[infinispan-issues] [JBoss JIRA] (ISPN-7811) Improve out-of-the-box server security in cloud

Ryan Emerson (JIRA) issues at jboss.org
Tue May 23 10:47:00 EDT 2017 

     [ https://issues.jboss.org/browse/ISPN-7811?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ryan Emerson updated ISPN-7811:
-------------------------------
    Fix Version/s:     (was: 9.0.1.Final)


> Improve out-of-the-box server security in cloud
> -----------------------------------------------
>
>                 Key: ISPN-7811
>                 URL: https://issues.jboss.org/browse/ISPN-7811
>             Project: Infinispan
>          Issue Type: Enhancement
>          Components: Security, Server
>    Affects Versions: 9.0.0.Final
>            Reporter: Galder ZamarreƱo
>            Assignee: Galder ZamarreƱo
>             Fix For: 9.1.0.Final
>
>
> When running Infinispan 9.0.0.Final in a cloud env, the default security code enforcements are causing issues when trying to register a proto file.
> The "___protobuf_metadata" cache cannot be written remotely any more. Accessing this cache to add protofile descriptors to server. The default configuration throws this error:
> {code}
> [datagrid-1-akxoi]
> [datagrid-1-akxoi] 12:15:56,602 ERROR [org.infinispan.server.hotrod.CacheDecodeContext] (HotRod-ServerWorker-4-2) ISPN005003: Exception reported: org.infinispan.server.hotrod.RequestParsingException: Remote requests are allowed to protected caches only over loopback or if authorization is enabled. Do no send remote requests to cache '___protobuf_metadata'
> [datagrid-1-akxoi] at org.infinispan.server.hotrod.CacheDecodeContext.obtainCache(CacheDecodeContext.java:116)
> [datagrid-1-akxoi] at org.infinispan.server.hotrod.HotRodDecoder.decodeHeader(HotRodDecoder.java:162)
> [datagrid-1-akxoi] at org.infinispan.server.hotrod.HotRodDecoder.decode(HotRodDecoder.java:93)
> {code}
> The code in CacheDecodeContext that enables this check does the following:
> {code}
> if (!cacheManager.getCacheManagerConfiguration().security().authorization().enabled()...
> {code}
> In order to have better out-of-the-box experience in cloud but still be secured, the following should be done:
> * Remove the code check for authorization in CacheDecodeContext.
> * Server's default configuration should require authentication.
> * Docker image allows passing in APP_USER and APP_PASS as env variables easily, but it provides default usernames and passwords for both APP and MGMT. These defaults should be removed since they're a security risk.
> * Docker image should have the possibility to set APP_GROUPS so that we can pass in optionally the role groups associated with a user. This is handy for making it easier in the future for users to add authorization on top of authentication.
> I will create JIRA subtasks for these so that the work can be divided.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the infinispan-issues mailing list