Hi,
Thanks John for reference links! I gave a try using security-shiro-init
property in locator.properties.
But it's not able to find out Apache commons library even after giving all
classpath references.
Am I missing anything?
gfsh>start locator --name=locator1 --properties-file=locator1.properties
--classpath=/home/dharam/Downloads/apache-geode/locator1:lib
gfsh>start locator --name=locator1 --properties-file=locator1.properties
--classpath=/home/dharam/Downloads/apache-geode/locator1:./lib/*
Exception :
Starting a Geode Locator in /home/dharam/Downloads/apache-geode/locator1...
The Locator process terminated unexpectedly with exit status 1. Please refer to
the log file in /home/dharam/Downloads/apache-geode/locator1 for full details.
Jun 09, 2017 8:42:10 AM org.apache.geode.distributed.LocatorLauncher failOnStart
INFO: locator is exiting due to an exception
java.lang.NoClassDefFoundError: org/apache/commons/beanutils/PropertyUtil
at
org.apache.shiro.config.ReflectionBuilder.isTypedProperty(ReflectionBuilder.java:409)
at
org.apache.shiro.config.ReflectionBuilder.applyProperty(ReflectionBuilder.java:702)
at
org.apache.shiro.config.ReflectionBuilder.applySingleProperty(ReflectionBuilder.java:364)
at
org.apache.shiro.config.ReflectionBuilder.applyProperty(ReflectionBuilder.java:325)
at
org.apache.shiro.config.ReflectionBuilder$AssignmentStatement.doExecute(ReflectionBuilder.java:955)
at
org.apache.shiro.config.ReflectionBuilder$Statement.execute(ReflectionBuilder.java:887)
at
org.apache.shiro.config.ReflectionBuilder$BeanConfigurationProcessor.execute(ReflectionBuilder.java:765)
at
org.apache.shiro.config.ReflectionBuilder.buildObjects(ReflectionBuilder.java:260)
at
org.apache.shiro.config.IniSecurityManagerFactory.buildInstances(IniSecurityManagerFactory.java:167)
at
org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:130)
at
org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:108)
at
org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:94)
at
org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:46)
at
org.apache.shiro.config.IniFactorySupport.createInstance(IniFactorySupport.java:123)
at
org.apache.shiro.util.AbstractFactory.getInstance(AbstractFactory.java:47)
at
org.apache.geode.internal.security.IntegratedSecurityService.initSecurity(IntegratedSecurityService.java:322)
at
org.apache.geode.internal.cache.GemFireCacheImpl.initialize(GemFireCacheImpl.java:1208)
at
org.apache.geode.internal.cache.GemFireCacheImpl.basicCreate(GemFireCacheImpl.java:798)
at
org.apache.geode.internal.cache.GemFireCacheImpl.create(GemFireCacheImpl.java:783)
at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:178)
at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:218)
at
org.apache.geode.distributed.internal.InternalLocator.startCache(InternalLocator.java:767)
at
org.apache.geode.distributed.internal.InternalLocator.startDistributedSystem(InternalLocator.java:752)
at
org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:357)
at
org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:315)
at
org.apache.geode.distributed.LocatorLauncher.start(LocatorLauncher.java:630)
at
org.apache.geode.distributed.LocatorLauncher.run(LocatorLauncher.java:532)
at
org.apache.geode.distributed.LocatorLauncher.main(LocatorLauncher.java:174)
Caused by: java.lang.ClassNotFoundException:
org.apache.commons.beanutils.PropertyUtil at
java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
... 28 more
Exception in thread "main" java.lang.NoClassDefFoundError:
org/apache/commons/beanutils/PropertyUtil at
org.apache.shiro.config.ReflectionBuilder.isTypedProperty(ReflectionBuilder.java:409)
at
org.apache.shiro.config.ReflectionBuilder.applyProperty(ReflectionBuilder.java:702)
at
org.apache.shiro.config.ReflectionBuilder.applySingleProperty(ReflectionBuilder.java:364)
at
org.apache.shiro.config.ReflectionBuilder.applyProperty(ReflectionBuilder.java:325)
at
org.apache.shiro.config.ReflectionBuilder$AssignmentStatement.doExecute(ReflectionBuilder.java:955)
at
org.apache.shiro.config.ReflectionBuilder$Statement.execute(ReflectionBuilder.java:887)
at
org.apache.shiro.config.ReflectionBuilder$BeanConfigurationProcessor.execute(ReflectionBuilder.java:765)
at
org.apache.shiro.config.ReflectionBuilder.buildObjects(ReflectionBuilder.java:260)
at
org.apache.shiro.config.IniSecurityManagerFactory.buildInstances(IniSecurityManagerFactory.java:167)
at
org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:130)
at
