As developers, it's always easy for us to "forget" about documentation and tutorials, and let them get out of date. And this is exactly what happened with our clustered cache tutorial.
Even though we kept updating the tutorial to use the latest configuration style, the core of the tutorial was still assuming that state transfer was disabled by default - something that we changed back in Infinispan 5.0.0.Final.
This was causing a bit of confusion, so I'm happy to report that I've updated the tutorial and I've removed all traces of the ClusterValidation class. Now the tutorial allows you to start as many nodes as you want, and it also shows how a joining node receives data from the existing members during startup.
Friday 11 April 2014
Infinispan Security #1: Authorization
Dear all, with the release of 7.0.0.Alpha3, Infinispan has finally gained the ability to perform Access Control (aka Authorization) on CacheManagers and Caches. This is the first stepping-stone towards the full-fledged security work that will be completed during the 7.0 cycle.
Infinispan authorization is built around the standard security features available in a JDK near you, such as JAAS and the SecurityManager. Here's a worked example.
or programmatically:
You don't have to use the default implementation that comes with the JDK, but if you do you need to supply an appropriate policy file. The Infinispan distribution comes with an example policy file which illustrates the permissions required by some of Infinispan's JAR files. Integrate these permissions with the ones required by your application.
While Infinispan's authorization can work without a SecurityManager for the basic cache operations (put, get, etc), some more complex tasks (distexec, map/reduce, query) will fail without one.
Let's look at cache containers (aka CacheManagers) first:
Each cache container determines the following:
As you can see you can choose to use only a subset of the roles defined at the container level.
Before you can start using a secured cache, you need to get yourself a javax.security.auth.Subject.
It is then the duty of the mapper to look through the principals associated with the Subject and convert them into roles suitable for matching those you have defined at the container level.
Once you have a Subject, you interact with the Cache within the context of a PrivilegedAction as follows:
Obviously if you're lucky enough to use Java 8, you can use the following, more concise, lambda-enabled code:
For more details consult the Security chapter in the Infinispan documentation and the org.infinispan.security JavaDocs.
Stay tuned for the next parts in the Infinispan security saga !
Infinispan authorization is built around the standard security features available in a JDK near you, such as JAAS and the SecurityManager. Here's a worked example.
Running within a SecurityManager
In order for Infinispan to be able to enforce access restrictions, you should enable the SecurityManager in your JVM. This can be done from the command-line:java -Djava.security.manager ...
or programmatically:
System.setSecurityManager(new SecurityManager());
You don't have to use the default implementation that comes with the JDK, but if you do you need to supply an appropriate policy file. The Infinispan distribution comes with an example policy file which illustrates the permissions required by some of Infinispan's JAR files. Integrate these permissions with the ones required by your application.
While Infinispan's authorization can work without a SecurityManager for the basic cache operations (put, get, etc), some more complex tasks (distexec, map/reduce, query) will fail without one.
Configuring Infinispan for authorization
Authorization in Infinispan is configured at two levels: at the cache container and at the single cache.Let's look at cache containers (aka CacheManagers) first:
Each cache container determines the following:
- whether to use authorization, via the enabled attribute.
- a class which will map the user's principals to a set of roles
- a set of named roles and the permissions they represent
As you can see you can choose to use only a subset of the roles defined at the container level.
Before you can start using a secured cache, you need to get yourself a javax.security.auth.Subject.
Obtaining a Subject
Infinispan is not fussy about how you obtain a JAAS Subject: you may use your container's features, or a third-party library (such as JBoss PicketBox or Apache Shiro). The important thing is that your Subject should be populated with a set of Principals which represent the user and the groups it belongs to in your security domain (e.g. LDAP, Active Directory, etc).It is then the duty of the mapper to look through the principals associated with the Subject and convert them into roles suitable for matching those you have defined at the container level.
Once you have a Subject, you interact with the Cache within the context of a PrivilegedAction as follows:
Obviously if you're lucky enough to use Java 8, you can use the following, more concise, lambda-enabled code:
For more details consult the Security chapter in the Infinispan documentation and the org.infinispan.security JavaDocs.
Stay tuned for the next parts in the Infinispan security saga !
Infinispan 7.0.0.Alpha3 is out!
Hi,
The Alpha3 release of Infinispan 7.0.0 is now available.
Highlights:
If you have any questions please check our forums, our mailing lists or ping us directly on IRC.
Cheers,
Mircea
The Alpha3 release of Infinispan 7.0.0 is now available.
Highlights:
- authorization at both CacheManager and Cache levels
- some important enhancements for Map/Reduce's usability, like the ability to use an intermediate cache during Map/Reduce execution and for storing the final results of the Map/Reduce tasks
- a much welcomed revamp of the Infinispan embedded configuration which has been aligned to with the server
If you have any questions please check our forums, our mailing lists or ping us directly on IRC.
Cheers,
Mircea