SecurityManager and the old AccessControl can't work together. The postprocessor is supposed to cover field level security, but due to GEODE-2153, we need to enhance the post-processor to include more information (either what field the query is accessing or the entire query string) in order to truly support that.

On Thu, Jun 22, 2017 at 4:18 PM, Kirk Lund <kl...@apache.org> wrote:

> You cannot use SecurityManager AND AccessControl/Authenticator at the same
> time. It's either SecurityManager or the old callbacks but not both.
>
> The authorizeOperation callback is specific to OperationContext.
> OperationContext is deprecated in favor of ResourcePermission which
> reorganizes everything as Resource (NULL, CLUSTER, DATA), Operation (NULL,
> MANAGE, WRITE, READ) and Target (ALL, DISK, GATEWAY, QUERY, JAR).
>
> On Thu, Jun 22, 2017 at 3:11 PM, John Blum <jb...@pivotal.io> wrote:
>
> > We should also keep in mind this may not be possible when using an actual,
> > robust security framework like *Apache Shiro*, or *Shiro* may provide
> > different callbacks/mechanisms/extensions.
> >
> > This should be taken into account in the "solution" since most sensible
> > users will use a well-known, proven security framework when securing their
> > Geode deployment.
> >
> > -j
> >
> > On Thu, Jun 22, 2017 at 2:34 PM, Michael Stolz <mst...@pivotal.io> wrote:
> >
> > > The old security framework had an authorizeOperation method that had
> > > enough information to be able to inspect and modify an OQL string before
> > > it would be executed. That whole framework is now deprecated, but I feel
> > > like it's a really powerful feature being able to modify OQL in such a
> > > way as to support adding some kind of security column to the where
> > > clause so you can implement row-level security on queries.
> > >
> > > My question is, are the new securityManager and the old AccessControl
> > > interface able to both be used together or are they mutually exclusive?
> > >
> > > --
> > > Mike Stolz
> > > Principal Engineer, GemFire Product Manager
> > > Mobile: +1-631-835-4771
> >
> > --
> > -John
> > john.blum10101 (skype)

--
Cheers

Jinmei
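
The field-level post-processing mentioned in the top reply, as an added example that is not code from this thread or from the Geode project. The region name `customers`, the field `ssn`, the principal `auditor`, the Map-shaped values and the String principal are all assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.geode.security.PostProcessor;

/** Added example: masks one field of region values for unprivileged principals. */
public class FieldRedactingPostProcessor implements PostProcessor {

  // Hypothetical policy: principals allowed to read the sensitive field.
  private static final Set<String> PRIVILEGED =
      new HashSet<>(Arrays.asList("auditor"));

  // Hypothetical region and field names; the region name is assumed to
  // arrive without a leading slash.
  private static final String REGION = "customers";
  private static final String SENSITIVE_FIELD = "ssn";

  @Override
  public Object processRegionValue(Object principal, String regionName,
                                   Object key, Object value) {
    // Assumption: SecurityManager.authenticate returned the user name.
    boolean privileged =
        principal != null && PRIVILEGED.contains(principal.toString());
    if (privileged || !REGION.equals(regionName)) {
      return value;
    }
    if (value instanceof Map) {
      // Whole entry: copy it so the stored value is untouched, then mask.
      Map<Object, Object> copy = new HashMap<>((Map<?, ?>) value);
      if (copy.containsKey(SENSITIVE_FIELD)) {
        copy.put(SENSITIVE_FIELD, "***");
      }
      return copy;
    }
    // Anything else reaches this method without a field name or query
    // string, so the callback cannot tell whether it is the sensitive
    // field. This example withholds it (the caller sees null).
    return null;
  }
}
```

The callback receives only principal, region name, key and value, which is the missing query context the reply attributes to GEODE-2153.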