
Here is how this problem is solved with GridGain. Let me first note that we are not solving any security issues here, but simply trying to facilitate proper usage of resources within a trusted environment.
Now, let's state the problem:
Let's assume that we have grid users Tom and Jim. Let's also assume the following grid topology:
- Nodes NodeP1 and NodeP2 are public and can be used by everyone.
- Nodes NodeT1 and NodeT2 are private nodes that should only be used for tasks executed by Tom. Tom can start execution of his tasks from any of these nodes.
- Nodes NodeJ1 and NodeJ2 are private nodes that should only be used for tasks executed by Jim. Jim can start execution of his tasks from any of these nodes.
So the problem at hand is: how does Tom ensure that his tasks run on his private nodes and public nodes, but do not run on Jim's private nodes?
In GridGain this is solved purely by configuration, without touching the user's code. Let's assume that Tom's user name is 'tom' and Jim's user name is 'jim'. Let's also assume that public nodes are started from the account 'publicuser'.
In GridGain all system properties are available on every node as attributes. Since the user name is available in Java as the system property 'user.name', we can get it as follows:
    GridNode localNode = GridFactory.getGrid().getLocalNode();
    String userName = localNode.getAttribute("user.name");
We need to ensure that tasks started by Tom are only executed on public nodes and Tom's private nodes. For this we have to configure GridNodeFilterTopologySpi to include only the required nodes. GridGain comes with a special node filter, GridJexlNodeFilter, based on Apache JEXL, which allows us to specify node inclusion rules in a one-line JEXL expression:
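    <bean id="grid.custom.cfg"
          class="org.gridgain.grid.GridConfigurationAdapter"
          singleton="true">
        ...
        <property name="topologySpi">
            <bean class="org.gridgain.grid.spi.topology.nodefilter.GridNodeFilterTopologySpi">
                <property name="filter">
                    <bean class="org.gridgain.grid.GridJexlNodeFilter">
                        <property name="expression">
                            <value>
                                <![CDATA[
                                node.attributes['user.name'] == 'tom' ||
                                node.attributes['user.name'] == 'publicuser'
                                ]]>
                            </value>
                        </property>
                    </bean>
                </property>
            </bean>
        </property>
        ...
    </bean>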
Consequently, the JEXL expression for Jim would look as follows:
    ...
    <![CDATA[
    node.attributes['user.name'] == 'jim' ||
    node.attributes['user.name'] == 'publicuser'
    ]]>
    ...
The above configuration ensures that Tom's tasks will never run on Jim's nodes and vice versa. Now all we have to do is bring up all the nodes from the proper user accounts and we are good to go.
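The sketch below is an added example, not GridGain code or code from the original post: it applies the same inclusion rule in plain Java to the six-node topology described above, and adds a check for nodes whose 'user.name' matches no expected account, since both filters skip such a node without any error. The Node record, the helper names and the NodeX1 entry are assumptions made for illustration; because 'user.name' is an ordinary JVM system property reported by each node itself, the rule routes work inside a trusted environment and is not an access control.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

// Added illustration (Java 16+); Node is a hypothetical stand-in, not the GridGain GridNode API.
public class NodeFilterDemo {
    record Node(String id, Map<String, String> attributes) {}

    // Plain-Java equivalent of the page's JEXL rule for one owner account.
    static Predicate<Node> filterFor(String owner) {
        return n -> {
            String user = n.attributes().get("user.name"); // null if the attribute is absent
            return owner.equals(user) || "publicuser".equals(user);
        };
    }

    // Ids of the nodes the owner's tasks may be mapped to.
    static List<String> select(List<Node> topology, String owner) {
        return topology.stream().filter(filterFor(owner)).map(Node::id).toList();
    }

    // Nodes whose account matches no expected name: every filter skips them silently,
    // so this is the check for a node that was started from the wrong account.
    static List<String> unmatched(List<Node> topology, Set<String> expectedAccounts) {
        return topology.stream()
                .filter(n -> !expectedAccounts.contains(n.attributes().getOrDefault("user.name", "")))
                .map(Node::id).toList();
    }

    static Node node(String id, String user) {
        return new Node(id, Map.of("user.name", user));
    }

    public static void main(String[] args) {
        // Constructed topology: the six nodes from the page plus one misstarted node.
        List<Node> topology = List.of(
                node("NodeP1", "publicuser"), node("NodeP2", "publicuser"),
                node("NodeT1", "tom"), node("NodeT2", "tom"),
                node("NodeJ1", "jim"), node("NodeJ2", "jim"),
                node("NodeX1", "root")); // constructed: a private node launched from the wrong account
        System.out.println("tom   -> " + select(topology, "tom"));
        System.out.println("jim   -> " + select(topology, "jim"));
        System.out.println("stray -> " + unmatched(topology, Set.of("tom", "jim", "publicuser")));
    }
}
```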
I invite you to download GridGain and try it for yourself. Or watch a set of online demos here.