Actually, I looked into the config settings; this is the list of settings that begin with security-. SSL settings are not there. The security-client-* and security-peer-* are deprecated, so they don't need to be in the cluster config. What about the udp-dhalgo and log-file and log-level? Does it hurt to put them in the cluster-config?

"security-client-authenticator";
"security-client-accessor";
"security-client-accessor-pp";
"security-client-auth-init";
"security-client-dhalgo";
"security-peer-auth-init";
"security-peer-authenticator";
"security-peer-verifymember-timeout";
"security-udp-dhalgo";
"security-log-file";
"security-log-level";
"security-manager";
"security-post-processor";

On Fri, Sep 23, 2016 at 12:41 PM, Bruce Schuchardt <bschucha...@pivotal.io> wrote:

> SSL settings and the new UDP dhAlgo setting can't be in the cluster
> config. The cluster config is received over TCP/IP so you would have to
> use unsecured information to retrieve the settings, and you'd have to do it
> before the cache is created.
>
> Does the security-manager have any role to play prior to the cache being
> created? For instance, is it involved in authenticating the receipt of a
> new membership view or a join request in GMSAuthenticator? If so you can't
> store it in the cluster config, which is only retrieved later on during
> cache creation.
>
> On 9/23/2016 at 11:57 AM, Michael Stolz wrote:
>
>> I am in favor of keeping the SSL thoughts separate from the RBAC thoughts,
>> but I don't see any reason they couldn't share the same repository.
>>
>> That said though, does putting it all into the Cluster Configuration
>> Manager (CCM) make it so that you can only have security if you are using
>> CCM for configuration?
>>
>> --
>> Mike Stolz
>> Principal Engineer, GemFire Product Manager
>> Mobile: 631-835-4771
>>
>> On Fri, Sep 23, 2016 at 1:48 PM, Jinmei Liao <jil...@pivotal.io> wrote:
>>
>>> Hi, All,
>>>
>>> I am working on this ticket:
>>> https://issues.apache.org/jira/browse/GEODE-1659. Basically, currently, any
>>> member (locator or server) needs to specify its own security-manager in
>>> order to protect its data which could lead to misconfiguration and data
>>> leak. So we would like to put it into the cluster configuration so any
>>> member who wants to join the cluster will need to apply the same security
>>> measures.
>>>
>>> Now here is my question, should we only put the "security-manager" and
>>> "security-post-processor" in the cluster config or any "security-*"
>>> settings, which include SSL settings as well.
>>>
>>> Thanks!
>>>
>>> --
>>> Cheers
>>>
>>> Jinmei

--
Cheers

Jinmei