On Thu, Apr 13, 2017 at 6:38 AM, Galder Zamarreño <galder(a)redhat.com> wrote:
Hi all,
As per some discussions we had yesterday on IRC w/ Tristan, Gustavo and
Sebastian, I've created a docker image snapshot that reverts the change
stop protected caches from requiring security enabled [1].
In other words, I've removed [2]. The reason for temporarily doing that is
because with the change as is, the changes required for a default server
distro require that the entire cache manager's security is enabled. This is
in turn creates a lot of problems with health and running checks used by
Kubernetes/OpenShift amongst other things.
Judging from our discussions on IRC, the idea is for such change to
be
present in 9.0.1, but I'd like to get final confirmation from Tristan et al.
+1
Regarding the "security by default" discussion, I think we should ship
configurations cloud.xml, clustered.xml and standalone.xml with security
enabled and disabled variants, and let users
decide which one to pick based on the use case.
Gustavo.
Cheers,
[1]
https://hub.docker.com/r/galderz/infinispan-server/tags/
(9.0.1-SNAPSHOT tag for anyone interested)
[2]
https://github.com/infinispan/infinispan/blob/master/server/
hotrod/src/main/java/org/infinispan/server/hotrod/
CacheDecodeContext.java#L114-L118
--
Galder Zamarreño
Infinispan, Red Hat
> On 30 Mar 2017, at 14:25, Tristan Tarrant <ttarrant(a)redhat.com> wrote:
>
> Dear all,
>
> after a mini chat on IRC, I wanted to bring this to everybody's
attention.
>
> We should make the Hot Rod endpoint require authentication in the
> out-of-the-box configuration.
> The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL
> mechanism against the ApplicationRealm and require users to run the
> add-user script.
> This would achieve two goals:
> - secure out-of-the-box configuration, which is always a good idea
> - access to the "protected" schema and script caches which is prevented
> when not on loopback on non-authenticated endpoints.
>
> Tristan
> --
> Tristan Tarrant
> Infinispan Lead
> JBoss, a division of Red Hat
> _______________________________________________
> infinispan-dev mailing list
> infinispan-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/infinispan-dev
_______________________________________________
infinispan-dev mailing list
infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev