Tristan Tarrant updated ISPN-7811:
----------------------------------
Fix Version/s: 9.4.8.Final
(was: 9.4.7.Final)
Improve out-of-the-box server security in cloud
-----------------------------------------------
Key: ISPN-7811
URL: https://issues.jboss.org/browse/ISPN-7811
Project: Infinispan
Issue Type: Enhancement
Components: Security, Server
Affects Versions: 9.0.0.Final
Reporter: Galder Zamarreño
Assignee: Galder Zamarreño
Priority: Major
Fix For: 9.4.8.Final
When running Infinispan 9.0.0.Final in a cloud env, the default security code
enforcements are causing issues when trying to register a proto file.
The "___protobuf_metadata" cache cannot be written remotely any more. This cache is
accessed to add protofile descriptors to the server. The default configuration throws this
error:
{code}
[datagrid-1-akxoi]
[datagrid-1-akxoi] 12:15:56,602 ERROR [org.infinispan.server.hotrod.CacheDecodeContext] (HotRod-ServerWorker-4-2) ISPN005003: Exception reported: org.infinispan.server.hotrod.RequestParsingException: Remote requests are allowed to protected caches only over loopback or if authorization is enabled. Do no send remote requests to cache '___protobuf_metadata'
[datagrid-1-akxoi] at org.infinispan.server.hotrod.CacheDecodeContext.obtainCache(CacheDecodeContext.java:116)
[datagrid-1-akxoi] at org.infinispan.server.hotrod.HotRodDecoder.decodeHeader(HotRodDecoder.java:162)
[datagrid-1-akxoi] at org.infinispan.server.hotrod.HotRodDecoder.decode(HotRodDecoder.java:93)
{code}
The code in CacheDecodeContext that enables this check does the following:
{code}
if (!cacheManager.getCacheManagerConfiguration().security().authorization().enabled()...
{code}
In order to have a better out-of-the-box experience in cloud but still be secured, the
following should be done:
* Remove the code check for authorization in CacheDecodeContext.
* Server's default configuration should require authentication.
* Docker image allows passing in APP_USER and APP_PASS as env variables easily, but it
provides default usernames and passwords for both APP and MGMT. These defaults should be
removed since they're a security risk.
* Docker image should have the possibility to set APP_GROUPS so that we can optionally
pass in the role groups associated with a user. This is handy for making it easier in
the future for users to add authorization on top of authentication.
I will create JIRA subtasks for these so that the work can be divided.
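
The fail-closed credential handling proposed in the two Docker image bullets above, as an added example that is not part of the original issue or of the Infinispan image's own scripts. APP_USER, APP_PASS and APP_GROUPS are the variables named in the issue; MGMT_USER, MGMT_PASS and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: entrypoint guard that refuses to start without credentials.
# MGMT_USER / MGMT_PASS and the function names are hypothetical.

# Pattern the issue asks to remove: a built-in fallback credential, e.g.
#   APP_USER="${APP_USER:-user}"; APP_PASS="${APP_PASS:-changeme}"

# require_var NAME: succeed only if the variable is set and non-empty.
# NAME always comes from the fixed list below, never from external input.
require_var() {
    eval "_val=\${$1-}"
    if [ -z "$_val" ]; then
        echo "entrypoint: $1 must be set; no default is provided" >&2
        return 1
    fi
}

# valid_groups LIST: comma-separated role names made of letters, digits, _ and -.
valid_groups() {
    case "$1" in
        ''|,*|*,|*,,*) return 1 ;;        # empty list or empty element
        *[!A-Za-z0-9_,-]*) return 1 ;;    # unexpected character
    esac
    return 0
}

# check_credentials: return 0 only when every credential is supplied and the
# optional APP_GROUPS is well-formed. Reports all problems, not just the first,
# and prints the resolved non-secret settings on success.
check_credentials() {
    _rc=0
    for _name in APP_USER APP_PASS MGMT_USER MGMT_PASS; do
        require_var "$_name" || _rc=1
    done
    if [ -n "${APP_GROUPS-}" ] && ! valid_groups "$APP_GROUPS"; then
        echo "entrypoint: APP_GROUPS must be a comma-separated list of role names" >&2
        _rc=1
    fi
    [ "$_rc" -eq 0 ] || return 1
    echo "app_user=$APP_USER app_groups=${APP_GROUPS:-none}"
}

# Typical use at the top of an entrypoint script:
#   check_credentials || exit 1
```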