<div dir="ltr">On Thu, Apr 13, 2017 at 6:38 AM, Galder Zamarreño <span dir="ltr"><<a href="mailto:galder@redhat.com" target="_blank">galder@redhat.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi all,<br>
<br>
As per some discussions we had yesterday on IRC w/ Tristan, Gustavo and Sebastian, I've created a docker image snapshot that reverts the change to stop protected caches from requiring security enabled [1].<br>
<br>
In other words, I've removed [2]. The reason for temporarily doing that is because with the change as is, the changes required for a default server distro require that the entire cache manager's security is enabled. This in turn creates a lot of problems with health and running checks used by Kubernetes/OpenShift amongst other things.<br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Judging from our discussions on IRC, the idea is for such a change to be present in 9.0.1, but I'd like to get final confirmation from Tristan et al.<br>
<br></blockquote><div><br></div><div>+1<br><br></div><div>Regarding the "security by default" discussion, I think we should ship configurations cloud.xml, clustered.xml and standalone.xml with security enabled and disabled variants, and let users<br></div><div>decide which one to pick based on the use case.<br></div><div><br>Gustavo.<br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Cheers,<br>
<br>
[1] <a href="https://hub.docker.com/r/galderz/infinispan-server/tags/" rel="noreferrer" target="_blank">https://hub.docker.com/r/galderz/infinispan-server/tags/</a> (9.0.1-SNAPSHOT tag for anyone interested)<br>
[2] <a href="https://github.com/infinispan/infinispan/blob/master/server/hotrod/src/main/java/org/infinispan/server/hotrod/CacheDecodeContext.java#L114-L118" rel="noreferrer" target="_blank">https://github.com/infinispan/infinispan/blob/master/server/hotrod/src/main/java/org/infinispan/server/hotrod/CacheDecodeContext.java#L114-L118</a><br>
--<br>
Galder Zamarreño<br>
Infinispan, Red Hat<br>
<div class="gmail-HOEnZb"><div class="gmail-h5"><br>
> On 30 Mar 2017, at 14:25, Tristan Tarrant <<a href="mailto:ttarrant@redhat.com">ttarrant@redhat.com</a>> wrote:<br>
><br>
> Dear all,<br>
><br>
> after a mini chat on IRC, I wanted to bring this to everybody's attention.<br>
><br>
> We should make the Hot Rod endpoint require authentication in the<br>
> out-of-the-box configuration.<br>
> The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL<br>
> mechanism against the ApplicationRealm and require users to run the<br>
> add-user script.<br>
> This would achieve two goals:<br>
> - secure out-of-the-box configuration, which is always a good idea<br>
> - access to the "protected" schema and script caches which is prevented<br>
> when not on loopback on non-authenticated endpoints.<br>
><br>
> Tristan<br>
> --<br>
> Tristan Tarrant<br>
> Infinispan Lead<br>
> JBoss, a division of Red Hat<br>
> _______________________________________________<br>
> infinispan-dev mailing list<br>
> <a href="mailto:infinispan-dev@lists.jboss.org">infinispan-dev@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/infinispan-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/infinispan-dev</a><br>
</div></div></blockquote></div><br></div></div>
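<div class="gmail_extra">The two shipped variants Gustavo suggests, as an added example that is not part of the thread and not the Infinispan project's own configuration files: a Hot Rod connector from an Infinispan 9 server subsystem, first in the open out-of-the-box form Tristan objects to, then with the DIGEST SASL mechanism against <code>ApplicationRealm</code> that his proposal describes. The element and attribute names follow the Infinispan 9 server schema as I recall it; the cache-container name <code>clustered</code> and the SASL <code>server-name</code> value <code>infinispan</code> are assumptions, and the two connectors are alternatives for separate configuration files, not meant to coexist on one socket binding.</div>

```xml
<!-- Added example, not taken from the thread or the Infinispan project.
     Two alternative Hot Rod connector definitions for the same socket-binding;
     ship one per configuration file (security disabled vs. enabled variant).
     Assumed values: cache-container "clustered", server-name "infinispan". -->

<!-- (a) Security-disabled variant: clients bind anonymously. This is the
     out-of-the-box state in which the "protected" schema and script caches
     are refused to anyone not connecting over loopback. -->
<hotrod-connector socket-binding="hotrod" cache-container="clustered"/>

<!-- (b) Security-enabled variant: every client must complete a DIGEST-MD5
     SASL handshake against users held in ApplicationRealm, and anonymous
     binds are rejected outright by the no-anonymous policy. -->
<hotrod-connector socket-binding="hotrod" cache-container="clustered">
    <authentication security-realm="ApplicationRealm">
        <!-- DIGEST-MD5 rather than PLAIN: the password is never sent in the
             clear, so the mechanism is usable even before TLS is configured. -->
        <sasl server-name="infinispan" mechanisms="DIGEST-MD5" qop="auth">
            <policy>
                <no-anonymous value="true"/>
            </policy>
            <!-- Let the digest run over UTF-8 credentials. -->
            <property name="com.sun.security.sasl.digest.utf8">true</property>
        </sasl>
    </authentication>
</hotrod-connector>
```

<div class="gmail_extra">With variant (b) the realm must contain at least one user before any client can connect, which is the "run the add-user script" step from Tristan's mail: the server's <code>bin/add-user.sh</code> (the WildFly script) with its <code>-a</code> switch creates an application-realm user, e.g. <code>bin/add-user.sh -a -u &lt;user&gt; -p &lt;password&gt;</code>. Since, as Galder notes, health checks against a container with (b) also have to authenticate, the check's credentials belong in the same realm rather than in an exemption for unauthenticated callers.</div>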