org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:108)
at
org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:94)
at
org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:46)
at
org.apache.shiro.config.IniFactorySupport.createInstance(IniFactorySupport.java:123)
at
org.apache.shiro.util.AbstractFactory.getInstance(AbstractFactory.java:47)
at
org.apache.geode.internal.security.IntegratedSecurityService.initSecurity(IntegratedSecurityService.java:322)
at
org.apache.geode.internal.cache.GemFireCacheImpl.initialize(GemFireCacheImpl.java:1208)
at
org.apache.geode.internal.cache.GemFireCacheImpl.basicCreate(GemFireCacheImpl.java:798)
at
org.apache.geode.internal.cache.GemFireCacheImpl.create(GemFireCacheImpl.java:783)
at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:178)
at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:218)
at
org.apache.geode.distributed.internal.InternalLocator.startCache(InternalLocator.java:767)
at
org.apache.geode.distributed.internal.InternalLocator.startDistributedSystem(InternalLocator.java:752)
at
org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:357)
at
org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:315)
at
org.apache.geode.distributed.LocatorLauncher.start(LocatorLauncher.java:630)
at
org.apache.geode.distributed.LocatorLauncher.run(LocatorLauncher.java:532)
at
org.apache.geode.distributed.LocatorLauncher.main(LocatorLauncher.java:174)
Caused by: java.lang.ClassNotFoundException:
org.apache.commons.beanutils.PropertyUtil at
java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
... 28 more
Thanks,
- Dharam Thacker
Sent with BlackBerry Work (www.blackberry.com)
________________________________
From: John Blum <[email protected]>
Sent: Jun 8, 2017 10:55 PM
To: [email protected]
Subject: Re: FW: ExampleSecurityManager in Apache geode
Hi Dharam-
I admit, I have not actually used Apache Shiro to secure a Locator yet. I
cannot think of any reason off the top of my head why this would not work.
Apache Geode has a security property to specify an Apache Shiro INI file...
security-shiro-init
The support in Spring Data Geode makes this brain dead simple to do [1].
Most of the decision making about which Security Provider will be used in
Apache Geode's Integrated Security Framework is done here [2]. SDG is aware of
this, and using the Annotations, makes the appropriate decision based on the
configuration.
Also +1 to Udo's comment.
-John
[1]
https://github.com/spring-projects/spring-data-geode/blob/master/src/main/java/org/springframework/data/gemfire/config/annotation/EnableSecurity.java#L107-L113
[2]
https://github.com/apache/geode/blob/develop/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java#L286-L334
On Thu, Jun 8, 2017 at 10:12 AM, Udo Kohlmeyer
<[email protected]<mailto:[email protected]>> wrote:
In addition to this, Jinmei's #2 can be easily achieved using a KMIP like
HashiCorp Vault. https://www.vaultproject.io/
On 6/8/17 09:51, John Blum wrote:
Dharam-
... or use Apache Shiro, which provides tooling [1] to handle securing
credentials [2]. Shiro also handles encryption [3]. Although it is not well
spelled in the Apache Geode documentation [4], Apache Geode does integrate with
Apache Shiro for security as well.
As any FYI, in Spring Data Geode, I provided first-class support for Apache
Geode when using Apache Shiro. I blogged about this [5] (see section starting
with "Security!").
So, my recommendation, in addition to Jinmei's option #1 below, is to use
Apache Shiro over implementing your own Apache Geode SecurityManager interface.
Hope this helps!
-John
[1] https://shiro.apache.org/command-line-hasher.html
[2] https://shiro.apache.org/command-line-hasher.html#common-scenarios
[3] https://shiro.apache.org/cryptography-features.html
[4]
http://geode.apache.org/docs/guide/11/managing/security/chapter_overview.html
[5]
https://spring.io/blog/2016/11/10/spring-data-geode-1-0-0-incubating-release-released
On Thu, Jun 8, 2017 at 6:37 AM, Jinmei Liao
<[email protected]<mailto:[email protected]>> wrote:
SampleSecurityManager doesn't do encryption/decryption. It's meant only as an
example.
There are multiple ways to protect your password:
1) read-protect your security.json so that only a certain user can read it.
2) implement your own security-manager to decrypt the password using a secret
key. (but here again you will need to find a way to protect this key in your
corporation. In my opinion, it's simply changing the subject, but the problem
is still there).
