Configuring User Authorization

When you enable user authorizations, GemFire XD verifies that a user has been granted permission to access a schema, database object, or a SQL action.

Connection Authorization and SQL Standard Authorization

There are two types of user authorization in GemFire XD: connection authorization and SQL standard authorization. Connection authorization specifies the basic access that users have when they connect to the distributed system. SQL authorization controls the permissions that users have on database objects or for SQL actions. You set the user authorization properties in GemFire XD as system-level properties, either on the command line or in the connection string when booting GemFire XD members, or in the gemfirexd.properties file.

User Authorization Properties

You can set properties to control user authorizations for GemFire XD. Some properties set the default access mode for all users. Other properties set the default level of access for specific user IDs.

The properties that affect authorization are:
  • gemfirexd.authz-default-connection-mode—Sets the access mode for all users, overriding any fine-grained privileges that you may have granted using the GRANT statement. Configure this property only if you want to override the access mode for all users.
  • gemfirexd.authz-full-access-users and gemfirexd.authz-read-only-access-users—These properties specify one or more user IDs that have, respectively, read-write access and read-only access to the distributed system as a whole.
    Note: You must define the access list property gemfirexd.authz-full-access-users at the command line when starting GemFire XD, rather than in the gemfirexd.properties file.
  • gemfirexd.sql-authorization—Enables SQL standard authorization. Use gemfirexd.sql-authorization to control whether object owners can grant and revoke permission for other users to perform SQL actions on their database objects. The default setting for gemfirexd.sql-authorization is FALSE. However, if you start a GemFire XD member with gfxd and you include the -auth-provider option to specify a client authentication mechanism, then SQL authorization is enabled by default. When SQL authorization is enabled, object owners can use the GRANT and REVOKE SQL statements to set the user permissions for specific database objects or for specific SQL actions.

If you do not configure user authorizations for a specific user ID, the user ID inherits whatever authorization is set as the default user authorization for the GemFire XD member (gemfirexd.authz-default-connection-mode).

Tip: If you set the gemfirexd.authz-default-connection-mode property to noAccess or readOnlyAccess, you should allow at least one user read-write access. Otherwise, depending on the default connection authorization that you specify, your system may contain database objects that cannot be accessed or changed. You must specify that the user has access by specifying gemfirexd.authz-full-access-users=username on the command line when starting GemFire XD; you cannot define the property in gemfirexd.properties.

How User Authorization Properties Work Together

The gemfirexd.authz-default-connection-mode and gemfirexd.sql-authorization properties work together. The default settings for these properties allow anyone to access and drop the database objects that they create. You can change the default access mode by specifying different settings for these properties.
  • When the gemfirexd.sql-authorization property is FALSE, the ability to read from or write to database objects is determined by the setting for the gemfirexd.authz-default-connection-mode property. If gemfirexd.authz-default-connection-mode is set to readOnlyAccess, users can access all of the database objects but they cannot update or drop those objects.
  • When gemfirexd.sql-authorization is TRUE, the ability to read from or write to database objects is initially restricted to the owner of those database objects. The owner must explicitly grant permission for others to access the database objects. No one but the owner of an object or the JVM owner can drop the object.
  • The access mode specified for the gemfirexd.authz-default-connection-mode property overrides the permissions that are granted by the owner of a database object. For example, if a user is granted INSERT privileges on a table but the user only has read-only connection authorization, the user cannot insert data into the table.
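The following script is an added example, not part of the GemFire XD documentation. It audits a gemfirexd.properties file together with the intended gfxd start arguments against the rules in the property list and the Tip above (the full-access list is only honoured on the command line; a noAccess or readOnlyAccess default mode needs at least one read-write user) and the override rule just described (the connection mode takes precedence over GRANT). The property names are the documented ones; the "-name=value" form of the start arguments, the sample file contents and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the GemFire XD docs): audit a gemfirexd.properties
# file plus gfxd start arguments against the documented authorization rules.
# Assumed: start arguments are passed as -name=value; sample file is constructed.

# prop_get FILE KEY: print KEY's value from a properties file ("" if absent).
# Comment lines are skipped; the last definition wins.
prop_get() {
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -v '^[[:space:]]*#' "$1" \
    | grep "^[[:space:]]*${key_re}[[:space:]]*=" \
    | tail -n 1 \
    | sed 's/^[^=]*=[[:space:]]*//'
}

# audit_authz PROPS START_ARGS: write findings to stderr and print the number
# of WARN findings to stdout. Always exits 0, so it is safe under set -e.
audit_authz() {
  props=$1; args=$2; warns=0
  mode=$(prop_get "$props" gemfirexd.authz-default-connection-mode)
  sqlauth=$(prop_get "$props" gemfirexd.sql-authorization | tr '[:upper:]' '[:lower:]')

  # Rule 1: gemfirexd.authz-full-access-users is ignored in the properties file.
  if [ -n "$(prop_get "$props" gemfirexd.authz-full-access-users)" ]; then
    echo "WARN: gemfirexd.authz-full-access-users in $props is not honoured; pass it on the gfxd command line" >&2
    warns=$((warns + 1))
  fi

  # Rule 2: a restrictive default mode needs at least one read-write user,
  # otherwise objects can end up that nobody is able to change or drop.
  case $mode in
    noAccess|readOnlyAccess)
      case " $args " in
        *" -gemfirexd.authz-full-access-users="*) ;;
        *) echo "WARN: default mode '$mode' with no full-access user on the command line" >&2
           warns=$((warns + 1)) ;;
      esac ;;
  esac

  # Override rule: the connection mode overrides GRANT, so SQL authorization
  # combined with a read-only default leaves granted write privileges ineffective.
  if [ "$mode" = readOnlyAccess ] && [ "$sqlauth" = true ]; then
    echo "NOTE: readOnlyAccess overrides GRANT; write privileges granted by owners will not take effect" >&2
  fi

  echo "$warns"
}

# write_sample_props FILE yes|no: constructed sample file; "yes" adds the
# full-access list to the file, which is the mistake the Tip warns about.
write_sample_props() {
  {
    echo '# constructed gemfirexd.properties (not from a real deployment)'
    echo 'gemfirexd.sql-authorization=true'
    echo 'gemfirexd.authz-default-connection-mode=readOnlyAccess'
    if [ "$2" = yes ]; then echo 'gemfirexd.authz-full-access-users=admin'; fi
  } > "$1"
}

# Demonstration: the misconfigured file, then the corrected file plus the
# command-line list. Expected output: "warnings before: 2, after: 0".
demo() {
  f=${TMPDIR:-/tmp}/gfxd-authz-demo.$$.properties
  write_sample_props "$f" yes
  before=$(audit_authz "$f" "")
  write_sample_props "$f" no
  after=$(audit_authz "$f" "-gemfirexd.authz-full-access-users=admin")
  rm -f "$f"
  echo "warnings before: $before, after: $after"
}
demo
```

The audit reads the default connection mode only from the properties file; if you set that mode on the command line instead, pass it through the same check. Run the script before starting members so that a restrictive default mode is never booted without a read-write user on the gfxd command line.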

Changing Connection Authorization Settings

Connection authorization properties are fixed for the duration of a connection. Establish a new connection in order to change authorization properties.