[jboss-jira] [JBoss JIRA] (WFWIP-229) Configuring JGroups encryption protocols produces deprecated configuration

Yeray Borges (Jira) issues at jboss.org
Fri Oct 11 09:32:00 EDT 2019


    [ https://issues.jboss.org/browse/WFWIP-229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13798082#comment-13798082 ] 

Yeray Borges commented on WFWIP-229:
------------------------------------

[~mjurc] We have created the required changes to allow the use of the non-deprecated version of the ASYM_ENCRYPT JGroups protocol.

For ASYM_ENCRYPT now we have two possibilities in CD18:

1) Configure org.jgroups.protocols.ASYM_ENCRYPT (*deprecated version*):

{noformat}
docker run -it --rm --label working --network host \
-e CLI_DEBUG=true \
-e JGROUPS_ENCRYPT_PROTOCOL=ASYM_ENCRYPT \
-e JGROUPS_CLUSTER_PASSWORD=P@assw0rd \
jboss-eap-7-tech-preview/eap-cd-openshift-rhel8:18.0
{noformat}

If this configuration is used, in CD18 now we issue a WARN message:

{{"WARN Detected missing JGroups encryption configuration for ASYM_ENCRYPT, the communication within the cluster will be encrypted using a deprecated version of ASYM_ENCRYPT protocol. You need to set all of these variables to configure ASYM_ENCRYPT using the Elytron keysore: JGROUPS_ENCRYPT_SECRET, JGROUPS_ENCRYPT_NAME, JGROUPS_ENCRYPT_PASSWORD, JGROUPS_ENCRYPT_KEYSTORE."}}


In CD17 there is no alternative configuration; only the deprecated version of ASYM_ENCRYPT is available in the configuration. We consider it a bug fixed here.


2) ASYM_ENCRYPT (*non-deprecated version*). Only available in CD18. It uses a keystore configured in Elytron:

{noformat}
docker run -it --rm --label working --network host \
-e CLI_DEBUG=true \
-e JGROUPS_ENCRYPT_PROTOCOL="ASYM_ENCRYPT" \
-e JGROUPS_ENCRYPT_SECRET="encrypt_secret" \
-e JGROUPS_ENCRYPT_NAME="encrypt_name" \
-e JGROUPS_ENCRYPT_PASSWORD="encrypt_password" \
-e JGROUPS_ENCRYPT_KEYSTORE="encrypt_keystore" \
-e JGROUPS_CLUSTER_PASSWORD="cluster_password" \
jboss-eap-7-tech-preview/eap-cd-openshift-rhel8:18.0
{noformat}


Currently, if we use the same configuration in CD17, the following WARN is issued:

{{WARN The specified JGroups configuration properties (JGROUPS_ENCRYPT_SECRET, JGROUPS_ENCRYPT_NAME, JGROUPS_ENCRYPT_PASSWORD, JGROUPS_ENCRYPT_KEYSTORE_DIR JGROUPS_ENCRYPT_KEYSTORE) will be ignored when using JGROUPS_ENCRYPT_PROTOCOL=ASYM_ENCRYPT. Only JGROUPS_CLUSTER_PASSWORD is used.}}

That means the ignored variables used in CD17 are now used to configure the Elytron Keystore for the ASYM_ENCRYPT protocol in CD18, allowing us to configure the non-deprecated version of ASYM_ENCRYPT.

In CD18, SYM_ENCRYPT and ASYM_ENCRYPT are now configured the same way to generate non-deprecated versions. This possibility was not available before.

> Configuring JGroups encryption protocols produces deprecated configuration
> --------------------------------------------------------------------------
>
>                 Key: WFWIP-229
>                 URL: https://issues.jboss.org/browse/WFWIP-229
>             Project: WildFly WIP
>          Issue Type: Bug
>          Components: OpenShift
>         Environment: The example has been produced with the following S2I environment variables:
> {code}
> OPENSHIFT_DNS_PING_SERVICE_NAME=ping-service
> JGROUPS_ENCRYPT_PROTOCOL=ASYM_ENCRYPT
> JGROUPS_CLUSTER_PASSWORD=foobar123
> OPENSHIFT_DNS_PING_SERVICE_PORT=8888
> JGROUPS_PING_PROTOCOL=dns.DNS_PING
> SCRIPT_DEBUG=true
> {code}
>            Reporter: Michal Jurc
>            Assignee: Yeray Borges
>            Priority: Critical
>
> Any S2I configuration of ping protocols utilising encryption for protocols will result in deprecated configuration. S2I should not configure runtime to deprecated configuration by default, unless the user chooses to.
> {code:title=Example JGroups ASYM_ENCRYPT configuration}
> [standalone@localhost:9990 /] /subsystem=jgroups/stack=tcp/protocol=org.jgroups.protocols.ASYM_ENCRYPT:read-resource-description
> {
>     "outcome" => "success",
>     "result" => {
>         "description" => "The configuration of a protocol within a protocol stack.",
>         "capabilities" => [{
>             "name" => "org.wildfly.clustering.jgroups.protocol",
>             "dynamic" => true,
>             "dynamic-elements" => [
>                 "stack",
>                 "protocol"
>             ]
>         }],
>         "deprecated" => {
>             "since" => "5.0.0",
>             "reason" => "Deprecated. Use protocol=ASYM_ENCRYPT instead."
>         },
>         "attributes" => {
>             "module" => {
>                 "type" => STRING,
>                 "description" => "The module with which to resolve the protocol type.",
>                 "expressions-allowed" => true,
>                 "required" => false,
>                 "nillable" => true,
>                 "default" => "org.jgroups",
>                 "access-type" => "read-write",
>                 "storage" => "configuration",
>                 "restart-required" => "resource-services"
>             },
>             "properties" => {
>                 "type" => OBJECT,
>                 "description" => "The properties of this protocol.",
>                 "expressions-allowed" => true,
>                 "required" => false,
>                 "nillable" => true,
>                 "value-type" => STRING,
>                 "access-type" => "read-write",
>                 "storage" => "configuration",
>                 "restart-required" => "resource-services"
>             },
>             "socket-binding" => {
>                 "type" => STRING,
>                 "description" => "Defines the bind address/port used of the server socket used to receive messages from other cluster members.",
>                 "expressions-allowed" => false,
>                 "required" => false,
>                 "nillable" => true,
>                 "min-length" => 1L,
>                 "max-length" => 2147483647L,
>                 "deprecated" => {
>                     "since" => "5.0.0",
>                     "reason" => "Deprecated.  Supports EAP 7.0 slaves."
>                 },
>                 "access-type" => "read-only",
>                 "storage" => "configuration"
>             },
>             "statistics-enabled" => {
>                 "type" => BOOLEAN,
>                 "description" => "Indicates whether or not this protocol will collect statistics overriding stack configuration.",
>                 "expressions-allowed" => true,
>                 "required" => false,
>                 "nillable" => true,
>                 "access-type" => "read-write",
>                 "storage" => "configuration",
>                 "restart-required" => "resource-services"
>             }
>         },
>         "operations" => undefined,
>         "notifications" => undefined,
>         "children" => {"property" => {
>             "description" => "A JGroups protocol property.",
>             "model-description" => undefined
>         }}
>     }
> }
> {code}
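
A pre-deployment check that follows the variable handling described in the comment above. It is an added example, not code from the EAP image or from anyone in this thread. The function names are hypothetical, and treating an empty value as unset is an assumption.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the EAP image scripts).
# Reports which ASYM_ENCRYPT variant the current environment would select,
# following the CD17/CD18 behaviour described in the comment above.
# Usage: asym_encrypt_variant <17|18>
# Prints: not-asym | deprecated | deprecated-partial | deprecated-ignored | elytron
asym_encrypt_variant() {
    cd_release=$1
    if [ "${JGROUPS_ENCRYPT_PROTOCOL:-}" != "ASYM_ENCRYPT" ]; then
        echo not-asym
        return 0
    fi

    set_count=0
    missing=""
    # The four variables the CD18 WARN message says must all be set.
    for name in JGROUPS_ENCRYPT_SECRET JGROUPS_ENCRYPT_NAME \
                JGROUPS_ENCRYPT_PASSWORD JGROUPS_ENCRYPT_KEYSTORE; do
        eval "value=\${$name:-}"
        if [ -n "$value" ]; then      # assumption: empty counts as unset
            set_count=$((set_count + 1))
        else
            missing="$missing $name"
        fi
    done

    if [ "$cd_release" -lt 18 ]; then
        # CD17: only JGROUPS_CLUSTER_PASSWORD is used; keystore variables are ignored.
        if [ "$set_count" -gt 0 ]; then echo deprecated-ignored; else echo deprecated; fi
    elif [ "$set_count" -eq 4 ]; then
        echo elytron                  # CD18, non-deprecated, Elytron keystore
    elif [ "$set_count" -eq 0 ]; then
        echo deprecated               # CD18 falls back and logs the WARN
    else
        # Partial configuration still yields the deprecated protocol in CD18.
        echo "missing:$missing" >&2
        echo deprecated-partial
    fi
}

# Pipeline gate: succeeds only when the non-deprecated variant would be configured.
require_elytron_asym_encrypt() {
    [ "$(asym_encrypt_variant "$1")" = "elytron" ]
}
```

Running `require_elytron_asym_encrypt 18` in the environment that will be passed to `docker run` catches the fallback before startup, where it would otherwise only appear as a WARN line in the container log.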