We usually recommend the first approach, but in some situations, 2nd one might
be an option too.
On Thu, Jun 8, 2017 at 1:11 AM, Thacker, Dharam
<[email protected]<mailto:[email protected]>> wrote:
Hi Jinmei,
Is there any way to encrypt password in security.json file with Geode 1.1.1? I
tried below but it did not work for me,
"users": [
{
"name": "admin",
"password": "encrypted(0859A0F6C68B9785)",
"roles": ["ADMIN"]
…
},
Thanks & Regards,
Dharam
From: Thacker, Dharam
Sent: Wednesday, June 07, 2017 11:26 AM
To: '[email protected]<mailto:[email protected]>';
'[email protected]<mailto:[email protected]>'
Subject: RE: FW: ExampleSecurityManager in Apache geode
Thanks Jinmei for quick reply!
>> It did not work for me when I used [--classpath] and
>> [--security-properties-file] even though my classpath contains security.json
>> file [That’s strange]
start locator –name=locator2 --locators=localhost[10334],localhost[10335]
--security-properties-file=gfsecurity.properties
--classpath=C:\Users\GeodeWorkDir\locator2
FAILED
>> It worked for me when I used --J=-Dgemfire.security-username=admin
>> --J=-Dgemfire.security-password=admin [SUCCESS]
start locator –name=locator2 --locators=localhost[10334],localhost[10335]
--J=-Dgemfire.security-username=admin --J=-Dgemfire.security-password=admin
--classpath=C:\Users\GeodeWorkDir\locator2
SUCCESS
Thanks & Regards,
Dharam
From: Jinmei Liao [mailto:[email protected]]
Sent: Wednesday, June 07, 2017 11:12 AM
To: [email protected]<mailto:[email protected]>
Subject: Re: FW: ExampleSecurityManager in Apache geode
I tried using the SampleSecurityManager, and either one of the following
command to start the 2nd locator is working: (I executed these commands while
connected to the first locator, so I don't need to provide the --locators
option, it knows which locator to join)
1> start locator --name=locator2 --port=10335
--classpath=/Users/jiliao/my_geode/security
--security-properties-file=locator2.properties
// locator2.properties only contains "security-username" and
"security-password" properties.
2> start locator --name=locator2 --port=10335
--locators=jiliao-mbpro.lan[10334] --classpath=/Users/jiliao/my_geode/security/
--J=-Dgemfire.security-username=admin --J=-Dgemfire.security-password=admin
I suspect that the reason one of your commands did not work is because of the
locator2 can't find a security.json in its classpath, not because you did not
provide the username/password. One of the complication of using our
SampleSecurityManager is that it will need a security.json in it's classpath
which complicates the issue. We should have a simpler security manager in the
sample that's easier for users to experiment with.
On Tue, Jun 6, 2017 at 10:03 PM, Thacker, Dharam
<[email protected]<mailto:[email protected]>> wrote:
I am able to start server with –user and –password to join existing secure
locator. But I am not able to start another locator to join the existing secure
locator. Could someone guide me here?
start locator --name=locator1 --locators=localhost[10334],localhost[10335]
--properties-file=locator.properties --classpath=C:\Users\GeodeWorkDir\locator1
SUCCESS
start locator –name=locator2 --locators=localhost[10334],localhost[10335]
--properties-file=locator.properties --classpath=C:\Users\GeodeWorkDir\locator2
FAILED
start locator –name=locator2 --locators=localhost[10334],localhost[10335]
--security-properties-file=gfsecurity.properties [gfsecurity.properties
---- security-username=clusteruser security-password=****]
FAILED
start locator –name=locator2 --locators=localhost[10334],localhost[10335]
--security-properties-file=gfsecurity.properties
--classpath=C:\Users\GeodeWorkDir\locator2
FAILED
Jun 07, 2017 10:27:06 AM org.apache.geode.distributed.LocatorLauncher
failOnStart
INFO: locator is exiting due to an exception
org.apache.geode.security.AuthenticationRequiredException: Failed to find
credentials from [X.X.X.X(locator2:19416:locator)<ec>:1025]
at
org.apache.geode.distributed.internal.membership.gms.membership.GMSJoinLeave.attemptToJoin(GMSJoinLeave.java:424)
at
org.apache.geode.distributed.internal.membership.gms.membership.GMSJoinLeave.join(GMSJoinLeave.java:318)
at
org.apache.geode.distributed.internal.membership.gms.mgr.GMSMembershipManager.join(GMSMembershipManager.java:656)
at
org.apache.geode.distributed.internal.membership.gms.mgr.GMSMembershipManager.joinDistributedSystem(GMSMembershipManager.java:745)
at
org.apache.geode.distributed.internal.membership.gms.Services.start(Services.java:181)
Thanks & Regards,
Dharam
From: Thacker, Dharam
Sent: Tuesday, June 06, 2017 3:41 PM
To: [email protected]<mailto:[email protected]>
Cc: [email protected]<mailto:[email protected]>
Subject: RE: ExampleSecurityManager in Apache geode
Thank you Nilkanth!
