SecurityManager and the old AccessControl can't work together. The
postprocessor is supposed to cover field level security, but due to
GEODE-2153, we need to enhance the post-processor to include more information
(either what field the query is accessing or the entire query string) in
order to truly support that.

On Thu, Jun 22, 2017 at 4:18 PM, Kirk Lund <kl...@apache.org> wrote:

> You cannot use SecurityManager AND AccessControl/Authenticator at the same
> time. It's either SecurityManager or the old callbacks but not both.
>
> The authorizeOperation callback is specific to OperationContext.
> OperationContext is deprecated in favor of ResourcePermission which
> reorganizes everything as Resource (NULL, CLUSTER, DATA), Operation (NULL,
> MANAGE, WRITE, READ) and Target (ALL, DISK, GATEWAY, QUERY, JAR).
>
> On Thu, Jun 22, 2017 at 3:11 PM, John Blum <jb...@pivotal.io> wrote:
>
> > We should also keep in mind this may not be possible when using an actual,
> > robust security framework like *Apache Shiro*, or *Shiro* may provide
> > different callbacks/mechanisms/extensions.
> >
> > This should be taken into account in the "solution" since most sensible
> > users will use a well-known, proven security framework when securing their
> > Geode deployment.
> >
> > -j
> >
> > On Thu, Jun 22, 2017 at 2:34 PM, Michael Stolz <mst...@pivotal.io> wrote:
> >
> > > The old security framework had an authorizeOperation method that had enough
> > > information to be able to inspect and modify an OQL string before it would
> > > be executed. That whole framework is now deprecated, but I feel like it's a
> > > really powerful feature being able to modify OQL in such a way as to
> > > support adding some kind of security column to the where clause so you can
> > > implement row-level security on queries.
> > >
> > > My question is, are the new SecurityManager and the old AccessControl
> > > interface able to both be used together or are they mutually exclusive?
> > >
> > > --
> > > Mike Stolz
> > > Principal Engineer, GemFire Product Manager
> > > Mobile: +1-631-835-4771
> > >
> >
> >
> >
> > --
> > -John
> > john.blum10101 (skype)
> >
>



-- 
Cheers

Jinmei
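
An added illustration of the post-processor limitation discussed in this thread (not code from the thread or from the Geode project): a field-redacting implementation of `org.apache.geode.security.PostProcessor`. The `Customer` class, the `security-privileged-users` property and the String principal are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
import org.apache.geode.security.PostProcessor;

// Hypothetical value class stored in a region (not part of Geode).
class Customer implements java.io.Serializable {
  final String name;
  final String ssn;

  Customer(String name, String ssn) {
    this.name = name;
    this.ssn = ssn;
  }
}

public class SsnRedactingPostProcessor implements PostProcessor {
  // Assumption: SecurityManager.authenticate returns the user name as a String.
  private Set<String> privileged = new HashSet<>();

  @Override
  public void init(Properties securityProps) {
    // "security-privileged-users" is a made-up property name for this example.
    String users = securityProps.getProperty("security-privileged-users", "");
    privileged = new HashSet<>(Arrays.asList(users.split(",")));
  }

  @Override
  public Object processRegionValue(Object principal, String regionName,
                                   Object key, Object value) {
    // The callback receives only principal, region name, key and value.
    // There is no query string and no list of projected fields, so the only
    // thing this code can inspect is the type of the value handed to it.
    if (!(value instanceof Customer)
        || privileged.contains(String.valueOf(principal))) {
      // Anything that is not a whole Customer (for example a bare String)
      // passes through unchanged, because nothing here identifies it as an SSN.
      return value;
    }
    Customer c = (Customer) value;
    // Return a redacted copy rather than mutating the object passed in.
    return new Customer(c.name, "***");
  }
}
```

A class like this is registered through the `security-post-processor` property alongside `security-manager`.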
