It seems InternalDistributedSystem(DistributedConfigImpl) sets system property
while creating ds.
if (securityPeerAuthInit != null && securityPeerAuthInit.length() > 0) {
System.setProperty(SECURITY_SYSTEM_PREFIX + SECURITY_PEER_AUTH_INIT,
securityPeerAuthInit);
}
if (securityPeerAuthenticator != null
&& securityPeerAuthenticator.length() > 0) {
System.setProperty(SECURITY_SYSTEM_PREFIX
+ SECURITY_PEER_AUTHENTICATOR, securityPeerAuthenticator);
}
From: Kirk Lund <[email protected]>
To: geode <[email protected]>; Hitesh Khamesra
<[email protected]>
Sent: Tuesday, July 12, 2016 2:24 PM
Subject: Re: GMSAuthenticator
I still don't see DistributionConfig or Properties ever being passed into
GMSAuthenticator.
The following method is for testing only so gemfire properties are never
passed in by product code:
/**
* For testing only.
*/
Properties getCredentials(DistributedMember member, Properties secProps) {
The following method is the only one used by the product but it doesn't
pass any config in:
/**
* Get credential object for the given GemFire distributed member.
*
* @param member
* the target distributed member
* @return the credential object
*/
@Override
public Object getCredentials(InternalDistributedMember member) {
try {
return getCredentials(member, securityProps);
So the only source of config seems to be that securityProps variable, and
the declaration is the ONLY place where securityProps is ever set (and
nothing ever modifies it):
private Properties securityProps = getSecurityProps();
You can see that getSecurityProps() only ever reads from system properties:
Properties getSecurityProps() {
Properties props = new Properties();
Set keys = System.getProperties().keySet();
for (Object key: keys) {
String propKey = (String) key;
if (propKey.startsWith(secPrefix)) {
props.setProperty(propKey.substring(gemfireSysPrefixLen),
System.getProperty(propKey));
}
}
return props;
}
It would appear to me that the only way to successfully provide gemfire
security- propertes to GMSAuthenticator is via System properties.
-Kirk
On Tue, Jul 12, 2016 at 1:56 PM, Hitesh Khamesra <
[email protected]> wrote:
> One can specify following in gemfire.properties file
> /**
> * The static String definition of the
> <i>"security-peer-authenticator"</i>
> * property
> */
> String SECURITY_PEER_AUTHENTICATOR = SECURITY_PREFIX +
> "peer-authenticator";
>
>
> From: Kirk Lund <[email protected]>
> To: geode <[email protected]>
> Sent: Tuesday, July 12, 2016 11:56 AM
> Subject: GMSAuthenticator
>
> We're looking into modifying peer authentication to work with
> org.apache.geode.security.SecurityManager as well as the deprecated
> Authenticator and AccessControl.
>
> GMSAuthenticator appears to only work with Security Properties that are
> specified as System Properties with "gemfire." prefix. The other areas of
> the product that perform authentication appear to work whether the Security
> Properties are specified with either System Properties or a Properties
> instance passed into connect.
>
> The online documentation for enabling peer authentication says to use
> gemfire.properties, but from what I can tell the GMSAuthenticator won't
> work with gemfire.properties and will instead require you to specify System
> properties ala
> -Dgemfire.security-peer-authenticator=MyAuthenticator.create.
>
> Am I missing some code path that supports non-System properties in
> GMSAuthenticator? Or is peer authentication limited to only working with
> System properties?
>
> Thanks,
> Kirk
>
>
>
>
