Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1067730

Summary: RFE: JDG Security Authorization
Product: [JBoss] JBoss Data Grid 6 Reporter: Misha H. Ali <mhusnain>
Component: DocumentationAssignee: gsheldon
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: 6.2.0CC: dmehra, gsheldon, jdg-bugs, lcarlon, mgencur, ttarrant, vjuranek
Target Milestone: GA   
Target Release: 6.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-21 02:14:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1092056    

Description Misha H. Ali 2014-02-20 23:59:52 UTC
Document $SUBJECT

Comment 10 gsheldon 2014-05-27 23:11:45 UTC
Adding mgencur as needinfo for a final ack from QE.

Comment 12 Divya Mehra 2014-06-03 03:06:11 UTC
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Data_Grid/6.3/html/Developer_Guide/chap-Security_for_Cluster_Traffic.html#sect-Node_Authentication_and_Authorization

9.1  The Node Authentication and Authorization section appears to document only the Client-Server mode. How is node authentication/Aurthorization done in Library mode ?

Comment 13 gsheldon 2014-06-03 03:53:09 UTC
(In reply to Divya Mehra from comment #12)
> https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Data_Grid/6.
> 3/html/Developer_Guide/chap-Security_for_Cluster_Traffic.html#sect-
> Node_Authentication_and_Authorization
> 
> 9.1  The Node Authentication and Authorization section appears to document
> only the Client-Server mode. How is node authentication/Aurthorization done
> in Library mode ?

Hey Diyva,

Thanks for the review! I'll move this comment over th BZ#1067744 for ease of tracking.

Thanks,

Gemma.

Comment 14 Martin Gencur 2014-06-09 11:37:31 UTC
I'd defer to Vojtech

Comment 15 Vojtech Juranek 2014-06-12 14:39:14 UTC
Requested node authentication info was provided under BZ #1067744.

Comment 27 Tristan Tarrant 2014-06-23 08:25:43 UTC
For completeness add a role mapper to the Example 8.1:

Example 8.1. CacheManager Authorization (Declarative Configuration)

<cache-container name="local" default-cache="default">
        <security>
           <authorization>
             <identity-role-mapper />
             <role name="admin" permissions="ALL"/>
             <role name="reader" permissions="READ"/>
             <role name="writer" permissions="WRITE"/>
             <role name="supervisor" permissions="ALL_READ ALL_WRITE"/>
           </authorization>
        </security>
</cache-container>

Comment 28 Tristan Tarrant 2014-06-23 08:30:54 UTC
The management realm in JDG 6.3 now has an authorization section, so example 8.9 should be:

Example 8.9. Configuring Security Realms Declaratively
<security-realms>
            <security-realm name="ManagementRealm">
                <authentication>
                    <local default-user="$local" skip-group-loading="true"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization map-groups-to-roles="false">
                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
            <security-realm name="ApplicationRealm">
                <authentication>
                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization>
                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
        </security-realms>

Comment 29 Tristan Tarrant 2014-06-23 08:37:09 UTC
Procedure 8.4. Configure SASL GSSAPI/Kerberos Authentication

In bullet b. QOP stands for Quality of Protection (not Production).
I would also add some explanation:

The qop attribute specifies the SASL Quality of Protection value for the configuration. Supported values for this attribute are auth (authentication), auth-int (authentication and integrity, which means that messages are verified against checksums to detect tampering), and auth-conf (authentication, integrity and confidentiality which means that messages are also encrypted).
Multiple values can be specified (e.g. "auth-int auth-conf") and the ordering implies preference, i.e. the first value which matches both the client and server's preference is chosen.

Comment 30 gsheldon 2014-06-23 11:54:37 UTC
Thanks for your feedback Tristan.

I have updated the topics with comments 27-29, they should appear in the working build shortly.

Comment 35 Tristan Tarrant 2014-06-30 12:46:55 UTC
The JDG Server (although based on EAP) does not require the use of a SecurityManager. For the application connecting to the JDG Server (let's use JDG Client), the SecurityManager configuration is ininfluential.
In library mode, setting the SecurityManager and policy is usually done by configuring the JVM (regardless of the container, if any, in use). However, containers such as EAP, might need special attention/configuration/etc.

Comment 38 Tristan Tarrant 2014-07-02 08:07:41 UTC
I wrote *ininfluential* not *influential*.


a) No. Forget that JDG server is based on EAP. We don't want users to run it under a SecurityManager, although we might provide a configuration to do so for 6.4.

b) Those topics are specifically for library mode. If the user wishes to use the SecurityManager, she will need to configure the JVM and/or container to enable it before deploying the application. This is where linking to the EAP security manager docs is relevant.

Comment 39 gsheldon 2014-07-04 03:53:40 UTC
(In reply to Tristan Tarrant from comment #38)
> I wrote *ininfluential* not *influential*.
> 
> 
> a) No. Forget that JDG server is based on EAP. We don't want users to run it
> under a SecurityManager, although we might provide a configuration to do so
> for 6.4.
> 
> b) Those topics are specifically for library mode. If the user wishes to use
> the SecurityManager, she will need to configure the JVM and/or container to
> enable it before deploying the application. This is where linking to the EAP
> security manager docs is relevant.

In that case, I suggest leaving these topics exactly where they are.

Setting this bug to ON QA.

Comment 40 Misha H. Ali 2014-07-21 02:14:47 UTC
Now available on access.redhat.com under the JBoss Data Grid 6.3 documentation label.