Authentication and Authorization

GridGain 9 provides advanced Authentication and Authorization capabilities. With it, you can fine-tune the permissions on a per-user basis.

Authentication Configuration

Basic Authentication

To start using basic authentication on the cluster, you need to enable it and create an initial administrator user. By default, the role that grants administrator permissions is called admin, but you can change it in cluster configuration. Here is an example of configuration that initializes the cluster and enables security on it:

cluster init --name=sampleCluster --metastorage-group=defaultNode  --config-files=license.conf --config=ignite{security{enabled:true,authentication.providers:[{name:default,type:basic,users:[{username:ignite,displayName:administrator,password:ignite,roles:["system"]}]}]}}

When cluster has been initialized, it has basic authorization configured for ignite user name and ignite password with system level access. However, by default security is disabled. To enable it:

cluster config update ignite.security.enabled=true

After authorization is enabled, you will be disconnected from the cluster and must reconnect to the cluster:

connect http://127.0.0.1:10300 --username ignite --password ignite

You can change the password for the default user by updating cluster configuration, for example:

cluster config update  ignite.security.authentication.providers.default.users.ignite.password=myPass

LDAP Authentication

To start using LDAP authentication on the cluster, you need to enable LDAP security provider on the cluster. Below is the configuration in the JSON format.

{
    "ignite" : {
        "ldap: : {
            "url" : "ldap://server:port",
            "userSearch" : {
                "dn" : "*******",
                "scope" : <SUB_TREE|ONE_LEVEL|BASE>,
                "filter" : "",
                "groupAttribute" : "memberof"
            },
            "groupSearch" : {
                "dn" : "*****",
                "scope" : "<SUB_TREE|ONE_LEVEL|BASE>",
                "filter" : "",
                "userAttribute" : ""
            },
            "roleMapping" : {
                "*Ldap group*" : [list of GG roles]
            }
        }
    }
}

Parameter Description

Parameter	Description
`url`	The URL of the LDAP server.
`userSearch`	Configuration of user-specific LDAP authentication. If configured, GridGain will search for specified users and then match them to required group attributes.
`userSearch.dn`	The DN of the container to search for users.
`userSearch.scope`	The scope of the search. Possible values: `SUB_TREE`, `ONE_LEVEL`, `BASE`.
`userSearch.filter`	A filter used when searching for the username. Default value: (uid={0}), with the username provided when searching.
`userSearch.groupAttribute`	An attribute checked for group membership. Ignored if `groupSearch` is specified.
`groupSearch`	If specified, users are searched only in the matching groups.
`groupSearch.dn`	The DN of the container to search.
`groupSearch.scope`	The scope of the search. Possible values: `SUB_TREE`, `ONE_LEVEL`, `BASE`. If `ONE_LEVEL` is specified, only searches objects directly contained within the dn. If `SUB_TREE` is specified, searches all objects contained under the dn. If `BASE` is specified, the specified group is searched. Default value: `SUB_TREE`.
`groupSearch.filter`	A filter used when searching for the username. If empty, all `group`, `groupOfNames`, `groupOfUniqueNames`, or `posixGroup` are searched. If `{0}` is specified, it is replaced by user attribute defined in group_search.userAttribute. Empty by default.
`groupSearch.userAttribute`	The user attribute provided as the parameter to the filter. Empty by default.
`roleMapping`	Mapping of LDAP groups to GridGain roles. If not specified, the groups are mapped to roles with matching names.

url

The URL of the LDAP server.

userSearch

Configuration of user-specific LDAP authentication. If configured, GridGain will search for specified users and then match them to required group attributes.

userSearch.dn

The DN of the container to search for users.

userSearch.scope

The scope of the search. Possible values: SUB_TREE, ONE_LEVEL, BASE.

userSearch.filter

A filter used when searching for the username. Default value: (uid={0}), with the username provided when searching.

userSearch.groupAttribute

An attribute checked for group membership. Ignored if groupSearch is specified.

groupSearch

If specified, users are searched only in the matching groups.

groupSearch.dn

The DN of the container to search.

groupSearch.scope

The scope of the search. Possible values: SUB_TREE, ONE_LEVEL, BASE. If ONE_LEVEL is specified, only searches objects directly contained within the dn. If SUB_TREE is specified, searches all objects contained under the dn. If BASE is specified, the specified group is searched. Default value: SUB_TREE.

groupSearch.filter

A filter used when searching for the username. If empty, all group, groupOfNames, groupOfUniqueNames, or posixGroup are searched. If {0} is specified, it is replaced by user attribute defined in group_search.userAttribute. Empty by default.

groupSearch.userAttribute

The user attribute provided as the parameter to the filter. Empty by default.

roleMapping

Mapping of LDAP groups to GridGain roles. If not specified, the groups are mapped to roles with matching names.

You can provide LDAP configuration in a similar way you provide basic authentication configuration.

User Authorization

In GridGain 9, users and their roles are configured by using CLI or SQL. You can see the full list of CLI commands in the GridGain CLI Tool section, and SQL commands in DDL reference. In most cases, the workflow would involve creating a role, assigning it some privileges and then assigning them to a user. Here is an example of this:

Create a new user:

user create --password=myPassword myUser

Create a new role on the cluster:
```
role create sampleRole
```
Grant a new privilege to the role. In this case, we will allow users with this role to create tables, but you can see the full list of role in the User Permissions and Roles section.
```
role privilege grant --action=CREATE_TABLE --on=PUBLIC.Person --to=sampleRole
```
Now the role has the required permission, you can assign it to the user:
```
user role assign --role=sampleRole --to=myUser
```

Now, the myUser user will have the permissions to use the CREATE TABLE sql statement.

connect http://127.0.0.1:10300 --username myUser --password myPassword
sql "CREATE TABLE IF NOT EXISTS PUBLIC.Person (id int primary key,  city varchar,  name varchar,  age int,  company varchar)"

© 2024 GridGain Systems, Inc. All Rights Reserved. Privacy Policy | Legal Notices. GridGain® is a registered trademark of GridGain Systems, Inc.
Apache, Apache Ignite, the Apache feather and the Apache Ignite logo are either registered trademarks or trademarks of The Apache Software Foundation.

Last updated on Nov 21, 2024