Configuring User Authorization
When you enable user authorizations, GemFire XD verifies that a user has been granted permission to access a schema, database object, or a SQL action.
- Connection Authorization and SQL Standard Authorization
- User Authorization Properties
- Changing Connection Authorization Settings
Connection Authorization and SQL Standard Authorization
There are two types of user authorization in GemFire XD: connection authorization and SQL standard authorization. Connection authorization specifies the basic access (none, read-only, or full) that a user has when connecting to the distributed system. SQL standard authorization controls the permissions that users have on individual database objects or for specific SQL actions. You set the user authorization properties in GemFire XD as system-level properties, either at the command line or in the connection string when booting GemFire XD members, or in the gemfirexd.properties file.
User Authorization Properties
You can set properties to control user authorizations for GemFire XD. Some properties set the default access mode for all users. Other properties set the default level of access for specific user IDs.
- gemfirexd.authz-default-connection-mode—Sets the connection access mode for all users (noAccess, readOnlyAccess, or fullAccess), overriding any fine-grained privileges that you may have granted using the GRANT statement. Configure this property only if you want to override the access mode for all users.
- gemfirexd.authz-full-access-users and gemfirexd.authz-read-only-access-users—Specify one or more user IDs that have read-write access and read-only access, respectively, to the distributed system as a whole. Note: You must define the access list property gemfirexd.authz-full-access-users at the command line when starting GemFire XD, rather than in the gemfirexd.properties file.
- gemfirexd.sql-authorization—Enables SQL standard authorization. Use gemfirexd.sql-authorization to control whether object owners can grant and revoke permission for other users to perform SQL actions on their database objects. The default setting for gemfirexd.sql-authorization is FALSE. However, if you start a GemFire XD member with gfxd and you include the -auth-provider option to specify a client authentication mechanism, then SQL authorization is enabled by default. When SQL authorization is enabled, object owners can use the GRANT and REVOKE SQL statements to set the user permissions for specific database objects or for specific SQL actions.
If you do not configure user authorizations for a specific user ID, the user ID inherits whatever authorization is set as the default user authorization for the GemFire XD member (gemfirexd.authz-default-connection-mode).
How User Authorization Properties Work Together
- When the gemfirexd.sql-authorization property is FALSE, the ability to read from or write to database objects is determined solely by the setting for the gemfirexd.authz-default-connection-mode property (or by the access list a user appears in). If gemfirexd.authz-default-connection-mode is set to readOnlyAccess, users can read all of the database objects but they cannot modify or drop those objects.
- When gemfirexd.sql-authorization is TRUE, the ability to read from or write to database objects is initially restricted to the owner of those database objects. The owner must explicitly grant permission for others to access the database objects. No one but the owner of an object or the JVM owner can drop the object.
- The access mode specified for the gemfirexd.authz-default-connection-mode property overrides the permissions that are granted by the owner of a database object. For example, if a user is granted INSERT privileges on a table but the user only has read-only connection authorization, the user cannot insert data into the table.
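The following gfxd script is an added example, not part of the GemFire XD documentation, that walks through the three rules above: owner-only access until a GRANT is issued, the owner-only DROP, and a read-only connection mode overriding an INSERT privilege. It assumes (hypothetically) that a member listens on localhost:1527 and was started with -auth-provider=BUILTIN, -gemfirexd.sql-authorization=true and -gemfirexd.authz-read-only-access-users=analyst on the command line, that the default connection mode is left at fullAccess, and that the BUILTIN users appowner, analyst and loader already exist; the passwords are placeholders.

```sql
-- Added example (not GemFire XD's own documentation code). Run with:
--   gfxd run -file=authz_demo.sql
-- Assumed (hypothetical) setup: member on localhost:1527 started with
--   -auth-provider=BUILTIN -gemfirexd.sql-authorization=true
--   -gemfirexd.authz-read-only-access-users=analyst
-- and existing BUILTIN users appowner, analyst, loader.

-- 1. The owner creates a table in its own schema (APPOWNER). With SQL
--    authorization enabled, no other user can read or write it yet.
connect client 'localhost:1527;user=appowner;password=appowner-pw';
create table orders (id int primary key, amount decimal(10,2));
insert into orders values (1, 10.00);

-- 2. Object-level grants. loader gets read-write access; analyst gets
--    SELECT plus INSERT, which the read-only connection mode will override.
grant select, insert on orders to loader;
grant select, insert on orders to analyst;
disconnect;

-- 3. loader: both statements succeed, because the granted privileges and the
--    (fullAccess) connection mode agree.
connect client 'localhost:1527;user=loader;password=loader-pw';
select * from appowner.orders;
insert into appowner.orders values (2, 20.00);
-- Rejected: only the owner (or the JVM owner) may drop the table, even
-- though loader holds INSERT on it.
drop table appowner.orders;
disconnect;

-- 4. analyst: SELECT succeeds, but INSERT is rejected despite the GRANT,
--    because analyst is listed in gemfirexd.authz-read-only-access-users and
--    the connection mode takes precedence over object privileges.
connect client 'localhost:1527;user=analyst;password=analyst-pw';
select * from appowner.orders;
insert into appowner.orders values (3, 30.00);
disconnect;

-- 5. The owner withdraws loader's write access; loader's later INSERTs fail
--    while its SELECTs continue to work.
connect client 'localhost:1527;user=appowner;password=appowner-pw';
revoke insert on orders from loader;
disconnect;
```

When checking an authorization setup, test each statement under the least-privileged account that should be able to run it and under one that should not: the GRANT output alone does not tell you whether an access list or the default connection mode will veto the privilege at execution time.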
Changing Connection Authorization Settings
Connection authorization properties are fixed for the duration of a connection. Establish a new connection in order to change authorization properties.