Isn't cluster-configuration optional? If I restart a locator and it
doesn't have a persistent cluster configuration it is going to need to
know the DH algorithm in order to communicate with other members and
join the system.
If it's going to stop being optional then I think we could conceivably
move this setting to the cluster-configuration. It might be odd to have
that in cluster-config and SSL settings in the properties file though.
Both concern secure communications.
Le 9/27/2016 à 4:30 PM, Jinmei Liao a écrit :
for "security-udp-dhalgo" property, If "Each member needs to define this
property with the same algorithm", it would make sense to put that in the
cluster configuration.
On Tue, Sep 27, 2016 at 3:09 PM, Bruce Schuchardt <bschucha...@pivotal.io>
wrote:
security-udp-dhalgo is new and is described here:
https://cwiki.apache.org/confluence/display/GEODE/Secure+
UDP+Communication+in+Geode
Le 9/26/2016 à 11:23 AM, Swapnil Bawaskar a écrit :
Hi John,
security-manager and security-post-processor are discussed here:
https://cwiki.apache.org/confluence/display/GEODE/Geode+
Integrated+Security
On Mon, Sep 26, 2016 at 11:01 AM, Joey McAllister <jmcallis...@pivotal.io
wrote:
Hi John,
They are documented in the docs dev branch and will be published with the
next Geode release. Also, we're scheduled to donate the docs code to the
project later this week, so you'll be able to see the work in dev.
Best,
Joey
On Mon, Sep 26, 2016 at 10:41 AM John Blum <jb...@pivotal.io> wrote:
Jinmei-
Where are the following security-* properties documented?
security-udp-dhalgo
security-manager
security-post-processor
They certainly are not documented in the (Geode) User Docs, here
<
http://geode.docs.pivotal.io/docs/reference/topics/gemfire_
properties.html
[1].
Thanks!
John
[1]
http://geode.docs.pivotal.io/docs/reference/topics/gemfire_
properties.html
On Mon, Sep 26, 2016 at 8:42 AM, Jinmei Liao <jil...@pivotal.io> wrote:
Actually, I looked into the the config settings, these are the list of
settings that begin with security-. SSL settings are not there. The
security-client-* and security-peer-* are deprecated, so they don't
need
to
be in the cluster config. What about the udp-dhalgo and log-file and
log-level? Does it hurt to put them in the cluster-config?
"security-client-authenticator";
"security-client-accessor";
"security-client-accessor-pp";
"security-client-auth-init";
"security-client-dhalgo";
"security-peer-auth-init";
"security-peer-authenticator";
"security-peer-verifymember-timeout";
"security-udp-dhalgo";
"security-log-file";
"security-log-level";
"security-manager";
"security-post-processor";
On Fri, Sep 23, 2016 at 12:41 PM, Bruce Schuchardt <
bschucha...@pivotal.io
wrote:
SSL settings and the new UDP dhAlgo setting can't be in the cluster
config. The cluster config is received over TCP/IP so you would have
to
use unsecured information to retrieve the settings, and you'd have to
do
it
before the cache is created.
Does the security-manager have any role to play prior to the cache
being
created? For instance, is it involved in authenticating the receipt
of
a
new membership view or a join request in GMSAuthenticator? If so you
can't
store it in the cluster config, which is only retrieved later on
during
cache creation.
Le 9/23/2016 à 11:57 AM, Michael Stolz a écrit :
I am in favor of keeping the SSL thoughts separate from the RBAC
thoughts,
but I don't see any reason they couldn't share the same repository.
That said though, does putting it all into the Cluster Configuration
Manager (CCM) make it so that you can only have security if you are
using
CCM for configuration?
--
Mike Stolz
Principal Engineer, GemFire Product Manager
Mobile: 631-835-4771
On Fri, Sep 23, 2016 at 1:48 PM, Jinmei Liao <jil...@pivotal.io>
wrote:
Hi, All,
I am working on this ticket:
https://issues.apache.org/jira/browse/GEODE-1659. Basically,
currently,
any
member(locator or server) needs to specify its own security-manager
in
order to protect its data which could leads to misconfiguration and
data
leak. So we would like to put it into the cluster configuration so
any
member who wants to join the cluster will need to apply the same
security
measures.
Now Here is my question, should we only put the "security-manager"
and
"security-post-processor" in the cluster config or any "security-*"
settings, which include SSL settings as well.
Thanks!
--
Cheers
Jinmei
--
Cheers
Jinmei
--
-John
503-504-8657
john.blum10101 (skype)
