Hi Dharam-

I admit, I have not actually used Apache Shiro to secure a Locator yet. I cannot think of any reason off the top of my head why this would not work.

Apache Geode has a security property to specify an Apache Shiro INI file... security-shiro-init. The support in *Spring Data Geode* makes this brain dead simple to do [1]. Most of the decision making about which Security Provider will be used in Apache Geode's Integrated Security Framework is done here [2]. SDG is aware of this, and using the Annotations, makes the appropriate decision based on the configuration.

Also +1 to *Udo's* comment.

-John

[1] https://github.com/spring-projects/spring-data-geode/blob/master/src/main/java/org/springframework/data/gemfire/config/annotation/EnableSecurity.java#L107-L113
[2] https://github.com/apache/geode/blob/develop/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java#L286-L334

On Thu, Jun 8, 2017 at 10:12 AM, Udo Kohlmeyer <[email protected]> wrote:

> In addition to this, Jinmei's #2 can be easily achieved using a KMIP like HashiCorp Vault. https://www.vaultproject.io/
>
> On 6/8/17 09:51, John Blum wrote:
>
> Dharam-
>
> ... or use *Apache Shiro*, which provides tooling [1] to handle securing credentials [2]. Shiro also handles encryption [3]. Although it is not well spelled out in the Apache Geode documentation [4], Apache Geode does integrate with Apache Shiro for security as well.
>
> As an FYI, in *Spring Data Geode*, I provided first-class support for Apache Geode when using Apache Shiro. I blogged about this [5] (see section starting with "Security!").
>
> So, my recommendation, in addition to Jinmei's option #1 below, is to use Apache Shiro over implementing your own Apache Geode SecurityManager interface.
>
> Hope this helps!
>
> -John
>
> [1] https://shiro.apache.org/command-line-hasher.html
> [2] https://shiro.apache.org/command-line-hasher.html#common-scenarios
> [3] https://shiro.apache.org/cryptography-features.html
> [4] http://geode.apache.org/docs/guide/11/managing/security/chapter_overview.html
> [5] https://spring.io/blog/2016/11/10/spring-data-geode-1-0-0-incubating-release-released
>
> On Thu, Jun 8, 2017 at 6:37 AM, Jinmei Liao <[email protected]> wrote:
>
>> SampleSecurityManager doesn't do encryption/decryption. It's meant only as an example.
>>
>> There are multiple ways to protect your password:
>> 1) read-protect your security.json so that only a certain user can read it.
>> 2) implement your own security-manager to decrypt the password using a secret key. (but here again you will need to find a way to protect this key in your corporation. In my opinion, it's simply changing the subject, but the problem is still there).
>>
>> We usually recommend the first approach, but in some situations, the 2nd one might be an option too.
>>
>> On Thu, Jun 8, 2017 at 1:11 AM, Thacker, Dharam <[email protected]> wrote:
>>
>>> Hi Jinmei,
>>>
>>> Is there any way to encrypt the password in the security.json file with Geode 1.1.1? I tried the below but it did not work for me,
>>>
>>> "users": [
>>>   {
>>>     "name": "admin",
>>>     "password": "encrypted(0859A0F6C68B9785)",
>>>     "roles": ["ADMIN"]
>>>     …
>>>   },
>>>
>>> Thanks & Regards,
>>> Dharam
>>>
>>> *From:* Thacker, Dharam
>>> *Sent:* Wednesday, June 07, 2017 11:26 AM
>>> *To:* '[email protected]'; '[email protected]'
>>> *Subject:* RE: FW: ExampleSecurityManager in Apache geode
>>>
>>> Thanks Jinmei for the quick reply!
>>>
>>> >> It did not work for me when I used [*--classpath*] and [*--security-properties-file*] *even though my classpath contains the security.json file* [*That's strange*]
>>>
>>> start locator --name=locator2 --locators=localhost[10334],localhost[10335] --security-properties-file=gfsecurity.properties --classpath=C:\Users\GeodeWorkDir\locator2
>>>
>>> FAILED
>>>
>>> >> It worked for me when I used --J=-Dgemfire.security-username=admin --J=-Dgemfire.security-password=admin [*SUCCESS*]
>>>
>>> start locator --name=locator2 --locators=localhost[10334],localhost[10335] --J=-Dgemfire.security-username=admin --J=-Dgemfire.security-password=admin --classpath=C:\Users\GeodeWorkDir\locator2
>>>
>>> SUCCESS
>>>
>>> Thanks & Regards,
>>> Dharam
>>>
>>> *From:* Jinmei Liao [mailto:[email protected]]
>>> *Sent:* Wednesday, June 07, 2017 11:12 AM
>>> *To:* [email protected]
>>> *Subject:* Re: FW: ExampleSecurityManager in Apache geode
>>>
>>> I tried using the SampleSecurityManager, and either one of the following commands to start the 2nd locator is working: (I executed these commands while connected to the first locator, so I don't need to provide the --locators option, it knows which locator to join)
>>>
>>> 1> start locator --name=locator2 --port=10335 --classpath=/Users/jiliao/my_geode/security --security-properties-file=locator2.properties
>>>
>>> // locator2.properties only contains "security-username" and "security-password" properties.
>>>
>>> 2> start locator --name=locator2 --port=10335 --locators=jiliao-mbpro.lan[10334] --classpath=/Users/jiliao/my_geode/security/ --J=-Dgemfire.security-username=admin --J=-Dgemfire.security-password=admin
>>>
>>> I suspect that the reason one of your commands did not work is because locator2 can't find a security.json in its classpath, not because you did not provide the username/password. One of the complications of using our SampleSecurityManager is that it will need a security.json in its classpath, which complicates the issue. We should have a simpler security manager in the sample that's easier for users to experiment with.
>>>
>>> On Tue, Jun 6, 2017 at 10:03 PM, Thacker, Dharam <[email protected]> wrote:
>>>
>>> I am able to start a server with --user and --password to join the existing secure locator. But I am not able to start another locator to join the existing secure locator. Could someone guide me here?
>>>
>>> start locator --name=locator1 --locators=localhost[10334],localhost[10335] --properties-file=locator.properties --classpath=C:\Users\GeodeWorkDir\locator1
>>>
>>> SUCCESS
>>>
>>> start locator --name=locator2 --locators=localhost[10334],localhost[10335] --properties-file=locator.properties --classpath=C:\Users\GeodeWorkDir\locator2
>>>
>>> FAILED
>>>
>>> start locator --name=locator2 --locators=localhost[10334],localhost[10335] --security-properties-file=gfsecurity.properties
>>> [gfsecurity.properties ---- security-username=clusteruser security-password=****]
>>>
>>> FAILED
>>>
>>> start locator --name=locator2 --locators=localhost[10334],localhost[10335] --security-properties-file=gfsecurity.properties --classpath=C:\Users\GeodeWorkDir\locator2
>>>
>>> FAILED
>>>
>>> Jun 07, 2017 10:27:06 AM org.apache.geode.distributed.LocatorLauncher failOnStart
>>> INFO: locator is exiting due to an exception
>>>
>>> org.apache.geode.security.AuthenticationRequiredException: Failed to find credentials from [X.X.X.X(locator2:19416:locator)<ec>:1025]
>>>     at org.apache.geode.distributed.internal.membership.gms.membership.GMSJoinLeave.attemptToJoin(GMSJoinLeave.java:424)
>>>     at org.apache.geode.distributed.internal.membership.gms.membership.GMSJoinLeave.join(GMSJoinLeave.java:318)
>>>     at org.apache.geode.distributed.internal.membership.gms.mgr.GMSMembershipManager.join(GMSMembershipManager.java:656)
>>>     at org.apache.geode.distributed.internal.membership.gms.mgr.GMSMembershipManager.joinDistributedSystem(GMSMembershipManager.java:745)
>>>     at org.apache.geode.distributed.internal.membership.gms.Services.start(Services.java:181)
>>>
>>> Thanks & Regards,
>>> Dharam
>>>
>>> *From:* Thacker, Dharam
>>> *Sent:* Tuesday, June 06, 2017 3:41 PM
>>> *To:* [email protected]
>>> *Cc:* [email protected]
>>> *Subject:* RE: ExampleSecurityManager in Apache geode
>>>
>>> Thank you Nilkanth!
>>>
>>> Classpath worked!
>>>
>>> start locator --name=locator1 --properties-file=locator.properties --classpath=C:\Users\GeodeWorkDir\locator1
>>>
>>> *security-json file location:*
>>> C:\Users\GeodeWorkDir\locator1\security.json
>>>
>>> Thanks & Regards,
>>> Dharam
>>>
>>> *From:* Nilkanth Patel [mailto:[email protected]]
>>> *Sent:* Tuesday, June 06, 2017 3:35 PM
>>> *To:* [email protected]
>>> *Cc:* [email protected]
>>> *Subject:* Re: ExampleSecurityManager in Apache geode
>>>
>>> Dharam,
>>>
>>> Try out something like below, "security.json" is kept in the /work/code/oss/geode/locator1 dir.
>>>
>>> gfsh>start locator --name=/work/code/oss/geode/locator1 --security-properties-file=/work/code/oss/geode/locator1/locator.properties --classpath=/work/code/oss/geode/locator1
>>>
>>> Additional checks,
>>> 1. specify the classpath while starting the locator as shown in the above command.
>>> 2. check the file permission for security.json.
>>>
>>> Nilkanth.
>>>
>>> On Tue, Jun 6, 2017 at 3:21 PM, Thacker, Dharam <[email protected]> wrote:
>>>
>>> Hi Nilkanth,
>>>
>>> Thanks for the reply! I tried the below one but it's still not taking the security.json file. Do you suggest anything different?
>>>
>>> *My Current Directory:*
>>> C:\Users\GeodeWorkDir
>>>
>>> *Locator Directory:*
>>> C:\Users\GeodeWorkDir\locator1
>>>
>>> *security-json file location [Tried both locations]:*
>>> C:\Users\GeodeWorkDir\locator1\security.json
>>> C:\Users\GeodeWorkDir\security.json
>>>
>>> Thanks & Regards,
>>> Dharam
>>>
>>> *From:* Nilkanth Patel [mailto:[email protected]]
>>> *Sent:* Tuesday, June 06, 2017 3:07 PM
>>> *To:* [email protected]
>>> *Cc:* [email protected]
>>> *Subject:* Re: ExampleSecurityManager in Apache geode
>>>
>>> Dharam,
>>>
>>> I believe the following will be helpful to you.
>>>
>>> IMO with the existing implementation, the "security.json" file has to be kept in a locator/server directory. In your case you need to keep it in a locator directory (l1) and it should work.
>>>
>>> Hope this helps.
>>>
>>> Nilkanth Patel.
>>>
>>> On Tue, Jun 6, 2017 at 2:40 PM, Thacker, Dharam <[email protected]> wrote:
>>>
>>> Hi Jinmei & Team,
>>>
>>> I was going through the "New Security In Apache Geode" video. I also tried to start a locator with ExampleSecurityManager and ExamplePostProcessor as shown below,
>>>
>>> *locator.properties*
>>>
>>> mcast-port=0
>>> security-manager=org.apache.geode.examples.security.ExampleSecurityManager
>>> security-post-processor=org.apache.geode.examples.security.ExamplePostProcessor
>>>
>>> > dir
>>> locator.properties
>>> security.json
>>> security-config.jar
>>>
>>> My security-config.jar has the following structure,
>>> --- resources -> security.json
>>> --- META-INF -> MANIFEST.MF
>>>
>>> Could you guide me with the below error?
>>>
>>> gfsh>start locator --name=locator1 --properties-file=locator.properties --classpath=C:\Users\GeodeWorkDir\security-config.jar
>>> Starting a Geode Locator in C:\Users\GeodeWorkDir\locator1...
>>> The Locator process terminated unexpectedly with exit status 1. Please refer to the log file in C:\Users\GeodeWorkDir\locator1 for full details.
>>>
>>> Jun 06, 2017 2:19:50 PM org.apache.geode.distributed.LocatorLauncher failOnStart
>>> INFO: locator is exiting due to an exception
>>> org.apache.geode.security.AuthenticationFailedException: ExampleSecurityManager: unable to find json resource "security.json" as specified by [security-json].
>>>     at org.apache.geode.examples.security.ExampleSecurityManager.init(ExampleSecurityManager.java:132)
>>>     at org.apache.geode.internal.security.IntegratedSecurityService.initSecurity(IntegratedSecurityService.java:332)
>>>     at org.apache.geode.internal.cache.GemFireCacheImpl.initialize(GemFireCacheImpl.java:1208)
>>>     at org.apache.geode.internal.cache.GemFireCacheImpl.basicCreate(GemFireCacheImpl.java:798)
>>>     at org.apache.geode.internal.cache.GemFireCacheImpl.create(GemFireCacheImpl.java:783)
>>>     at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:178)
>>>     at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:218)
>>>     at org.apache.geode.distributed.internal.InternalLocator.startCache(InternalLocator.java:767)
>>>     at org.apache.geode.distributed.internal.InternalLocator.startDistributedSystem(InternalLocator.java:752)
>>>     at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:357)
>>>     at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:315)
>>>     at org.apache.geode.distributed.LocatorLauncher.start(LocatorLauncher.java:630)
>>>     at org.apache.geode.distributed.LocatorLauncher.run(LocatorLauncher.java:532)
>>>     at org.apache.geode.distributed.LocatorLauncher.main(LocatorLauncher.java:174)
>>>
>>> Exception in thread "main" org.apache.geode.security.AuthenticationFailedException: ExampleSecurityManager: unable to find json resource "security.json" as specified by [security-json].
>>>     at org.apache.geode.examples.security.ExampleSecurityManager.init(ExampleSecurityManager.java:132)
>>>     at org.apache.geode.internal.security.IntegratedSecurityService.initSecurity(IntegratedSecurityService.java:332)
>>>     at org.apache.geode.internal.cache.GemFireCacheImpl.initialize(GemFireCacheImpl.java:1208)
>>>     at org.apache.geode.internal.cache.GemFireCacheImpl.basicCreate(GemFireCacheImpl.java:798)
>>>     at org.apache.geode.internal.cache.GemFireCacheImpl.create(GemFireCacheImpl.java:783)
>>>     at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:178)
>>>     at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:218)
>>>     at org.apache.geode.distributed.internal.InternalLocator.startCache(InternalLocator.java:767)
>>>     at org.apache.geode.distributed.internal.InternalLocator.startDistributedSystem(InternalLocator.java:752)
>>>     at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:357)
>>>     at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:315)
>>>     at org.apache.geode.distributed.LocatorLauncher.start(LocatorLauncher.java:630)
>>>     at org.apache.geode.distributed.LocatorLauncher.run(LocatorLauncher.java:532)
>>>     at org.apache.geode.distributed.LocatorLauncher.main(LocatorLauncher.java:174)
>>>
>>> Thanks & Regards,
>>> Dharam
>>>
>>> This message is confidential and subject to terms at: http://www.jpmorgan.com/emaildisclaimer including on confidentiality, legal
>>> privilege, viruses and monitoring of electronic messages. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited.
>>>
>>> --
>>> Cheers
>>>
>>> Jinmei
>>
>> --
>> Cheers
>>
>> Jinmei
>
> --
> -John
> john.blum10101 (skype)

--
-John
john.blum10101 (skype)
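Jinmei's option #2 above (a custom security-manager that decrypts the stored password) only moves the secret into a decryption key. A member that merely has to verify a password does not need to recover it, so the credential store can hold a salted PBKDF2 hash instead, which removes the key-management problem entirely. The class below is an added example written for this page; it is not Apache Geode's ExampleSecurityManager and not code from anyone in the thread. The class name, the "security-users" property and the name:role:base64(salt):base64(hash) record format are assumptions made for the example; SecurityManager, ResourcePermission and AuthenticationFailedException are Geode's public API, the property names security-username and security-password are the ones the thread passes with -Dgemfire.*, and everything else is the JDK.

```java
// Added example, not Apache Geode code. Assumed: this class, the "security-users"
// property and the name:role:base64(salt):base64(hash) record format. SecurityManager,
// ResourcePermission and AuthenticationFailedException are Geode's public API.
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.SecurityManager;

public class HashedPasswordSecurityManager implements SecurityManager {

  private static final String USERS_PROPERTY = "security-users"; // assumed name, not a Geode property
  private static final int ITERATIONS = 100_000;
  private static final int KEY_BITS = 256;
  private static final SecureRandom RNG = new SecureRandom();

  /** One credential record: role plus PBKDF2 salt and hash. No password is stored. */
  private static final class UserRecord {
    final String role; final byte[] salt; final byte[] hash;
    UserRecord(String role, byte[] salt, byte[] hash) { this.role = role; this.salt = salt; this.hash = hash; }
  }

  private final Map<String, UserRecord> users = new HashMap<>();
  // Unknown users are checked against this decoy so they cost the same PBKDF2 work as real ones.
  private final UserRecord decoy = new UserRecord("NONE", newSalt(), new byte[KEY_BITS / 8]);

  /** Loads records of the form name:role:base64(salt):base64(hash), one per line. */
  @Override
  public void init(Properties securityProps) {
    String records = securityProps.getProperty(USERS_PROPERTY);
    if (records == null) throw new IllegalArgumentException(USERS_PROPERTY + " is required");
    Base64.Decoder b64 = Base64.getDecoder();
    for (String line : records.split("\\R")) {
      if (line.trim().isEmpty()) continue;
      String[] f = line.trim().split(":");
      if (f.length != 4) throw new IllegalArgumentException("bad record: " + line);
      users.put(f[0], new UserRecord(f[1], b64.decode(f[2]), b64.decode(f[3])));
    }
  }

  /** Geode hands over security-username / security-password, the same names used with -Dgemfire.* above. */
  @Override
  public Object authenticate(Properties credentials) throws AuthenticationFailedException {
    String name = credentials.getProperty("security-username");
    String password = credentials.getProperty("security-password");
    if (name == null || password == null) throw new AuthenticationFailedException("missing credentials");
    UserRecord rec = users.getOrDefault(name, decoy);
    byte[] candidate = pbkdf2(password.toCharArray(), rec.salt);
    // MessageDigest.isEqual is constant-time; the decoy check keeps an unknown user from ever passing.
    if (rec == decoy || !MessageDigest.isEqual(candidate, rec.hash)) {
      throw new AuthenticationFailedException("bad user or password for " + name);
    }
    return name; // principal passed back to authorize()
  }

  /** ADMIN may do anything; READER only DATA:READ; any other role or unknown principal is denied. */
  @Override
  public boolean authorize(Object principal, ResourcePermission permission) {
    UserRecord rec = users.get(String.valueOf(principal));
    if (rec == null) return false;
    switch (rec.role) {
      case "ADMIN": return true;
      case "READER": return permission.getResource() == ResourcePermission.Resource.DATA
          && permission.getOperation() == ResourcePermission.Operation.READ;
      default: return false;
    }
  }

  @Override
  public void close() { users.clear(); }

  static byte[] pbkdf2(char[] password, byte[] salt) {
    try {
      return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
          .generateSecret(new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS)).getEncoded();
    } catch (GeneralSecurityException e) {
      throw new IllegalStateException(e);
    }
  }

  static byte[] newSalt() { byte[] s = new byte[16]; RNG.nextBytes(s); return s; }

  /** Builds one record line offline, so the properties file never holds the password itself. */
  public static String record(String name, String role, String password) {
    byte[] salt = newSalt();
    Base64.Encoder b64 = Base64.getEncoder();
    return name + ":" + role + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(pbkdf2(password.toCharArray(), salt));
  }

  public static void main(String[] args) throws Exception {
    Properties props = new Properties(); // constructed sample users for the demonstration only
    props.setProperty(USERS_PROPERTY, record("admin", "ADMIN", "s3cret") + "\n" + record("bob", "READER", "hunter2"));
    HashedPasswordSecurityManager sm = new HashedPasswordSecurityManager();
    sm.init(props);
    Properties creds = new Properties();
    creds.setProperty("security-username", "bob");
    creds.setProperty("security-password", "hunter2");
    Object who = sm.authenticate(creds);
    System.out.println(who + " DATA:READ -> " + sm.authorize(who,
        new ResourcePermission(ResourcePermission.Resource.DATA, ResourcePermission.Operation.READ)));
    System.out.println(who + " CLUSTER:MANAGE -> " + sm.authorize(who,
        new ResourcePermission(ResourcePermission.Resource.CLUSTER, ResourcePermission.Operation.MANAGE)));
    creds.setProperty("security-password", "wrong");
    try { sm.authenticate(creds); } catch (AuthenticationFailedException e) { System.out.println("rejected: " + e.getMessage()); }
  }
}
```

To use it, generate each record line with record() on a workstation, put the lines in the "security-users" property of the file given to --security-properties-file, and set security-manager to this class; because the records are read from a property rather than a classpath resource, the security.json classpath problems discussed above do not arise. Two caveats remain: the client still sends the plaintext password in the credential Properties, so this only replaces the reversible secret in the file and the connection itself still needs TLS, and Jinmei's option #1 (restrict read access to the properties file) still applies, since the hash file is what an offline guessing attack would target.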
