In addition to this, Jinmei's #2 can be easily achieved using a KMIP like HashiCorp Vault. https://www.vaultproject.io/

On 6/8/17 09:51, John Blum wrote:
Dharam-

... or use *Apache Shiro*, which provides tooling [1] to handle securing credentials [2]. Shiro also handles encryption [3]. Although it is not well spelled out in the Apache Geode documentation [4], Apache Geode does integrate with Apache Shiro for security as well.

As an FYI, in /Spring Data Geode/, I provided first-class support for Apache Geode when using Apache Shiro. I blogged about this [5] (see section starting with "Security!").

So, my recommendation, in addition to Jinmei's option #1 below, is to use Apache Shiro over implementing your own Apache Geode SecurityManager interface.

Hope this helps!

-John


[1] https://shiro.apache.org/command-line-hasher.html
[2] https://shiro.apache.org/command-line-hasher.html#common-scenarios
[3] https://shiro.apache.org/cryptography-features.html
[4] http://geode.apache.org/docs/guide/11/managing/security/chapter_overview.html
[5] https://spring.io/blog/2016/11/10/spring-data-geode-1-0-0-incubating-release-released


On Thu, Jun 8, 2017 at 6:37 AM, Jinmei Liao <[email protected] <mailto:[email protected]>> wrote:

    SampleSecurityManager doesn't do encryption/decryption. It's meant
    only as an example.

    There are multiple ways to protect your password:
    1) read-protect your security.json so that only a certain user can
    read it.
    2) implement your own security-manager to decrypt the password
    using a secret key. (but here again you will need to find a way to
    protect this key in your corporation. In my opinion, it's simply
    changing the subject, but the problem is still there).

    We usually recommend the first approach, but in some situations,
    2nd one might be an option too.


    On Thu, Jun 8, 2017 at 1:11 AM, Thacker, Dharam
    <[email protected] <mailto:[email protected]>>
    wrote:

        Hi Jinmei,

        Is there any way to encrypt the password in the security.json file
        with Geode 1.1.1? I tried below but it did not work for me,

        "users": [
          {
            "name": "admin",
            "password": "encrypted(0859A0F6C68B9785)",
            "roles": ["ADMIN"]
            …
          },

        Thanks & Regards,

        Dharam

        *From:*Thacker, Dharam
        *Sent:* Wednesday, June 07, 2017 11:26 AM
        *To:* '[email protected] <mailto:[email protected]>';
        '[email protected] <mailto:[email protected]>'
        *Subject:* RE: FW: ExampleSecurityManager in Apache geode

        Thanks Jinmei for quick reply!

        >> It did not work for me when I used [--classpath] and
        [--security-properties-file] even though my classpath
        contains the security.json file [That's strange]

        start locator --name=locator2
        --locators=localhost[10334],localhost[10335]
        --security-properties-file=gfsecurity.properties
        --classpath=C:\Users\GeodeWorkDir\locator2

        FAILED

        >> It worked for me when I used
        --J=-Dgemfire.security-username=admin
        --J=-Dgemfire.security-password=admin [SUCCESS]

        start locator --name=locator2
        --locators=localhost[10334],localhost[10335]
        --J=-Dgemfire.security-username=admin
        --J=-Dgemfire.security-password=admin
        --classpath=C:\Users\GeodeWorkDir\locator2

        SUCCESS

        Thanks & Regards,

        Dharam

        *From:*Jinmei Liao [mailto:[email protected]]
        *Sent:* Wednesday, June 07, 2017 11:12 AM
        *To:* [email protected] <mailto:[email protected]>
        *Subject:* Re: FW: ExampleSecurityManager in Apache geode

        I tried using the SampleSecurityManager, and either one of the
        following command to start the 2nd locator is working: (I
        executed these commands while connected to the first locator,
        so I don't need to provide the --locators option, it knows
        which locator to join)

        1> start locator --name=locator2 --port=10335
        --classpath=/Users/jiliao/my_geode/security
        --security-properties-file=locator2.properties

        // locator2.properties only contains "security-username" and
        "security-password" properties.

        2> start locator --name=locator2 --port=10335
        --locators=jiliao-mbpro.lan[10334]
        --classpath=/Users/jiliao/my_geode/security/
        --J=-Dgemfire.security-username=admin
        --J=-Dgemfire.security-password=admin

        I suspect that the reason one of your commands did not work is
        that locator2 can't find a security.json in its classpath, not
        because you did not provide the username/password. One of the
        complications of using our SampleSecurityManager is that it
        needs a security.json in its classpath, which complicates the
        issue. We should have a simpler security manager in the sample
        that's easier for users to experiment with.

        On Tue, Jun 6, 2017 at 10:03 PM, Thacker, Dharam
        <[email protected]
        <mailto:[email protected]>> wrote:

        I am able to start a server with --user and --password to join
        the existing secure locator. But I am not able to start another
        locator to join the existing secure locator. Could someone
        guide me here?

        start locator --name=locator1
        --locators=localhost[10334],localhost[10335]
        --properties-file=locator.properties
        --classpath=C:\Users\GeodeWorkDir\locator1

        SUCCESS

        start locator --name=locator2
        --locators=localhost[10334],localhost[10335]
        --properties-file=locator.properties
        --classpath=C:\Users\GeodeWorkDir\locator2

        FAILED

        start locator --name=locator2
        --locators=localhost[10334],localhost[10335]
        --security-properties-file=gfsecurity.properties
        [gfsecurity.properties contains:
         security-username=clusteruser
         security-password=****]

        FAILED

        start locator --name=locator2
        --locators=localhost[10334],localhost[10335]
        --security-properties-file=gfsecurity.properties
        --classpath=C:\Users\GeodeWorkDir\locator2

        FAILED

        Jun 07, 2017 10:27:06 AM
        org.apache.geode.distributed.LocatorLauncher failOnStart
        INFO: locator is exiting due to an exception

        org.apache.geode.security.AuthenticationRequiredException:
        Failed to find credentials from
        [X.X.X.X(locator2:19416:locator)<ec>:1025]
          at org.apache.geode.distributed.internal.membership.gms.membership.GMSJoinLeave.attemptToJoin(GMSJoinLeave.java:424)
          at org.apache.geode.distributed.internal.membership.gms.membership.GMSJoinLeave.join(GMSJoinLeave.java:318)
          at org.apache.geode.distributed.internal.membership.gms.mgr.GMSMembershipManager.join(GMSMembershipManager.java:656)
          at org.apache.geode.distributed.internal.membership.gms.mgr.GMSMembershipManager.joinDistributedSystem(GMSMembershipManager.java:745)
          at org.apache.geode.distributed.internal.membership.gms.Services.start(Services.java:181)

        Thanks & Regards,

        Dharam


        *From:*Thacker, Dharam
        *Sent:* Tuesday, June 06, 2017 3:41 PM
        *To:* [email protected] <mailto:[email protected]>
        *Cc:* [email protected] <mailto:[email protected]>
        *Subject:* RE: ExampleSecurityManager in Apache geode

        Thank you Nilkanth!

        Classpath worked!

        start locator --name=locator1
        --properties-file=locator.properties
        --classpath=C:\Users\GeodeWorkDir\locator1

        *_security-json file location:_*

        C:\Users\GeodeWorkDir\locator1\security.json

        Thanks & Regards,

        Dharam

        *From:*Nilkanth Patel [mailto:[email protected]
        <mailto:[email protected]>]
        *Sent:* Tuesday, June 06, 2017 3:35 PM
        *To:* [email protected] <mailto:[email protected]>
        *Cc:* [email protected] <mailto:[email protected]>
        *Subject:* Re: ExampleSecurityManager in Apache geode

        Dharam,

        Try out something like below; "security.json" is kept in the
        /work/code/oss/geode/locator1 dir.

        gfsh>start locator --name=/work/code/oss/geode/locator1
        --security-properties-file=/work/code/oss/geode/locator1/locator.properties
        --classpath=/work/code/oss/geode/locator1

        Additional checks,

        1. specify classpath while starting locator as shown in above
        command.

        2. check the file permission for security.json.

        Nilkanth.

        On Tue, Jun 6, 2017 at 3:21 PM, Thacker, Dharam
        <[email protected]
        <mailto:[email protected]>> wrote:

        Hi Nilkanth,

        Thanks for the reply! I tried below one but it’s still not
        taking security.json file. Do you suggest anything different?

        *_My Current Directory:_*

        C:\Users\GeodeWorkDir

        *_Locator Directory:_*

        C:\Users\GeodeWorkDir\locator1

        *_security-json file location [Tried both locations]:_*

        C:\Users\GeodeWorkDir\locator1\security.json

        C:\Users\GeodeWorkDir\security.json

        Thanks & Regards,

        Dharam


        *From:*Nilkanth Patel [mailto:[email protected]
        <mailto:[email protected]>]
        *Sent:* Tuesday, June 06, 2017 3:07 PM
        *To:* [email protected] <mailto:[email protected]>
        *Cc:* [email protected] <mailto:[email protected]>
        *Subject:* Re: ExampleSecurityManager in Apache geode

        Dharam,

        I believe following will be helpful to you.

        IMO with the existing implementation, the "security.json" file
        has to be kept in a locator/server directory. In your case you
        need to keep it in the locator directory (l1) and it should work.

        Hope this helps.

        Nilkanth Patel.

        On Tue, Jun 6, 2017 at 2:40 PM, Thacker, Dharam
        <[email protected]
        <mailto:[email protected]>> wrote:

        Hi Jinmei & Team,

        I was going through “New Security In Apache Geode” video. I
        also tried to start locator with ExampleSecurityManager and
        ExamplePostProcessor as shown below,

        *_locator.properties_*

        mcast-port=0
        security-manager=org.apache.geode.examples.security.ExampleSecurityManager
        security-post-processor=org.apache.geode.examples.security.ExamplePostProcessor

        > dir

        locator.properties
        security.json
        security-config.jar

        My security-config.jar has the following structure,

        --- resources -> security.json
        --- META-INF -> MANIFEST.MF

        Could you guide me with below error?

        gfsh>start locator --name=locator1
        --properties-file=locator.properties
        --classpath=C:\Users\GeodeWorkDir\security-config.jar

        Starting a Geode Locator in C:\Users\GeodeWorkDir\locator1...

        The Locator process terminated unexpectedly with exit status
        1. Please refer to the log file in
        C:\Users\GeodeWorkDir\locator1 for full details.

        Jun 06, 2017 2:19:50 PM
        org.apache.geode.distributed.LocatorLauncher failOnStart
        INFO: locator is exiting due to an exception

        org.apache.geode.security.AuthenticationFailedException:
        ExampleSecurityManager: unable to find json resource
        "security.json" as specified by [security-json].
          at org.apache.geode.examples.security.ExampleSecurityManager.init(ExampleSecurityManager.java:132)
          at org.apache.geode.internal.security.IntegratedSecurityService.initSecurity(IntegratedSecurityService.java:332)
          at org.apache.geode.internal.cache.GemFireCacheImpl.initialize(GemFireCacheImpl.java:1208)
          at org.apache.geode.internal.cache.GemFireCacheImpl.basicCreate(GemFireCacheImpl.java:798)
          at org.apache.geode.internal.cache.GemFireCacheImpl.create(GemFireCacheImpl.java:783)
          at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:178)
          at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:218)
          at org.apache.geode.distributed.internal.InternalLocator.startCache(InternalLocator.java:767)
          at org.apache.geode.distributed.internal.InternalLocator.startDistributedSystem(InternalLocator.java:752)
          at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:357)
          at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:315)
          at org.apache.geode.distributed.LocatorLauncher.start(LocatorLauncher.java:630)
          at org.apache.geode.distributed.LocatorLauncher.run(LocatorLauncher.java:532)
          at org.apache.geode.distributed.LocatorLauncher.main(LocatorLauncher.java:174)

        Exception in thread "main"
        org.apache.geode.security.AuthenticationFailedException:
        ExampleSecurityManager: unable to find json resource
        "security.json" as specified by [security-json].
          at org.apache.geode.examples.security.ExampleSecurityManager.init(ExampleSecurityManager.java:132)
          at org.apache.geode.internal.security.IntegratedSecurityService.initSecurity(IntegratedSecurityService.java:332)
          at org.apache.geode.internal.cache.GemFireCacheImpl.initialize(GemFireCacheImpl.java:1208)
          at org.apache.geode.internal.cache.GemFireCacheImpl.basicCreate(GemFireCacheImpl.java:798)
          at org.apache.geode.internal.cache.GemFireCacheImpl.create(GemFireCacheImpl.java:783)
          at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:178)
          at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:218)
          at org.apache.geode.distributed.internal.InternalLocator.startCache(InternalLocator.java:767)
          at org.apache.geode.distributed.internal.InternalLocator.startDistributedSystem(InternalLocator.java:752)
          at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:357)
          at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:315)
          at org.apache.geode.distributed.LocatorLauncher.start(LocatorLauncher.java:630)
          at org.apache.geode.distributed.LocatorLauncher.run(LocatorLauncher.java:532)
          at org.apache.geode.distributed.LocatorLauncher.main(LocatorLauncher.java:174)

        Thanks & Regards,

        Dharam

        This message is confidential and subject to terms at:
        http://www.jpmorgan.com/emaildisclaimer
        <http://www.jpmorgan.com/emaildisclaimer> including on
        confidentiality, legal privilege, viruses and monitoring of
        electronic messages. If you are not the intended recipient,
        please delete this message and notify the sender immediately.
        Any unauthorized use is strictly prohibited.




--
        Cheers

        Jinmei





-- Cheers

    Jinmei




--
-John
john.blum10101 (skype)
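Jinmei's option #2 (a custom SecurityManager) and John's Shiro recommendation can be combined without any decryption key left on the locator: store only a salted password hash, as the Shiro command-line hasher produces, and verify it at authentication time. The class below is an added example, not code from Geode, Shiro or anyone on this thread; the class name, the `users.properties` file and its `user=<shiro1 hash>,ROLE1|ROLE2` line format are assumptions, and it assumes geode-core and shiro-core are on the locator classpath.

```java
// Added example (not Geode's, Shiro's or John's code): a Geode SecurityManager that keeps
// only Shiro password hashes, so no reversible "encrypted(...)" value or secret key is stored.
import java.io.IOException;
import java.io.InputStream;
import java.util.*;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.SecurityManager;
import org.apache.shiro.authc.credential.DefaultPasswordService;

public class HashedCredentialSecurityManager implements SecurityManager {
  private final Map<String, String> hashes = new HashMap<>();      // user -> $shiro1$... hash
  private final Map<String, Set<String>> roles = new HashMap<>();  // user -> role names
  private final DefaultPasswordService passwords = new DefaultPasswordService();

  @Override
  public void init(Properties securityProps) {
    // users.properties (assumed name) is looked up on the classpath, like security.json is by
    // ExampleSecurityManager; assumed line format: user=<shiro1 hash>,ROLE1|ROLE2
    try (InputStream in = getClass().getClassLoader().getResourceAsStream("users.properties")) {
      if (in == null) throw new AuthenticationFailedException("users.properties not on classpath");
      Properties p = new Properties();
      p.load(in);
      for (String user : p.stringPropertyNames()) {
        String[] parts = p.getProperty(user).split(",", 2);
        hashes.put(user, parts[0].trim());
        String roleList = parts.length > 1 ? parts[1].trim() : "";
        roles.put(user, new HashSet<>(Arrays.asList(roleList.split("\\|"))));
      }
    } catch (IOException e) {
      throw new AuthenticationFailedException("cannot read users.properties", e);
    }
  }

  @Override
  public Object authenticate(Properties credentials) {
    String user = credentials.getProperty(USER_NAME);   // "security-username"
    String pass = credentials.getProperty(PASSWORD);    // "security-password"
    String stored = user == null ? null : hashes.get(user);
    // One message for unknown user and wrong password, so the reply reveals neither.
    if (stored == null || pass == null || !passwords.passwordsMatch(pass, stored)) {
      throw new AuthenticationFailedException("invalid credentials");
    }
    return user; // becomes the principal handed to authorize()
  }

  @Override
  public boolean authorize(Object principal, ResourcePermission permission) {
    Set<String> r = roles.getOrDefault(String.valueOf(principal), Collections.emptySet());
    return r.contains("ADMIN") || (r.contains("READER")
        && permission.getResource() == ResourcePermission.Resource.DATA
        && permission.getOperation() == ResourcePermission.Operation.READ);
  }
}
```

Point `security-manager` in locator.properties at this class and put users.properties in the locator's `--classpath` directory; the file still needs read protection (Jinmei's option #1), but a leaked copy yields only hashes.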
