You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@geode.apache.org by GitBox <gi...@apache.org> on 2022/01/07 21:00:47 UTC

[GitHub] [geode] jmelchio opened a new pull request #7248: GEODE-9933: documentation for authorization expiry

jmelchio opened a new pull request #7248:
URL: https://github.com/apache/geode/pull/7248


   Describes the addition of throwing `AuthenticationExpiredException` in `SecurityManager.authorize` and `SecurityManager.authenticate` methods along with some additional information on token based authentication.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@geode.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [geode] jmelchio merged pull request #7248: GEODE-9933: documentation for authorization expiry

Posted by GitBox <gi...@apache.org>.

jmelchio merged pull request #7248:
URL: https://github.com/apache/geode/pull/7248


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@geode.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [geode] jmelchio removed a comment on pull request #7248: GEODE-9933: documentation for authorization expiry

Posted by GitBox <gi...@apache.org>.

jmelchio removed a comment on pull request #7248:
URL: https://github.com/apache/geode/pull/7248#issuecomment-1011442536


   > > @jinmeiliao I will update to add the information mentioned in the first point. I think the second point is covered in the updated docs, and I will update to clarify the thirst point.
   > 
   > I think we should dedicate a section for the re-auth feature, outline the process, when the feature is started (1.15.0), what's the behavior on older clients (also for older client, the CQ/register interest client will be disconnected if they have expired credentials ), and those I mentioned in my bullet 3 above.
   
   @jinmeiliao to clarify point three. I thought we do support multi-user client connections and expiry.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@geode.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [geode] davebarnes97 commented on a change in pull request #7248: GEODE-9933: documentation for authorization expiry

Posted by GitBox <gi...@apache.org>.

davebarnes97 commented on a change in pull request #7248:
URL: https://github.com/apache/geode/pull/7248#discussion_r787093298



##########
File path: geode-docs/managing/security/implementing_authentication_expiry.html.md.erb
##########
@@ -0,0 +1,55 @@
+---
+title:  Implementing Authentication Expiry
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+Authentication expiry makes it possible for cluster administrators to limit the life span of client
+and peer connections within the cluster. The use of expirable credentials is most common when used in
+combination with token based authentication and authorization.
+
+Client connections are notified of expiry through the throwing of an `AuthenticationExpiredException`
+which is thrown in the implementations of `SecurityManager.authenticate` or `SecurityManager.authorize`.
+
+Clients starting with version 1.15 will do one automatic attempt to reconnect. Upon receiving a
+second `AuthenticationExpiredException` the exception will be propagated up the chain for the user to
+handle.
+
+Clients older than version 1.15 will also be able to do an automatic reconnect unless the connection
+is one of the following types where the exception will always be propagated up the chain:

Review comment:
       @jmelchio Be sure to say "Geode 1.15", as this source file is consumed by other products whose versioning may differ.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@geode.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [geode] jinmeiliao commented on a change in pull request #7248: GEODE-9933: documentation for authorization expiry

Posted by GitBox <gi...@apache.org>.

jinmeiliao commented on a change in pull request #7248:
URL: https://github.com/apache/geode/pull/7248#discussion_r786983353



##########
File path: geode-docs/managing/security/implementing_authentication_expiry.html.md.erb
##########
@@ -0,0 +1,55 @@
+---
+title:  Implementing Authentication Expiry
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+Authentication expiry makes it possible for cluster administrators to limit the life span of client
+and peer connections within the cluster. The use of expirable credentials is most common when used in
+combination with token based authentication and authorization.
+
+Client connections are notified of expiry through the throwing of an `AuthenticationExpiredException`
+which is thrown in the implementations of `SecurityManager.authenticate` or `SecurityManager.authorize`.
+
+Clients starting with version 1.15 will do one automatic attempt to reconnect. Upon receiving a
+second `AuthenticationExpiredException` the exception will be propagated up the chain for the user to
+handle.
+
+Clients older than version 1.15 will also be able to do an automatic reconnect unless the connection
+is one of the following types where the exception will always be propagated up the chain:

Review comment:
       I think this is misleading. Older client with multi-user auth will still work in regular user operations like put/get etc. 
   
