Now that you have configured authentication for clients, you can further configure authorization to give different users varying permissions. For example, an "operator" user might only be able to view data, while a "manager" user can perform all operations. After authenticating a client, as in the previous module in this tutorial, you can grant security privileges through eXtreme Scale authorization mechanisms.
The previous module of this tutorial demonstrated how to enable authentication for a data grid using integration with WebSphere® Application Server. As a result, no unauthenticated client can connect to the eXtreme Scale servers or submit requests to your system. However, every authenticated client has the same permissions or privileges on the server, such as reading, writing, or deleting data that is stored in the ObjectGrid maps. Clients can also issue any type of query.
This part of the tutorial demonstrates how to use eXtreme Scale authorization to give authenticated users varying privileges. WebSphere eXtreme Scale uses a permission-based authorization mechanism. You can assign different permission categories that are represented by different permission classes. This module features the MapPermission class. For a list of all possible permissions, see Client authorization programming.
In WebSphere eXtreme Scale, the com.ibm.websphere.objectgrid.security.MapPermission class represents permissions to the eXtreme Scale resources, specifically the methods of the ObjectMap or JavaMap interfaces. WebSphere eXtreme Scale defines the following permission strings to access the methods of ObjectMap and JavaMap:
- read: Grants permission to read the data from the map.
- write: Grants permission to update the data in the map.
- insert: Grants permission to insert the data into the map.
- remove: Grants permission to remove the data from the map.
- invalidate: Grants permission to invalidate the data in the map.
- all: Grants all permissions to read, write, insert, remove, and invalidate.
The authorization occurs when an eXtreme Scale client uses a data access API, such as the ObjectMap, JavaMap, or EntityManager APIs. The run time checks the corresponding map permissions when the method is called. If the required permissions are not granted to the client, an AccessControlException exception results. This tutorial demonstrates how to use Java Authentication and Authorization Service (JAAS) authorization to grant map access to different users.
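The JAAS policy entries below are an added example, not part of the original tutorial; they show the "operator" (read only) and "manager" (all operations) split described above as MapPermission grants. The ObjectGrid name "accounting", the codebase URL, and the WSPrincipal principal class are assumptions that depend on your deployment and login module.

```policy
// Added example JAAS policy fragment; the ObjectGrid name "accounting",
// the codebase URL and the principal class are assumptions for this example.
// MapPermission names take the form "ObjectGridName.MapName"; "*" covers every map.

// operator: may only read from maps in the "accounting" ObjectGrid
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
      principal com.ibm.websphere.security.auth.WSPrincipal "operator" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "accounting.*", "read";
};

// manager: read, write, insert, remove and invalidate on every map in "accounting"
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
      principal com.ibm.websphere.security.auth.WSPrincipal "manager" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "accounting.*", "all";
};
```

An authenticated principal that matches neither grant holds no MapPermission, so its ObjectMap and JavaMap calls fail with AccessControlException; verify the policy by attempting a write as "operator" and confirming it is rejected while the same call succeeds as "manager".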
Learning objectives
After completing the lessons in this module, you know how to:
- Enable authorization for WebSphere eXtreme Scale.
- Enable user-based authorization.
Time required
This module takes approximately 60 minutes.