Hi all,
As per some discussions we had yesterday on IRC w/ Tristan, Gustavo and Sebastian,
I've created a docker image snapshot that reverts the change to stop protected caches
from requiring security enabled [1].
In other words, I've removed [2]. The reason for temporarily doing that is because
with the change as is, the changes required for a default server distro require that the
entire cache manager's security is enabled. This in turn creates a lot of problems
with health and running checks used by Kubernetes/OpenShift amongst other things.
Judging from our discussions on IRC, the idea is for such change to be present in 9.0.1,
but I'd like to get final confirmation from Tristan et al.
Cheers,
[1] https://hub.docker.com/r/galderz/infinispan-server/tags/ (9.0.1-SNAPSHOT tag for anyone interested)
[2] https://github.com/infinispan/infinispan/blob/master/server/hotrod/src/ma...
--
Galder Zamarreño
Infinispan, Red Hat
On 30 Mar 2017, at 14:25, Tristan Tarrant <ttarrant(a)redhat.com> wrote:
Dear all,
after a mini chat on IRC, I wanted to bring this to everybody's attention.
We should make the Hot Rod endpoint require authentication in the
out-of-the-box configuration.
The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL
mechanism against the ApplicationRealm and require users to run the
add-user script.
This would achieve two goals:
- secure out-of-the-box configuration, which is always a good idea
- access to the "protected" schema and script caches which is prevented
when not on loopback on non-authenticated endpoints.
Tristan
--
Tristan Tarrant
Infinispan Lead
JBoss, a division of Red Hat
_______________________________________________
infinispan-dev mailing list
infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev