[infinispan-dev] Infinispan security?
Pete Muir
pmuir at redhat.com
Fri Sep 2 07:31:01 EDT 2011
Regarding fine grained security it might be interesting to see if we can't leverage the work Shane has done with Seam Security 3, as it has a lot of parallels.
I'm not sure how separate the Seam Security model is from JPA?
On 2 Sep 2011, at 11:01, Joni Hahkala wrote:
>
> Hi,
>
> Just a couple of ideas fron the top of my head. Sorry for the long mail,
> your mail covers a lot of things. :)
>
> the easiest off the shelf solution of course is SSL everything. But this
> would probably have some significant performance hit, even with mostly
> keep-alive connections. Also there would be the overhead of getting a
> certificate from some certificate authority whenever a new service
> instance (VM) is created.
>
> In this system the parts you mention would be covered by:
> 1) wire encrytion - SSL does this
> 2) inter-node comm authn - could use the host cert to authenticate to
> other services. Somebody would need to add the nodes to the ACL and
> distribute it or distribute the addition message.
> 3) remote client authn - the remote clients are usually services too,
> right? then they would probably also have a host certificate available
> and could use that for authentication. Somebody would need to add the
> clients to the ACLs.
> 4) in-VM authentication - would this be really necessary? Separating the
> services into different user accounts and then using authentication when
> they talk to eachother would add security, and in principle is a good
> thing, but careful cost-benefit analysis should be done. Probably
> something to keep in mind, plan and implement later?
> 5) ACLs for data - entire named cache level, yes definitely should do.
> Individual entries or key patterns: this is a bit tricky, the
> performance hit and need should be evaluated. Could be easier to just
> deploy another pool of infinispan servers than partition the keys by
> ACLs. The fine grained access to the data is also often pretty
> application specific, for example in facebook the privacy controls etc
> seem to change every other month. So, the fine grained access could be
> better left to the applications? Do you have some use case in mind?
>
> I would also add:
> 6) authorization in general - ACLs probably, but who manages these? For
> example automatic provisioning of additional servers when load increases
> could be a bit complicated. (obtain certificate, put into the server,
> add to the ACLs - by gossip?)
>
>
> Another, probably more performant, flexible and interesting way would be
> to just use encryption keys and just send encrypted messages allowing
> more asynchronous kind of communication, more flexible node provisioning
> etc.
>
> In this system the points would be as follows:
> 1) wire encrytion - each message is encrypted.
> 2) inter-node comm authn - each host would have a key for encryption and
> authentication to other services (created during creation of the
> service). Somebody would need to add the keys to the ACL and distribute
> it or distribute the addition message.
> 3) remote client authn - remote clients would have keys too (generated
> like ssh keys at server creation). Somebody would need to add the client
> keys to the ACLs.
> 4) in-VM authentication - same as above.
> 5) ACLs for data - same as above
> 6) authorization - same as above, but no need to obtain certificates,
> just generate a key and add it to the ACLs.
>
>
> Then there is the question whether the data stored in the infinispan
> even needs to be cleartext. AFAIK it's just a data blob and thus could
> be encrypted data. This way only the clients with proper encryption keys
> could see the actual data and in case of break-in in the infinispan the
> loss would be less.
>
> Cheers,
> Joni
>
> On 31/08/11 10:57, Manik Surtani wrote:
>> Hi Joni
>>
>> There are no plans as such at this stage, however we realise this is an area we'd like to address. Specifically, what is interesting to me is:
>>
>> * Encrypting wire protocols: both inter-node communication (JGroups) as well as client/server comms (mainly Hot Rod)
>> * Authentication for inter-node comms (JGroups)
>> * Authentication for remote client connections (mainly Hot Rod again)
>> * Authentication for in-VM connections (via embedded API)
>> * ACLs for actual data. Perhaps read/write/update/delete permissions. Haven't thought too hard about granularity here (individual entries, entire named caches, or even a pattern of keys).
>>
>> So fairly hazy at this stage, perhaps with your background in grid security you could propose something? :-)
>>
>> Cheers
>> Manik
>>
>> PS: cc'ing Darran Lofthouse who may have an opinion here to share as well. :)
>>
>>
>> On 22 Aug 2011, at 15:33, Joni Hahkala wrote:
>>
>>> Hi,
>>>
>>> I was reading and watching presentations of Infinispan and it seems that
>>> currently it is intended for use in secure environment, like data center
>>> behind a firewall with other datacenters connected through secure links,
>>> if I understood correctly. But deploying it in more open environment,
>>> e.g. public cloud, could pose security risks. Manik said in a
>>> presentation that the underlying Jgroups uses certificates (or can be
>>> configured to use), and I would assume SSL. So, there is at least some
>>> security in the Infinispan joins, leaves etc. Manik also told that there
>>> has been some talk/plans already about the security in general.
>>>
>>> I would be interested in hearing about these plans for security and to
>>> see if there is possibilities for cooperation. I'm currently searching
>>> for a PhD subject, I have background in grid security, and this work
>>> sounds like it could be useful and interesting.
>>>
>>> Cheers,
>>> Joni
>>> _______________________________________________
>>> infinispan-dev mailing list
>>> infinispan-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/infinispan-dev
>> --
>> Manik Surtani
>> manik at jboss.org
>> twitter.com/maniksurtani
>>
>> Lead, Infinispan
>> http://www.infinispan.org
>>
>>
>>
>>
>> _______________________________________________
>> infinispan-dev mailing list
>> infinispan-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/infinispan-dev
>
> _______________________________________________
> infinispan-dev mailing list
> infinispan-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/infinispan-dev
More information about the infinispan-dev
mailing list