Bug 819688 - Add information about securing REST interface with authentication
Product: JBoss Data Grid 6
Classification: JBoss
Component: Documentation
Priority: high
Severity: high
Assigned To: Misha H. Ali
Reported: 2012-05-07 21:20 EDT by Misha H. Ali
Modified: 2012-08-15 10:45 EDT
Doc Type: Bug Fix
Last Closed: 2012-05-23 02:15:29 EDT
Type: Bug
Description Misha H. Ali 2012-05-07 21:20:04 EDT
Description of problem:

JDG Beta documentation requires information about an authentication issue identified by the SRT. David Jorm is the SRT engineer assigned to JBoss Data Grid and the person who identified the issue.

Context: https://bugzilla.redhat.com/show_bug.cgi?id=818031

To be documented as soon as possible for a Beta rolling release.
Comment 1 Tristan Tarrant 2012-05-10 02:12:39 EDT
Since ER8 the <rest-connector> element now has two additional attributes: security-domain and auth-method.

security-domain specifies that the specified domain, declared in the security subsystem, should be used to authenticate access to the REST endpoint.
auth-method specifies the type of method to use to retrieve credentials for the endpoint. It can be any of the supported EAP authentication methods (BASIC, DIGEST, CLIENT-CERT) and defaults to BASIC. Other methods such as SPNEGO will be supported in the next ER of JDG.

The following steps describe how to enable security using the example standalone-rest-auth.xml distributed in the docs/example/configs.

1. Verify that the rest endpoint declares a valid security-domain and auth-method:

<subsystem xmlns="urn:jboss:domain:datagrid:1.0">
    <rest-connector virtual-server="default-host" cache-container="local" security-domain="other" auth-method="BASIC"/>
</subsystem>

2. Verify that the security subsystem has the corresponding security-domain declaration (refer to the EAP/AS7 docs on how these are set up).

3. Run the bin/adduser.sh (bin/adduser.bat on Windows) and choose to add an "Application User". Accept the default realm (ApplicationRealm), specify a username and a password and add the "REST" role. The following is a transcription of the procedure:

# bin/add-user.sh 

What type of user do you wish to add? 
 a) Management User (mgmt-users.properties) 
 b) Application User (application-users.properties)
(a): b

Enter the details of the new user to add.
Realm (ApplicationRealm) : 
Username : user1
Password : 
Re-enter Password : 
What roles do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]: REST
About to add user 'user1' for realm 'ApplicationRealm'
Is this correct yes/no? yes
Added user 'user1' to file '/opt/jboss-datagrid-server-6.0.0/standalone/configuration/application-users.properties'
Added user 'user1' with roles REST to file '/opt/jboss-datagrid-server-6.0.0/standalone/configuration/application-roles.properties'

4. Verify that the files standalone/configuration/application-users.properties and standalone/configuration/application-roles.properties are configured correctly.



5. Start the server and attempt to access the REST endpoint:


The browser BASIC authentication dialog should be presented to the user.
Comment 2 David Jorm 2012-05-10 23:15:28 EDT
Thanks Tristan, this process works for me on ER8.1. Just one minor modification:

5. Start the server and attempt to access the REST endpoint:


Misha, is this sufficient info to develop the content?
Comment 3 Misha H. Ali 2012-05-10 23:21:54 EDT
Looks good to me. I'll develop the content and send it to you both for any further review/additions.
Comment 4 Misha H. Ali 2012-05-17 21:13:43 EDT
Need SME ACK/Feedback for the following topic:


Setting a NEEDINFO for DJorm to verify if this topic is sufficient to address the security concern.

Further topics related to this bug, but dealing with configuration, have been SME ACK'd by TTarrant and are moving to QA. These include:

* JBoss Data Grid Connectors
* Configure REST Connectors
* REST Connector Attributes
* Configure Hot Rod Connectors
* Hot Rod Connector Attributes
* Configure Memcached Connectors
* Memcached Connector Attributes
* Publish REST Endpoints as a Public Interface
* Publish Hot Rod Endpoints as a Public Interface
* Publish Memcached Endpoints as a Public Interface
Comment 5 David Jorm 2012-05-17 21:34:13 EDT
Two changes required:

1) The user must copy the authentication sample config to the config dir for it to have effect. From $JDGHOME: cp docs/examples/configs/standalone-rest-auth.xml standalone/configuration/standalone.xml 

2) The URL to test should be: http://localhost:8080/rest/namedCache

When testing with a GET request, a 405 message indicates authentication has occurred successfully and is to be expected.
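
Added example (not part of the original bug comments, and not JBoss Data Grid code): a Python check for steps 1 and 2 of Comment 1 against a server configuration, plus a helper that interprets the GET status codes from Comment 5. The sample XML, its namespace versions other than the datagrid one, the function names, and the assumption that a BASIC challenge appears as HTTP 401 are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ALLOWED_AUTH = {"BASIC", "DIGEST", "CLIENT-CERT"}  # methods listed in Comment 1

# Constructed sample, trimmed to the elements the check needs.
SAMPLE = """<server xmlns="urn:jboss:domain:1.2">
  <profile>
    <subsystem xmlns="urn:jboss:domain:security:1.1">
      <security-domains>
        <security-domain name="other" cache-type="default"/>
      </security-domains>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:datagrid:1.0">
      <rest-connector virtual-server="default-host" cache-container="local"
                      security-domain="other" auth-method="BASIC"/>
    </subsystem>
  </profile>
</server>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the "{namespace}" prefix

def audit_rest_connector(xml_text):
    """Return a list of findings; an empty list means steps 1 and 2 pass."""
    root = ET.fromstring(xml_text)
    domains = {e.get("name") for e in root.iter() if local(e.tag) == "security-domain"}
    connectors = [e for e in root.iter() if local(e.tag) == "rest-connector"]
    findings = [] if connectors else ["no <rest-connector> element found"]
    for c in connectors:
        domain = c.get("security-domain")
        method = c.get("auth-method", "BASIC")  # BASIC is the stated default
        if not domain:
            findings.append("rest-connector has no security-domain: no authentication configured")
        elif domain not in domains:
            findings.append(f"security-domain '{domain}' is not declared in the security subsystem")
        if method not in ALLOWED_AUTH:
            findings.append(f"auth-method '{method}' is not BASIC, DIGEST or CLIENT-CERT")
    return findings

def classify_get(status, sent_credentials):
    """Interpret the HTTP status of GET /rest/namedCache as described in Comment 5."""
    if not sent_credentials:
        return "protected" if status == 401 else "NOT protected: no challenge issued"
    if status == 401:
        return "credentials rejected"
    return "authenticated" if status == 405 else f"unexpected status {status}"

if __name__ == "__main__":
    print(audit_rest_connector(SAMPLE) or "config OK")
    print(classify_get(405, sent_credentials=True))
```
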
Comment 6 Misha H. Ali 2012-05-18 00:58:16 EDT
The updated version of this topic is available here:


Adding DJorm for SME ACK once again.
Comment 7 David Jorm 2012-05-18 01:41:56 EDT
SME Approved
Comment 8 Misha H. Ali 2012-05-23 02:15:29 EDT
New topics are now public:

