Re: [PROPOSAL]: Finer Grained Security When Invoking Methods in OQL

2018-06-25 Thread Juan José Ramos
Hello Dave, Thanks for the heads up, spelling errors fixed (at least that one :-/). Cheers! On Mon, Jun 25, 2018 at 4:34 PM Dave Barnes wrote: > Juan, > Nice work - you've obviously given this plenty of thought. I'm not > qualified to comment on the technical aspects of your proposal, but as

Re: [PROPOSAL]: Finer Grained Security When Invoking Methods in OQL

2018-06-25 Thread Dave Barnes
Juan, Nice work - you've obviously given this plenty of thought. I'm not qualified to comment on the technical aspects of your proposal, but as a proofreader I noticed that there are a couple of occurrences of "invokation" that should be spelled "invocation". Dave On Mon, Jun 25, 2018 at 2:52

[PROPOSAL]: Finer Grained Security When Invoking Methods in OQL

2018-06-25 Thread Ju@N
Hello all, The current approach used to authorize methods during OQL execution seems to be way too restrictive, I've drafted a proposal to change the current behavior and allow further customization:

[GitHub] geode pull request #667: GEODE-3324 Document finer-grained security permissi...

2017-07-31 Thread asfgit
Github user asfgit closed the pull request at: https://github.com/apache/geode/pull/667 --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is

[GitHub] geode pull request #667: GEODE-3324 Document finer-grained security permissi...

2017-07-28 Thread karensmolermiller
GitHub user karensmolermiller opened a pull request: https://github.com/apache/geode/pull/667 GEODE-3324 Document finer-grained security permissions @jinmeiliao @PurelyApplied @jaredjstewart @joeymcallister @davebarnes97 Please review. You can merge this pull request

[GitHub] geode pull request #596: GEODE-2920 - GEODE-2925: Finer Grained Security

2017-06-23 Thread PurelyApplied
Github user PurelyApplied closed the pull request at: https://github.com/apache/geode/pull/596

[GitHub] geode issue #596: GEODE-2920 - GEODE-2925: Finer Grained Security

2017-06-23 Thread jaredjstewart
Github user jaredjstewart commented on the issue: https://github.com/apache/geode/pull/596 Merged as 451d12e

[GitHub] geode issue #596: GEODE-2920 - GEODE-2925: Finer Grained Security

2017-06-23 Thread PurelyApplied
Github user PurelyApplied commented on the issue: https://github.com/apache/geode/pull/596 Excepting one flaky test, precheckin is green through `14298a`. Precheckin is currently very unhappy, though, and starting new test runs is not going well.

[GitHub] geode issue #596: GEODE-2920 - GEODE-2925: Finer Grained Security

2017-06-23 Thread jaredjstewart
Github user jaredjstewart commented on the issue: https://github.com/apache/geode/pull/596 +1

[GitHub] geode pull request #596: GEODE-2920 - GEODE-2925: Finer Grained Security

2017-06-23 Thread PurelyApplied
Github user PurelyApplied commented on a diff in the pull request: https://github.com/apache/geode/pull/596#discussion_r123832520 --- Diff: geode-core/src/main/java/org/apache/geode/management/internal/cli/commands/ClientCommands.java --- @@ -109,12 +107,10 @@ public Result

[GitHub] geode pull request #596: GEODE-2920 - GEODE-2925: Finer Grained Security

2017-06-23 Thread PurelyApplied
Github user PurelyApplied commented on a diff in the pull request: https://github.com/apache/geode/pull/596#discussion_r123832527 --- Diff: geode-core/src/main/java/org/apache/geode/management/internal/cli/commands/FunctionCommands.java --- @@ -130,31 +125,8 @@ public Result

[GitHub] geode pull request #596: GEODE-2920 - GEODE-2925: Finer Grained Security

2017-06-23 Thread PurelyApplied
Github user PurelyApplied commented on a diff in the pull request: https://github.com/apache/geode/pull/596#discussion_r123830383 --- Diff: geode-core/src/main/java/org/apache/geode/management/internal/beans/MemberMBean.java --- @@ -148,7 +148,12 @@ public long

[GitHub] geode pull request #596: GEODE-2920 - GEODE-2925: Finer Grained Security

2017-06-23 Thread PurelyApplied
Github user PurelyApplied commented on a diff in the pull request: https://github.com/apache/geode/pull/596#discussion_r123829882 --- Diff: geode-core/src/test/java/org/apache/geode/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java --- @@ -57,7 +56,48 @@ public

