Thanks Jinmei and John! But could you guide us with some steps how we can include that shiro config file with locator startup and joining peer locator or server from gfsh?
Regards, Dharam Sent with BlackBerry Work (www.blackberry.com) ________________________________ From: John Blum <[email protected]> Sent: Jun 8, 2017 22:21 To: [email protected] Subject: Re: FW: ExampleSecurityManager in Apache geode Cc: "Thacker, Dharam" <[email protected]> Dharam- ... or use Apache Shiro, which provides tooling [1] to handle securing credentials [2]. Shiro also handles encryption [3]. Although it is not well spelled in the Apache Geode documentation [4], Apache Geode does integrate with Apache Shiro for security as well. As any FYI, in Spring Data Geode, I provided first-class support for Apache Geode when using Apache Shiro. I blogged about this [5] (see section starting with "Security!"). So, my recommendation, in addition to Jinmei's option #1 below, is to use Apache Shiro over implementing your own Apache Geode SecurityManager interface. Hope this helps! -John [1] https://shiro.apache.org/command-line-hasher.html [2] https://shiro.apache.org/command-line-hasher.html#common-scenarios [3] https://shiro.apache.org/cryptography-features.html [4] http://geode.apache.org/docs/guide/11/managing/security/chapter_overview.html [5] https://spring.io/blog/2016/11/10/spring-data-geode-1-0-0-incubating-release-released On Thu, Jun 8, 2017 at 6:37 AM, Jinmei Liao <[email protected]<mailto:[email protected]>> wrote: SampleSecurityManager doesn't do encryption/decryption. It's meant only as an example. There are multiple ways to protect your password: 1) read-protect your security.json so that only a certain user can read it. 2) implement your own security-manager to decrypt the password using a secret key. (but here again you will need to find a way to protect this key in your corporation. In my opinion, it's simply changing the subject, but the problem is still there). We usually recommend the first approach, but in some situations, 2nd one might be an option too. On Thu, Jun 8, 2017 at 1:11 AM, Thacker, Dharam <[email protected]<mailto:[email protected]>> wrote: Hi Jinmei, Is there any way to encrypt password in security.json file with Geode 1.1.1? I tried below but it did not work for me, "users": [ { "name": "admin", "password": "encrypted(0859A0F6C68B9785)", "roles": ["ADMIN"] … }, Thanks & Regards, Dharam From: Thacker, Dharam Sent: Wednesday, June 07, 2017 11:26 AM To: '[email protected]<mailto:[email protected]>'; '[email protected]<mailto:[email protected]>' Subject: RE: FW: ExampleSecurityManager in Apache geode Thanks Jinmei for quick reply! >> It did not work for me when I used [--classpath] and >> [--security-properties-file] even though my classpath contains security.json >> file [That’s strange] start locator –name=locator2 --locators=localhost[10334],localhost[10335] --security-properties-file=gfsecurity.properties --classpath=C:\Users\GeodeWorkDir\locator2 FAILED >> It worked for me when I used --J=-Dgemfire.security-username=admin >> --J=-Dgemfire.security-password=admin [SUCCESS] start locator –name=locator2 --locators=localhost[10334],localhost[10335] --J=-Dgemfire.security-username=admin --J=-Dgemfire.security-password=admin --classpath=C:\Users\GeodeWorkDir\locator2 SUCCESS Thanks & Regards, Dharam From: Jinmei Liao [mailto:[email protected]] Sent: Wednesday, June 07, 2017 11:12 AM To: [email protected]<mailto:[email protected]> Subject: Re: FW: ExampleSecurityManager in Apache geode I tried using the SampleSecurityManager, and either one of the following command to start the 2nd locator is working: (I executed these commands while connected to the first locator, so I don't need to provide the --locators option, it knows which locator to join) 1> start locator --name=locator2 --port=10335 --classpath=/Users/jiliao/my_geode/security --security-properties-file=locator2.properties // locator2.properties only contains "security-username" and "security-password" properties. 