Just some thoughts: does Geode have a callback or init function that runs before the server joins the cluster? So the server can use this to decrypt the password and then send it to the locator? Because gfsh and Pulse use plain text to authenticate to the locator, if the server can send a plain-text password, then in all cases the security manager gets a plain-text password. Is such a callback available?

Nan

From: Jens Deppe [mailto:[email protected]]
Sent: Friday, January 19, 2018 10:05 AM
To: [email protected]
Subject: Re: Component in SecurityManager.authenticate method

I know this is very hacky, but would it be possible to have the unencrypted passwords include some kind of special prefix so that the SecurityManager could identify those and strip it off and/or then perform encryption before validating the password?

So, for example, a Pulse or gfsh user would enter his password as ###topsecret (here '###' is a special prefix) and then the SM would be able to check that and do something appropriate.

--Jens

On Thu, Jan 18, 2018 at 2:22 PM, Sudhir Babu Pothineni <[email protected]> wrote:

Hi Jens,

I need to keep the password in a configuration file for SecurityManager, but company policy won't allow keeping the password in plain text, so I need to encrypt the password and put it in the configuration file.

But now I need to decrypt it inside SecurityManager.authenticate. Pulse and gfsh will come into the same method with the normal password.

Now my problem is that all components work with both the normal password and the encrypted password, so there is no point in the encryption. I am doing something wrong.

I am just wondering: if I know the component inside SecurityManager.authenticate, can I decide to decrypt or encrypt? Or is there any workaround for it?

Thanks
Sudhir

On Thu, Jan 18, 2018 at 3:36 PM, Jens Deppe <[email protected]> wrote:

Hi Sudhir,

At the moment we don't expose that. Can you give an example of how you'd want to use it?

An underlying question would be: under what circumstances would you allow different access, to the same entity, from different contexts?

--Jens

On Thu, Jan 18, 2018 at 12:47 PM, Sudhir Babu Pothineni <[email protected]> wrote:

How can I get which component (gfsh, pulse, client, server) is calling, inside the SecurityManager.authenticate method?
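The prefix workaround discussed in this thread, sketched as an added example that is not part of any message above and is not Geode code: passwords starting with `###` are treated as plain text, anything else is treated as the encrypted value from the configuration file and decrypted before a constant-time comparison. The class name, the AES-GCM config format and the key source are assumptions made for illustration; note that under this scheme the encrypted string from the config file is itself accepted as a credential, which is the concern Sudhir raises.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.spec.*;

public class PrefixAwareAuthenticator {
  static final String PLAIN_PREFIX = "###"; // marker proposed in the thread
  private final SecretKeySpec key;   // assumption: loaded from a keystore, never from the config file
  private final byte[] expected;     // decrypted once at start-up, held in memory only
  PrefixAwareAuthenticator(byte[] rawKey, String encryptedFromConfig) throws Exception {
    key = new SecretKeySpec(rawKey, "AES");
    expected = decrypt(encryptedFromConfig);
  }
  // Same shape as Geode's SecurityManager.authenticate(Properties); stand-alone sketch, no Geode dependency.
  public Object authenticate(Properties credentials) {
    String user = credentials.getProperty("security-username");
    String pw = credentials.getProperty("security-password");
    try {
      byte[] presented = pw.startsWith(PLAIN_PREFIX)
          ? pw.substring(PLAIN_PREFIX.length()).getBytes(StandardCharsets.UTF_8) // gfsh, Pulse
          : decrypt(pw);                                                         // server, from config
      if (user != null && MessageDigest.isEqual(presented, expected)) return user;
    } catch (Exception e) { /* null password, bad base64 or failed GCM tag: reject below */ }
    throw new SecurityException("authentication failed");
  }
  // Assumed config format: base64(12-byte IV || AES-GCM ciphertext and tag).
  private byte[] decrypt(String b64) throws Exception {
    byte[] in = Base64.getDecoder().decode(b64);
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
    return c.doFinal(in, 12, in.length - 12);
  }
  public static void main(String[] args) throws Exception {
    byte[] k = new byte[16], iv = new byte[12]; // constructed all-zero demo key and IV
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k, "AES"), new GCMParameterSpec(128, iv));
    byte[] ct = c.doFinal("topsecret".getBytes(StandardCharsets.UTF_8));
    String cfg = Base64.getEncoder().encodeToString(
        ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array());
    PrefixAwareAuthenticator sm = new PrefixAwareAuthenticator(k, cfg);
    Properties p = new Properties();
    p.setProperty("security-username", "admin");
    for (String pw : new String[] {"###topsecret", cfg}) { // gfsh-style, then server-style
      p.setProperty("security-password", pw);
      System.out.println(sm.authenticate(p));
    }
  }
}
```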
