Dharam- ... or use *Apache Shiro*, which provides tooling [1] to handle securing credentials [2]. Shiro also handles encryption [3]. Although it is not well spelled out in the Apache Geode documentation [4], Apache Geode does integrate with Apache Shiro for security as well.

As an FYI, in *Spring Data Geode*, I provided first-class support for Apache Geode when using Apache Shiro. I blogged about this [5] (see the section starting with "Security!"). So, my recommendation, in addition to Jinmei's option #1 below, is to use Apache Shiro over implementing your own Apache Geode SecurityManager interface.

Hope this helps!

-John

[1] https://shiro.apache.org/command-line-hasher.html
[2] https://shiro.apache.org/command-line-hasher.html#common-scenarios
[3] https://shiro.apache.org/cryptography-features.html
[4] http://geode.apache.org/docs/guide/11/managing/security/chapter_overview.html
[5] https://spring.io/blog/2016/11/10/spring-data-geode-1-0-0-incubating-release-released

On Thu, Jun 8, 2017 at 6:37 AM, Jinmei Liao <[email protected]> wrote:
> SampleSecurityManager doesn't do encryption/decryption. It's meant only as
> an example.
>
> There are multiple ways to protect your password:
> 1) read-protect your security.json so that only a certain user can read it.
> 2) implement your own security-manager to decrypt the password using a
> secret key. (But here again you will need to find a way to protect this key
> in your corporation. In my opinion, it's simply changing the subject, but
> the problem is still there.)
>
> We usually recommend the first approach, but in some situations, the 2nd one
> might be an option too.
>
> On Thu, Jun 8, 2017 at 1:11 AM, Thacker, Dharam <[email protected]> wrote:
>
>> Hi Jinmei,
>>
>> Is there any way to encrypt the password in the security.json file with Geode
>> 1.1.1?
>> I tried the below but it did not work for me,
>>
>> "users": [
>>   {
>>     "name": "admin",
>>     "password": "encrypted(0859A0F6C68B9785)",
>>     "roles": ["ADMIN"]
>>     …
>>   },
>>
>> Thanks & Regards,
>> Dharam
>>
>> *From:* Thacker, Dharam
>> *Sent:* Wednesday, June 07, 2017 11:26 AM
>> *To:* '[email protected]'; '[email protected]'
>> *Subject:* RE: FW: ExampleSecurityManager in Apache geode
>>
>> Thanks Jinmei for the quick reply!
>>
>> It did not work for me when I used [*--classpath*] and
>> [*--security-properties-file*], *even though my classpath contains the security.json file* [*That's strange*]
>>
>> start locator --name=locator2 --locators=localhost[10334],localhost[10335] --security-properties-file=gfsecurity.properties --classpath=C:\Users\GeodeWorkDir\locator2
>>
>> FAILED
>>
>> It worked for me when I used --J=-Dgemfire.security-username=admin
>> --J=-Dgemfire.security-password=admin [*SUCCESS*]
>>
>> start locator --name=locator2 --locators=localhost[10334],localhost[10335] --J=-Dgemfire.security-username=admin --J=-Dgemfire.security-password=admin --classpath=C:\Users\GeodeWorkDir\locator2
>>
>> SUCCESS
>>
>> Thanks & Regards,
>> Dharam
>>
>> *From:* Jinmei Liao [mailto:[email protected]]
>> *Sent:* Wednesday, June 07, 2017 11:12 AM
>> *To:* [email protected]
>> *Subject:* Re: FW: ExampleSecurityManager in Apache geode
>>
>> I tried using the SampleSecurityManager, and either one of the following
>> commands to start the 2nd locator is working: (I executed these commands
>> while connected to the first locator, so I don't need to provide the
>> --locators option; it knows which locator to join)
>>
>> 1> start locator --name=locator2 --port=10335 --classpath=/Users/jiliao/my_geode/security --security-properties-file=locator2.properties
>> // locator2.properties only contains "security-username" and
>> "security-password" properties.
>>
>> 2> start locator --name=locator2 --port=10335 --locators=jiliao-mbpro.lan[10334] --classpath=/Users/jiliao/my_geode/security/ --J=-Dgemfire.security-username=admin --J=-Dgemfire.security-password=admin
>>
>> I suspect that the reason one of your commands did not work is that
>> locator2 can't find a security.json in its classpath, not because you
>> did not provide the username/password. One of the complications of using our
>> SampleSecurityManager is that it will need a security.json in its
>> classpath, which complicates the issue. We should have a simpler security
>> manager in the sample that's easier for users to experiment with.
>>
>> On Tue, Jun 6, 2017 at 10:03 PM, Thacker, Dharam <[email protected]> wrote:
>>
>> I am able to start a server with --user and --password to join the existing
>> secure locator. But I am not able to start another locator to join the
>> existing secure locator. Could someone guide me here?
>> start locator --name=locator1 --locators=localhost[10334],localhost[10335] --properties-file=locator.properties --classpath=C:\Users\GeodeWorkDir\locator1
>>
>> SUCCESS
>>
>> start locator --name=locator2 --locators=localhost[10334],localhost[10335] --properties-file=locator.properties --classpath=C:\Users\GeodeWorkDir\locator2
>>
>> FAILED
>>
>> start locator --name=locator2 --locators=localhost[10334],localhost[10335] --security-properties-file=gfsecurity.properties
>> [gfsecurity.properties ---- security-username=clusteruser security-password=****]
>>
>> FAILED
>>
>> start locator --name=locator2 --locators=localhost[10334],localhost[10335] --security-properties-file=gfsecurity.properties --classpath=C:\Users\GeodeWorkDir\locator2
>>
>> FAILED
>>
>> Jun 07, 2017 10:27:06 AM org.apache.geode.distributed.LocatorLauncher failOnStart
>> INFO: locator is exiting due to an exception
>>
>> org.apache.geode.security.AuthenticationRequiredException: Failed to find credentials from [X.X.X.X(locator2:19416:locator)<ec>:1025]
>> at org.apache.geode.distributed.internal.membership.gms.membership.GMSJoinLeave.attemptToJoin(GMSJoinLeave.java:424)
>> at org.apache.geode.distributed.internal.membership.gms.membership.GMSJoinLeave.join(GMSJoinLeave.java:318)
>> at org.apache.geode.distributed.internal.membership.gms.mgr.GMSMembershipManager.join(GMSMembershipManager.java:656)
>> at org.apache.geode.distributed.internal.membership.gms.mgr.GMSMembershipManager.joinDistributedSystem(GMSMembershipManager.java:745)
>> at org.apache.geode.distributed.internal.membership.gms.Services.start(Services.java:181)
>>
>> Thanks & Regards,
>> Dharam
>>
>> *From:* Thacker, Dharam
>> *Sent:* Tuesday, June 06, 2017 3:41 PM
>> *To:* [email protected]
>> *Cc:* [email protected]
>> *Subject:* RE: ExampleSecurityManager in Apache geode
>>
>> Thank you Nilkanth!
>>
>> Classpath worked!
>>
>> start locator --name=locator1 --properties-file=locator.properties --classpath=C:\Users\GeodeWorkDir\locator1
>>
>> *security-json file location:*
>> C:\Users\GeodeWorkDir\locator1\security.json
>>
>> Thanks & Regards,
>> Dharam
>>
>> *From:* Nilkanth Patel [mailto:[email protected]]
>> *Sent:* Tuesday, June 06, 2017 3:35 PM
>> *To:* [email protected]
>> *Cc:* [email protected]
>> *Subject:* Re: ExampleSecurityManager in Apache geode
>>
>> Dharam,
>>
>> Try out something like below; "security.json" is kept in the
>> /work/code/oss/geode/locator1 dir.
>>
>> gfsh>start locator --name=/work/code/oss/geode/locator1 --security-properties-file=/work/code/oss/geode/locator1/locator.properties --classpath=/work/code/oss/geode/locator1
>>
>> Additional checks,
>> 1. specify the classpath while starting the locator as shown in the above command.
>> 2. check the file permissions for security.json.
>>
>> Nilkanth.
>>
>> On Tue, Jun 6, 2017 at 3:21 PM, Thacker, Dharam <[email protected]> wrote:
>>
>> Hi Nilkanth,
>>
>> Thanks for the reply! I tried the below one but it's still not taking the
>> security.json file. Do you suggest anything different?
>>
>> *My Current Directory:*
>> C:\Users\GeodeWorkDir
>>
>> *Locator Directory:*
>> C:\Users\GeodeWorkDir\locator1
>>
>> *security-json file location [Tried both locations]:*
>> C:\Users\GeodeWorkDir\locator1\security.json
>> C:\Users\GeodeWorkDir\security.json
>>
>> Thanks & Regards,
>> Dharam
>>
>> *From:* Nilkanth Patel [mailto:[email protected]]
>> *Sent:* Tuesday, June 06, 2017 3:07 PM
>> *To:* [email protected]
>> *Cc:* [email protected]
>> *Subject:* Re: ExampleSecurityManager in Apache geode
>>
>> Dharam,
>>
>> I believe the following will be helpful to you.
>> IMO with the existing implementation, the "security.json" file has to be
>> kept in a locator/server directory. In your case you need to keep it in
>> a locator directory (l1) and it should work.
>>
>> Hope this helps.
>>
>> Nilkanth Patel.
>>
>> On Tue, Jun 6, 2017 at 2:40 PM, Thacker, Dharam <[email protected]> wrote:
>>
>> Hi Jinmei & Team,
>>
>> I was going through the "New Security In Apache Geode" video. I also tried to
>> start a locator with ExampleSecurityManager and ExamplePostProcessor as shown
>> below,
>>
>> *locator.properties*
>>
>> mcast-port=0
>> security-manager=org.apache.geode.examples.security.ExampleSecurityManager
>> security-post-processor=org.apache.geode.examples.security.ExamplePostProcessor
>>
>> > dir
>> locator.properties
>> security.json
>> security-config.jar
>>
>> My security-config.jar has the following structure,
>> --- resources -> security.json
>> --- META-INF -> MANIFEST.MF
>>
>> Could you guide me with the below error?
>>
>> gfsh>start locator --name=locator1 --properties-file=locator.properties --classpath=C:\Users\GeodeWorkDir\security-config.jar
>> Starting a Geode Locator in C:\Users\GeodeWorkDir\locator1...
>> The Locator process terminated unexpectedly with exit status 1. Please
>> refer to the log file in C:\Users\GeodeWorkDir\locator1 for full details.
>>
>> Jun 06, 2017 2:19:50 PM org.apache.geode.distributed.LocatorLauncher failOnStart
>> INFO: locator is exiting due to an exception
>> org.apache.geode.security.AuthenticationFailedException: ExampleSecurityManager: unable to find json resource "security.json" as specified by [security-json].
>> at org.apache.geode.examples.security.ExampleSecurityManager.init(ExampleSecurityManager.java:132)
>> at org.apache.geode.internal.security.IntegratedSecurityService.initSecurity(IntegratedSecurityService.java:332)
>> at org.apache.geode.internal.cache.GemFireCacheImpl.initialize(GemFireCacheImpl.java:1208)
>> at org.apache.geode.internal.cache.GemFireCacheImpl.basicCreate(GemFireCacheImpl.java:798)
>> at org.apache.geode.internal.cache.GemFireCacheImpl.create(GemFireCacheImpl.java:783)
>> at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:178)
>> at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:218)
>> at org.apache.geode.distributed.internal.InternalLocator.startCache(InternalLocator.java:767)
>> at org.apache.geode.distributed.internal.InternalLocator.startDistributedSystem(InternalLocator.java:752)
>> at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:357)
>> at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:315)
>> at org.apache.geode.distributed.LocatorLauncher.start(LocatorLauncher.java:630)
>> at org.apache.geode.distributed.LocatorLauncher.run(LocatorLauncher.java:532)
>> at org.apache.geode.distributed.LocatorLauncher.main(LocatorLauncher.java:174)
>>
>> Exception in thread "main" org.apache.geode.security.AuthenticationFailedException: ExampleSecurityManager: unable to find json resource "security.json" as specified by [security-json].
>> at org.apache.geode.examples.security.ExampleSecurityManager.init(ExampleSecurityManager.java:132)
>> at org.apache.geode.internal.security.IntegratedSecurityService.initSecurity(IntegratedSecurityService.java:332)
>> at org.apache.geode.internal.cache.GemFireCacheImpl.initialize(GemFireCacheImpl.java:1208)
>> at org.apache.geode.internal.cache.GemFireCacheImpl.basicCreate(GemFireCacheImpl.java:798)
>> at org.apache.geode.internal.cache.GemFireCacheImpl.create(GemFireCacheImpl.java:783)
>> at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:178)
>> at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:218)
>> at org.apache.geode.distributed.internal.InternalLocator.startCache(InternalLocator.java:767)
>> at org.apache.geode.distributed.internal.InternalLocator.startDistributedSystem(InternalLocator.java:752)
>> at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:357)
>> at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:315)
>> at org.apache.geode.distributed.LocatorLauncher.start(LocatorLauncher.java:630)
>> at org.apache.geode.distributed.LocatorLauncher.run(LocatorLauncher.java:532)
>> at org.apache.geode.distributed.LocatorLauncher.main(LocatorLauncher.java:174)
>>
>> Thanks & Regards,
>> Dharam
>>
>> This message is confidential and subject to terms at: http://www.jpmorgan.com/emaildisclaimer including on confidentiality, legal privilege, viruses and monitoring of electronic messages. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited.
>>
>> --
>> Cheers
>>
>> Jinmei
>
> --
> Cheers
>
> Jinmei

--
-John
john.blum10101 (skype)
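The hashing route John recommends, as an added example that is not code from the Geode project or from anyone in this thread: a custom Geode SecurityManager (the interface Jinmei's option #2 refers to) that keeps only Shiro password hashes in security.json and verifies submitted credentials against them, so there is no plaintext to encrypt and no decryption key to protect. Assumes shiro-core and Jackson on the locator's classpath; the class name, the JSON layout and the ADMIN-only authorization rule are this example's own choices.

```java
// Added example (not code from Geode or from this thread): a SecurityManager whose
// security.json stores Shiro "$shiro1$..." hashes made by the Shiro command-line hasher,
// e.g. {"users":[{"name":"admin","password":"$shiro1$SHA-256$...","roles":["ADMIN"]}]}.
import java.io.IOException;
import java.io.InputStream;
import java.util.*;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.SecurityManager;
import org.apache.shiro.authc.credential.DefaultPasswordService;

public class HashedPasswordSecurityManager implements SecurityManager {
  private final Map<String, String> hashes = new HashMap<>();      // user -> $shiro1$ hash
  private final Map<String, Set<String>> roles = new HashMap<>();  // user -> role names
  private final DefaultPasswordService passwords = new DefaultPasswordService();

  @Override
  public void init(Properties securityProps) {
    // Same "security-json" property and classpath lookup as the ExampleSecurityManager,
    // which is why the locator's --classpath must contain the file (see the thread above).
    String resource = securityProps.getProperty("security-json", "security.json");
    try (InputStream in = getClass().getClassLoader().getResourceAsStream(resource)) {
      if (in == null) throw new AuthenticationFailedException("json resource not found: " + resource);
      for (JsonNode u : new ObjectMapper().readTree(in).get("users")) {
        Set<String> r = new HashSet<>();
        u.get("roles").forEach(n -> r.add(n.asText()));
        hashes.put(u.get("name").asText(), u.get("password").asText());
        roles.put(u.get("name").asText(), r);
      }
    } catch (IOException e) {
      throw new AuthenticationFailedException("cannot read " + resource, e);
    }
  }

  @Override
  public Object authenticate(Properties credentials) {
    String user = credentials.getProperty("security-username");
    String pass = credentials.getProperty("security-password");
    String stored = user == null ? null : hashes.get(user);
    // passwordsMatch re-hashes the submitted password with the salt and iteration count
    // embedded in the stored value; read-protecting the file (option #1) is still worthwhile.
    if (stored == null || pass == null || !passwords.passwordsMatch(pass, stored)) {
      throw new AuthenticationFailedException("invalid credentials");
    }
    return user; // principal handed to authorize()
  }

  @Override
  public boolean authorize(Object principal, ResourcePermission permission) {
    // Deny by default: only members of ADMIN may perform any cluster or data operation.
    return roles.getOrDefault(String.valueOf(principal), Collections.emptySet()).contains("ADMIN");
  }
}
```

Configure it with `security-manager=<your package>.HashedPasswordSecurityManager` in the properties file instead of the ExampleSecurityManager, and generate each stored value with the Shiro hasher linked in [1].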
