This topic describes how to implement, configure and deploy a custom SecurityManager in VMware Tanzu GemFire for Kubernetes.

1. Implement the SecurityManager and AuthInitialize interfaces. See the server documentation at Authentication and Authorization.

2. Build a container image with the implementation and all required runtime dependencies. This image is later used as a library source when configuring the classpath for the Tanzu GemFire members during startup, so it must adhere to the following rule: the Bourne-again shell (bash) must be installed and executable through /bin/bash.

3. Declare the location of the image through the libraries field within the cluster deployment yaml, along with the directory to copy the jars from. If the image is hosted in a private image registry, use the container.imagePullSecretRef field. For more information, see Custom Resource Definition.
apiVersion: gemfire.vmware.com/v1
kind: GemFireCluster
metadata:
  name: <CLUSTER-NAME>
  namespace: <NAMESPACE-NAME>
spec:
  image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:10.1.0
  locators:
    libraries:
      - name: custom-security
        container:
          image: my-repo/my-image:1.2.0
          path: "/custom-manager/*.jar"
  servers:
    libraries:
      - name: custom-security
        container:
          image: my-repo/my-image:1.2.0
          path: "/custom-manager/*.jar"
4. Using the security-manager and security-peer-auth-init properties from Tanzu GemFire, declare the fully qualified class names of the SecurityManager and AuthInitialize implementations within the gemFireProperties field in the cluster deployment yaml (the same values for both properties must be set on locators and servers). All properties prefixed with security- are also passed into the SecurityManager.init(Properties) method, so they can be used as an extra configuration source if needed.
apiVersion: gemfire.vmware.com/v1
kind: GemFireCluster
metadata:
  name: <CLUSTER-NAME>
  namespace: <NAMESPACE-NAME>
spec:
  image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:10.1.0
  locators:
    overrides:
      gemFireProperties:
        - name: "security-manager"
          value: "com.example.security.CustomSecurityManager"
        - name: "security-peer-auth-init"
          value: "com.example.security.CustomAuthInitializer"
  servers:
    overrides:
      gemFireProperties:
        - name: "security-manager"
          value: "com.example.security.CustomSecurityManager"
        - name: "security-peer-auth-init"
          value: "com.example.security.CustomAuthInitializer"
5. Create a new Kubernetes Secret, within the namespace in which the Tanzu GemFire cluster will be deployed, containing the credentials that the gemfire-operator will use when interacting with the cluster. For more information, see Provision in Authentication and Authorization Introduction. Then set the mgmtSvcCredentialsSecretName field within the Tanzu GemFire cluster deployment yaml to the name of that Secret.
apiVersion: gemfire.vmware.com/v1
kind: GemFireCluster
metadata:
  name: <CLUSTER-NAME>
  namespace: <NAMESPACE-NAME>
spec:
  image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:10.1.0
  security:
    mgmtSvcCredentialsSecretName: <CMS-SECRET-NAME>
6. If the implementation requires external configuration, make it available to all Tanzu GemFire pods using the overrides field in the cluster deployment yaml. The SecurityManager can be executed on any member at any given time, so the configuration must be available on both locators and servers. The following example assumes that all external configuration has been added to the Secret named custom-configuration-secret within the same namespace in which the Tanzu GemFire cluster will be deployed:
apiVersion: gemfire.vmware.com/v1
kind: GemFireCluster
metadata:
  name: <CLUSTER-NAME>
  namespace: <NAMESPACE-NAME>
spec:
  image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:10.1.0
  locators:
    overrides:
      statefulSet:
        spec:
          template:
            spec:
              volumes:
                - name: security-config-volume
                  secret:
                    secretName: custom-configuration-secret
              containers:
                - name: locator
                  volumeMounts:
                    - name: security-config-volume
                      mountPath: "/security-configuration"
  servers:
    overrides:
      statefulSet:
        spec:
          template:
            spec:
              volumes:
                - name: security-config-volume
                  secret:
                    secretName: custom-configuration-secret
              containers:
                - name: server
                  volumeMounts:
                    - name: security-config-volume
                      mountPath: "/security-configuration"
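The following is an added example, not code from the Tanzu GemFire product or its documentation, showing how the two pieces described above fit together: a SecurityManager whose init(Properties) reads a security- prefixed property to locate a user database inside the Secret mounted at /security-configuration, and an AuthInitialize that supplies peer credentials. The class names match the gemFireProperties shown on this page; the property names security-users-file, security-peer-username and security-peer-password, the users.properties file name and its "password,ROLE" line format are assumptions made for the example, and the org.apache.geode.security package names are assumed to be the ones exposed by the GemFire server API.

```java
// --- CustomSecurityManager.java ---
package com.example.security;

import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.geode.distributed.DistributedMember;
import org.apache.geode.security.AuthInitialize;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.ResourcePermission.Operation;
import org.apache.geode.security.ResourcePermission.Resource;
import org.apache.geode.security.SecurityManager;

/**
 * Users and roles come from a properties file inside the Secret mounted at
 * /security-configuration (hypothetical format, one line per user):
 *   alice=alicePassword,ADMIN
 *   bob=bobPassword,READER
 */
public class CustomSecurityManager implements SecurityManager {
  // Hypothetical property: it reaches init() because of its "security-" prefix.
  static final String USERS_FILE_PROP = "security-users-file";
  static final String DEFAULT_USERS_FILE = "/security-configuration/users.properties";

  private final Map<String, String> passwords = new ConcurrentHashMap<>();
  private final Map<String, String> roles = new ConcurrentHashMap<>();

  @Override
  public void init(Properties securityProps) {
    Path usersFile = Paths.get(securityProps.getProperty(USERS_FILE_PROP, DEFAULT_USERS_FILE));
    Properties entries = new Properties();
    try (InputStream in = Files.newInputStream(usersFile)) {
      entries.load(in);
    } catch (IOException e) {
      // Fail closed: a member that cannot load its user database must not start.
      throw new IllegalStateException("cannot read user database " + usersFile, e);
    }
    for (String user : entries.stringPropertyNames()) {
      String[] passwordAndRole = entries.getProperty(user).split(",", 2);
      if (passwordAndRole.length != 2) {
        throw new IllegalStateException("malformed entry for user " + user);
      }
      passwords.put(user, passwordAndRole[0]);
      roles.put(user, passwordAndRole[1].trim());
    }
  }

  @Override
  public Object authenticate(Properties credentials) throws AuthenticationFailedException {
    String user = credentials.getProperty(USER_NAME);      // "security-username"
    String password = credentials.getProperty(PASSWORD);   // "security-password"
    String expected = user == null ? null : passwords.get(user);
    // Constant-time comparison; one message for unknown user and wrong password.
    boolean ok = expected != null && password != null
        && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                 password.getBytes(StandardCharsets.UTF_8));
    if (!ok) {
      throw new AuthenticationFailedException("invalid credentials");
    }
    return user; // principal handed to authorize() on every later operation
  }

  @Override
  public boolean authorize(Object principal, ResourcePermission permission) {
    String role = roles.get(String.valueOf(principal));
    if (role == null) return false;
    switch (role) {
      case "ADMIN":  return true;
      case "DATA":   return permission.getResource() == Resource.DATA;
      case "READER": return permission.getResource() == Resource.DATA
                         && permission.getOperation() == Operation.READ;
      default:       return false; // unknown role: deny
    }
  }

  @Override
  public void close() {
    passwords.clear();
    roles.clear();
  }
}

// --- CustomAuthInitializer.java (separate file, same package and imports) ---
public class CustomAuthInitializer implements AuthInitialize {
  @Override
  public Properties getCredentials(Properties securityProps, DistributedMember server,
      boolean isPeer) throws AuthenticationFailedException {
    // Hypothetical keys, set as security-* gemFireProperties on every member.
    String user = securityProps.getProperty("security-peer-username");
    String password = securityProps.getProperty("security-peer-password");
    if (user == null || password == null) {
      throw new AuthenticationFailedException("peer credentials not configured");
    }
    Properties credentials = new Properties();
    credentials.setProperty(SecurityManager.USER_NAME, user);
    credentials.setProperty(SecurityManager.PASSWORD, password);
    return credentials;
  }

  @Override
  public void close() {}
}
```

Two points to check when adapting this: security-* values placed in gemFireProperties are stored in the GemFireCluster resource itself, so secrets such as the peer password belong in the mounted Secret (read them from /security-configuration in getCredentials instead) and only non-sensitive settings such as a file path belong in the properties; and ResourcePermission also exposes getTarget() and getKey(), which lets authorize() restrict a role to particular regions or keys rather than the coarse DATA/CLUSTER split shown here. Because the same SecurityManager runs on locators and servers, the users file must be present on both, which is exactly why the Secret is mounted on both StatefulSets above.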
7. Deploy the Tanzu GemFire cluster using the complete deployment yaml file, which combines the fragments from the previous steps:
apiVersion: gemfire.vmware.com/v1
kind: GemFireCluster
metadata:
  name: <CLUSTER-NAME>
  namespace: <NAMESPACE-NAME>
spec:
  image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:10.1.0
  security:
    mgmtSvcCredentialsSecretName: <CMS-SECRET-NAME>
  locators:
    libraries:
      - name: custom-security
        container:
          image: my-repo/my-image:1.2.0
          path: "/custom-manager/*.jar"
    overrides:
      gemFireProperties:
        - name: "security-manager"
          value: "com.example.security.CustomSecurityManager"
        - name: "security-peer-auth-init"
          value: "com.example.security.CustomAuthInitializer"
      statefulSet:
        spec:
          template:
            spec:
              volumes:
                - name: security-config-volume
                  secret:
                    secretName: custom-configuration-secret
              containers:
                - name: locator
                  volumeMounts:
                    - name: security-config-volume
                      mountPath: "/security-configuration"
  servers:
    libraries:
      - name: custom-security
        container:
          image: my-repo/my-image:1.2.0
          path: "/custom-manager/*.jar"
    overrides:
      gemFireProperties:
        - name: "security-manager"
          value: "com.example.security.CustomSecurityManager"
        - name: "security-peer-auth-init"
          value: "com.example.security.CustomAuthInitializer"
      statefulSet:
        spec:
          template:
            spec:
              volumes:
                - name: security-config-volume
                  secret:
                    secretName: custom-configuration-secret
              containers:
                - name: server
                  volumeMounts:
                    - name: security-config-volume
                      mountPath: "/security-configuration"