available in a JDK near you, such as JAAS and the SecurityManager. Here's a worked example.

Running within a SecurityManager

In order for Infinispan to be able to enforce access restrictions, you should enable the SecurityManager in your JVM. This can be done from the command-line:

java ...

or programmatically:

System.setSecurityManager(new SecurityManager());

You don't have to use the default implementation that comes with the JDK, but if you do you need to supply an appropriate policy file. The Infinispan distribution comes with an example policy file which illustrates the permissions required by some of Infinispan's JAR files. Integrate these permissions with the ones required by your application.

While Infinispan's authorization can work without a SecurityManager for the basic cache operations (put, get, etc), some more complex tasks (distexec, map/reduce, query) will fail without one.

Configuring Infinispan for authorization

Authorization in Infinispan is configured at two levels: at the cache container and at the single cache.
Let's look at cache containers (aka CacheManagers) first:
Each cache container determines the following:
  • whether to use authorization, via the enabled attribute. 
  • a class which will map the user's principals to a set of roles
  • a set of named roles and the permissions they represent
We then need to define the specific roles for each cache:

As you can see you can choose to use only a subset of the roles defined at the container level.

Before you can start using a secured cache, you need to get yourself a

Obtaining a Subject

Infinispan is not fussy about how you obtain a JAAS Subject: you may use your container's features, or a third-party library (such as JBoss PicketBox or Apache Shiro). The important thing is that your Subject should be populated with a set of Principals which represent the user and the groups it belongs to in your security domain (e.g. LDAP, Active Directory, etc).
It is then the duty of the mapper to look through the principals associated with the Subject and convert them into roles suitable for matching those you have defined at the container level.
Once you have a Subject, you interact with the Cache within the context of a PrivilegedAction as follows:

Obviously if you're lucky enough to use Java 8, you can use the following, more concise, lambda-enabled code:

For more details consult the Security chapter in the Infinispan documentation and the JavaDocs.

Stay tuned for the next parts in the Infinispan security saga !

No comments:

Post a Comment