Bug 1067744
| Summary: | RFE: Security Between Nodes | ||
|---|---|---|---|
| Product: | [JBoss] JBoss Data Grid 6 | Reporter: | Misha H. Ali <mhusnain> |
| Component: | Documentation | Assignee: | gsheldon |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.2.0 | CC: | gsheldon, jdg-bugs, mgencur, ttarrant, vjuranek |
| Target Milestone: | GA | ||
| Target Release: | 6.3.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-07-21 02:14:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1092056 | ||
|
Description
Misha H. Ali
2014-02-21 00:28:10 UTC
Possibly incorporates https://bugzilla.redhat.com/show_bug.cgi?id=1013853 Previously drafted topics:
Chapter: Security for Cluster Traffic [24247]
Section: The JGroups AUTH Protocol [24249]
The AuthToken [24246]
SecurityException Failure Example [24245]
Configuring AUTH [24251]
Creating an AUTH Module [24253]
Section: JGroups ENCRYPT [24250]
ENCRYPT Configured with a secretKey in a Key Store [24248]
ENCRYPT Using a Key Store [24252]
ENCRYPT Configured with Algorithms and Key Sizes [24244]
ENCRYPT Configuration Parameters [24254]
There's still some development required before this feature is ready for JDG 6.3. We need to wait a bit more. Currently, the documentation describes AUTH and ENCRYPT protocols. The AUTH protocol won't be used and will be replaced by SASL protocol. The ENCRYPT protocol needs some enhancements. Adding Needinfo for Tristan. Tristan do you have anything to add to the above? I am able to find some information about SASL in community with regards to Hot Rod security, but not between nodes and cluster traffic. Adding mgencur for QE ack of these topics in the security guide. *** Bug 1013856 has been marked as a duplicate of this bug. *** From Divya: https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Data_Grid/6.3/html/Developer_Guide/chap-Security_for_Cluster_Traffic.html#sect-Node_Authentication_and_Authorization 9.1 The Node Authentication and Authorization section appears to document only the Client-Server mode. How is node authentication/Aurthorization done in Library mode ? I'd defer to Vojtech. Hi, node authentication in library mode is configured directly in jgroups config. You have to place SASL protocol *before* GMS protocol to authentication takes effect. Example configurations for dicgest MD5 as well as for GSSAPI can be seen in PR #2611 [1]. In case of MD5 server and client callback have to be specified so that server as well as client knows how to obtain the credentials. In case of GSSAPI one has to spefici login_module_name instread of callback. This login module (typically kerberos login module configure withing underlying EAP) will be used to obtain valid kerberos ticket and thus authenticate itself to the server (similar has to be for server as server communicates with kerberos server as well). Besides that in case of GSSAPI server_name has to be specified, as the principal which server queries for is created as "jgroups/$server_name@REALM" [1] https://github.com/infinispan/infinispan/pull/2611/files Now available on access.redhat.com under the JBoss Data Grid 6.3 documentation label. |