2> start locator --name=locator2 --port=10335 --locators=jiliao-mbpro.lan[10334] --classpath=/Users/jiliao/my_geode/security/ --J=-Dgemfire.security-username=admin --J=-Dgemfire.security-password=admin I suspect that the reason one of your commands did not work is because of the locator2 can't find a security.json in its classpath, not because you did not provide the username/password. One of the complication of using our SampleSecurityManager is that it will need a security.json in it's classpath which complicates the issue. We should have a simpler security manager in the sample that's easier for users to experiment with. On Tue, Jun 6, 2017 at 10:03 PM, Thacker, Dharam <[email protected]<mailto:[email protected]>> wrote: I am able to start server with –user and –password to join existing secure locator. But I am not able to start another locator to join the existing secure locator. Could someone guide me here? start locator --name=locator1 --locators=localhost[10334],localhost[10335] --properties-file=locator.properties --classpath=C:\Users\GeodeWorkDir\locator1 SUCCESS start locator –name=locator2 --locators=localhost[10334],localhost[10335] --properties-file=locator.properties --classpath=C:\Users\GeodeWorkDir\locator2 FAILED start locator –name=locator2 --locators=localhost[10334],localhost[10335] --security-properties-file=gfsecurity.properties [gfsecurity.properties ---- security-username=clusteruser security-password=****] FAILED start locator –name=locator2 --locators=localhost[10334],localhost[10335] --security-properties-file=gfsecurity.properties --classpath=C:\Users\GeodeWorkDir\locator2 FAILED Jun 07, 2017 10:27:06 AM org.apache.geode.distributed.LocatorLauncher failOnStart INFO: locator is exiting due to an exception org.apache.geode.security.AuthenticationRequiredException: Failed to find credentials from [X.X.X.X(locator2:19416:locator)<ec>:1025] at org.apache.geode.distributed.internal.membership.gms.membership.GMSJoinLeave.attemptToJoin(GMSJoinLeave.java:424) at org.apache.geode.distributed.internal.membership.gms.membership.GMSJoinLeave.join(GMSJoinLeave.java:318) at org.apache.geode.distributed.internal.membership.gms.mgr.GMSMembershipManager.join(GMSMembershipManager.java:656) at org.apache.geode.distributed.internal.membership.gms.mgr.GMSMembershipManager.joinDistributedSystem(GMSMembershipManager.java:745) at org.apache.geode.distributed.internal.membership.gms.Services.start(Services.java:181) Thanks & Regards, Dharam From: Thacker, Dharam Sent: Tuesday, June 06, 2017 3:41 PM To: [email protected]<mailto:[email protected]> Cc: [email protected]<mailto:[email protected]> Subject: RE: ExampleSecurityManager in Apache geode Thank you Nilkanth! Classpath worked! start locator --name=locator1 --properties-file=locator.properties --classpath=C:\Users\GeodeWorkDir\locator1 security-json file location: C:\Users\GeodeWorkDir\locator1\security.json Thanks & Regards, Dharam From: Nilkanth Patel [mailto:[email protected]] Sent: Tuesday, June 06, 2017 3:35 PM To: [email protected]<mailto:[email protected]> Cc: [email protected]<mailto:[email protected]> Subject: Re: ExampleSecurityManager in Apache geode Dharam, Try out something like bellow, "security.json" is kept into /work/code/oss/geode/locator1 dir. gfsh>start locator --name=/work/code/oss/geode/locator1 --security-properties-file=/work/code/oss/geode/locator1/locator.properties --classpath=/work/code/oss/geode/locator1 Additional checks, 1. specify classpath while starting locator as shown in above command. 2. check the file permission for security.json. Nilkanth. On Tue, Jun 6, 2017 at 3:21 PM, Thacker, Dharam <[email protected]<mailto:[email protected]>> wrote: Hi Nilkanth, Thanks for the reply! I tried below one but it’s still not taking security.json file. Do you suggest anything different? My Current Directory: C:\Users\GeodeWorkDir Locator Directory: C:\Users\GeodeWorkDir\locator1 security-json file location [Tried both locations]: C:\Users\GeodeWorkDir\locator1\security.json C:\Users\GeodeWorkDir\security.json Thanks & Regards, Dharam From: Nilkanth Patel [mailto:[email protected]<mailto:[email protected]>] Sent: Tuesday, June 06, 2017 3:07 PM To: [email protected]<mailto:[email protected]> Cc: [email protected]<mailto:[email protected]> Subject: Re: ExampleSecurityManager in Apache geode Dharam, I believe following will be helpful to you. IMO with the existing implementation, "security.json" file has to be kept in a locator/server directory. In your case you need to be keep it in a locator director (l1) and should work. Hope this helps. Nilkanth Patel. On Tue, Jun 6, 2017 at 2:40 PM, Thacker, Dharam <[email protected]<mailto:[email protected]>> wrote: Hi Jinmei & Team, I was going through “New Security In Apache Geode” video. I also tried to start locator with ExampleSecurityManager and ExamplePostProcessor as shown below, locator.proprties mcast-port=0 security-manager=org.apache.ge<http://org.apache.ge>ode.examples.security.ExampleSecurityManager security-post-processor=org.apache.geode.examples.security.ExamplePostProcessor > dir locator.properties security.json security-config.jar My security-config.jar has following structure, --- resources -> security.json --- META-INF -> MANIFEST.MF Could you guide me with below error? gfsh>start locator --name=locator1 --properties-file=locator.properties --classpath=C:\Users\GeodeWorkDir\security-config.jar Starting a Geode Locator