<div dir="ltr"><div><div><div>I would think a "switch" can have other impacts, as you need to check it in the code, and it might have security leaks here.<br><br></div>So what is wrong with some configurations which are the default and secured,<br></div>and a "*-dev" or "*-unsecure" configuration to start easily?<br></div>Also this can be used in production if there is no need for security.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 13, 2017 at 4:13 PM, Sebastian Laskawiec <span dir="ltr"><<a href="mailto:slaskawi@redhat.com" target="_blank">slaskawi@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I still think it would be better to create an extra switch to run Infinispan in "development mode". This means no authentication, no encryption, possibly with the JGroups stack tuned for fast discovery (especially in Kubernetes) and a big warning saying "You are in development mode, do not use this in production".<div><br></div><div>Just something very easy to get you going.</div></div><div class="HOEnZb"><div class="h5"><br><div class="gmail_quote"><div dir="ltr">On Thu, Apr 13, 2017 at 12:16 PM Galder Zamarreño <<a href="mailto:galder@redhat.com" target="_blank">galder@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
--<br>
Galder Zamarreño<br>
Infinispan, Red Hat<br>
<br>
> On 13 Apr 2017, at 09:50, Gustavo Fernandes <<a href="mailto:gustavo@infinispan.org" target="_blank">gustavo@infinispan.org</a>> wrote:<br>
><br>
> On Thu, Apr 13, 2017 at 6:38 AM, Galder Zamarreño <<a href="mailto:galder@redhat.com" target="_blank">galder@redhat.com</a>> wrote:<br>
> Hi all,<br>
><br>
> As per some discussions we had yesterday on IRC w/ Tristan, Gustavo and Sebastian, I've created a docker image snapshot that reverts the change, so as to stop protected caches from requiring security enabled [1].<br>
><br>
> In other words, I've removed [2]. The reason for temporarily doing that is that with the change as is, the changes required for a default server distro require that the entire cache manager's security is enabled. This in turn creates a lot of problems with health and running checks used by Kubernetes/OpenShift amongst other things.<br>
><br>
> Judging from our discussions on IRC, the idea is for such change to be present in 9.0.1, but I'd like to get final confirmation from Tristan et al.<br>
><br>
><br>
> +1<br>
><br>
> Regarding the "security by default" discussion, I think we should ship configurations cloud.xml, clustered.xml and standalone.xml with security enabled and disabled variants, and let users<br>
> decide which one to pick based on the use case.<br>
<br>
I think that's a better idea.<br>
<br>
We could by default have a secured one, but switching to an insecure configuration should be doable with minimal effort, e.g. just switching the config file.<br>
<br>
As highlighted above, any secured configuration should work out-of-the-box with our docker images, e.g. WRT healthy/running checks.<br>
<br>
Cheers,<br>
<br>
><br>
> Gustavo.<br>
><br>
><br>
> Cheers,<br>
><br>
> [1] <a href="https://hub.docker.com/r/galderz/infinispan-server/tags/" rel="noreferrer" target="_blank">https://hub.docker.com/r/<wbr>galderz/infinispan-server/<wbr>tags/</a> (9.0.1-SNAPSHOT tag for anyone interested)<br>
> [2] <a href="https://github.com/infinispan/infinispan/blob/master/server/hotrod/src/main/java/org/infinispan/server/hotrod/CacheDecodeContext.java#L114-L118" rel="noreferrer" target="_blank">https://github.com/infinispan/<wbr>infinispan/blob/master/server/<wbr>hotrod/src/main/java/org/<wbr>infinispan/server/hotrod/<wbr>CacheDecodeContext.java#L114-<wbr>L118</a><br>
> --<br>
> Galder Zamarreño<br>
> Infinispan, Red Hat<br>
><br>
> > On 30 Mar 2017, at 14:25, Tristan Tarrant <<a href="mailto:ttarrant@redhat.com" target="_blank">ttarrant@redhat.com</a>> wrote:<br>
> ><br>
> > Dear all,<br>
> ><br>
> > after a mini chat on IRC, I wanted to bring this to everybody's attention.<br>
> ><br>
> > We should make the Hot Rod endpoint require authentication in the<br>
> > out-of-the-box configuration.<br>
> > The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL<br>
> > mechanism against the ApplicationRealm and require users to run the<br>
> > add-user script.<br>
> > This would achieve two goals:<br>
> > - secure out-of-the-box configuration, which is always a good idea<br>
> > - access to the "protected" schema and script caches which is prevented<br>
> > when not on loopback on non-authenticated endpoints.<br>
> ><br>
> > Tristan<br>
> > --<br>
> > Tristan Tarrant<br>
> > Infinispan Lead<br>
> > JBoss, a division of Red Hat<br>
> > ______________________________<wbr>_________________<br>
> > infinispan-dev mailing list<br>
> > <a href="mailto:infinispan-dev@lists.jboss.org" target="_blank">infinispan-dev@lists.jboss.org</a><br>
> > <a href="https://lists.jboss.org/mailman/listinfo/infinispan-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/infinispan-<wbr>dev</a><br>
><br>
><br>
><br>
<br>
<br>
</blockquote></div></div></div><span class="HOEnZb"><font color="#888888"><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><div dir="ltr"><p class="m_7268036363616906075inbox-inbox-fullname-container" style="box-sizing:border-box;color:rgb(0,0,0);font-family:overpass,sans-serif;font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><span class="m_7268036363616906075inbox-inbox-firstname-container" style="box-sizing:border-box">SEBASTIAN</span><span class="m_7268036363616906075inbox-inbox-Apple-converted-space"> </span><span class="m_7268036363616906075inbox-inbox-lastname-container" style="box-sizing:border-box">ŁASKAWIEC</span></p><p class="m_7268036363616906075inbox-inbox-position-container" style="box-sizing:border-box;color:rgb(0,0,0);font-family:overpass,sans-serif;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><span class="m_7268036363616906075inbox-inbox-position" style="box-sizing:border-box">INFINISPAN DEVELOPER</span></p><p class="m_7268036363616906075inbox-inbox-legal-container" style="box-sizing:border-box;font-family:overpass,sans-serif;margin:0px;font-size:10px;color:rgb(153,153,153)"><a class="m_7268036363616906075inbox-inbox-redhat-anchor" href="https://www.redhat.com/" style="box-sizing:border-box;color:rgb(0,136,206);margin:0px;text-decoration:none" target="_blank">Red Hat<span class="m_7268036363616906075inbox-inbox-Apple-converted-space"> </span><span style="box-sizing:border-box">EMEA</span></a></p></div></div>
</font></span></blockquote></div><br></div>
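What the proposals in this thread amount to in the server's endpoint configuration, as an added example that is not from the thread or from the Infinispan project: the Hot Rod connector Tristan proposes, authenticating via SASL against ApplicationRealm, beside the unauthenticated connector that the "security disabled" variant Gustavo suggests would ship. The element and attribute names follow the Infinispan 9 server endpoint subsystem schema as I recall it, so verify them against the clustered.xml in the distribution; ApplicationRealm and the add-user script are taken from the thread, and the server-name value is a placeholder.

```xml
<!-- Added example (assumed Infinispan 9 endpoint schema, not the project's shipped file).
     Variant 1: the proposed secured default, e.g. clustered.xml -->
<subsystem xmlns="urn:infinispan:server:endpoint:9.0">
  <hotrod-connector socket-binding="hotrod" cache-container="clustered">
    <!-- Every Hot Rod operation must authenticate against ApplicationRealm,
         whose users are created with bin/add-user.sh as the thread describes. -->
    <authentication security-realm="ApplicationRealm">
      <!-- DIGEST-MD5 is listed first and preferred over PLAIN: with DIGEST the
           password itself never crosses the wire in clear text. PLAIN is kept
           only for clients that cannot do DIGEST, and should then sit behind TLS. -->
      <sasl server-name="PLACEHOLDER-SERVER-NAME" mechanisms="DIGEST-MD5 PLAIN" qop="auth">
        <policy>
          <!-- Refuse anonymous binds, so a remote client without credentials
               never reaches the "protected" schema and script caches. -->
          <no-anonymous value="true"/>
        </policy>
      </sasl>
    </authentication>
  </hotrod-connector>
</subsystem>

<!-- Variant 2: the "*-dev" / "*-unsecure" file for local development.
     The only difference is the missing <authentication> element: the
     connector accepts unauthenticated clients, and the protected caches
     stay reachable from loopback only, as Tristan notes above. -->
<subsystem xmlns="urn:infinispan:server:endpoint:9.0">
  <hotrod-connector socket-binding="hotrod" cache-container="clustered"/>
</subsystem>
```

Keeping the two files identical apart from the `<authentication>` block is what makes "just switching the config file" the only step needed to move between them. The caveat Galder raises still applies to the secured variant: any readiness or liveness probe that talks to the Hot Rod port must either present credentials or use a probe endpoint outside the authenticated connector, otherwise a secure-by-default image fails its own health checks.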