Authorizing access for administrative operations in the OSGi framework

Through administrative security, you can authorize users to access the data grid in the OSGi framework.

Before you begin

You must install the OSGi framework before you secure the data grid. For more information, see Installing the Eclipse Equinox OSGi framework with Eclipse Gemini for clients and servers.

About this task

Most data grid deployers restrict administrative access to only a subset of the users who can access grid data.

Procedure

  • You must run the catalog servers and container servers using the Java™ security manager, which requires a policy file.

    The policy file is specified by passing the -Djava.security.policy=<policy_file> JVM argument.

    The Java security manager is started by specifying the JVM argument, -Djava.security.manager, when the eXtreme Scale server is started. Specify this argument for both container and catalog servers.

    The policy file resembles the following example:

    // Code loaded from under objectgrid.home runs with all permissions.
    grant codeBase "file:${objectgrid.home}/-" {
        permission java.security.AllPermission;
    };

    // Only this principal is granted the MBean actions used for administration.
    grant principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=OGSample" {
        permission javax.management.MBeanPermission "*",
            "getAttribute,setAttribute,invoke,queryNames,addNotificationListener,removeNotificationListener";
    };

    In this example, only the manager principal is authorized for administrative operations with the xscmd command. You can add other lines as necessary to give additional principals MBean permissions.

    Remember: The policy file also typically contains MapPermission entries, as documented in Java SE security tutorial - Step 5.

  • Start the catalog servers and container servers by specifying the previous JVM arguments on the command line; for example:
    /opt/XS86/java/jre/bin/java -DclusterSecurityFile=/og/security/secFiles_SA/objectGridSecurity.xml \
        -Djava.security.auth.login.config=/og/security/secFiles_SA/ogjaas.config -Djava.security.manager \
        -Djava.security.policy=/og/security/secFiles_SA/og_auth.policy \
        -Dobjectgrid.home=/opt/XS860/ObjectGrid -jar org.eclipse.osgi_3.7.1.R37x_v20110808-1106.jar \
        -console
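
To review which principals a policy file like the one above actually authorizes for administrative MBean operations, the following added example (not part of the original documentation or the product) parses the grant blocks and separates read-only grantees from those that can change server state. The operator principal in the sample is hypothetical, and the regex reader is a simplified assumption, not the JVM's policy parser.

```python
import re

# Constructed sample: the page's policy plus a hypothetical read-only "operator" grant.
SAMPLE_POLICY = '''
// Code loaded from under objectgrid.home runs with all permissions.
grant codeBase "file:${objectgrid.home}/-" {
    permission java.security.AllPermission;
};
grant principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=OGSample" {
    permission javax.management.MBeanPermission "*",
        "getAttribute,setAttribute,invoke,queryNames,addNotificationListener,removeNotificationListener";
};
grant principal javax.security.auth.x500.X500Principal "CN=operator,O=acme,OU=OGSample" {
    permission javax.management.MBeanPermission "*", "getAttribute,queryNames";
};
'''

# Header may contain quoted strings with braces, e.g. "${objectgrid.home}".
GRANT = re.compile(r'\bgrant\b\s*((?:"[^"]*"|[^{"])*)\{(.*?)\}\s*;', re.S)
PRINCIPAL = re.compile(r'principal\s+\S+\s+"([^"]+)"')
MBEAN = re.compile(
    r'permission\s+javax\.management\.MBeanPermission\s+"([^"]*)"\s*,\s*"([^"]*)"\s*;')
MUTATING = {"setAttribute", "invoke", "*"}  # actions that can change server state

def audit_policy(text):
    """Return ({grantee: MBean actions}, [grantees holding AllPermission])."""
    text = re.sub(r'(?m)^\s*//.*$', '', text)  # drop whole-line comments only
    mbean, all_perm = {}, []
    for header, body in GRANT.findall(text):
        # Several principals in one grant must all be present, so keep them together.
        who = " AND ".join(PRINCIPAL.findall(header)) or header.strip() or "<all code>"
        if "java.security.AllPermission" in body:
            all_perm.append(who)
        for _mbean_name, actions in MBEAN.findall(body):
            acts = {a.strip() for a in actions.split(",") if a.strip()}
            mbean.setdefault(who, set()).update(acts)
    return mbean, all_perm

def can_modify(mbean):
    """Grantees whose MBean actions allow changes, not just reads."""
    return sorted(who for who, acts in mbean.items() if acts & MUTATING)

if __name__ == "__main__":
    mbean, all_perm = audit_policy(SAMPLE_POLICY)
    for who, acts in sorted(mbean.items()):
        print(f"{who}: {', '.join(sorted(acts))}")
    print("Can modify via MBeans:", can_modify(mbean))
    print("AllPermission:", all_perm)
```

Grantees reported under AllPermission implicitly hold every MBean action as well, so review that list together with the MBean results.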

What to do next

Securing data that flows between eXtreme Scale and the OSGi framework with SSL encryption