Ok, I'll plan to change GMSAuthenticator (and GMSAuthenticatorJUnitTest) to use the DistributionConfig then. That'll be more consistent and correct.
Thanks,
Kirk

On Tue, Jul 12, 2016 at 4:19 PM, Bruce Schuchardt <[email protected]> wrote:

> I think we should get rid of that. It's a hack that the engineer who
> implemented the old AUTH protocol used because he didn't know how to get
> hold of the DistributionConfig. GMSAuthenticator can get at the config
> through services.getConfig().getDistributionConfig().
>
> On 7/12/2016 at 2:36 PM, Hitesh Khamesra wrote:
>
>> It seems InternalDistributedSystem(DistributedConfigImpl) sets system
>> property while creating ds.
>>
>>     if (securityPeerAuthInit != null && securityPeerAuthInit.length() > 0) {
>>       System.setProperty(SECURITY_SYSTEM_PREFIX + SECURITY_PEER_AUTH_INIT,
>>           securityPeerAuthInit);
>>     }
>>     if (securityPeerAuthenticator != null
>>         && securityPeerAuthenticator.length() > 0) {
>>       System.setProperty(SECURITY_SYSTEM_PREFIX
>>           + SECURITY_PEER_AUTHENTICATOR, securityPeerAuthenticator);
>>     }
>>
>> From: Kirk Lund <[email protected]>
>> To: geode <[email protected]>; Hitesh Khamesra <[email protected]>
>> Sent: Tuesday, July 12, 2016 2:24 PM
>> Subject: Re: GMSAuthenticator
>>
>> I still don't see DistributionConfig or Properties ever being passed into
>> GMSAuthenticator.
>>
>> The following method is for testing only so gemfire properties are never
>> passed in by product code:
>>
>>     /**
>>      * For testing only.
>>      */
>>     Properties getCredentials(DistributedMember member, Properties secProps) {
>>
>> The following method is the only one used by the product but it doesn't
>> pass any config in:
>>
>>     /**
>>      * Get credential object for the given GemFire distributed member.
>>      *
>>      * @param member
>>      *          the target distributed member
>>      * @return the credential object
>>      */
>>     @Override
>>     public Object getCredentials(InternalDistributedMember member) {
>>       try {
>>         return getCredentials(member, securityProps);
>>
>> So the only source of config seems to be that securityProps variable, and
>> the declaration is the ONLY place where securityProps is ever set (and
>> nothing ever modifies it):
>>
>>     private Properties securityProps = getSecurityProps();
>>
>> You can see that getSecurityProps() only ever reads from system
>> properties:
>>
>>     Properties getSecurityProps() {
>>       Properties props = new Properties();
>>       Set keys = System.getProperties().keySet();
>>       for (Object key: keys) {
>>         String propKey = (String) key;
>>         if (propKey.startsWith(secPrefix)) {
>>           props.setProperty(propKey.substring(gemfireSysPrefixLen),
>>               System.getProperty(propKey));
>>         }
>>       }
>>       return props;
>>     }
>>
>> It would appear to me that the only way to successfully provide gemfire
>> security- properties to GMSAuthenticator is via System properties.
>>
>> -Kirk
>>
>> On Tue, Jul 12, 2016 at 1:56 PM, Hitesh Khamesra <[email protected]> wrote:
>>
>>> One can specify the following in the gemfire.properties file:
>>>
>>>     /**
>>>      * The static String definition of the
>>>      * <i>"security-peer-authenticator"</i> property
>>>      */
>>>     String SECURITY_PEER_AUTHENTICATOR = SECURITY_PREFIX +
>>>         "peer-authenticator";
>>>
>>> From: Kirk Lund <[email protected]>
>>> To: geode <[email protected]>
>>> Sent: Tuesday, July 12, 2016 11:56 AM
>>> Subject: GMSAuthenticator
>>>
>>> We're looking into modifying peer authentication to work with
>>> org.apache.geode.security.SecurityManager as well as the deprecated
>>> Authenticator and AccessControl.
>>>
>>> GMSAuthenticator appears to only work with Security Properties that are
>>> specified as System Properties with "gemfire." prefix. The other areas of
>>> the product that perform authentication appear to work whether the
>>> Security Properties are specified with either System Properties or a
>>> Properties instance passed into connect.
>>>
>>> The online documentation for enabling peer authentication says to use
>>> gemfire.properties, but from what I can tell the GMSAuthenticator won't
>>> work with gemfire.properties and will instead require you to specify
>>> System properties à la
>>> -Dgemfire.security-peer-authenticator=MyAuthenticator.create.
>>>
>>> Am I missing some code path that supports non-System properties in
>>> GMSAuthenticator? Or is peer authentication limited to only working with
>>> System properties?
>>>
>>> Thanks,
>>> Kirk
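
Added example (not part of the thread and not Geode code): a standalone Java sketch of the lookup pattern discussed above, showing that a security- property supplied only through a Properties instance is invisible to a lookup that scans JVM system properties for the "gemfire." prefix. The class name, method names and sample values are hypothetical, and it models the lookup in isolation, without the copy into system properties that Hitesh describes.

```java
import java.util.Properties;
import java.util.Set;
import java.util.TreeSet;

// Added illustration; class and method names are hypothetical, not Geode code.
public class PeerAuthConfigCheck {
  static final String GEMFIRE_PREFIX = "gemfire.";
  static final String SECURITY_PREFIX = "security-";

  // Models the lookup quoted in the thread: only JVM system properties
  // whose names start with "gemfire.security-" are visible.
  static Properties fromSystemProperties() {
    Properties props = new Properties();
    for (String key : System.getProperties().stringPropertyNames()) {
      if (key.startsWith(GEMFIRE_PREFIX + SECURITY_PREFIX)) {
        props.setProperty(key.substring(GEMFIRE_PREFIX.length()),
            System.getProperty(key));
      }
    }
    return props;
  }

  // Returns the security- settings present in the supplied config (a stand-in
  // for gemfire.properties or a Properties passed to connect) that the
  // system-property-only lookup cannot see, or sees with a different value.
  static Set<String> invisibleToSystemLookup(Properties config) {
    Properties visible = fromSystemProperties();
    Set<String> missing = new TreeSet<>();
    for (String key : config.stringPropertyNames()) {
      if (key.startsWith(SECURITY_PREFIX)
          && !config.getProperty(key).equals(visible.getProperty(key))) {
        missing.add(key);
      }
    }
    return missing;
  }

  public static void main(String[] args) {
    Properties config = new Properties(); // constructed sample config
    config.setProperty("security-peer-authenticator", "MyAuthenticator.create");
    config.setProperty("log-level", "config"); // non-security key, ignored

    // Authenticator configured, but not visible to the system-property scan.
    System.out.println("not visible: " + invisibleToSystemLookup(config));

    // Same setting supplied as -Dgemfire.security-peer-authenticator=...
    System.setProperty("gemfire.security-peer-authenticator",
        "MyAuthenticator.create");
    System.out.println("not visible: " + invisibleToSystemLookup(config));
  }
}
```

A non-empty result from invisibleToSystemLookup means a peer-authentication setting exists in the configuration that a system-property-only component would treat as absent.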
