Complete content on integrated security's post processing [#129628127]
Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/914b796e Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/914b796e Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/914b796e Branch: refs/heads/staging/docs-grant1 Commit: 914b796e431ba8b0ff5ad5ab2e946b8962897b53 Parents: c9f6f0d Author: Karen Miller <[email protected]> Authored: Wed Sep 7 09:03:01 2016 -0700 Committer: Karen Miller <[email protected]> Committed: Wed Sep 7 09:03:01 2016 -0700 ---------------------------------------------------------------------- managing/security/post_processing.html.md.erb | 44 ++++++++++++++++++++-- 1 file changed, 41 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/914b796e/managing/security/post_processing.html.md.erb ---------------------------------------------------------------------- diff --git a/managing/security/post_processing.html.md.erb b/managing/security/post_processing.html.md.erb index 8b04380..2a6dc50 100644 --- a/managing/security/post_processing.html.md.erb +++ b/managing/security/post_processing.html.md.erb 
@@ -2,11 +2,49 @@ title: Post Processing of Region Data --- -The `PostProcessor` interface allows the definition of a set of callbacks -that are invoked after operations that get data, +The `PostProcessor` interface allows the definition of a callback +that is invoked after any and all client and `gfsh` operations that get data, but before the data is returned. -This permits the callback to intervene and modify of the data +It permits the callback to intervene and modify of the data that is to be returned. The callbacks do not modify the region data, only the data to be returned. +The `processRegionValue` method is given the principal of the +operation requester. +The operation will already have been completed, +implying that the principal will have been authorized to complete +the requested operation. +The post processing can therefore modify the returned data based +on the identity of the requester (principal). + +A use of post processing will be to sanitize or mask out sensitive +region information, +while providing the remainder of a region entry unchanged. +An implementation can alter the entry for some requesters, +but not other requesters. + +The `processRegionValue` method is invoked for these API calls: + +- `Region.get` +- `Region.getAll` +- `Query.execute` +- `CqQuery.execute` +- `CqQuery.executeWithInitialResults` +- `CqListener.onEvent` +- for a relevant region event from `CacheListener.afterUpdate` for which +there is interest registered with `Region.registerInterest` + +Care should be taken when designing a system that implements the +post processing callback. +It incurs the performance penalty of an extra method invocation +on every get operation. + +## Implement Post Processing + +Complete these items to implement post processing. + +- Define the `security-post-processor` property. +See [Enable Security with Property Definitions](enable_security.html) +for details about this property. 
+- Implement the `processRegionValue` method of the `PostProcessor` interface.
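Review bot: The added intro says the callback runs after "any and all client and `gfsh` operations that get data", but the list under "The `processRegionValue` method is invoked for these API calls" names seven client API entry points and no `gfsh` command. Since the text recommends post processing for masking sensitive region information, please state whether that list is exhaustive and which `gfsh` commands are covered, so a reader can tell whether any read path returns unmasked values. In the same hunk, the performance note limits the cost to "every get operation" although the list also includes queries and CQ events. The carried-over phrase "intervene and modify of the data" still has the stray "of", and "The callbacks do not modify the region data" is still plural after the intro was changed to "a callback". The "Implement Post Processing" steps would also be easier to follow if they gave the `processRegionValue` signature, or linked to it, so the implementer knows what the method receives besides the principal and what it must return.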
