Enable User Authentication

To enable user authentication with GemFire XD, you must use a GemFire XD locator for member discovery. GemFire XD uses mutual authentication between the GemFire XD locator and subsequent GemFire XD members that boot and join the distributed system. User authentication is not supported if you use multicast for member discovery.

Procedure

  1. For each member of the GemFire XD cluster (servers, locators, and accessors), set the gemfirexd.auth-provider property to enable user authentication and to specify the mechanism that GemFire XD uses to authenticate users.

    For servers and locators, specify -auth-provider=provider_name at the command line, or define the gemfirexd.auth-provider=provider_name property in the gemfirexd.properties file.

    For development and testing only, specify BUILTIN as the provider name to use the GemFire XD built-in authentication mechanism. For production purposes, specify LDAP to use an existing LDAP repository, or specify the name of a custom provider class that implements the UserAuthenticator interface.

  2. Configure user credentials in your specified authentication provider. See Using BUILTIN Authentication or Using LDAP Directory Service.

    Note: If you start a GemFire XD system with user authentication enabled but without defining at least one user, you will not be able to shut down the system at once with gfxd shut-down-all. To create users, see Using BUILTIN Authentication or Using LDAP Directory Service.

  3. Start one or more GemFire XD locators with the authorization configuration, before starting any additional GemFire XD data stores or accessors.

    When using BUILTIN authentication, the locator must define all system user accounts as well as the authentication provider for the distributed system as a whole. GemFire XD uses the specified provider and users to perform mutual authentication when new members attempt to join the distributed system.

  4. When shutting down the distributed system, use shut-down-all with authenticated user credentials. By default this command shuts down all servers and accessors, but leaves standalone locator members running. Always leave at least one locator running in the distributed system, until all data stores have finished shutting down.

Example

The following gemfirexd.properties entries show a GemFire XD member that is configured to use GemFire XD built-in authentication:

    gemfirexd.auth-provider=BUILTIN
    mcast-port=0

The mcast-port=0 entry indicates that multicast is not used in the GemFire XD distributed system. Valid locator properties would need to be supplied when starting the GemFire XD server, as well as the credentials for a GemFire XD user as described in Using BUILTIN Authentication.
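The following checker, added here as an example and not part of the GemFire XD documentation or product, reads a gemfirexd.properties file and reports the conditions this page calls out: an auth provider must be set, discovery must be locator-based (mcast-port=0 plus a locators entry), BUILTIN is for development only, and at least one user must exist or shut-down-all cannot be used. The gemfirexd.user.<name>=<password> form for BUILTIN users and the locators property name are assumptions taken from the related GemFire XD pages, not from this page.

```python
"""Check a gemfirexd.properties file against the authentication requirements
described on this page. Added example, not GemFire XD's own code."""


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments,
    no escape handling (enough for the flat entries shown on this page)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_auth_config(text, production=False):
    """Return a list of findings; an empty list means the file satisfies the checks."""
    props = parse_properties(text)
    findings = []
    provider = props.get("gemfirexd.auth-provider", "")
    if not provider:
        findings.append("auth-provider missing: user authentication is disabled")
    elif provider.upper() == "BUILTIN":
        if production:
            findings.append("BUILTIN provider is for development and testing only")
        # Assumed property form for BUILTIN users: gemfirexd.user.<name>=<password>
        if not any(k.startswith("gemfirexd.user.") for k in props):
            findings.append("no users defined: shut-down-all will not be possible")
    # Authentication requires locator-based discovery, never multicast.
    if props.get("mcast-port") != "0":
        findings.append("mcast-port must be 0: multicast discovery is not supported")
    if not props.get("locators"):  # assumed standard 'locators=host[port]' property
        findings.append("locators missing: member cannot reach an authenticating locator")
    return findings


# Constructed sample: the page's example plus one assumed user entry and a locator.
SAMPLE_OK = """# constructed test-only configuration
gemfirexd.auth-provider=BUILTIN
mcast-port=0
locators=localhost[10334]
gemfirexd.user.admin=example-only-password
"""

if __name__ == "__main__":
    for finding in check_auth_config(SAMPLE_OK) or ["no findings"]:
        print(finding)
```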