1. Re: Doubts regarding authenticating clients.
nadirx Mar 7, 2016 9:20 AM (in response to udit-mishra-5113a21a)
If you have these questions you should be using LDAP.
2. Re: Doubts regarding authenticating clients.
udit-mishra-5113a21a Mar 7, 2016 9:42 AM (in response to nadirx)
Okay, I will try with LDAP as well. But, please answer my queries, so that I will have an idea at the least.
3. Re: Doubts regarding authenticating clients.
nadirx Mar 7, 2016 10:43 AM (in response to udit-mishra-5113a21a)
> I guess, I have to keep identical copies of application-user.properties and application-roles.properties in all the nodes. How would that work in a running cluster where I will keep on adding users. Do I have to manually copy the files on all nodes each time I add a user?
Yes, the properties files are only meant to quickly prototype authentication / authorization, but if you need to share credentials across a cluster you'd better use a directory service.
> Does it require a restart of the nodes?
No, it will re-read the properties files if they change.
> If multiple clients access the same cluster, assuming they'll have different distributed caches (let's say based on instance name), how can I ensure that one UserA of instanceA can access only cache entries of cache instanceA. Do I have to define unique role for each instance?
Yes, you will need one role per cache.
> Is there any way that even if I share the same role for different cache (let's say an Admin role with permission All), UserA should be able to access only cache instanceA? Even if that user accidentally tries to access cache instanceB, he should get an unauthorized access.
As I've answered above, this is not possible.
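The "one role per cache" setup described in the reply above, as an added configuration sketch that is not part of the original thread or the project's own files. The cache names, role names and user are assumptions, and the element names should be checked against the security chapter of the Infinispan user guide for the version in use.

```xml
<!-- Added illustration: fragment of a cache-container definition.
     Role names (instanceA-role, instanceB-role) and the user UserA are hypothetical. -->
<cache-container name="clustered" default-cache="instanceA">
    <security>
        <authorization>
            <!-- Each principal/group name of the authenticated user is taken
                 directly as a role name. -->
            <identity-role-mapper/>
            <!-- One role per cache. Both carry ALL, but each is only
                 referenced by its own cache below. -->
            <role name="instanceA-role" permissions="ALL"/>
            <role name="instanceB-role" permissions="ALL"/>
        </authorization>
    </security>

    <!-- Only principals holding instanceA-role may use this cache. -->
    <distributed-cache name="instanceA" mode="SYNC">
        <security>
            <authorization roles="instanceA-role"/>
        </security>
    </distributed-cache>

    <!-- UserA does not hold instanceB-role, so operations on this cache
         are rejected for UserA. -->
    <distributed-cache name="instanceB" mode="SYNC">
        <security>
            <authorization roles="instanceB-role"/>
        </security>
    </distributed-cache>

    <!-- Matching entry in application-roles.properties (user=roles):
             UserA=instanceA-role
         A single shared role listed on both caches, such as one Admin role
         with ALL, would let UserA reach instanceA and instanceB alike, which
         is why the isolation has to come from distinct roles. -->
</cache-container>
```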
4. Re: Doubts regarding authenticating clients.
udit-mishra-5113a21a Mar 8, 2016 12:58 AM (in response to nadirx)
Agreed. One more thing I would like to know is where I can find the details about the permissions attribute of the ROLE tag. I read one of your blog posts (Infinispan Security #3: HotRod authentication | Planet JBoss Developer) in which you explained the authentication for hotrod clients. I used only ALL and it worked with retrieving and storing keys.
Are there only 4 possible values, i.e. ALL, READ, WRITE & ALL_READ_ALL_WRITE, for roles?
READ and WRITE seem trivial, ALL I assume is both, but what is this ALL_READ_ALL_WRITE?
5. Re: Doubts regarding authenticating clients.
nadirx Mar 9, 2016 5:25 AM (in response to udit-mishra-5113a21a)
Instead of reading just the blog, you should look at the full documentation where the permissions and the affected methods are clearly described: http://infinispan.org/docs/8.2.x/user_guide/user_guide.html#_embedded_permissions
6. Re: Doubts regarding authenticating clients.
udit-mishra-5113a21a Mar 9, 2016 5:49 AM (in response to nadirx)
Thanks for the reference, now it's clear.