GridGain with Active Directory: Multiple Groups for a Single User

Valentin Kulichenko
2 min read · Mar 11, 2020


Several months ago I wrote about how GridGain Enterprise Edition can be integrated with Active Directory to enable authentication and authorization on a cluster: https://medium.com/@valentin.kulichenko/role-based-authorization-with-active-directory-for-gridgain-eaad394ba173

While working on that blog, I stumbled upon one significant limitation of the existing integration: there was no way to assign a user to multiple groups.

Let’s say you have your security groups set up in AD as described in the previous blog. I.e., you’ve got the following groups:

  • GG_CacheReadOnlyUsers for read-only access to caches.
  • GG_CacheReadWriteUsers for read-write access to caches.
  • GG_WebConsoleUsers for access to the Web Console.
  • GG_SuperUsers for unrestricted access.

Now, what if you want to create a user that has read-only access to caches AND is able to use the Web Console? The natural solution here is to make sure this user is a member of both GG_CacheReadOnlyUsers and GG_WebConsoleUsers groups. Unfortunately, with older versions of GridGain, this is not going to work. Instead, the user would get permissions based on only one of those two groups (whichever comes first in the JAAS configuration file).

Of course, you could create a new group for this purpose and name it something like GG_CacheReadOnlyAndWebConsoleUsers… But that looks really cumbersome, and how many groups like that are you going to have to configure going forward?

Good News!

Luckily, starting with GridGain 8.7.8, this is no longer an issue. The only change you need to make, compared to the configuration we had previously, is to convert all login modules in the jaas.config file from SUFFICIENT to OPTIONAL. Here is how it should look now:

This instructs JAAS not to stop after the first successful module, but to continue through the list and collect all authorization identities applicable to the user. The upgraded GridGain then does its new magic and merges all corresponding permissions together, providing the expected behavior.
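The control-flag behaviour described above can be observed with the JDK's own JAAS classes. This is an added example, not code from the original post or the example project: `GroupModule`, the member names and the `demo` entry name are hypothetical stand-ins for the AD-backed login modules, and the set it returns is only the identities JAAS collects, not GridGain's permission merge.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class JaasFlagDemo {
    // Constructed data: one entry per group, in jaas.config order, with its members.
    static final String[][] ENTRIES = {
        {"GG_CacheReadOnlyUsers", "alice"}, {"GG_CacheReadWriteUsers", "bob"},
        {"GG_WebConsoleUsers", "alice,bob"}, {"GG_SuperUsers", "carol"}};

    /** Hypothetical stand-in for one login module entry that checks a single group. */
    public static class GroupModule implements LoginModule {
        private Subject subject; private Map<String, ?> opts; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> o) { subject = s; opts = o; }
        public boolean login() throws LoginException {
            ok = List.of(((String) opts.get("members")).split(",")).contains(opts.get("user"));
            if (!ok) throw new FailedLoginException("not a member of " + opts.get("group"));
            return true;
        }
        // Under OPTIONAL, commit() also runs for modules whose login() failed,
        // so the group identity is added only when this module's login() passed.
        public boolean commit() {
            if (ok) subject.getPrincipals().add((Principal) () -> (String) opts.get("group"));
            return ok;
        }
        public boolean abort() { ok = false; return true; }
        public boolean logout() { return true; }
    }

    /** Logs `user` in with every entry set to `flag`; returns the identities JAAS collected. */
    static Set<String> identities(String user, LoginModuleControlFlag flag) throws LoginException {
        AppConfigurationEntry[] stack = new AppConfigurationEntry[ENTRIES.length];
        for (int i = 0; i < stack.length; i++)
            stack[i] = new AppConfigurationEntry(GroupModule.class.getName(), flag,
                Map.of("group", ENTRIES[i][0], "members", ENTRIES[i][1], "user", user));
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return stack; }
        };
        Subject subject = new Subject();
        new LoginContext("demo", subject, callbacks -> { }, cfg).login();
        return subject.getPrincipals().stream().map(Principal::getName)
            .collect(java.util.stream.Collectors.toCollection(TreeSet::new));
    }

    public static void main(String[] args) throws LoginException {
        System.out.println("SUFFICIENT: " + identities("alice", LoginModuleControlFlag.SUFFICIENT));
        System.out.println("OPTIONAL:   " + identities("alice", LoginModuleControlFlag.OPTIONAL));
    }
}
```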

The updated example project is here: https://github.com/vkulichenko/gridgain-jaas-ad/tree/update-gg-8.7.8

With the recent updates, GridGain allows for much better flexibility when configuring security via Active Directory. Kudos to the GridGain team for improving the usability!
