Details
- Enhancement
- Resolution: Done
- Major
Description
Authorization should be enabled OOTB in the server.
- Out-of-the-box, authorization would apply only at the cache manager level. Caches would not have authz enabled by default (the performance cost is non-negligible).
- The current small set of permissions which can be combined to form roles is not flexible enough. We would need to have named roles, possibly mapping to the REST resource names (e.g. /v2/logging/loggers, /v2/caches/cacheName) and map permissions to verbs (GET/HEAD = READ; POST, PUT, DELETE = WRITE). We might want to use resource prefixes to provide coarser management.
- Users upgrading from older versions will need to add the roles to their existing users.
To make use of authorization less cumbersome, we should also have some defaults.
Adding the empty <authorization> element should enable authorization with a set of default predefined roles.
A proposed list of these roles:
- admin: superuser, allowed to do everything
- application: allowed to perform all read/write ops, but not allowed to create/remove caches, schemas, scripts
- deployer: allowed to create/remove caches, schemas, scripts
- observer: a read-only role. Can use the CLI/console but all write ops are forbidden
In terms of org.infinispan.security.AuthorizationPermission, add the following permission:
- CREATE, which would allow create/remove of caches, counters, schemas, scripts
Issue Links
- relates to ISPN-12874 Authorization: add a MONITOR permission and default role (Closed)
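The sketch below is an added example, not Infinispan code and not part of the ticket: it models how the proposed default roles, the verb-to-permission mapping and the new CREATE permission would combine into one allow/deny decision. The class name, the reduced Permission enum, the per-role permission sets, the key-level paths and the rule that POST/DELETE on /v2/caches/<name> needs CREATE are all assumptions made for illustration.

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

public class ProposedAuthzSketch {
    // Stand-in for org.infinispan.security.AuthorizationPermission, cut down to the
    // permissions the ticket discusses; CREATE is the one it proposes adding.
    enum Permission { READ, WRITE, CREATE }

    // The four proposed default roles. The exact permission sets are assumptions
    // read off the role descriptions (deployer is assumed to extend application).
    static final Map<String, Set<Permission>> ROLES = Map.of(
            "admin", EnumSet.allOf(Permission.class),
            "application", EnumSet.of(Permission.READ, Permission.WRITE),
            "deployer", EnumSet.of(Permission.READ, Permission.WRITE, Permission.CREATE),
            "observer", EnumSet.of(Permission.READ));

    // Verb mapping from the ticket: GET/HEAD = READ, POST/PUT/DELETE = WRITE.
    // Assumption: POST/DELETE on /v2/caches/<name> itself creates or removes the
    // cache and therefore needs CREATE. Unknown verbs map to null (denied).
    static Permission required(String verb, String path) {
        String[] seg = path.split("/"); // "/v2/caches/c1" -> ["", "v2", "caches", "c1"]
        boolean wholeCache = seg.length == 4 && seg[1].equals("v2") && seg[2].equals("caches");
        switch (verb) {
            case "GET": case "HEAD": return Permission.READ;
            case "PUT": return Permission.WRITE;
            case "POST": case "DELETE": return wholeCache ? Permission.CREATE : Permission.WRITE;
            default: return null;
        }
    }

    // Deny by default: a user with no role, or an unknown role, gets nothing.
    static boolean allowed(String role, String verb, String path) {
        Permission needed = required(verb, path);
        return needed != null && ROLES.getOrDefault(role, Set.of()).contains(needed);
    }

    public static void main(String[] args) {
        // Constructed requests: role, verb, path.
        String[][] requests = {
            {"observer", "GET", "/v2/caches/c1/k1"}, {"observer", "PUT", "/v2/caches/c1/k1"},
            {"application", "PUT", "/v2/caches/c1/k1"}, {"application", "DELETE", "/v2/caches/c1"},
            {"deployer", "POST", "/v2/caches/c1"}, {"admin", "PUT", "/v2/logging/loggers"},
            {"", "GET", "/v2/caches/c1/k1"}}; // pre-upgrade user with no role assigned
        for (String[] r : requests)
            System.out.printf("%-12s %-6s %-20s %s%n", r[0].isEmpty() ? "(no role)" : r[0],
                    r[1], r[2], allowed(r[0], r[1], r[2]) ? "ALLOW" : "DENY");
    }
}
```

The last constructed request shows the upgrade concern raised in the description: an existing user who has not been given one of the roles is denied even a read.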