Classpath worked!
start locator --name=locator1 --properties-file=locator.properties
--classpath=C:\Users\GeodeWorkDir\locator1
security-json file location:
C:\Users\GeodeWorkDir\locator1\security.json
Thanks & Regards,
Dharam
From: Nilkanth Patel [mailto:[email protected]]
Sent: Tuesday, June 06, 2017 3:35 PM
To: [email protected]<mailto:[email protected]>
Cc: [email protected]<mailto:[email protected]>
Subject: Re: ExampleSecurityManager in Apache geode
Dharam,
Try out something like bellow, "security.json" is kept into
/work/code/oss/geode/locator1 dir.
gfsh>start locator --name=/work/code/oss/geode/locator1
--security-properties-file=/work/code/oss/geode/locator1/locator.properties
--classpath=/work/code/oss/geode/locator1
Additional checks,
1. specify classpath while starting locator as shown in above command.
2. check the file permission for security.json.
Nilkanth.
On Tue, Jun 6, 2017 at 3:21 PM, Thacker, Dharam
<[email protected]<mailto:[email protected]>> wrote:
Hi Nilkanth,
Thanks for the reply! I tried below one but it’s still not taking security.json
file. Do you suggest anything different?
My Current Directory:
C:\Users\GeodeWorkDir
Locator Directory:
C:\Users\GeodeWorkDir\locator1
security-json file location [Tried both locations]:
C:\Users\GeodeWorkDir\locator1\security.json
C:\Users\GeodeWorkDir\security.json
Thanks & Regards,
Dharam
From: Nilkanth Patel
[mailto:[email protected]<mailto:[email protected]>]
Sent: Tuesday, June 06, 2017 3:07 PM
To: [email protected]<mailto:[email protected]>
Cc: [email protected]<mailto:[email protected]>
Subject: Re: ExampleSecurityManager in Apache geode
Dharam,
I believe following will be helpful to you.
IMO with the existing implementation, "security.json" file has to be kept in a
locator/server directory. In your case you need to be keep it in a locator
director (l1) and should work.
Hope this helps.
Nilkanth Patel.
On Tue, Jun 6, 2017 at 2:40 PM, Thacker, Dharam
<[email protected]<mailto:[email protected]>> wrote:
Hi Jinmei & Team,
I was going through “New Security In Apache Geode” video. I also tried to start
locator with ExampleSecurityManager and ExamplePostProcessor as shown below,
locator.proprties
mcast-port=0
security-manager=org.apache.ge<http://org.apache.ge>ode.examples.security.ExampleSecurityManager
security-post-processor=org.apache.geode.examples.security.ExamplePostProcessor
> dir
locator.properties
security.json
security-config.jar
My security-config.jar has following structure,
--- resources -> security.json
--- META-INF -> MANIFEST.MF
Could you guide me with below error?
gfsh>start locator --name=locator1 --properties-file=locator.properties
--classpath=C:\Users\GeodeWorkDir\security-config.jar
Starting a Geode Locator in C:\Users\GeodeWorkDir\locator1...
The Locator process terminated unexpectedly with exit status 1. Please refer to
the log file in C:\Users\GeodeWorkDir\locator1 for full details.
