[
https://issues.apache.org/jira/browse/GEODE-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Juan Ramos updated GEODE-9494:
------------------------------
Description:
In order to configure authentication and authorization, the geode cache must be
configured with either the {{security-client-auth-init}} or
{{security-peer-auth-init}} properties.
The implementation of the {{AuthInitialize}} interface is supposed to obtain
credentials for a client or peer and, in practice, it should be able to connect
to an external data source or use some extra configuration as to know where to
retrieve the actual credentials from. The {{AuthInitialize.getCredentials()}}
method receives all gemfire properties configured with the prefix {{security-}}
and its expected to use them in order to configure itself.
The {{AbstractCache}} class, however, prevents the user from configuring any
property not returned by the {{AbstractDistributionConfig._getAttNames()}}
method, and this does not include those properties starting with {{security-}}:
{noformat}
public void setProperty(String name, String value) {
// TODO Look at fake attributes
if (name.equals("className")) {
return;
}
// Determine the validity of the input property
boolean validProperty = false;
// TODO: AbstractDistributionConfig is internal and _getAttNames is
designed for testing.
for (String gemfireProperty : AbstractDistributionConfig._getAttNames()) {
if (name.equals(gemfireProperty)) {
validProperty = true;
break;
}
}
...
}
{noformat}
The above, in turn, makes almost impossible for users to correctly implement
{{AuthInitialize}} without leveraging system properties or hardcoded paths for
external configuration.
---
As a side note, {{security-username}} and {{security-password}} are not
"formal" distributed system properties, so they also can't be used when
configuring the Tomcat session state module:
{noformat}
<Listener
className="org.apache.geode.modules.session.catalina.ClientServerCacheLifecycleListener"
security-username="myUser"
security-password="myPassword"/>
{noformat}
{noformat}
10-Aug-2021 12:15:57.118 WARNING [main]
org.apache.geode.modules.session.bootstrap.AbstractCache.setProperty The input
property named security-username is not a valid GemFire property. It is being
ignored.
10-Aug-2021 12:15:57.123 WARNING [main]
org.apache.geode.modules.session.bootstrap.AbstractCache.setProperty The input
property named security-password is not a valid GemFire property. It is being
ignored.
{noformat}
was:
In order to configure authentication and authorization, the geode cache must be
configured with either the {{security-client-auth-init}} or
{{security-peer-auth-init}} properties.
The implementation of the {{AuthInitialize}} interface is supposed to obtain
credentials for a client or peer and, in practice, it should be able to connect
to an external data source or use some extra configuration as to know where to
retrieve the actual credentials from. The {{AuthInitialize.getCredentials()}}
method receives all gemfire properties configured with the prefix {{security-}}
and its expected to use them in order to configure itself.
The {{AbstractCache}} class, however, prevents the user from configuring any
property not returned by the {{AbstractDistributionConfig._getAttNames()}}
method, and this does not include those properties starting with {{security-}}:
{noformat}
public void setProperty(String name, String value) {
// TODO Look at fake attributes
if (name.equals("className")) {
return;
}
// Determine the validity of the input property
boolean validProperty = false;
// TODO: AbstractDistributionConfig is internal and _getAttNames is
designed for testing.
for (String gemfireProperty : AbstractDistributionConfig._getAttNames()) {
if (name.equals(gemfireProperty)) {
validProperty = true;
break;
}
}
...
}
{noformat}
The above, in turn, makes almost impossible for users to correctly implement
{{AuthInitialize}} without leveraging system properties or hardcoded paths for
external configuration.
> Tomcat Session State Module - Security Properties
> -------------------------------------------------
>
> Key: GEODE-9494
> URL: https://issues.apache.org/jira/browse/GEODE-9494
> Project: Geode
> Issue Type: Bug
> Components: http session
> Reporter: Juan Ramos
> Assignee: Juan Ramos
> Priority: Major
>
> In order to configure authentication and authorization, the geode cache must
> be configured with either the {{security-client-auth-init}} or
> {{security-peer-auth-init}} properties.
> The implementation of the {{AuthInitialize}} interface is supposed to obtain
> credentials for a client or peer and, in practice, it should be able to
> connect to an external data source or use some extra configuration as to know
> where to retrieve the actual credentials from. The
> {{AuthInitialize.getCredentials()}} method receives all gemfire properties
> configured with the prefix {{security-}} and its expected to use them in
> order to configure itself.
> The {{AbstractCache}} class, however, prevents the user from configuring any
> property not returned by the {{AbstractDistributionConfig._getAttNames()}}
> method, and this does not include those properties starting with
> {{security-}}:
> {noformat}
> public void setProperty(String name, String value) {
> // TODO Look at fake attributes
> if (name.equals("className")) {
> return;
> }
> // Determine the validity of the input property
> boolean validProperty = false;
> // TODO: AbstractDistributionConfig is internal and _getAttNames is
> designed for testing.
> for (String gemfireProperty : AbstractDistributionConfig._getAttNames()) {
> if (name.equals(gemfireProperty)) {
> validProperty = true;
> break;
> }
> }
> ...
> }
> {noformat}
> The above, in turn, makes almost impossible for users to correctly implement
> {{AuthInitialize}} without leveraging system properties or hardcoded paths
> for external configuration.
> ---
> As a side note, {{security-username}} and {{security-password}} are not
> "formal" distributed system properties, so they also can't be used when
> configuring the Tomcat session state module:
> {noformat}
> <Listener
> className="org.apache.geode.modules.session.catalina.ClientServerCacheLifecycleListener"
> security-username="myUser"
> security-password="myPassword"/>
> {noformat}
> {noformat}
> 10-Aug-2021 12:15:57.118 WARNING [main]
> org.apache.geode.modules.session.bootstrap.AbstractCache.setProperty The
> input property named security-username is not a valid GemFire property. It is
> being ignored.
> 10-Aug-2021 12:15:57.123 WARNING [main]
> org.apache.geode.modules.session.bootstrap.AbstractCache.setProperty The
> input property named security-password is not a valid GemFire property. It is
> being ignored.
> {noformat}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