[GitHub] geode pull request #596: GEODE-2920 - GEODE-2925: Finer Grained Security

2017-06-23 Thread jaredjstewart
Github user jaredjstewart commented on a diff in the pull request: https://github.com/apache/geode/pull/596#discussion_r123822645 --- Diff: geode-core/src/main/java/org/apache/geode/management/internal/cli/commands/FunctionCommands.java --- @@ -130,31 +125,8 @@ public Result

[GitHub] geode pull request #596: GEODE-2920 - GEODE-2925: Finer Grained Security

2017-06-23 Thread jaredjstewart
Github user jaredjstewart commented on a diff in the pull request: https://github.com/apache/geode/pull/596#discussion_r123820699 --- Diff: geode-core/src/main/java/org/apache/geode/management/internal/cli/commands/ClientCommands.java --- @@ -109,12 +107,10 @@ public Result

[GitHub] geode pull request #596: GEODE-2920 - GEODE-2925: Finer Grained Security

2017-06-23 Thread jaredjstewart
Github user jaredjstewart commented on a diff in the pull request: https://github.com/apache/geode/pull/596#discussion_r123819260 --- Diff: geode-core/src/main/java/org/apache/geode/management/internal/beans/MemberMBean.java --- @@ -148,7 +148,12 @@ public long

[GitHub] geode pull request #596: GEODE-2920 - GEODE-2925: Finer Grained Security

2017-06-23 Thread jaredjstewart
Github user jaredjstewart commented on a diff in the pull request: https://github.com/apache/geode/pull/596#discussion_r123818520 --- Diff: geode-core/src/test/java/org/apache/geode/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java --- @@ -57,7 +56,48 @@ public

[GitHub] geode pull request #596: GEODE-2920 - GEODE-2925: Finer Grained Security

2017-06-23 Thread jaredjstewart
Github user jaredjstewart commented on a diff in the pull request: https://github.com/apache/geode/pull/596#discussion_r123817037 --- Diff: geode-core/src/main/java/org/apache/geode/management/CacheServerMXBean.java --- @@ -60,48 +61,48 @@ /** * Returns the port on

[GitHub] geode issue #596: GEODE-2920 - GEODE-2925: Finer Grained Security

2017-06-21 Thread PurelyApplied
Github user PurelyApplied commented on the issue: https://github.com/apache/geode/pull/596 Precheckin running.

[GitHub] geode pull request #596: GEODE-2920 - GEODE-2925: Finer Grained Security

2017-06-21 Thread PurelyApplied
GitHub user PurelyApplied opened a pull request: https://github.com/apache/geode/pull/596 GEODE-2920 - GEODE-2925: Finer Grained Security Due to the size of this commit and for your convenience of review, I have not yet squashed my commits. Do note that I have not individually

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-12 Thread Jinmei Liao
2, 2017, 2:44 p.m.) > > > Review request for geode, Emily Yeh, Jared Stewart, Ken Howe, Kirk Lund, and > Patrick Rhomberg. > > > Repository: geode > > > Description > --- > > GEODE-2925: add target for resource operation for finer grained secu

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-12 Thread Kirk Lund
omberg. > > > Repository: geode > > > Description > --- > > GEODE-2925: add target for resource operation for finer grained security > > > Diffs > - > > geode-core/src/main/java/org/apache/geode/cache/CacheFactory.java > 9b23f6c1a8ed3449d8a49

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-12 Thread Jinmei Liao
to avoid code duplication. 3) added default implementation of SecurityService (debatable) 4) reworked SecurityServicefactory and add more tests. Repository: geode Description --- GEODE-2925: add target for resource operation for finer grained security Diffs (updated) - geode-core/src/main

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-08 Thread Kirk Lund
- > > (Updated June 5, 2017, 6:32 p.m.) > > > Review request for geode, Emily Yeh, Jared Stewart, Ken Howe, Kirk Lund, and > Patrick Rhomberg. > > > Repository: geode > > > Description > --- > > GEODE-2925: add target for resource operation for

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-05 Thread Jinmei Liao
Stewart, Ken Howe, Kirk Lund, and Patrick Rhomberg. Changes --- added a new interface method according to review. Repository: geode Description --- GEODE-2925: add target for resource operation for finer grained security Diffs (updated) - geode-core/src/main/java/org/apache