Jun 06, 2017 2:19:50 PM org.apache.geode.distributed.LocatorLauncher failOnStart
INFO: locator is exiting due to an exception
org.apache.geode.security.AuthenticationFailedException:
ExampleSecurityManager: unable to find json resource "security.json" as
specified by [security-json].
at
org.apache.geode.examples.security.ExampleSecurityManager.in<http://rity.ExampleSecurityManager.in>it(ExampleSecurityManager.java:132)
at
org.apache.geode.internal.security.IntegratedSecurityService.initSecurity(IntegratedSecurityService.java:332)
at
org.apache.geode.internal.cache.GemFireCacheImpl.initialize(GemFireCacheImpl.java:1208)
at
org.apache.geode.internal.cache.GemFireCacheImpl.basicCreate(GemFireCacheImpl.java:798)
at
org.apache.geode.internal.cache.GemFireCacheImpl.create(GemFireCacheImpl.java:783)
at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:178)
at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:218)
at
org.apache.geode.distributed.internal.InternalLocator.startCache(InternalLocator.java:767)
at
org.apache.geode.distributed.internal.InternalLocator.startDistributedSystem(InternalLocator.java:752)
at
org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:357)
at
org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:315)
at
org.apache.geode.distributed.LocatorLauncher.start(LocatorLauncher.java:630)
at
org.apache.geode.distributed.LocatorLauncher.run(LocatorLauncher.java:532)
at
org.apache.geode.distributed.LocatorLauncher.main(LocatorLauncher.java:174)
Exception in thread "main"
org.apache.geode.security.AuthenticationFailedException:
ExampleSecurityManager: unable to find json resource "security.json" as
specified by [security-json].
at
org.apache.geode.examples.security.ExampleSecurityManager.in<http://rity.ExampleSecurityManager.in>it(ExampleSecurityManager.java:132)
at
org.apache.geode.internal.security.IntegratedSecurityService.initSecurity(IntegratedSecurityService.java:332)
at
org.apache.geode.internal.cache.GemFireCacheImpl.initialize(GemFireCacheImpl.java:1208)
at
org.apache.geode.internal.cache.GemFireCacheImpl.basicCreate(GemFireCacheImpl.java:798)
at
org.apache.geode.internal.cache.GemFireCacheImpl.create(GemFireCacheImpl.java:783)
at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:178)
at org.apache.geode.cache.CacheFactory.create(CacheFactory.java:218)
at
org.apache.geode.distributed.internal.InternalLocator.startCache(InternalLocator.java:767)
at
org.apache.geode.distributed.internal.InternalLocator.startDistributedSystem(InternalLocator.java:752)
at
org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:357)
at
org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:315)
at
org.apache.geode.distributed.LocatorLauncher.start(LocatorLauncher.java:630)
at
org.apache.geode.distributed.LocatorLauncher.run(LocatorLauncher.java:532)
at
org.apache.geode.distributed.LocatorLauncher.main(LocatorLauncher.java:174)
Thanks & Regards,
Dharam
This message is confidential and subject to terms at:
http://www.jpmorgan.com/emaildisclaimer<http://www.jpmorgan.com/emaildisclaimer>
including on confidentiality, legal privilege, viruses and monitoring of
electronic messages. If you are not the intended recipient, please delete this
message and notify the sender immediately. Any unauthorized use is strictly
prohibited.
This message is confidential and subject to terms at:
http://www.jpmorgan.com/emaildisclaimer<http://www.jpmorgan.com/emaildisclaimer>
including on confidentiality, legal privilege, viruses and monitoring of
electronic messages. If you are not the intended recipient, please delete this
message and notify the sender immediately. Any unauthorized use is strictly
prohibited.
This message is confidential and subject to terms at:
http://www.jpmorgan.com/emaildisclaimer<http://www.jpmorgan.com/emaildisclaimer>
including on confidentiality, legal privilege, viruses and monitoring of
electronic messages. If you are not the intended recipient, please delete this
message and notify the sender immediately. Any unauthorized use is strictly
prohibited.
This message is confidential and subject to terms at:
http://www.jpmorgan.com/emaildisclaimer<http://www.jpmorgan.com/emaildisclaimer>
including on confidentiality, legal privilege, viruses and monitoring of
electronic messages. If you are not the intended recipient, please delete this
message and notify the sender immediately. Any unauthorized use is strictly
prohibited.
--
Cheers
Jinmei
This message is confidential and subject to terms at:
http://www.jpmorgan.com/emaildisclaimer<http://www.jpmorgan.com/emaildisclaimer>
including on confidentiality, legal privilege, viruses and monitoring of
electronic messages. If you are not the intended recipient, please delete this
message and notify the sender immediately. Any unauthorized use is strictly
prohibited.
--
Cheers
Jinmei
--
-John
john.blum10101 (skype)
--
-John
john.blum10101 (skype)
This message is confidential and subject to terms at:
http://www.jpmorgan.com/emaildisclaimer including on confidentiality, legal
privilege, viruses and monitoring of electronic messages. If you are not the
intended recipient, please delete this message and notify the sender
immediately. Any unauthorized use is strictly prohibited.
