This topic describes how to implement, configure and deploy a custom SecurityManager in VMware Tanzu GemFire for Kubernetes.

  1. Implement the SecurityManager and AuthInitialize interfaces. The SecurityManager authenticates clients and joining members and authorizes their operations; the AuthInitialize supplies the credentials that each locator and server presents when it joins the cluster. See the server documentation at Authentication and Authorization.

  2. Build a container image containing the implementation and all of its runtime dependencies. The operator uses this image as a library source: the jars are copied from it onto the classpath of the Tanzu GemFire members at startup, so the image must meet the following rules:

    • Must have all the dependencies under a single directory.
    • Must have the Bourne-again shell (bash) installed and executable as /bin/bash.
    • Must not have dependencies whose versions clash with those used by Tanzu GemFire.
    • Must have only those dependencies required by the custom implementations. Tanzu GemFire jars must not be included in the image; they are already on the member classpath and would clash with the versions shipped in the Tanzu GemFire image.
  3. Declare the image in the libraries field of the cluster deployment yaml, together with the path (a glob) of the jars to copy from it. If the image is hosted in a private image registry, use the container.imagePullSecretRef field. For more information, see Custom Resource Definition.

    apiVersion: gemfire.vmware.com/v1
    kind: GemFireCluster
    metadata:
      name: <CLUSTER-NAME>
      namespace: <NAMESPACE-NAME>
    spec:
      image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:10.1.0
      locators:
        libraries:
          - name: custom-security
            container:
              image: my-repo/my-image:1.2.0
              path: "/custom-manager/*.jar"
      servers:
        libraries:
          - name: custom-security
            container:
              image: my-repo/my-image:1.2.0
              path: "/custom-manager/*.jar"
    
  4. Using the security-manager and security-peer-auth-init properties from Tanzu GemFire, set the fully qualified class names of the SecurityManager and AuthInitialize implementations in the gemFireProperties field of the cluster deployment yaml. The same values must be set on both locators and servers. All properties prefixed with security- are also passed to the SecurityManager.init(Properties) method, so they can serve as an extra configuration source if needed (for example, to point the implementation at a configuration file).

    apiVersion: gemfire.vmware.com/v1
    kind: GemFireCluster
    metadata:
      name: <CLUSTER-NAME>
      namespace: <NAMESPACE-NAME>
    spec:
      image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:10.1.0
      locators:
        overrides:
          gemFireProperties:
            - name: "security-manager"
              value: "com.example.security.CustomSecurityManager"
            - name: "security-peer-auth-init"
              value: "com.example.security.CustomAuthInitializer"
      servers:
        overrides:
          gemFireProperties:
            - name: "security-manager"
              value: "com.example.security.CustomSecurityManager"
            - name: "security-peer-auth-init"
              value: "com.example.security.CustomAuthInitializer"
    
  5. Create a new Kubernetes Secret, in the namespace in which the Tanzu GemFire cluster will be deployed, containing the credentials that the gemfire-operator uses when interacting with the cluster. The custom SecurityManager must authenticate these credentials and authorize them for the cluster management operations the operator performs. For more information, see Provision in Authentication and Authorization Introduction.

  6. Update the mgmtSvcCredentialsSecretName field within the Tanzu GemFire cluster deployment yaml.

    apiVersion: gemfire.vmware.com/v1
    kind: GemFireCluster
    metadata:
      name: <CLUSTER-NAME>
      namespace: <NAMESPACE-NAME>
    spec:
      image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:10.1.0
      security:
        mgmtSvcCredentialsSecretName: <CMS-SECRET-NAME>
    
  7. If the implementation requires external configuration, make it available to all Tanzu GemFire pods using the overrides field in the cluster deployment yaml. The SecurityManager can run on any member at any time, so the configuration must be present on both locators and servers. The following example assumes that all external configuration has been placed in the Secret named custom-configuration-secret in the same namespace in which the Tanzu GemFire cluster will be deployed:

    apiVersion: gemfire.vmware.com/v1
    kind: GemFireCluster
    metadata:
      name: <CLUSTER-NAME>
      namespace: <NAMESPACE-NAME>
    spec:
      image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:10.1.0
      locators:
        overrides:
          statefulSet:
            spec:
              template:
                spec:
                  volumes:
                    - name: security-config-volume
                      secret:
                        secretName: custom-configuration-secret
                  containers:
                    - name: locator
                      volumeMounts:
                        - name: security-config-volume
                          mountPath: "/security-configuration"
      servers:
        overrides:
          statefulSet:
            spec:
              template:
                spec:
                  volumes:
                    - name: security-config-volume
                      secret:
                        secretName: custom-configuration-secret
                  containers:
                    - name: server
                      volumeMounts:
                        - name: security-config-volume
                          mountPath: "/security-configuration"
    
  8. Deploy the Tanzu GemFire cluster using the deployment yaml file.

    apiVersion: gemfire.vmware.com/v1
    kind: GemFireCluster
    metadata:
      name: <CLUSTER-NAME>
      namespace: <NAMESPACE-NAME>
    spec:
      image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:10.1.0
      security:
        mgmtSvcCredentialsSecretName: <CMS-SECRET-NAME>
      locators:
        libraries:
          - name: custom-security
            container:
              image: my-repo/my-image:1.2.0
              path: "/custom-manager/*.jar"
        overrides:
          gemFireProperties:
            - name: "security-manager"
              value: "com.example.security.CustomSecurityManager"
            - name: "security-peer-auth-init"
              value: "com.example.security.CustomAuthInitializer"
          statefulSet:
            spec:
              template:
                spec:
                  volumes:
                    - name: security-config-volume
                      secret:
                        secretName: custom-configuration-secret
                  containers:
                    - name: locator
                      volumeMounts:
                        - name: security-config-volume
                          mountPath: "/security-configuration"
      servers:
        libraries:
          - name: custom-security
            container:
              image: my-repo/my-image:1.2.0
              path: "/custom-manager/*.jar"
        overrides:
          gemFireProperties:
            - name: "security-manager"
              value: "com.example.security.CustomSecurityManager"
            - name: "security-peer-auth-init"
              value: "com.example.security.CustomAuthInitializer"
          statefulSet:
            spec:
              template:
                spec:
                  volumes:
                    - name: security-config-volume
                      secret:
                        secretName: custom-configuration-secret
                  containers:
                    - name: server
                      volumeMounts:
                        - name: security-config-volume
                          mountPath: "/security-configuration"
    
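As a worked example of steps 1, 4 and 7 taken together, the following SecurityManager is added here; it is not code from the original page or from VMware. It takes the location of its user store from a hypothetical security-users-file property (set through gemFireProperties, so it arrives in init(Properties) like every other security- property), defaulting to the /security-configuration mount path used above, and it reads a constructed users.properties format of <username>=<sha256 hex of password>,<role>. The role names cluster-admin, data-rw and data-ro are this example's own choices; the interface and package names are those of the Tanzu GemFire server API.

```java
package com.example.security;

import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.ResourcePermission.Operation;
import org.apache.geode.security.ResourcePermission.Resource;
import org.apache.geode.security.SecurityManager;

/**
 * Example SecurityManager: authenticates against a users file mounted from a Kubernetes
 * Secret and authorizes by the role stored next to each user. The property name, file
 * location, file format and role names are this example's own choices (assumptions).
 */
public class CustomSecurityManager implements SecurityManager {

  /** Hypothetical property; every security-* property reaches init(Properties). */
  static final String USERS_FILE_PROP = "security-users-file";
  /** Default matches the Secret mountPath used in the cluster yaml above. */
  static final String DEFAULT_USERS_FILE = "/security-configuration/users.properties";
  /** Compared against when the user is unknown, so timing does not reveal valid names. */
  private static final byte[] DUMMY_HASH = sha256("no-such-user");

  private static final class Entry {
    final byte[] passwordHash; final String role;
    Entry(byte[] passwordHash, String role) { this.passwordHash = passwordHash; this.role = role; }
  }
  private final Map<String, Entry> users = new HashMap<>();

  @Override
  public void init(Properties securityProps) {
    String file = securityProps.getProperty(USERS_FILE_PROP, DEFAULT_USERS_FILE);
    Properties table = new Properties();
    try (InputStream in = Files.newInputStream(Paths.get(file))) {
      table.load(in);
    } catch (IOException e) {
      // Fail closed: a member whose user store cannot be read must not start.
      throw new IllegalStateException("cannot read users file " + file, e);
    }
    // One line per user in the constructed file: <username>=<sha256 hex of password>,<role>
    for (String name : table.stringPropertyNames()) {
      String[] parts = table.getProperty(name).split(",", 2);
      if (parts.length != 2 || parts[0].trim().length() != 64) {
        throw new IllegalStateException("malformed entry for user " + name);
      }
      users.put(name, new Entry(hexToBytes(parts[0].trim()), parts[1].trim()));
    }
  }

  @Override
  public Object authenticate(Properties credentials) throws AuthenticationFailedException {
    String name = credentials.getProperty(USER_NAME);    // "security-username"
    String password = credentials.getProperty(PASSWORD); // "security-password"
    if (name == null || password == null) {
      throw new AuthenticationFailedException("missing security-username or security-password");
    }
    Entry entry = users.get(name);
    byte[] expected = entry == null ? DUMMY_HASH : entry.passwordHash;
    // Constant-time compare, done before the null check so an unknown user costs the same.
    boolean hashMatches = MessageDigest.isEqual(expected, sha256(password));
    if (entry == null || !hashMatches) {
      throw new AuthenticationFailedException("invalid credentials for user " + name);
    }
    return name; // the principal GemFire hands back to authorize()
  }

  @Override
  public boolean authorize(Object principal, ResourcePermission permission) {
    Entry entry = principal == null ? null : users.get(principal.toString());
    if (entry == null) {
      return false; // unknown principal: deny
    }
    switch (entry.role) {
      case "cluster-admin": return true; // the operator's management calls need CLUSTER operations
      case "data-rw":       return permission.getResource() == Resource.DATA;
      case "data-ro":       return permission.getResource() == Resource.DATA
                                && permission.getOperation() == Operation.READ;
      default:              return false; // unknown role: deny
    }
  }

  static byte[] sha256(String s) {
    try {
      return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException(e); // SHA-256 is mandatory in every Java runtime
    }
  }

  static byte[] hexToBytes(String hex) {
    byte[] out = new byte[hex.length() / 2];
    for (int i = 0; i < out.length; i++) {
      out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
    }
    return out;
  }
}
```

The user whose credentials go into the Secret from step 5 must map to a role that authorize() accepts for the cluster management operations the operator performs (cluster-admin here), otherwise the operator's first call against the cluster is rejected. Unsalted SHA-256 keeps the example short; a production user store should hold salted hashes from a slow KDF such as PBKDF2 or bcrypt, or delegate authentication to an external identity provider.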
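The matching AuthInitialize, also an added example rather than VMware's code, supplies the credentials each locator and server presents when it joins the cluster. It reads them from a second hypothetical file, /security-configuration/peer.properties (overridable through the assumed security-peer-credentials-file property), so that the peer password lives in the mounted Secret rather than in the GemFireCluster yaml:

```java
package com.example.security;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Properties;

import org.apache.geode.distributed.DistributedMember;
import org.apache.geode.security.AuthInitialize;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.SecurityManager;

/**
 * Example AuthInitialize: returns the security-username/security-password pair that a
 * joining member presents, read from a file mounted from a Kubernetes Secret.
 * The property name and default file path are this example's own choices (assumptions).
 */
public class CustomAuthInitializer implements AuthInitialize {

  /** Hypothetical security-* property naming the credentials file; arrives in securityProps. */
  static final String PEER_CREDENTIALS_PROP = "security-peer-credentials-file";
  /** Default matches the Secret mountPath used in the cluster yaml above. */
  static final String DEFAULT_PEER_CREDENTIALS = "/security-configuration/peer.properties";

  @Override
  public Properties getCredentials(Properties securityProps, DistributedMember server,
      boolean isPeer) throws AuthenticationFailedException {
    String file = securityProps.getProperty(PEER_CREDENTIALS_PROP, DEFAULT_PEER_CREDENTIALS);
    Properties stored = new Properties();
    try (InputStream in = Files.newInputStream(Paths.get(file))) {
      stored.load(in); // constructed file with keys security-username and security-password
    } catch (IOException e) {
      throw new AuthenticationFailedException("cannot read peer credentials from " + file, e);
    }
    String user = stored.getProperty(SecurityManager.USER_NAME);
    String password = stored.getProperty(SecurityManager.PASSWORD);
    if (user == null || password == null) {
      throw new AuthenticationFailedException(file + " lacks security-username or security-password");
    }
    // Hand back only the two keys the SecurityManager's authenticate() reads.
    Properties credentials = new Properties();
    credentials.setProperty(SecurityManager.USER_NAME, user);
    credentials.setProperty(SecurityManager.PASSWORD, password);
    return credentials;
  }
}
```

The user named in peer.properties must be one that the SecurityManager's authenticate() accepts, since every locator and server authenticates with it when joining; keeping that file and the users file in the same Secret (custom-configuration-secret in step 7) lets both be rotated together.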