SSL settings and the new UDP dhAlgo setting can't be in the cluster config. The cluster config is received over TCP/IP so you would have to use unsecured information to retrieve the settings, and you'd have to do it before the cache is created.

Does the security-manager have any role to play prior to the cache being created? For instance, is it involved in authenticating the receipt of a new membership view or a join request in GMSAuthenticator? If so you can't store it in the cluster config, which is only retrieved later on during cache creation.


On 9/23/2016 at 11:57 AM, Michael Stolz wrote:
I am in favor of keeping the SSL thoughts separate from the RBAC thoughts,
but I don't see any reason they couldn't share the same repository.

That said though, does putting it all into the Cluster Configuration
Manager (CCM) make it so that you can only have security if you are using
CCM for configuration?


--
Mike Stolz
Principal Engineer, GemFire Product Manager
Mobile: 631-835-4771

On Fri, Sep 23, 2016 at 1:48 PM, Jinmei Liao <jil...@pivotal.io> wrote:

Hi, All,

I am working on this ticket:
https://issues.apache.org/jira/browse/GEODE-1659. Basically, currently, any
member (locator or server) needs to specify its own security-manager in
order to protect its data, which could lead to misconfiguration and data
leak. So we would like to put it into the cluster configuration so any
member who wants to join the cluster will need to apply the same security
measures.

Now here is my question: should we only put the "security-manager" and
"security-post-processor" in the cluster config, or any "security-*"
settings, which include SSL settings as well?

Thanks!

--
Cheers

Jinmei

