The GemFire User Guide section Security Implementation Introduction and Overview gives a concise description of the authentication and authorization mechanism that can be implemented for a cluster.
Authentication and authorization are facilitated by a custom implementation of the Java SecurityManager interface. The authenticate example in the https://github.com/gemfire/node-examples repository illustrates the authentication and authorization mechanism for a local GemFire cluster.
The custom implementation of the SecurityManager.authenticate method is invoked when an app connects to the cluster. This callback is expected to authenticate the app to the cluster: it returns a principal for a successfully authenticated app, or it throws an exception.
An authenticated app (connection) is assigned a role. Role-based authorization permits or prohibits operations on the cluster, or on the data held by the cluster, based on that role.
Each operation on the cluster or the data held in the cluster has a predetermined set of permissions that are required for that operation to be authorized.
Each authenticated app's role is assigned a set of permissions. These permissions identify which types of operations the app is allowed (authorized) to perform.
The SecurityManager.authorize method is invoked for each operation that the app requests. If the app's role has been granted the permissions the requested operation requires, SecurityManager.authorize authorizes the operation.
If the app invokes an operation that it is not authorized to perform, the operation throws an error. The authenticate example within the set of examples at https://github.com/gemfire/node-examples demonstrates both authentication and authorization, and shows wrapping region operations within a
A Cloud Cache service instance implements the SecurityManager interface. The environment of a pushed Node.js app contains the VCAP_SERVICES environment variable, which holds a user name and password that authorize the operations permitted to a cluster operator.
A Node.js app extracts the user name and password from the VCAP_SERVICES environment variable and passes them along when the app connects and is authenticated. The book-service example at https://github.com/gemfire/node-examples does this.
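The following is an added example, not code from the book-service example or any other part of node-examples. It shows one way a Node.js app can pull a user name, password and locator list out of VCAP_SERVICES before connecting. The JSON layout it reads is an assumption modelled on a Cloud Cache service binding (a service label containing "cloudcache", a credentials.users array whose entries carry roles, and locators written as "host[port]"); the sample binding is constructed, and the credentials in it are not real. Check the binding of your own service instance before relying on the field names.

```javascript
// Added example (not from node-examples): extract GemFire credentials from
// VCAP_SERVICES. The binding layout is an assumption modelled on a Cloud Cache
// service binding; the sample below is constructed and holds no real secrets.
const SAMPLE_VCAP_SERVICES = JSON.stringify({
  'p-cloudcache': [{
    label: 'p-cloudcache',
    name: 'book-cache',
    tags: ['gemfire', 'cloudcache'],
    credentials: {
      locators: ['10.0.8.6[55221]', '10.0.8.7[55221]'],
      users: [
        { username: 'cluster_operator_ABC', password: 'op-pw', roles: ['cluster_operator'] },
        { username: 'developer_XYZ', password: 'dev-pw', roles: ['developer'] },
      ],
    },
  }],
});

// Locate the Cloud Cache binding by label or tag rather than by instance name,
// so a renamed service instance does not break the app.
function findCloudCacheBinding(vcapServices) {
  const bindings = Object.values(vcapServices).filter(Array.isArray).flat();
  const match = bindings.find((b) =>
    (typeof b.label === 'string' && b.label.includes('cloudcache')) ||
    (Array.isArray(b.tags) && b.tags.includes('cloudcache')));
  if (!match) throw new Error('no Cloud Cache service bound to this app');
  return match;
}

// "host[port]" -> { host, port }; anything else is rejected instead of being
// turned into a half-parsed address the client would then try to reach.
function parseLocator(locator) {
  const m = /^(.+)\[(\d+)\]$/.exec(locator);
  if (!m) throw new Error(`unexpected locator format: ${locator}`);
  return { host: m[1], port: Number(m[2]) };
}

// Pick the user that holds the requested role. Ask for the least privileged
// role the app really needs: "developer" covers plain region reads and writes,
// while "cluster_operator" should be reserved for apps that manage the cluster.
function selectCredentials(vcapJson, role) {
  let vcap;
  try {
    vcap = JSON.parse(vcapJson);
  } catch (err) {
    throw new Error('VCAP_SERVICES is not valid JSON');
  }
  const { credentials } = findCloudCacheBinding(vcap);
  const users = Array.isArray(credentials.users) ? credentials.users : [];
  const user = users.find((u) => Array.isArray(u.roles) && u.roles.includes(role));
  if (!user) throw new Error(`no ${role} user in the Cloud Cache binding`);
  return {
    username: user.username,
    password: user.password,
    locators: (credentials.locators || []).map(parseLocator),
  };
}

// In a pushed app process.env.VCAP_SERVICES is set by the platform; the
// constructed sample stands in for it here so the example runs offline.
function loadCredentials(role = 'developer') {
  return selectCredentials(process.env.VCAP_SERVICES || SAMPLE_VCAP_SERVICES, role);
}
```

The returned object is what gets handed to the client when it connects; log the user name and locators if needed, but never the password. Treat VCAP_SERVICES itself as secret material: it is visible to anyone who can read the app's environment or its platform metadata.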