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-02 Thread Patrick Rhomberg
Emily Yeh, Jared Stewart, Ken Howe, Kirk Lund, and > Patrick Rhomberg. > > > Repository: geode > > > Description > --- > > GEODE-2925: add target for resource operation for finer grained security > > > Diffs > - > > > geo

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-02 Thread Jinmei Liao
--- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/59692/ > --- > > (Updated June 2, 2017, 4:08 p.m.) > > > Review request for geode, Emily Yeh, Jared Stewart, Ken Howe, Kirk Lund, and > Patrick Rhom

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-02 Thread Patrick Rhomberg
s is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/59692/ > --- > > (Updated June 2, 2017, 4:08 p.m.) > > > Review request for geode, Emily Yeh, Jared Stewart, Ken Howe, Kirk Lund, and > Patrick Rhomberg. > > > Repository: g

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-02 Thread Jinmei Liao
Stewart, Ken Howe, Kirk Lund, and Patrick Rhomberg. Repository: geode Description --- GEODE-2925: add target for resource operation for finer grained security Diffs (updated) - geode-core/src/main/java/org/apache/geode/examples/security/ExampleSecurityManager.java 84f97de56

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-02 Thread Jinmei Liao
r geode, Emily Yeh, Jared Stewart, Ken Howe, Kirk Lund, and > Patrick Rhomberg. > > > Repository: geode > > > Description > --- > > GEODE-2925: add target for resource operation for finer grained security > > > Diffs > - > > >

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-02 Thread Jinmei Liao
Stewart, Ken Howe, Kirk Lund, and Patrick Rhomberg. Changes --- review changes Repository: geode Description --- GEODE-2925: add target for resource operation for finer grained security Diffs (updated) - geode-core/src/main/java/org/apache/geode/examples/security

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-01 Thread Patrick Rhomberg
ick Rhomberg. > > > Repository: geode > > > Description > --- > > GEODE-2925: add target for resource operation for finer grained security > > > Diffs > - > > > geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecuritySe

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-01 Thread Patrick Rhomberg
: geode > > > Description > --- > > GEODE-2925: add target for resource operation for finer grained security > > > Diffs > - > > > geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java > 600d5462b1d18cfc70

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-01 Thread Ken Howe
ly Yeh, Jared Stewart, Ken Howe, Kirk Lund, and > Patrick Rhomberg. > > > Repository: geode > > > Description > --- > > GEODE-2925: add target for resource operation for finer grained security > > > Diffs > - > > > geode-c

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-01 Thread Jinmei Liao
Stewart, Ken Howe, Kirk Lund, and Patrick Rhomberg. Repository: geode Description --- GEODE-2925: add target for resource operation for finer grained security Diffs (updated) - geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-01 Thread Jared Stewart
> Description > --- > > GEODE-2925: add target for resource operation for finer grained security > > > Diffs > - > > > geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java > 600d5462b1d18cfc702d400f6d9

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-01 Thread Jinmei Liao
Stewart, Ken Howe, Kirk Lund, and Patrick Rhomberg. Changes --- add more methods in security service Repository: geode Description --- GEODE-2925: add target for resource operation for finer grained security Diffs (updated) - geode-core/src/main/java/org/apache/geode

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-06-01 Thread Jinmei Liao
Stewart, Ken Howe, Kirk Lund, and Patrick Rhomberg. Repository: geode Description --- GEODE-2925: add target for resource operation for finer grained security Diffs (updated) - geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java

Re: Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-05-31 Thread Ken Howe
, Ken Howe, Kirk Lund, and > Patrick Rhomberg. > > > Repository: geode > > > Description > --- > > GEODE-2925: add target for resource operation for finer grained security > > > Diffs > - > >

Review Request 59692: GEODE-2925: add target for resource operation for finer grained security

2017-05-31 Thread Jinmei Liao
, and Patrick Rhomberg. Repository: geode Description --- GEODE-2925: add target for resource operation for finer grained security Diffs - geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java 600d5462b1d18cfc702d400f6d91c1ac1fab3755 geode-core

[jira] [Created] (GEODE-2987) document finer grained security migration

2017-05-25 Thread Swapnil Bawaskar (JIRA)
Swapnil Bawaskar created GEODE-2987: --- Summary: document finer grained security migration Key: GEODE-2987 URL: https://issues.apache.org/jira/browse/GEODE-2987 Project: Geode Issue Type

