Open ctron opened 5 years ago
@ctron Hi! Thanks for reporting this issue. There are no plans to add support for this in Infinispan 9.4.x, however we're currently rewriting our image offering for Infinispan 10 which is scheduled for release in October. SASL will definitely be supported in our images from 10.x on.
So what would be the alternative, not using SASL?
You could provide your own Infinispan configuration via S2I: https://github.com/jboss-dockerfiles/infinispan/tree/master/server#source-to-image-s2i
So are you saying that, using the default image, authentication is simply broken?
@ctron In the default image, authentication is enabled by default for the rest endpoint but not the HotRod endpoint. As we're currently on the .11 patch release, I think it's too late in the lifecycle to change the default behaviour so drastically as it will stop all existing hotrod users' client configuration from working when they upgrade to the next image release.
Authentication will work with HotRod if you provide your own configuration file.
This can be achieved by adding the following element to the hotrod endpoint in the /opt/jboss/infinispan-server/standalone/configuration/clustered.xml:
<authentication security-realm="ApplicationRealm">
    <sasl server-name="myhotrodserver" mechanisms="DIGEST-MD5" qop="auth" />
</authentication>
Please see https://infinispan.org/docs/stable/server_guide/server_guide.html#security_hotrod_auth for more details.
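Added example, not part of the thread and not Infinispan project code: a small Python check that reports which endpoint connectors in a server configuration have no `<authentication>` element, or a Hot Rod connector with no SASL mechanisms. The connector element names (`hotrod-connector`, `rest-connector`), the namespace and the sample XML are assumptions constructed for illustration; only the `<authentication>`/`<sasl>` element comes from the comment above.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the image's real clustered.xml. The connector element
# names and namespace are assumptions; <authentication> and <sasl> are the
# elements quoted in the comment above.
HOTROD_BARE = '<hotrod-connector socket-binding="hotrod"/>'
HOTROD_SASL = """<hotrod-connector socket-binding="hotrod">
    <authentication security-realm="ApplicationRealm">
      <sasl server-name="myhotrodserver" mechanisms="DIGEST-MD5" qop="auth"/>
    </authentication>
  </hotrod-connector>"""
SAMPLE_DEFAULT = f"""<subsystem xmlns="urn:example:endpoint">
  {HOTROD_BARE}
  <rest-connector socket-binding="rest">
    <authentication security-realm="ApplicationRealm"/>
  </rest-connector>
</subsystem>"""
SAMPLE_FIXED = SAMPLE_DEFAULT.replace(HOTROD_BARE, HOTROD_SASL)

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def child(elem, name):
    # First direct child with the given local name, or None.
    return next((c for c in elem if local(c.tag) == name), None)

def audit(xml_text):
    """Map each *-connector to its security realm and SASL mechanism list."""
    report = {}
    for elem in ET.fromstring(xml_text).iter():
        if not local(elem.tag).endswith("-connector"):
            continue
        auth = child(elem, "authentication")
        sasl = child(auth, "sasl") if auth is not None else None
        report[local(elem.tag)] = {
            "realm": None if auth is None else auth.get("security-realm"),
            "mechanisms": [] if sasl is None else sasl.get("mechanisms", "").split(),
        }
    return report

def unauthenticated(xml_text):
    """Connectors with no realm, or a Hot Rod connector offering no SASL mechs."""
    return sorted(
        name for name, info in audit(xml_text).items()
        if info["realm"] is None
        or (name == "hotrod-connector" and not info["mechanisms"])
    )

if __name__ == "__main__":
    print(unauthenticated(SAMPLE_DEFAULT), unauthenticated(SAMPLE_FIXED))
```

Run against a real file by passing its contents to `unauthenticated()`; an empty list means every connector found has a security realm and the Hot Rod connector advertises at least one SASL mechanism.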
I am aware of being able to bring in my own configuration. However, that will also mean that, over time, I will need to sync this with newer versions manually vs being able to consume updates automatically.
Setting the username and password, and trying to log in with them using Hotrod, you get an error message that whatever SASL mech you define, it is not supported. And the only supported SASL mechs are []. I think this is due to the fact that the hotrod connector is not configured to use SASL: https://infinispan.org/docs/stable/server_guide/server_guide.html#security_hotrod_auth