When you enable user authorization, GemFire XD verifies that a user has been granted
permission to access a schema or database object, or to perform a SQL action.
Connection Authorization and SQL Standard Authorization
There are two types of user authorization in GemFire XD: connection authorization
and SQL standard authorization.
Connection authorization specifies the basic access that
users have when they connect to the distributed system.
SQL authorization controls the permissions that users have
on database objects or for SQL actions. You set the user authorization
properties in GemFire XD as system-level properties, either at the command line or
connection string when booting GemFire XD members, or in the
User Authorization Properties
You can set properties to control user authorizations for GemFire XD.
Some properties set the default access mode for all users. Other properties set
the default level of access for specific user IDs.
The properties that affect authorization are:
If you do not configure user authorizations for a specific user ID,
the user ID inherits whatever authorization is set as the default user
authorization for the GemFire XD member
Tip: If you set the gemfirexd.authz-default-connection-mode property
to noAccess or readOnlyAccess, you should
allow at least one user read-write access. Otherwise, depending on the default
connection authorization that you specify, your system may contain database objects
that cannot be accessed or changed. You must specify that the user has access by
on the command line when starting GemFire XD; you cannot define the property in
How User Authorization Properties Work Together
properties work together.
The default settings for these properties allow anyone to access and drop the
database objects that they create. You can change the default access mode by
specifying different settings for these properties.
- When the gemfirexd.sql-authorization property is FALSE, the ability to read from
or write to database objects is determined by the setting for the
gemfirexd.authz-default-connection-mode property. If
gemfirexd.authz-default-connection-mode is set to readOnlyAccess, users can access
all of the database objects but they cannot update or drop those objects.
- When the gemfirexd.sql-authorization property is TRUE, the ability to read from
or write to database objects is initially restricted to the owner of those database
objects. The owner must explicitly grant permission for others to access the
database objects. No one but the owner of an object or the JVM owner can drop
- The access mode specified
overrides the permissions that are granted by the owner of a database object.
For example, if a user is granted INSERT privileges on a table but the user
only has read-only connection authorization, the user cannot insert data into
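The precedence described in the list above, modelled as an added Python example (not GemFire XD code and not part of the original documentation). The function, its parameters, the user names and the fullAccess mode value do not appear on this page; treating noAccess as denying every action, and full access with SQL authorization off as permitting DROP, are assumptions.

```python
# Added illustration of the documented precedence; names are hypothetical.
MODES = ("noAccess", "readOnlyAccess", "fullAccess")


def is_allowed(action, user, owner, connection_mode, sql_authorization,
               grants=frozenset(), jvm_owner=None):
    """Return True if `user` may run `action` on an object owned by `owner`.

    connection_mode   -- access mode in effect for this user's connection
    sql_authorization -- value of gemfirexd.sql-authorization (bool)
    grants            -- set of (grantee, action) pairs issued by the owner
    """
    if connection_mode not in MODES:
        raise ValueError(f"unknown connection mode: {connection_mode!r}")

    # 1. The connection access mode is evaluated first and overrides grants.
    if connection_mode == "noAccess":
        return False  # assumption: noAccess denies every action
    if connection_mode == "readOnlyAccess" and action != "SELECT":
        return False  # read-only connections cannot update or drop

    # 2. SQL authorization off: the connection mode alone decides.
    #    (Assumption: full access then also permits DROP.)
    if not sql_authorization:
        return True

    # 3. SQL authorization on: access starts with the owner only.
    if user == owner:
        return True
    if action == "DROP":
        return user == jvm_owner  # only the owner or the JVM owner may drop
    return (user, action) in grants  # others need an explicit grant


if __name__ == "__main__":
    # Constructed sample: alice owns the table and granted INSERT to bob.
    grants = {("bob", "INSERT")}
    for mode in ("readOnlyAccess", "fullAccess"):
        ok = is_allowed("INSERT", "bob", "alice", mode, True, grants)
        print(f"bob INSERT with {mode}: {'allowed' if ok else 'denied'}")
```
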
Changing Connection Authorization Settings
Connection authorization properties are fixed for the duration of a
connection. Establish a new connection in order to change authorization