   Probably a diagram would explain this better
   ```
                          single user ops  |    single user CQ/RI  |  multi user ops  |  multi user CQ/RI
   1.15 and later                          |                       |                  |         X
   previous                                |             X         |                  |         X
   ```

##########
File path: geode-docs/managing/security/implementing_authentication_expiry.html.md.erb
##########
@@ -0,0 +1,55 @@
+---
+title:  Implementing Authentication Expiry
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+Authentication expiry makes it possible for cluster administrators to limit the life span of client
+and peer connections within the cluster. The use of expirable credentials is most common when used in
+combination with token based authentication and authorization.
+
+Client connections are notified of expiry through the throwing of an `AuthenticationExpiredException`
+which is thrown in the implementations of `SecurityManager.authenticate` or `SecurityManager.authorize`.
+
+Clients starting with version 1.15 will do one automatic attempt to reconnect. Upon receiving a
+second `AuthenticationExpiredException` the exception will be propagated up the chain for the user to
+handle.
+
+Clients older than version 1.15 will also be able to do an automatic reconnect unless the connection
+is one of the following types where the exception will always be propagated up the chain:
+
+* multi-user client mode
+* event-dispatching (CQ and registered interest)
+
+## <id="authentication_expiry_considerations"></a>Authentication Expiry Considerations
+
+The common cycle for authentication and authorization is the following:
+
+```pre
+AuthInitialize.getCredentials(...) -> SecurityManager.authenticate(...) -> SecurityManager.authorize(...)
+```
+
+Where `AuthInitialize.getCredentials()` provides the `security properties` for `SecurityManager.authenticate()` which
+in turn provides the `principal object` for `SecurityManager.authorize()`.
+
+In case of the use of an external token provider we assume that this token provider will be asked for

Review comment:
       Emphasize that there would be time gap between the call of `getCredential` and `authorize`




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@geode.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [geode] jinmeiliao commented on pull request #7248: GEODE-9933: documentation for authorization expiry

Posted by GitBox <gi...@apache.org>.

jinmeiliao commented on pull request #7248:
URL: https://github.com/apache/geode/pull/7248#issuecomment-1011243483


   > @jinmeiliao I will update to add the information mentioned in the first point. I think the second point is covered in the updated docs, and I will update to clarify the thirst point.
   
   I think we should dedicate a section for the re-auth feature, outline the process, when the feature is started (1.15.0), what's the behavior on older clients (also for older client, the CQ/register interest client will be disconnected if they have expired credentials ), and those I mentioned in my bullet 3 above.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@geode.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [geode] davebarnes97 commented on pull request #7248: GEODE-9933: documentation for authorization expiry

Posted by GitBox <gi...@apache.org>.

davebarnes97 commented on pull request #7248:
URL: https://github.com/apache/geode/pull/7248#issuecomment-1011247334


   > Thanks @davebarnes97, I've applied the patch file and pushed the commit.
   Thanks, @jmelchio - Looks like you'll be making more changes in response to @jinmeiliao's  review. I'll hold off on finishing my review until after those changes are in place.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@geode.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [geode] jmelchio commented on pull request #7248: GEODE-9933: documentation for authorization expiry

Posted by GitBox <gi...@apache.org>.

jmelchio commented on pull request #7248:
URL: https://github.com/apache/geode/pull/7248#issuecomment-1011442536


   > > @jinmeiliao I will update to add the information mentioned in the first point. I think the second point is covered in the updated docs, and I will update to clarify the thirst point.
   > 
   > I think we should dedicate a section for the re-auth feature, outline the process, when the feature is started (1.15.0), what's the behavior on older clients (also for older client, the CQ/register interest client will be disconnected if they have expired credentials ), and those I mentioned in my bullet 3 above.
   
   @jinmeiliao to clarify point three. I thought we do support multi-user client connections and expiry.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@geode.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [geode] davebarnes97 commented on pull request #7248: GEODE-9933: documentation for authorization expiry

Posted by GitBox <gi...@apache.org>.

davebarnes97 commented on pull request #7248:
URL: https://github.com/apache/geode/pull/7248#issuecomment-1013517338


   One more comment for the record:
   The retry behavior is a new feature in Geode v1.15, but much of the material relating to tokens was applicable in earlier Geode releases, and could be back-ported to earlier Geode docs after this PR is merged.
   I will undertake to create a JIRA ticket for that work after this PR is merged.
   Thanks, @jmelchio and @jinmeiliao, for your contributions to the docs!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@geode.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [geode] jinmeiliao commented on a change in pull request #7248: GEODE-9933: documentation for authorization expiry

Posted by GitBox <gi...@apache.org>.

jinmeiliao commented on a change in pull request #7248:
URL: https://github.com/apache/geode/pull/7248#discussion_r787222856



