Infinispan uses Role-Based Access Control for authorization.
Security realms integrate Infinispan Server deployments with the network protocols and infrastructure in your environment that control access and verify user identities.
Infinispan integrates with Kerberos, LDAP, trust stores, and token-based authentication through OpenID Connect providers such as Keycloak.
Infinispan 15.0 simplifies understanding authentication and authorization through a visual interface.
Make sure you have the latest version of the Infinispan Server 15.0 image by pulling it locally.
In Infinispan, the default security realm relies on properties.
Infinispan Server does not maintain user authentication through a session management system for its REST API. The REST API is stateless, and both authentication and role-based access control are applied through the AUTHENTICATION header when interacting with it. The console is built on the REST API. DIGEST is one of the supported mechanisms, so the browser asks for the user name and password using its native authentication prompt.
Implicit RBAC. Infinispan safeguards operations by requiring specific permissions for actions such as creating caches, resetting statistics, uploading data schemas, and more.
Implicit authorization is enabled by default, providing predefined roles to which users can be assigned, granting them the ability to execute specific actions.
Starting from Infinispan 15, a new feature in the console allows users to view these roles, their corresponding permissions, and descriptions.
To start Infinispan locally with multiple users and distinct roles, we can employ an identities batch that is passed to the container during startup.
To simplify matters, we have established a straightforward one-to-one mapping between user names and roles.
Those users are now available and listed in the Infinispan Web Console.
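The identities batch described above, with its one-to-one mapping between user names and roles, can be generated and checked before the container ever sees it. The following is an added example, not code from the original article: the five role names, the `user create` line format, the `IDENTITIES_BATCH` variable and the `quay.io/infinispan/server:15.0` image tag are assumptions, and the audit thresholds are illustrative.

```shell
#!/bin/sh
# Added example. Assumed names: the five predefined roles below, the
# IDENTITIES_BATCH variable and the quay.io/infinispan/server:15.0 image tag.
ROLES="admin deployer application observer monitor"

# 24 hex characters read from the kernel CSPRNG.
gen_password() {
  od -An -N12 -tx1 /dev/urandom | tr -d ' \n'
}

# write_identities_batch FILE
# One "user create" CLI line per role; user name == role name (one-to-one).
write_identities_batch() {
  : > "$1"
  for role in $ROLES; do
    printf 'user create "%s" -p "%s" -g %s\n' \
      "$role" "$(gen_password)" "$role" >> "$1"
  done
}

# audit_identities_batch FILE
# Prints one finding per line and returns non-zero if anything was flagged:
#   MALFORMED  line is not: user create "<name>" -p "<password>" -g <role>
#   WEAK       password shorter than 16 characters
#   REUSED     password already used by an earlier user
audit_identities_batch() {
  awk '
    !/^user create "[^"]+" -p "[^"]+" -g [a-z]+$/ {
      print "MALFORMED line " NR; bad = 1; next
    }
    {
      split($0, q, "\"")            # q[2] = user name, q[4] = password
      if (length(q[4]) < 16) { print "WEAK " q[2]; bad = 1 }
      if (q[4] in seen) { print "REUSED " q[2] " (same as " seen[q[4]] ")"; bad = 1 }
      else seen[q[4]] = q[2]
    }
    END { exit bad }
  ' "$1"
}

# start_server FILE: mounts the batch read-only and points the image at it.
start_server() {
  dir=$(cd "$(dirname "$1")" && pwd)
  docker run -d -p 11222:11222 -v "$dir:/user-config:ro" \
    -e IDENTITIES_BATCH="/user-config/$(basename "$1")" \
    quay.io/infinispan/server:15.0
}
```

Call `write_identities_batch identities.batch`, then `audit_identities_batch identities.batch && start_server identities.batch`, so a batch with shared or short passwords never reaches the server.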
In Infinispan, it's possible to create caches with data manipulation permissions restricted to specific roles.
As the monitor role is designed solely for monitoring and not data creation, only data associated with the cache metrics will be accessible.
For users lacking the admin or monitor role, accessing the cache from the console is not possible.
In this article, you've explored the interplay of permissions, roles, Infinispan Security, and the fundamentals of secured caches.
Beyond these, Infinispan Security management offers a range of additional capabilities.
These include data encryption and more advanced features, such as granting access to an entire group of users managed by systems like LDAP. This is achieved through a Principal Role Mapper, which establishes a connection between all these users and a specific role.
Infinispan supports many authentication mechanisms, such as token-based authentication, which can be handled with Keycloak.
This Cyber News was published on feeds.dzone.com. Publication date: Mon, 08 Jan 2024 17:13:07 +0000