[infinispan-dev] Hot Rod secured by default
Gustavo Fernandes
gustavo at infinispan.org
Thu Apr 13 03:50:37 EDT 2017
On Thu, Apr 13, 2017 at 6:38 AM, Galder Zamarreño <galder at redhat.com> wrote:
> Hi all,
>
> As per some discussions we had yesterday on IRC w/ Tristan, Gustavo and
> Sebastian, I've created a docker image snapshot that reverts the change
> stop protected caches from requiring security enabled [1].
>
> In other words, I've removed [2]. The reason for temporarily doing that is
> because with the change as is, the changes required for a default server
> distro require that the entire cache manager's security is enabled. This is
> in turn creates a lot of problems with health and running checks used by
> Kubernetes/OpenShift amongst other things.
>
> Judging from our discussions on IRC, the idea is for such change to be
> present in 9.0.1, but I'd like to get final confirmation from Tristan et al.
>
>
+1
Regarding the "security by default" discussion, I think we should ship
configurations cloud.xml, clustered.xml and standalone.xml with security
enabled and disabled variants, and let users
decide which one to pick based on the use case.
Gustavo.
> Cheers,
>
> [1] https://hub.docker.com/r/galderz/infinispan-server/tags/
> (9.0.1-SNAPSHOT tag for anyone interested)
> [2] https://github.com/infinispan/infinispan/blob/master/server/
> hotrod/src/main/java/org/infinispan/server/hotrod/
> CacheDecodeContext.java#L114-L118
> --
> Galder Zamarreño
> Infinispan, Red Hat
>
> > On 30 Mar 2017, at 14:25, Tristan Tarrant <ttarrant at redhat.com> wrote:
> >
> > Dear all,
> >
> > after a mini chat on IRC, I wanted to bring this to everybody's
> attention.
> >
> > We should make the Hot Rod endpoint require authentication in the
> > out-of-the-box configuration.
> > The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL
> > mechanism against the ApplicationRealm and require users to run the
> > add-user script.
> > This would achieve two goals:
> > - secure out-of-the-box configuration, which is always a good idea
> > - access to the "protected" schema and script caches which is prevented
> > when not on loopback on non-authenticated endpoints.
> >
> > Tristan
> > --
> > Tristan Tarrant
> > Infinispan Lead
> > JBoss, a division of Red Hat
> > _______________________________________________
> > infinispan-dev mailing list
> > infinispan-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/infinispan-dev
>
>
> _______________________________________________
> infinispan-dev mailing list
> infinispan-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/infinispan-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/infinispan-dev/attachments/20170413/d05c8e61/attachment.html
More information about the infinispan-dev
mailing list