geode git commit: GEODE-2924 Revise authorization permissions

kmiller Fri, 28 Jul 2017 09:36:55 -0700

Repository: geode
Updated Branches:
  refs/heads/develop acf0668fd -> 0b4a1a239



GEODE-2924 Revise authorization permissions

For finer-grained security, identify new targets for CLUSTER
operations (DISK, GATEWAY, QUERY, JAR, LUCENE). And, revise 4
operations listed in this ticket.

    This closes #660


Project: http://git-wip-us.apache.org/repos/asf/geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/geode/commit/0b4a1a23
Tree: http://git-wip-us.apache.org/repos/asf/geode/tree/0b4a1a23
Diff: http://git-wip-us.apache.org/repos/asf/geode/diff/0b4a1a23

Branch: refs/heads/develop
Commit: 0b4a1a23900d93125e9b9286aa91d170a89f3353
Parents: acf0668
Author: Karen Miller <kmil...@pivotal.io>
Authored: Thu Jul 27 10:28:33 2017 -0700
Committer: Karen Miller <kmil...@pivotal.io>
Committed: Fri Jul 28 09:35:17 2017 -0700

----------------------------------------------------------------------
 .../implementing_authorization.html.md.erb      | 21 +++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/geode/blob/0b4a1a23/geode-docs/managing/security/implementing_authorization.html.md.erb
----------------------------------------------------------------------
diff --git 
a/geode-docs/managing/security/implementing_authorization.html.md.erb 
b/geode-docs/managing/security/implementing_authorization.html.md.erb
index d16280e..9fb55d3 100644
--- a/geode-docs/managing/security/implementing_authorization.html.md.erb
+++ b/geode-docs/managing/security/implementing_authorization.html.md.erb
@@ -56,13 +56,24 @@ which classifies whether the operation as
 The operations are not hierarchical;
 `MANAGE` does not imply `WRITE`, and `WRITE` does not imply `READ`.
 
-Some operations further specify a region name in the permission.
+Some `DATA` operations further specify a region name in the permission.
 This permits restricting operations on that region to only those
 authorized principals.
 And within a region, some operations may specify a key.
 This permits restricting operations on that key within that region to 
 only those authorized principals.
 
+Some `CLUSTER` operations further specify a finer-grained
+target for the operation.
+Specify the target with a string value of:
+
+- `DISK` to target operations that write to a disk store
+- `GATEWAY` to target operations that manage gateway senders and receivers
+- `QUERY` to target operations that manage both indexes and continuous
+ queries
+- `JAR` to target operations that deploy code to servers
+- `LUCENE` to target Lucene index operations
+
 This table classifies the permissions assigned for operations common to
 a Client-Server interaction.
 
@@ -110,7 +121,7 @@ This table classifies the permissions assigned for `gfsh` 
operations.
 | close durable-cq                       | DATA:MANAGE                      |
 | compact disk-store                     | DATA:MANAGE                      |
 | compact offline-disk-store             | DATA:MANAGE                      |
-| configure pdx                          | DATA:MANAGE                      |
+| configure pdx                          | CLUSTER:MANAGE                   |
 | create async-event-queue               | DATA:MANAGE                      |
 | create defined indexes                 | DATA:MANAGE                      |
 | create disk-store                      | DATA:MANAGE                      |
@@ -146,7 +157,7 @@ This table classifies the permissions assigned for `gfsh` 
operations.
 | gc                                     | CLUSTER:MANAGE                   |
 | get &#8209;key=key1 &#8209;region=region1        | DATA:READ:RegionName:Key  
       |
 | import data                            | DATA:WRITE:RegionName            |
-| import cluster-configuration           | DATA:MANAGE                      |
+| import cluster-configuration           | CLUSTER:MANAGE                   |
 | list async-event-queues                | CLUSTER:READ                     |
 | list clients                           | CLUSTER:READ                     |
 | list deployed                          | CLUSTER:READ                     |
@@ -157,7 +168,7 @@ This table classifies the permissions assigned for `gfsh` 
operations.
 | list indexes                           | CLUSTER:READ                     |
 | list lucene indexes                    | CLUSTER:READ                     |
 | list members                           | CLUSTER:READ                     |
-| list regions                           | DATA:READ                        |
+| list regions                           | CLUSTER:READ                     |
 | load-balance gateway-sender            | DATA:MANAGE                      |
 | locate entry                           | DATA:READ:RegionName:Key         |
 | netstat                                | CLUSTER:READ                     |
@@ -247,7 +258,7 @@ This table classifies the permissions assigned for JMX 
operations.
 | GatewaySenderMXBean.resume                     | DATA:MANAGE               |
 | GatewaySenderMXBean.start                      | DATA:MANAGE               |
 | GatewaySenderMXBean.stop                       | DATA:MANAGE               |
-| LockServiceMXBean.becomeLockGrantor            | DATA:MANAGE               |
+| LockServiceMXBean.becomeLockGrantor            | CLUSTER:MANAGE            |
 | MemberMXBean.compactAllDiskStores              | DATA:MANAGE               |
 
 ## Implement Authorization

geode git commit: GEODE-2924 Revise authorization permissions

Reply via email to