New Security Framework in Apache Geode
Download as PPTX, PDF1 like823 views
The document discusses Apache Geode, a data management platform that provides tools for managing clusters and data, including authentication and authorization processes. It describes the implementation of a security manager for user authentication and permission mapping, along with the use of Apache Shiro for enhanced security features. Finally, it outlines the future of Geode security, including custom realms and various authentication methods.
New Security Framework in Apache Geode
- 1. Geode Security Before and After
- 2. Apache Geode Apache Geode is a data management platform. It provides you tools to manage your cluster and your data: Cluster management: start/stop locator/server, shutdown, alter runtime… Cluster read/write: describe member, config, regions, alter log level... Data management: create/destroy region, indexes, disk stores, create functions... Data read/write: put/get data entries, querying…. Various ways for you to interact with your cluster/data: Java client, native client
- 3. Geode Security Authentication Resolve identity, represented as a principal Authorization Resolve roles and permissions Post Processing Resolve final value presented back to user
- 4. Geode Security - Before Java Client JMX Client Gfsh Pulse Locator Server Server Server Native Client Credentials(TCP) Peer Auth RESTful Client Client-Auth Not Secured (HTTP) Client-Accessor Properties needed: Security-peer-auth-init Security-peer-authenticator Security-client-auth-init Security-client-authenticator Security-client-accessor Jmx-manager-password-file jmx-manager-access-file
- 5. Security Manager Security Manager Security Manager Geode Security - 1.0 Java Client JMX Client Gfsh Pulse Locator Server Server Native Client Credentials(TCP) RESTful Client Properties needed: security-manager
- 6. SecurityManager Implement a single interface to secure your Geode cluster. public class SimpleSecurityManager implements SecurityManager { @Override public void init(Properties securityProps) {} // authenticated if username matches password public Object authenticate(Properties credentials) throws AuthenticationFailedException { String username = credentials.getProperty("security-username"); String password = credentials.getProperty("security-password"); If (username!=null && username.equals(password)) { return username; } throw new AuthenticationFailedException("invalid username/password"); } // authorized if username is the beginning part of the permission string public boolean authorize(Object principal, ResourcePermission permission) { String permissionString = permission.toString().replace(":","").toLowerCase(); String principle = principal.toString().toLowerCase(); return permissionString.startsWith(principle); } @Override public void close() {} }
- 7. Defined by your implementation of SecurityManager authorize(principal, permission) Defined by Geode Security Users, Permissions and Operations Permission Permission Permission Permission Permission Operation Operation Operation Operation Operation Operation Operation Operation Operation has requires
- 8. ResourcePermission It’s the key to unify authorization across different communication channels. It contains at most 4 parts: Resource: DATA, CLUSTER Operation: READ, WRITE, MANAGE Region (only for data): region name Key (only for data): key value Each operation, no matter where it originates, has a corresponding ResourcePermission: Start server: CLUSTER:MANAGE
- 9. Roles ● Your SecurityManager needs to define User ->Permission mapping. ● By definition, there would be 2 x 3 x #of regions x #of keys permission permutations. Can’t possibly grant them individually. ● ResourcePermission(resource:operation:region:key) has this implication system built in: ○ A --> A:B --> A:B:C --> A:B:C:D ○ E.g. data -> data:manage -> data:manage:regionA -> data:manage:regionA:key1 ○ * means “all”, and can be put in any of the four parts. ● It’s easier to assign roles to the user and have roles implies specific
- 10. Post Processor An add-on feature to authentication/authorization Any region data returned back to clients as a result of user operation will pass through this post processor first Any form of getting region value in the client, gfsh command or rest service Query results, continued query results. Data in the registered interest events Configured by security-post-processor property Method to be implemented (showing SamplePostProcessor): public Object processRegionValue(Object principal, String regionName, Object key, Object value) {
- 11. Demo
- 12. Geode How it’s Done Shiro Security Engine Custom Realm SecurityManager Client PeerJMX Rest Pulse Credentials In the authenticators: 1. Authenticate credentials. 2. Puts the logged-in subject in the current executing thread. Anywhere In Geode: 1. Get the subject out of the executing thread. 2. Check the required permission
- 13. Apache Shiro Apache Shiro is a Java security framework that performs authentication, authorization, cryptography, and session management. Easy to Use API Subject based, saved in ThreadLocal, you can retrieve it anywhere in your code. Single method call to authenticate/authorize currentUser.login(username, password) currentUser.checkPermission(permission) Powerful: Pluggable data source, called Realms to manage your users.
- 14. GEODE Security In Geode’s Future Shiro Security Engine LDAP Realm Custom Realm SecurityManager shiro.ini AD Realm JDBC Realm TextConfig Realm Client PeerJMX Rest Pulse Your own Realm
Editor's Notes
- #3: What is region, in memory, key value pair (Apache con)
- #5: Just showing a typical Geode topology to illustrate the security framework (pre 9.0) Pulse’s underlying communication to Geode is still over JMX, so still secured by jmx-manager-* settings, but no restrictions on page views Each of those colored components is different implementation. Too much setup, too many implementations and un-unified implementation leads to data leak.
- #6: Currently credentials are sent in as security-username and security-password for all interfaces. RESTful OAuth is after 1.0
- #7: Authenticate method returns the principal used in the authorize method.
- #8: Roles are used to group permissions for easier management
- #9: This ResourcePermission is passed to your implementation of SecurityManager for authorization
- #11: Note regionName or key could be null when the system is calling this method, because in some situations we can’t determine those values, like when we return a big resultset
- #12: Start locator with security Login using wrong password Login using user Start server with locators (demo peer to peer authentication/authorization) (server 1 with sufficient privilage, server2 with insufficient privilage) Create region Put data Get data Demo permission is specific enough to allow granular control.
- #13: Lesson learned Threading, annotations
- #14: Geode’s ResourcePermission extends from Shiro’s WildCardPermission