Since Infinispan 5.3, HotRod has featured SSL/TLS support which, aside from encryption, also provides some form of authentication by optionally requiring client certificates. While this does indeed stop unauthorized clients from connecting to a remote cache, the level of access-control ends there. Now that we have full role-based authorization checks at the cache and container level, we want to be able to recognize users and map their roles accordingly.
As usual, we didn't want to reinvent the wheel, but leverage existing security frameworks and integrate them into our existing platform. For this reason, the protocol chosen to implement HotRod authentication is SASL, which is in widespread use in other connection-oriented transports (e.g. LDAP, Memached, etc).
Using SASL we can support the following authentication mechanisms out of the box (since they are part of the standard JDK/JRE):
- PLAIN where credentials are exchanged in clear-text (insecure, but easieast to setup)
- DIGEST-MD5 where credentials are hashed using server-provided nonces
- GSSAPI where clients can use Kerberos tokens
- EXTERNAL where the client-certificate identity of the underlying transport is used as the credentials
Since our preferred server distribution is based on a stripped-down WildFly server, we are essentially reusing the Security Realms of the container. This gives us the ability to validate users and to also retrieve group membership. against a number of sources (property files, LDAP, etc).
The following is an example server configuration which uses the ApplicationRealm to authenticate and authorize users. Since the <identity-role-mapper> is in use, role names will be mapped 1:1 from the realm into Infinispan roles.
The HotRod endpoint is using the SASL PLAIN mechanism. Note that two caches have been defined: the default cache, without authorization, and a secured cache, which instead requires authorization. This means that remote clients can access the default cache anonymously, but they will need to authenticate if they want to access the secured cache.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <server xmlns="urn:jboss:domain:2.1"> | |
| <management> | |
| <security-realms> | |
| <security-realm name="ApplicationRealm"> | |
| <authentication> | |
| <local default-user="$local" allowed-users="*" skip-group-loading="true"/> | |
| <properties path="application-users.properties" relative-to="jboss.server.config.dir"/> | |
| </authentication> | |
| <authorization> | |
| <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/> | |
| </authorization> | |
| </security-realm> | |
| </security-realms> | |
| </management> | |
| <profile> | |
| <subsystem xmlns="urn:infinispan:server:core:7.0" default-cache-container="local"> | |
| <cache-container name="local" default-cache="default"> | |
| <security> | |
| <authorization> | |
| <identity-role-mapper/> | |
| <role name="admin" permissions="ALL"/> | |
| <role name="reader" permissions="READ"/> | |
| <role name="writer" permissions="WRITE"/> | |
| <role name="supervisor" permissions="ALL_READ ALL_WRITE"/> | |
| </authorization> | |
| </security> | |
| <local-cache name="default" start="EAGER"> | |
| <locking acquire-timeout="30000" concurrency-level="1000" striping="false"/> | |
| </local-cache> | |
| <local-cache name="secured"> | |
| <security> | |
| <authorization roles="admin reader writer supervisor"/> | |
| </security> | |
| </local-cache> | |
| </cache-container> | |
| </subsystem> | |
| <subsystem xmlns="urn:infinispan:server:endpoint:7.0"> | |
| <hotrod-connector socket-binding="hotrod" cache-container="local"> | |
| <topology-state-transfer lock-timeout="1000" replication-timeout="5000"/> | |
| <authentication security-realm="ApplicationRealm"> | |
| <sasl server-name="localhost" mechanisms="PLAIN"/> | |
| </authentication> | |
| </hotrod-connector> | |
| </subsystem> | |
| </profile> | |
| </server> | |
The following bit of code explains how to use the HotRod Java client to connect to the secured cache defined above:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import java.util.Collections; | |
| import javax.security.sasl.Sasl; | |
| import org.infinispan.client.hotrod.RemoteCache; | |
| import org.infinispan.client.hotrod.RemoteCacheManager; | |
| import org.infinispan.client.hotrod.configuration.ConfigurationBuilder; | |
| public class AuthenticatedHotRodClient { | |
| public static void main(String[] args) { | |
| ConfigurationBuilder builder = new ConfigurationBuilder(); | |
| builder | |
| .connectionPool() | |
| .maxTotal(1) | |
| .security() | |
| .authentication() | |
| .enable() | |
| .serverName("localhost") | |
| .saslMechanism("PLAIN") | |
| .callbackHandler(new TestCallbackHandler("user", "ApplicationRealm", "qwer1234!".toCharArray())); | |
| RemoteCacheManager rcm = new RemoteCacheManager(builder.build()); | |
| RemoteCache<String, String> cache = rcm.getCache("secured"); | |
| cache.getVersion(); | |
| cache.put("key", "value"); | |
| cache.get(key); | |
| rcm.stop(); | |
| } | |
| public static class TestCallbackHandler implements CallbackHandler { | |
| final private String username; | |
| final private char[] password; | |
| final private String realm; | |
| public TestCallbackHandler(String username, String realm, char[] password) { | |
| this.username = username; | |
| this.password = password; | |
| this.realm = realm; | |
| } | |
| @Override | |
| public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { | |
| for (Callback callback : callbacks) { | |
| if (callback instanceof NameCallback) { | |
| NameCallback nameCallback = (NameCallback) callback; | |
| nameCallback.setName(username); | |
| } else if (callback instanceof PasswordCallback) { | |
| PasswordCallback passwordCallback = (PasswordCallback) callback; | |
| passwordCallback.setPassword(password); | |
| } else if (callback instanceof AuthorizeCallback) { | |
| AuthorizeCallback authorizeCallback = (AuthorizeCallback) callback; | |
| authorizeCallback.setAuthorized(authorizeCallback.getAuthenticationID().equals( | |
| authorizeCallback.getAuthorizationID())); | |
| } else if (callback instanceof RealmCallback) { | |
| RealmCallback realmCallback = (RealmCallback) callback; | |
| realmCallback.setText(realm); | |
| } else { | |
| throw new UnsupportedCallbackException(callback); | |
| } | |
| } | |
| } | |
| } | |
| } |
No comments:
Post a Comment