[infinispan-dev] Infinispan Security
Tristan Tarrant
ttarrant at redhat.com
Fri Nov 22 13:57:27 EST 2013
On 11/22/2013 04:47 PM, Pedro Ruivo wrote:
> * About the permissions
>
> It would be good to describe what is the relation between the
> permissions. For example, answer the following question: can a
> user/group/role have READ permission over a cache without ACCESS
> permission? Can it have WRITE permission without READ (write operation
> returns the old value)?
Well, the default is to not return values, so it does make sense.
> and EXEC? does it makes sense to have EXEC
> without READ and/or WRITE?
Yes, you can certainly have an EXEC with READ only permissions.
> Since we have a BULK permission (that it is a READ) why not split the
> WRITE? like MODIFY(put* replace*), DELETE(remove*) and CLEAR(clear)?
BULK is also for WRITEs (putAll ?).
> Other thing that is not clear to me is if it is possible to specify
> default permissions. I assuming that if you define the roles in the
> <default> cache, they will be passed to the <namedCache> if nothing is
> specified, right?
Yes, this is the behaviour for all other configuration items.
> Is the secure cache protected against the ComponentRegistry? I meant, it
> is possible to do cache.getAdvancedCache().getDataContainer().clear()
> and skip any authentication?
Yes, the SecureCache is not just a dumb decorator. We also need to
return a special type of SecureAdvancedCache which only allows access to
certain underlying bits (such as DataContainer) if I have ADMIN role.
Obviously, protection from reflection needs to be handled by the
security policy installed in the JVM.
> * About the Interceptors
>
> IMO, bad idea. I think we should have a SecureCache interface and
> implementation (SecureCacheImpl). As suggested in the wiki, this
> SecureCacheImpl will throw a SecurityException in any invocation byut it
> would have a method /.as(Subject)/ that would return a decorate
> SecureCache with the correct permissions.
The interceptor is a further layer of authorization which works in
concert with the above, so that it can allow/deny access based on the
key/value. My idea is to provide an AuthorizationInterceptor which can
be subclassed by the developers to implement their own data-dependent
security policies.
>
> About the encryption I think the application should be responsible to do
> it and not the Cache. However, if it is really necessary I would do it
Yes, I also think that encryption should be handled at the application
level. We just need to secure the transports (JGroups, HotRod, etc).
> * HotRod security
>
> In the design document, it does not refer anything to encrypt the
> communication between the clients and the server. is it a gap?
HotRod already has TLS. What we need to add here is EXTERNAL
authentication (i.e. obtain the Subject from the certificate used to
encrypt the transport).
>
> * Finally, some minor typos:
> ** the embedded configuration title is in the middle of the embedded API
> text
> ** the lists are all in the same line in embedded encryption and hot rod
> security
> ** Memcached Security is not "titlefied"
>
Thanks Pedro,
I will fix those and clear up the "ambiguous" bits above.
Tristan
More information about the infinispan-dev
mailing list