This section describes how to implement, configure and deploy a custom SecurityManager.

  • Implement the SecurityManager and AuthInitialize interfaces. See the server documentation at Authentication and Authorization.

  • Build a container image with the implementation and all required runtime dependencies. This image is later used as a library source when configuring the classpath for the Tanzu GemFire members during startup, so it must adhere to the following rules:

    • Must have all the dependencies under a single directory.
    • Must have the Bourne-again SHell (bash) installed and executable through /bin/bash.
    • Must not have dependencies with versions that clash with those used by Tanzu GemFire.
    • Must have only those dependencies required by the custom implementations. Tanzu GemFire jars must be included within the image.
  • Declare the location of the image through the libraries field within the cluster deployment yaml, along with the directory to copy the jars from. If the image is hosted within a private repository, use the container.imagePullSecretRef field (see Custom Resource Definition for further details).

apiVersion: gemfire.vmware.com/v1
kind: GemFireCluster
metadata:
  name: <CLUSTER-NAME>
  namespace: <NAMESPACE-NAME>
spec:
  image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:9.15.0
  locators:
    libraries:
      - name: custom-security
        container:
          image: my-repo/my-image:1.2.0
          path: "/custom-manager/*.jar"
  servers:
    libraries:
      - name: custom-security
        container:
          image: my-repo/my-image:1.2.0
          path: "/custom-manager/*.jar"
  • Using the security-manager and security-peer-auth-init properties from Tanzu GemFire, declare the fully qualified class name of the SecurityManager and AuthInitialize implementations within the gemFireProperties field in the cluster deployment yaml (the same value for both properties must be set on locators and servers). All properties prefixed with security- are also passed into the SecurityManager.init(Properties) method, so these can be used as an extra configuration source if needed.
apiVersion: gemfire.vmware.com/v1
kind: GemFireCluster
metadata:
  name: <CLUSTER-NAME>
  namespace: <NAMESPACE-NAME>
spec:
  image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:9.15.0
  locators:
    overrides:
      gemFireProperties:
        - name: "security-manager"
          value: "com.example.security.CustomSecurityManager"
        - name: "security-peer-auth-init"
          value: "com.example.security.CustomAuthInitializer"
  servers:
    overrides:
      gemFireProperties:
        - name: "security-manager"
          value: "com.example.security.CustomSecurityManager"
        - name: "security-peer-auth-init"
          value: "com.example.security.CustomAuthInitializer"
  • Create a new Kubernetes Secret, in the namespace in which the Tanzu GemFire cluster will be deployed, containing the credentials that the gemfire-operator will use when interacting with the cluster. Refer to Provision for further details.

  • Update the mgmtSvcCredentialsSecretName field within the Tanzu GemFire cluster deployment yaml.

apiVersion: gemfire.vmware.com/v1
kind: GemFireCluster
metadata:
  name: <CLUSTER-NAME>
  namespace: <NAMESPACE-NAME>
spec:
  image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:9.15.0
  security:
    mgmtSvcCredentialsSecretName: <CMS-SECRET-NAME>
  • If the implementation requires external configuration, make it available to all Tanzu GemFire pods using the overrides field in the cluster deployment yaml. The SecurityManager can be executed on any member at any given time, so the configuration must be available on both locators and servers. The following example assumes that all external configuration has been added to the Secret named custom-configuration-secret in the same namespace in which the Tanzu GemFire cluster will be deployed:
apiVersion: gemfire.vmware.com/v1
kind: GemFireCluster
metadata:
  name: <CLUSTER-NAME>
  namespace: <NAMESPACE-NAME>
spec:
  image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:9.15.0
  locators:
    overrides:
      statefulSet:
        spec:
          template:
            spec:
              volumes:
                - name: security-config-volume
                  secret:
                    secretName: custom-configuration-secret
              containers:
                - name: locator
                  volumeMounts:
                    - name: security-config-volume
                      mountPath: "/security-configuration"
  servers:
    overrides:
      statefulSet:
        spec:
          template:
            spec:
              volumes:
                - name: security-config-volume
                  secret:
                    secretName: custom-configuration-secret
              containers:
                - name: server
                  volumeMounts:
                    - name: security-config-volume
                      mountPath: "/security-configuration"
  • Deploy the Tanzu GemFire cluster using the deployment yaml file.
apiVersion: gemfire.vmware.com/v1
kind: GemFireCluster
metadata:
  name: <CLUSTER-NAME>
  namespace: <NAMESPACE-NAME>
spec:
  image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:9.15.0
  security:
    mgmtSvcCredentialsSecretName: <CMS-SECRET-NAME>
  locators:
    libraries:
      - name: custom-security
        container:
          image: my-repo/my-image:1.2.0
          path: "/custom-manager/*.jar"
    overrides:
      gemFireProperties:
        - name: "security-manager"
          value: "com.example.security.CustomSecurityManager"
        - name: "security-peer-auth-init"
          value: "com.example.security.CustomAuthInitializer"
      statefulSet:
        spec:
          template:
            spec:
              volumes:
                - name: security-config-volume
                  secret:
                    secretName: custom-configuration-secret
              containers:
                - name: locator
                  volumeMounts:
                    - name: security-config-volume
                      mountPath: "/security-configuration"
  servers:
    libraries:
      - name: custom-security
        container:
          image: my-repo/my-image:1.2.0
          path: "/custom-manager/*.jar"
    overrides:
      gemFireProperties:
        - name: "security-manager"
          value: "com.example.security.CustomSecurityManager"
        - name: "security-peer-auth-init"
          value: "com.example.security.CustomAuthInitializer"
      statefulSet:
        spec:
          template:
            spec:
              volumes:
                - name: security-config-volume
                  secret:
                    secretName: custom-configuration-secret
              containers:
                - name: server
                  volumeMounts:
                    - name: security-config-volume
                      mountPath: "/security-configuration"
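The following is an added example of the two implementations the procedure above refers to (step 1), wired to the configuration mechanisms the later steps describe: the security- prefixed gemFireProperties that reach SecurityManager.init(Properties) (step 4) and the Secret mounted at /security-configuration (step 6). It is not code from this page or from Tanzu GemFire. The property name security-users-file, the file name users.properties, its "user=password,role" line format and the admin/writer/reader roles are all assumptions made for the example; the class names and package match the values used in the yaml above.

```java
// Added example, not code from the page or from Tanzu GemFire. Two public
// classes, so in practice two files in the custom-security jar:
// CustomSecurityManager.java and CustomAuthInitializer.java in package
// com.example.security (the names set in security-manager / security-peer-auth-init).
package com.example.security;

import java.io.IOException;
import java.io.InputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.util.Properties;

import org.apache.geode.distributed.DistributedMember;
import org.apache.geode.security.AuthInitialize;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.ResourcePermission.Operation;
import org.apache.geode.security.ResourcePermission.Resource;
import org.apache.geode.security.SecurityManager;

public class CustomSecurityManager implements SecurityManager {

  // Hypothetical property: because its name starts with "security-", the
  // operator forwards it from gemFireProperties into init(). The default path
  // matches the mountPath used for custom-configuration-secret in the yaml.
  static final String USERS_FILE_PROPERTY = "security-users-file";
  static final String DEFAULT_USERS_FILE = "/security-configuration/users.properties";

  // Loaded from the mounted Secret: one "user=password,role" line per user
  // (constructed file format for this example).
  private final Properties users = new Properties();

  @Override
  public void init(Properties securityProps) {
    Path file = Paths.get(securityProps.getProperty(USERS_FILE_PROPERTY, DEFAULT_USERS_FILE));
    try (InputStream in = Files.newInputStream(file)) {
      users.load(in);
    } catch (IOException e) {
      // Fail the member start rather than run with an empty user table.
      throw new IllegalStateException("cannot load users file " + file, e);
    }
  }

  @Override
  public Object authenticate(Properties credentials) throws AuthenticationFailedException {
    String user = credentials.getProperty(USER_NAME);    // "security-username"
    String password = credentials.getProperty(PASSWORD); // "security-password"
    String entry = (user == null) ? null : users.getProperty(user);
    String[] parts = (entry == null) ? new String[0] : entry.split(",", 2);
    if (password == null || parts.length != 2 || !MessageDigest.isEqual(
        parts[0].getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8))) {
      // One message for unknown user and wrong password: no username enumeration.
      throw new AuthenticationFailedException("authentication failed");
    }
    return new RolePrincipal(user, parts[1]);
  }

  @Override
  public boolean authorize(Object principal, ResourcePermission permission) {
    if (!(principal instanceof RolePrincipal)) {
      return false; // deny anything this manager did not issue itself
    }
    switch (((RolePrincipal) principal).role) {
      case "admin":  return true;
      case "writer": return permission.getResource() == Resource.DATA;
      case "reader": return permission.getResource() == Resource.DATA
                         && permission.getOperation() == Operation.READ;
      default:       return false;
    }
  }

  /** Principal handed back to GemFire; carries only what authorize() needs. */
  static final class RolePrincipal implements Serializable {
    final String name;
    final String role;
    RolePrincipal(String name, String role) { this.name = name; this.role = role; }
    @Override public String toString() { return name + "(" + role + ")"; }
  }
}

/** Peer credentials: each member presents the same kind of credentials to the others. */
public class CustomAuthInitializer implements AuthInitialize {
  @Override
  public Properties getCredentials(Properties securityProps, DistributedMember server, boolean isPeer)
      throws AuthenticationFailedException {
    String user = securityProps.getProperty(SecurityManager.USER_NAME);
    String password = securityProps.getProperty(SecurityManager.PASSWORD);
    if (user == null || password == null) {
      throw new AuthenticationFailedException("security-username/security-password not configured");
    }
    Properties creds = new Properties();
    creds.setProperty(SecurityManager.USER_NAME, user);
    creds.setProperty(SecurityManager.PASSWORD, password);
    return creds;
  }

  @Override
  public void close() {}
}
```

Because the same security- properties reach every member, the peer credentials that CustomAuthInitializer returns can also be kept in the mounted Secret and read from /security-configuration instead of being placed in gemFireProperties; whichever source is used, it must be identical on locators and servers, since any member may be asked to authenticate any other.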