I want to use security-peer-auth-init for peer/servers authentication, but it is marked as deprecated. SecurityManager for pulse and gfsh. Any suggestion in that direction?
Sent from my iPhone

> On Jan 19, 2018, at 12:59 PM, Xu, Nan <[email protected]> wrote:
>
> Just some thoughts, does geode have a callback or init function before the
> server join the cluster? So server can use this to decrypt the password and
> then send it to locator? Because gfsh and pulse use plain text to
> authenticate to locator, if the server can send plain text password, then in
> all cases, security manager gets plain text password. Is such a callback
> available?
>
> Nan
>
> From: Jens Deppe [mailto:[email protected]]
> Sent: Friday, January 19, 2018 10:05 AM
> To: [email protected]
> Subject: Re: Component in SecurityManager.authenticate method
>
> I know this is very hacky, but would it be possible to have the unencrypted
> passwords include some kind of special prefix so that the SecurityManager
> could identify those and strip it off and/or then perform encryption before
> validating the password?
>
> So, for example a Pulse or gfsh user would enter his password as ###topsecret
> (here '###' is a special prefix) and then the SM would be able to check that
> and do something appropriate.
>
> --Jens
>
> On Thu, Jan 18, 2018 at 2:22 PM, Sudhir Babu Pothineni
> <[email protected]> wrote:
> Hi Jens, I need to keep the password in a configuration file for
> SecurityManager, but company policy won't allow to keep the password in a
> plain text, so I need to encrypt the password and put it in the configuration
> file. but now I need to decrypt it inside SecurityManager.authenticate
>
> Pulse and gfsh will come into same method with normal password. Now my
> problem is all components working for normal password and encrypted password,
> so there is no point of encryption. I am doing something wrong. I am just
> wondering if I know the component inside SecurityManager.authenticate I can
> decide to decrypt or encrypt? or is there any work around for it.
>
> Thanks
> Sudhir
>
> On Thu, Jan 18, 2018 at 3:36 PM, Jens Deppe <[email protected]> wrote:
> Hi Sudhir,
>
> At the moment we don't expose that. Can you give an example of how you'd want
> to use it. An underlying question would be under what circumstances would you
> allow different access, to the same entity, from different contexts?
>
> --Jens
>
> On Thu, Jan 18, 2018 at 12:47 PM, Sudhir Babu Pothineni
> <[email protected]> wrote:
> How can I get which Component (gfsh, pulse, client, server) inside
> SecurityManager.authenticate method?
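
The arrangement Nan describes, where the security manager only ever sees a plaintext password, as an added example that is not code from this thread or from the Geode project. It assumes an AES-GCM blob in a hypothetical property `security-admin-password-enc`, a hypothetical `security-admin-user` property, and a Base64 key in a hypothetical environment variable `GEODE_CRED_KEY`; servers would have to decrypt their own copy before sending credentials.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.SecurityManager;

public class DecryptOnInitSecurityManager implements SecurityManager {
  private String user;
  private byte[] password; // plaintext, held in memory only

  @Override
  public void init(Properties securityProps) {
    // Hypothetical property names and key source, chosen for this example.
    // A missing key or property throws here, so the member fails to start.
    user = securityProps.getProperty("security-admin-user");
    byte[] key = Base64.getDecoder().decode(System.getenv("GEODE_CRED_KEY"));
    byte[] blob = Base64.getDecoder()
        .decode(securityProps.getProperty("security-admin-password-enc"));
    try {
      // Assumed blob layout: 12-byte GCM nonce, then ciphertext and tag.
      Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
      c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
          new GCMParameterSpec(128, blob, 0, 12));
      password = c.doFinal(blob, 12, blob.length - 12);
    } catch (GeneralSecurityException e) {
      throw new IllegalStateException("cannot decrypt configured password", e);
    }
  }

  @Override
  public Object authenticate(Properties credentials) {
    String name = credentials.getProperty("security-username");
    String pass = credentials.getProperty("security-password");
    // Only the plaintext password matches; the encrypted blob from the
    // configuration file is never accepted as a credential.
    boolean ok = name != null && pass != null && name.equals(user)
        && MessageDigest.isEqual(pass.getBytes(StandardCharsets.UTF_8), password);
    if (!ok) {
      throw new AuthenticationFailedException("invalid credentials");
    }
    return name; // principal handed to authorize()
  }
}
```

Because the stored ciphertext is decrypted once at startup and compared only against the presented plaintext, gfsh, Pulse, clients and servers all go through the same check without the manager needing to know which component is calling.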
