geode-dev mailing list archives

From Kirk Lund <kl...@apache.org>
Subject Re: OQL rewriting
Date Thu, 22 Jun 2017 23:18:14 GMT
You cannot use SecurityManager AND AccessControl/Authenticator at the same
time. It's either SecurityManager or the old callbacks but not both.

The authorizeOperation callback is specific to OperationContext.
OperationContext is deprecated in favor of ResourcePermission which
reorganizes everything as Resource (NULL, CLUSTER, DATA), Operation (NULL,
MANAGE, WRITE, READ) and Target (ALL, DISK, GATEWAY, QUERY, JAR).

On Thu, Jun 22, 2017 at 3:11 PM, John Blum <jblum@pivotal.io> wrote:

> We should also keep in mind this may not be possible when using an actual,
> robust security framework like *Apache Shiro*, or *Shiro* may provide
> different callbacks/mechanisms/extensions.
>
> This should be taken into account in the "solution" since most sensible
> users will use a well-known, proven security framework when securing their
> Geode deployment.
>
> -j
>
> On Thu, Jun 22, 2017 at 2:34 PM, Michael Stolz <mstolz@pivotal.io> wrote:
>
> > The old security framework had an authorizeOperation method that had enough
> > information to be able to inspect and modify an OQL string before it would
> > be executed. That whole framework is now deprecated, but I feel like it's a
> > really powerful feature being able to modify OQL in such a way as to
> > support adding some kind of security column to the where clause so you can
> > implement row-level security on queries.
> >
> > My question is, are the new securityManager and the old AccessControl
> > interface able to both be used together or are they mutually exclusive?
> >
> > --
> > Mike Stolz
> > Principal Engineer, GemFire Product Manager
> > Mobile: +1-631-835-4771
> >
>
>
>
> --
> -John
> john.blum10101 (skype)
>
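
An added example, not part of the thread and not Geode project code: a minimal `SecurityManager` that shows what the Resource/Operation/target model described above gives an authorization callback to work with. It assumes the `org.apache.geode.security` API of Geode 1.x and Java 9+; the class name, users, passwords and region names are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import java.util.Properties;

import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.ResourcePermission.Operation;
import org.apache.geode.security.ResourcePermission.Resource;
import org.apache.geode.security.SecurityManager;

// Hypothetical class: users, passwords and region names below are constructed.
public class RegionReadSecurityManager implements SecurityManager {

  // Constructed demo credentials; a real deployment checks an identity store.
  private static final Map<String, String> PASSWORDS =
      Map.of("analyst", "analyst-demo-pw", "auditor", "auditor-demo-pw");

  // Grants expressed as Resource:Operation[:region].
  private static final Map<String, List<ResourcePermission>> GRANTS = Map.of(
      // analyst may read only the "orders" region
      "analyst", List.of(new ResourcePermission(Resource.DATA, Operation.READ, "orders")),
      // auditor may read every region (no region part acts as a wildcard)
      "auditor", List.of(new ResourcePermission(Resource.DATA, Operation.READ)));

  @Override
  public Object authenticate(Properties credentials) throws AuthenticationFailedException {
    String user = credentials.getProperty("security-username", "");
    String given = credentials.getProperty("security-password", "");
    String expected = PASSWORDS.get(user);
    // Constant-time comparison so the check does not leak how many bytes matched.
    if (expected == null || !MessageDigest.isEqual(
        expected.getBytes(StandardCharsets.UTF_8), given.getBytes(StandardCharsets.UTF_8))) {
      throw new AuthenticationFailedException("invalid credentials");
    }
    return user; // becomes the principal passed to authorize()
  }

  @Override
  public boolean authorize(Object principal, ResourcePermission requested) {
    // Only the permission arrives here: there is no OQL string to inspect or rewrite.
    // Default deny: unknown principals and unmatched permissions are refused.
    return GRANTS.getOrDefault(String.valueOf(principal), List.of()).stream()
        .anyMatch(granted -> granted.implies(requested));
  }
}
```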