##########
File path: geode-docs/managing/security/implementing_authentication_expiry.html.md.erb
##########
@@ -0,0 +1,55 @@
+---
+title:  Implementing Authentication Expiry
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+Authentication expiry makes it possible for cluster administrators to limit the life span of client
+and peer connections within the cluster. The use of expirable credentials is most common when used in
+combination with token based authentication and authorization.
+
+Client connections are notified of expiry through the throwing of an `AuthenticationExpiredException`
+which is thrown in the implementations of `SecurityManager.authenticate` or `SecurityManager.authorize`.
+
+Clients starting with version 1.15 will do one automatic attempt to reconnect. Upon receiving a
+second `AuthenticationExpiredException` the exception will be propagated up the chain for the user to
+handle.
+
+Clients older than version 1.15 will also be able to do an automatic reconnect unless the connection
+is one of the following types where the exception will always be propagated up the chain:

Review comment:
       Oh, this table shows client version, did we mention anywhere in the doc that the re-authentication feature is only supported by **server** with Geode 1.15 and higher




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@geode.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [geode] jmelchio commented on a change in pull request #7248: GEODE-9933: documentation for authorization expiry

Posted by GitBox <gi...@apache.org>.

jmelchio commented on a change in pull request #7248:
URL: https://github.com/apache/geode/pull/7248#discussion_r787176962



##########
File path: geode-docs/managing/security/implementing_authentication_expiry.html.md.erb
##########
@@ -0,0 +1,55 @@
+---
+title:  Implementing Authentication Expiry
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+Authentication expiry makes it possible for cluster administrators to limit the life span of client
+and peer connections within the cluster. The use of expirable credentials is most common when used in
+combination with token based authentication and authorization.
+
+Client connections are notified of expiry through the throwing of an `AuthenticationExpiredException`
+which is thrown in the implementations of `SecurityManager.authenticate` or `SecurityManager.authorize`.
+
+Clients starting with version 1.15 will do one automatic attempt to reconnect. Upon receiving a
+second `AuthenticationExpiredException` the exception will be propagated up the chain for the user to
+handle.
+
+Clients older than version 1.15 will also be able to do an automatic reconnect unless the connection
+is one of the following types where the exception will always be propagated up the chain:

Review comment:
       @davebarnes97 updated the code




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@geode.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [geode] jmelchio commented on pull request #7248: GEODE-9933: documentation for authorization expiry

Posted by GitBox <gi...@apache.org>.

jmelchio commented on pull request #7248:
URL: https://github.com/apache/geode/pull/7248#issuecomment-1011133433


   > @jmelchio Thanks for your contribution to the user guide! I approve the two example files as-is. I request a few changes to the implementation files - I've attached a diff containing these changes. One change is mandatory in each file - please replace Geode with the product_name variable (see diff for syntax). A discretionary change in the implementing_authentication file would be my suggested re-phrasing (three occurrences) that emphasizes that the token is one alternative, and that the username/password combination is a second alternative. Your choice on this one - read it and see what you think. [GEODE-9933.DIFF.zip](https://github.com/apache/geode/files/7850178/GEODE-9933.DIFF.zip)
   
   Thanks @davebarnes97, I've applied the patch file and pushed the commit.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@geode.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [geode] jmelchio commented on pull request #7248: GEODE-9933: documentation for authorization expiry

Posted by GitBox <gi...@apache.org>.

jmelchio commented on pull request #7248:
URL: https://github.com/apache/geode/pull/7248#issuecomment-1011183342


   > We should somehow convey these to the readers:
   > 
   >     1. the `Properties` returned by the `getCredentials` call is passed directly to the `authenticate` call, and the subject returned by the `authenticate` call is passed directly to the `authorize`. So getCredentials() --> authenticate() --> authorize(). the output of the previous call is fed to the next.  The interface doesn't dictate what should be in the input/output.
   > 
   >     2. When a `AuthorizationExpiredException` is thrown anywhere in the calling chain, the client will try one more time to call `getCredentials` again and re-login automatically behind the scene, if the re-try failed, user will then see `AuthorizationExpiredException`. Bear in mind there is a time gap between `getCredentials` call on the client and `authorize` call on the server, so if client returns a credential that's gonna expire in the very near future, even the retry might fail.
   > 
   >     3. limitation of this auto-retry: currently only supported on client/server protocol, and is not supported in event-dispatching (cq  and registered interest) in multi-user client mode.
   
   @jinmeiliao I will update to add the information mentioned in the first point. I think the second point is covered in the updated docs, and I will update to clarify the thirst point.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@geode.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org