[jira] [Updated] (GEODE-2919) Provide finer grained security

2017-05-16 Thread Joey McAllister (JIRA)
[ https://issues.apache.org/jira/browse/GEODE-2919?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Joey McAllister updated GEODE-2919: --- Component/s: docs > Provide finer grained secur

[jira] [Created] (GEODE-2919) Provide finer grained security

2017-05-15 Thread Swapnil Bawaskar (JIRA)
Swapnil Bawaskar created GEODE-2919: --- Summary: Provide finer grained security Key: GEODE-2919 URL: https://issues.apache.org/jira/browse/GEODE-2919 Project: Geode Issue Type: Improvement

Re: Finer grained security

2017-05-11 Thread Swapnil Bawaskar
Thanks for feedback! I have tried to incorporate this on our wiki: https://cwiki.apache.org/confluence/display/GEODE/Finer+grained+security. Comments welcome. On Thu, Apr 27, 2017 at 1:33 PM John Blum <jb...@pivotal.io> wrote: > +1 to Jake's comments, and is a fundamental property

Re: Finer grained security

2017-04-27 Thread John Blum
+1 to Jake's comments, and is a fundamental property of Java's security internally. On Thu, Apr 27, 2017 at 1:09 PM, Jacob Barrett wrote: > Typical solution to the X service needs to create something in service Y > where user has permission to X but not to Y is to treat the

Re: Finer grained security

2017-04-27 Thread Jacob Barrett
Typical solution to the X service needs to create something in service Y where user has permission to X but not to Y is to treat the actions on Y performed by X to be trusted. Often I have seen this implemented such that after asserting permission on "create" on X that X performs actions on Y as a

Re: Finer grained security

2017-04-27 Thread Michael Stolz
We have seen users who need per-Region permission for Data read/write, so there is precedent there at least. -- Mike Stolz Principal Engineer, GemFire Product Manager Mobile: +1-631-835-4771 On Thu, Apr 27, 2017 at 2:11 PM, pulkit chandra wrote: > For per instance

Re: Finer grained security

2017-04-27 Thread pulkit chandra
For per instance permission, I would say look for the evidence. Do we have evidence that customers want per instance permission? If not, maybe implement minimally in the first cut and validate with customers if they want per instance model? About Lucene concern, it is in fact good to provide

Re: Finer grained security

2017-04-26 Thread Dan Smith
I agree that async event queues seem like a different case than wan or disk. In that case you are not using anything that creating a region doesn't do. Shouldn't creating a region be DATA:MANAGE:DISK? Requiring DATA privileges for a region without disk and CLUSTER privileges for a region with

Re: Finer grained security

2017-04-26 Thread Diane Rose Hardman
One more possible complication is that creating a Lucene index will also create an AsyncEventQueue. Today the required permission to create the AEQ is DATA:MANAGE which coincidentally nicely matches the permission required to create an OQL index. Pulling out the AEQ as a separate resource will

Re: Finer grained security

2017-04-25 Thread Jinmei Liao
DATA:*:RegionA would allow you to only operate that region but not all of them. If we want to control a specific wan, maybe we add a fourth parameter: cluster:*:wan:wanName, same goes for Disk etc. On Tue, Apr 25, 2017 at 3:03 PM, Jacob Barrett wrote: > Think further, what

Re: Finer grained security

2017-04-25 Thread Jacob Barrett
Think further, what about the team that asks that I be able to manage a region not all regions, or a wan not all wan. It may be time to think about a full per instance / named resource based security model. On Tue, Apr 25, 2017 at 2:59 PM Jared Stewart wrote: > +1 > > I think

Re: Finer grained security

2017-04-25 Thread Jared Stewart
+1 I think it would also be a good idea to move the current operations permitted by CLUSTER:MANAGE (stop server, alter runtime, etc) to require the more specific CLUSTER:MANAGE:MEMBER in order to avoid ambiguity. (This is not a breaking change since CLUSTER:MANAGE implies

Finer grained security

2017-04-25 Thread Swapnil Bawaskar
In our current security model, a user with DATA:MANAGE can create regions, create disk stores, WAN gateways etc. I think this is a very wide scope, because an administrator may want to give create region privilege to a developer, but not necessarily give them the ability to create disk stores or