in C:\Users\GeodeWorkDir\locator1... The Locator process terminated unexpectedly with exit status 1. Please refer to the log file in C:\Users\GeodeWorkDir\locator1 for full details. Jun 06, 2017 2:19:50 PM org.apache.geode.distributed.LocatorLauncher failOnStart INFO: locator is exiting due to an exception org.apache.geode.security.AuthenticationFailedException: ExampleSecurityManager: unable to find json resource "security.json" as specified by [security-json]. at org.apache.geode.examples.security.ExampleSecurityManager.init(ExampleSecurityManager.java:132) at org.apache.geode.internal.security.IntegratedSecurityService.initSecurity(IntegratedSecurityService.java:332) at org.apache.geode.internal.cache.GemFireCacheImpl.initialize(GemFireCacheImpl.java:1208) at org.apache.geode.internal.cache.GemFireCacheImpl.basicCreate(GemFireCacheImpl.java:798) at org.apache.geode.internal.cache.GemFireCacheImpl.create(GemFireCacheImpl.java:783) at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:178) at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:218) at org.apache.geode.distributed.internal.InternalLocator.startCache(InternalLocator.java:767) at org.apache.geode.distributed.internal.InternalLocator.startDistributedSystem(InternalLocator.java:752) at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:357) at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:315) at org.apache.geode.distributed.LocatorLauncher.start(LocatorLauncher.java:630) at org.apache.geode.distributed.LocatorLauncher.run(LocatorLauncher.java:532) at org.apache.geode.distributed.LocatorLauncher.main(LocatorLauncher.java:174) Exception in thread "main" org.apache.geode.security.AuthenticationFailedException: ExampleSecurityManager: unable to find json resource "security.json" as specified by [security-json]. at org.apache.geode.examples.security.ExampleSecurityManager.init(ExampleSecurityManager.java:132) at org.apache.geode.internal.security.IntegratedSecurityService.initSecurity(IntegratedSecurityService.java:332) at org.apache.geode.internal.cache.GemFireCacheImpl.initialize(GemFireCacheImpl.java:1208) at org.apache.geode.internal.cache.GemFireCacheImpl.basicCreate(GemFireCacheImpl.java:798) at org.apache.geode.internal.cache.GemFireCacheImpl.create(GemFireCacheImpl.java:783) at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:178) at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:218) at org.apache.geode.distributed.internal.InternalLocator.startCache(InternalLocator.java:767) at org.apache.geode.distributed.internal.InternalLocator.startDistributedSystem(InternalLocator.java:752) at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:357) at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:315) at org.apache.geode.distributed.LocatorLauncher.start(LocatorLauncher.java:630) at org.apache.geode.distributed.LocatorLauncher.run(LocatorLauncher.java:532) at org.apache.geode.distributed.LocatorLauncher.main(LocatorLauncher.java:174) Thanks & Regards, Dharam This message is confidential and subject to terms at: http://www.jpmorgan.com/emaildisclaimer<http://www.jpmorgan.com/emaildisclaimer> including on confidentiality, legal privilege, viruses and monitoring of electronic messages. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited. This message is confidential and subject to terms at: http://www.jpmorgan.com/emaildisclaimer<http://www.jpmorgan.com/emaildisclaimer> including on confidentiality, legal privilege, viruses and monitoring of electronic messages. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited. This message is confidential and subject to terms at: http://www.jpmorgan.com/emaildisclaimer<http://www.jpmorgan.com/emaildisclaimer> including on confidentiality, legal privilege, viruses and monitoring of electronic messages. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited. This message is confidential and subject to terms at: http://www.jpmorgan.com/emaildisclaimer<http://www.jpmorgan.com/emaildisclaimer> including on confidentiality, legal privilege, viruses and monitoring of electronic messages. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited. -- Cheers Jinmei This message is confidential and subject to terms at: http://www.jpmorgan.com/emaildisclaimer<http://www.jpmorgan.com/emaildisclaimer> including on confidentiality, legal privilege, viruses and monitoring of electronic messages. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited. -- Cheers Jinmei -- -John john.blum10101 (skype) This message is confidential and subject to terms at: http://www.jpmorgan.com/emaildisclaimer including on confidentiality, legal privilege, viruses and monitoring of electronic messages. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited.
