I think we should get rid of that. It's a hack that the engineer who
implemented the old AUTH protocol used because he didn't know how to get
hold of the DistributionConfig. GMSAuthenticator can get at the config
through services.getConfig().getDistributionConfig().
Le 7/12/2016 à 2:36 PM, Hitesh Khamesra a écrit :
It seems InternalDistributedSystem(DistributedConfigImpl) sets system property
while creating ds.
if (securityPeerAuthInit != null && securityPeerAuthInit.length() > 0) {
System.setProperty(SECURITY_SYSTEM_PREFIX + SECURITY_PEER_AUTH_INIT,
securityPeerAuthInit);
}
if (securityPeerAuthenticator != null
&& securityPeerAuthenticator.length() > 0) {
System.setProperty(SECURITY_SYSTEM_PREFIX
+ SECURITY_PEER_AUTHENTICATOR, securityPeerAuthenticator);
}
From: Kirk Lund <[email protected]>
To: geode <[email protected]>; Hitesh Khamesra
<[email protected]>
Sent: Tuesday, July 12, 2016 2:24 PM
Subject: Re: GMSAuthenticator
I still don't see DistributionConfig or Properties ever being passed into
GMSAuthenticator.
The following method is for testing only so gemfire properties are never
passed in by product code:
/**
* For testing only.
*/
Properties getCredentials(DistributedMember member, Properties secProps) {
The following method is the only one used by the product but it doesn't
pass any config in:
/**
* Get credential object for the given GemFire distributed member.
*
* @param member
* the target distributed member
* @return the credential object
*/
@Override
public Object getCredentials(InternalDistributedMember member) {
try {
return getCredentials(member, securityProps);
So the only source of config seems to be that securityProps variable, and
the declaration is the ONLY place where securityProps is ever set (and
nothing ever modifies it):
private Properties securityProps = getSecurityProps();
You can see that getSecurityProps() only ever reads from system properties:
Properties getSecurityProps() {
Properties props = new Properties();
Set keys = System.getProperties().keySet();
for (Object key: keys) {
String propKey = (String) key;
if (propKey.startsWith(secPrefix)) {
props.setProperty(propKey.substring(gemfireSysPrefixLen),
System.getProperty(propKey));
}
}
return props;
}
It would appear to me that the only way to successfully provide gemfire
security- propertes to GMSAuthenticator is via System properties.
-Kirk
On Tue, Jul 12, 2016 at 1:56 PM, Hitesh Khamesra <
[email protected]> wrote:
One can specify following in gemfire.properties file
/**
* The static String definition of the
<i>"security-peer-authenticator"</i>
* property
*/
String SECURITY_PEER_AUTHENTICATOR = SECURITY_PREFIX +
"peer-authenticator";
From: Kirk Lund <[email protected]>
To: geode <[email protected]>
Sent: Tuesday, July 12, 2016 11:56 AM
Subject: GMSAuthenticator
We're looking into modifying peer authentication to work with
org.apache.geode.security.SecurityManager as well as the deprecated
Authenticator and AccessControl.
GMSAuthenticator appears to only work with Security Properties that are
specified as System Properties with "gemfire." prefix. The other areas of
the product that perform authentication appear to work whether the Security
Properties are specified with either System Properties or a Properties
instance passed into connect.
The online documentation for enabling peer authentication says to use
gemfire.properties, but from what I can tell the GMSAuthenticator won't
work with gemfire.properties and will instead require you to specify System
properties ala
-Dgemfire.security-peer-authenticator=MyAuthenticator.create.
Am I missing some code path that supports non-System properties in
GMSAuthenticator? Or is peer authentication limited to only working with
System properties?
Thanks,
Kirk
