Ah, thank you Hitesh! I didn't realize InternalDistributedSystem was doing that with the security properties.
-Kirk

On Tue, Jul 12, 2016 at 2:36 PM, Hitesh Khamesra <[email protected]> wrote:

> It seems InternalDistributedSystem(DistributedConfigImpl) sets system
> property while creating ds.
>
>     if (securityPeerAuthInit != null && securityPeerAuthInit.length() > 0) {
>       System.setProperty(SECURITY_SYSTEM_PREFIX + SECURITY_PEER_AUTH_INIT,
>           securityPeerAuthInit);
>     }
>     if (securityPeerAuthenticator != null
>         && securityPeerAuthenticator.length() > 0) {
>       System.setProperty(SECURITY_SYSTEM_PREFIX
>           + SECURITY_PEER_AUTHENTICATOR, securityPeerAuthenticator);
>     }
>
> From: Kirk Lund <[email protected]>
> To: geode <[email protected]>; Hitesh Khamesra <[email protected]>
> Sent: Tuesday, July 12, 2016 2:24 PM
> Subject: Re: GMSAuthenticator
>
> I still don't see DistributionConfig or Properties ever being passed into
> GMSAuthenticator.
>
> The following method is for testing only so gemfire properties are never
> passed in by product code:
>
>     /**
>      * For testing only.
>      */
>     Properties getCredentials(DistributedMember member, Properties secProps) {
>
> The following method is the only one used by the product but it doesn't
> pass any config in:
>
>     /**
>      * Get credential object for the given GemFire distributed member.
>      *
>      * @param member
>      *          the target distributed member
>      * @return the credential object
>      */
>     @Override
>     public Object getCredentials(InternalDistributedMember member) {
>       try {
>         return getCredentials(member, securityProps);
>
> So the only source of config seems to be that securityProps variable, and
> the declaration is the ONLY place where securityProps is ever set (and
> nothing ever modifies it):
>
>     private Properties securityProps = getSecurityProps();
>
> You can see that getSecurityProps() only ever reads from system properties:
>
>     Properties getSecurityProps() {
>       Properties props = new Properties();
>       Set keys = System.getProperties().keySet();
>       for (Object key: keys) {
>         String propKey = (String) key;
>         if (propKey.startsWith(secPrefix)) {
>           props.setProperty(propKey.substring(gemfireSysPrefixLen),
>               System.getProperty(propKey));
>         }
>       }
>       return props;
>     }
>
> It would appear to me that the only way to successfully provide gemfire
> security- properties to GMSAuthenticator is via System properties.
>
> -Kirk
>
> On Tue, Jul 12, 2016 at 1:56 PM, Hitesh Khamesra <[email protected]> wrote:
>
> > One can specify following in gemfire.properties file
> >
> >     /**
> >      * The static String definition of the <i>"security-peer-authenticator"</i>
> >      * property
> >      */
> >     String SECURITY_PEER_AUTHENTICATOR = SECURITY_PREFIX + "peer-authenticator";
> >
> > From: Kirk Lund <[email protected]>
> > To: geode <[email protected]>
> > Sent: Tuesday, July 12, 2016 11:56 AM
> > Subject: GMSAuthenticator
> >
> > We're looking into modifying peer authentication to work with
> > org.apache.geode.security.SecurityManager as well as the deprecated
> > Authenticator and AccessControl.
> >
> > GMSAuthenticator appears to only work with Security Properties that are
> > specified as System Properties with "gemfire." prefix. The other areas of
> > the product that perform authentication appear to work whether the Security
> > Properties are specified with either System Properties or a Properties
> > instance passed into connect.
> >
> > The online documentation for enabling peer authentication says to use
> > gemfire.properties, but from what I can tell the GMSAuthenticator won't
> > work with gemfire.properties and will instead require you to specify System
> > properties ala
> > -Dgemfire.security-peer-authenticator=MyAuthenticator.create.
> >
> > Am I missing some code path that supports non-System properties in
> > GMSAuthenticator? Or is peer authentication limited to only working with
> > System properties?
> >
> > Thanks,
> > Kirk
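
The mechanism discussed in this thread, as an added example that is not part of the original messages and is not Geode's own code: a prefix scan of System properties (the shape of the quoted getSecurityProps()) sees a configured security property only after something has mirrored it into a System property (the shape of the quoted InternalDistributedSystem snippet). The prefix values, the class and method names, and the sample keys are assumptions; the thread does not show the actual constants.

```java
import java.util.Properties;

public class SecurityPropsDemo {
  // Assumed values: the thread does not show these constants, so the "gemfire."
  // prefix from the -D example in the thread is used for both.
  static final String SYS_PREFIX = "gemfire.";
  static final String SEC_PREFIX = SYS_PREFIX + "security-";

  // Same shape as the getSecurityProps() quoted in the thread: only JVM System
  // properties are scanned, and the system prefix is stripped from each key.
  static Properties scanSystemProps() {
    Properties props = new Properties();
    for (String key : System.getProperties().stringPropertyNames()) {
      if (key.startsWith(SEC_PREFIX)) {
        props.setProperty(key.substring(SYS_PREFIX.length()), System.getProperty(key));
      }
    }
    return props;
  }

  // Same shape as the mirroring quoted in the thread: a non-empty configured
  // value is copied into a System property under the system prefix.
  static void mirrorToSystemProps(Properties config, String name) {
    String value = config.getProperty(name);
    if (value != null && value.length() > 0) {
      System.setProperty(SYS_PREFIX + name, value);
    }
  }

  public static void main(String[] args) {
    // Constructed sample config, standing in for gemfire.properties or a
    // Properties instance passed into connect.
    Properties config = new Properties();
    config.setProperty("security-peer-authenticator", "MyAuthenticator.create");
    config.setProperty("security-peer-auth-init", "");   // empty: never mirrored
    config.setProperty("security-example-key", "value"); // hypothetical key with no mirror call

    System.out.println("before mirroring: " + scanSystemProps());
    mirrorToSystemProps(config, "security-peer-authenticator");
    mirrorToSystemProps(config, "security-peer-auth-init");
    System.out.println("after mirroring:  " + scanSystemProps());

    // The mirrored value is JVM-wide state: it outlives the config object and
    // is returned by every later scan until it is cleared explicitly.
    System.clearProperty(SYS_PREFIX + "security-peer-authenticator");
    System.out.println("after clearing:   " + scanSystemProps());
  }
}
```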
