jboss-dockerfiles / infinispan

Docker image for Infinispan project

Hotrod endpoint doesn't support SASL #137

Open ctron opened 5 years ago

ctron commented 5 years ago

Setting the username and password, and trying to log in with them using Hotrod, you get an error message that whatever SASL mech you define, it is not supported. And the only supported SASL mechs are [].

I think this is due to the fact that the hotrod connector is not configured to use SASL: https://infinispan.org/docs/stable/server_guide/server_guide.html#security_hotrod_auth

ryanemerson commented 5 years ago

@ctron Hi! Thanks for reporting this issue. There are no plans to add support for this in Infinispan 9.4.x, however we're currently rewriting our image offering for Infinispan 10 which is scheduled for release in October. SASL will definitely be supported in our images from 10.x on.

ctron commented 5 years ago

So what would be the alternative, not using SASL?

ryanemerson commented 5 years ago

You could provide your own Infinispan configuration via S2I: https://github.com/jboss-dockerfiles/infinispan/tree/master/server#source-to-image-s2i

ctron commented 5 years ago

> You could provide your own Infinispan configuration via S2I: https://github.com/jboss-dockerfiles/infinispan/tree/master/server#source-to-image-s2i

So are you saying that, using the default image, authentication is simply broken?

ryanemerson commented 5 years ago

@ctron In the default image, authentication is enabled by default for the rest endpoint but not the HotRod endpoint. As we're currently on the .11 patch release, I think it's too late in the lifecycle to change the default behaviour so drastically, as it will stop all existing hotrod users' client configuration from working when they upgrade to the next image release.

Authentication will work with HotRod if you provide your own configuration file.

This can be achieved by adding the following element to the hotrod endpoint in the /opt/jboss/infinispan-server/standalone/configuration/clustered.xml:

   <authentication security-realm="ApplicationRealm">
      <sasl server-name="myhotrodserver" mechanisms="DIGEST-MD5" qop="auth" />
   </authentication>

Please see https://infinispan.org/docs/stable/server_guide/server_guide.html#security_hotrod_auth for more details.
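
An added example, not part of the original comment or the project's code: a small audit that reports whether each Hot Rod connector in a server configuration carries the `authentication`/`sasl` element shown above, which can be re-run whenever a custom `clustered.xml` is re-synced with a newer image. The element name `hotrod-connector`, the namespace URI, the other attributes and both sample documents are assumptions constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample (assumed layout): REST authenticated, Hot Rod not,
# matching the default-image behaviour described in the thread.
DEFAULT_XML = """<server>
  <subsystem xmlns="urn:infinispan:server:endpoint:9.4">
    <hotrod-connector socket-binding="hotrod" cache-container="clustered"/>
    <rest-connector socket-binding="rest" cache-container="clustered">
      <authentication security-realm="ApplicationRealm" auth-method="BASIC"/>
    </rest-connector>
  </subsystem>
</server>"""

# Constructed sample: same file with the element from the comment added.
HARDENED_XML = DEFAULT_XML.replace(
    '<hotrod-connector socket-binding="hotrod" cache-container="clustered"/>',
    '<hotrod-connector socket-binding="hotrod" cache-container="clustered">'
    '<authentication security-realm="ApplicationRealm">'
    '<sasl server-name="myhotrodserver" mechanisms="DIGEST-MD5" qop="auth"/>'
    '</authentication></hotrod-connector>')

def local(el):
    """Tag name without its XML namespace, so any schema version matches."""
    return el.tag.rsplit("}", 1)[-1]

def child(el, name):
    return next((c for c in el if local(c) == name), None)

def audit_hotrod(xml_text):
    """Return one finding per Hot Rod connector: realm, SASL mechs, verdict."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el) != "hotrod-connector":
            continue
        auth = child(el, "authentication")
        sasl = child(auth, "sasl") if auth is not None else None
        realm = auth.get("security-realm") if auth is not None else None
        mechs = sasl.get("mechanisms", "").split() if sasl is not None else []
        findings.append({"socket_binding": el.get("socket-binding"),
                         "realm": realm, "mechanisms": mechs,
                         "authenticated": bool(realm and mechs)})
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEFAULT_XML
    results = audit_hotrod(text)
    for finding in results:
        print(finding)
    # Non-zero exit lets a build step fail on an unauthenticated connector.
    sys.exit(0 if results and all(f["authenticated"] for f in results) else 1)
```

An empty `mechanisms` list in the output corresponds to the symptom reported at the top of the thread, where the server advertises no SASL mechanisms.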

ctron commented 5 years ago

I am aware of being able to bring in my own configuration. However, that will also mean that, over time, I will need to sync this with newer versions manually vs being able to consume updates automatically.