This a basic example of the GemFire security manager for an authentication and authorization system.
VMware GemFire is an in-memory data grid that provides real-time, consistent access to data-intensive applications throughout widely distributed cloud architectures. Starting with GemFire 9.0.0, the SecurityManager interface was introduced to manage the authentication and authorization mechanisms in a single place, simplifying the implementation and interactions with all components in a consistent manner.
In this example you will go through a very basic implementation of a custom security manager implementation for an authentication and authorization system.
It’s important to note that I am not a security expert. The purpose of this article is to introduce the GemFire SecurityManager.
This example is not meant for use in a production environment.
To secure a GemFire cluster, the user needs to deploy a custom implementation of the SecurityManager interface, so that the authentication logic is entirely encapsulated within the implementation itself.
This example focuses on a basic authentication and authorization example, with the goal of understanding how the SecurityManager works on the server and how to connect a Java application to the cluster.
In this example, you will
BasicSecurityManager implementation that uses the SecurityManager authenticate and authorize methodsBasicSecurityManager security managerPUTS and GETS data into a region
If you have previously worked through the Authentication example, you will need to delete your server and locator directories, before beginning this example
GemFire offers multiple layers of access to a GemFire cluster, which are defined by the GemFire resource permissions In this example, we’ll create two users:
An Operator user that can manage the GemFire cluster but has no data access.
An Application Developer who can access the GemFire cluster but cannot manage the GemFire cluster, such as deleting the cluster. This user can manage the data in the cluster.
To keep things simple, you will be creating two USERs in the init method of the BasicSecurityManager. You will have hard-coded the username and password, which does not represent best practices.
The USER class looks like this:
import java.io.Serializable;
import java.util.List;
import org.apache.geode.security.ResourcePermission;
public class User implements Serializable {
List<ResourcePermission> userPermissions;
String userName;
String userPassword;
public User(String userName, String userPassword, List<ResourcePermission> userPermissions) {
this.userName = userName;
this.userPassword = userPassword;
this.userPermissions = userPermissions;
}
public String getUserPassword() {
return userPassword;
}
@Override
public String toString() {
return userName;
}
public List<ResourcePermission> getPermissions() {
return this.userPermissions;
}
public boolean hasPermission(ResourcePermission resourcePermissionRequested) {
boolean hasPermission = false;
for (ResourcePermission userPermission : userPermissions) {
if (userPermission.implies(resourcePermissionRequested)) {
hasPermission = true;
break;
}
}
return hasPermission;
}
}
It’s crucial that you implement the Serializable interface, as this allows GemFire to deserialize the class when checking the client username.
Now, in your BasicSecurityManager you can:
CLUSTER MANAGE, CLUSTER WRITE, and CLUSTER READ permissions. Set the username to “operator” and the password to “secret”CLUSTER READ, DATA MANAGE, DATA WRITE, DATA READ. Set the username to “appDeveloper” and the password to “NotSoSecret”.import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Properties;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.SecurityManager;
public class BasicSecurityManager implements SecurityManager {
private HashMap<String, User> approvedUsersList = new HashMap<>();
@Override
public void init(final Properties securityProperties) {
List<ResourcePermission> operatorPermissions = new ArrayList<>();
operatorPermissions.add(new ResourcePermission(ResourcePermission.Resource.CLUSTER,
ResourcePermission.Operation.MANAGE));
operatorPermissions.add(new ResourcePermission(ResourcePermission.Resource.CLUSTER,
ResourcePermission.Operation.WRITE));
operatorPermissions.add(new Resou rcePermission(ResourcePermission.Resource.CLUSTER,
ResourcePermission.Operation.READ));
User operator = new User("operator", "secret", operatorPermissions);
List<ResourcePermission> appDevPermissions = new ArrayList<>();
appDevPermissions.add(new ResourcePermission(ResourcePermission.Resource.CLUSTER,
ResourcePermission.Operation.READ));
appDevPermissions.add(new ResourcePermission(ResourcePermission.Resource.DATA,
ResourcePermission.Operation.MANAGE));
appDevPermissions.add(new ResourcePermission(ResourcePermission.Resource.DATA,
ResourcePermission.Operation.WRITE));
appDevPermissions.add(new ResourcePermission(ResourcePermission.Resource.DATA,
ResourcePermission.Operation.READ));
User appDeveloper = new User("appDeveloper", "NotSoSecret", appDevPermissions);
this.approvedUsersList.put("operator", operator);
this.approvedUsersList.put("appDeveloper", appDeveloper);
}
}
Now that you have an approved users list created, you need to implement the authentication and authorization methods.
In the authenticate method, check the credentials passed into the BasicSecurityManager from the client against those in the approvedUsers list. If the credentials match, instead of returning a Boolean of true and allowing all authenticated users full access to the system, the method returns a USER object, authenticatedUser. This is the object that will be passed into the authorize method when the client application performs an operation.
public class BasicSecurityManager implements SecurityManager {
private HashMap<String, User> approvedUsersList = new HashMap<>();
@Override
public void init(final Properties securityProperties) {...}
@Override
public Object authenticate(Properties credentials) throws AuthenticationFailedException {
String usernamePassedIn = credentials.getProperty(USER_NAME);
String passwordPassedIn = credentials.getProperty(PASSWORD);
User authenticatedUser = this.approvedUsersList.get(usernamePassedIn);
if (authenticatedUser == null) {
throw new AuthenticationFailedException("Wrong username/password");
}
if (authenticatedUser != null && !authenticatedUser.getUserPassword().equals(passwordPassedIn)
&& !"".equals(authenticatedUser)) {
throw new AuthenticationFailedException("Wrong username/password");
}
return authenticatedUser;
}
}
The object returned from the authenticate method above (the authenticatedUser object from above) is passed into the authorize method as the Object principal. This object is used to authorize the action the client is attempting to perform. The resourcePermissionRequested (the action the client wants to perform) is compared with the Users given permissions. If the user is allowed to perform the requested action, then the method returns true, otherwise the method returns false and the action is denied.
public class BasicSecurityManager implements SecurityManager {
private HashMap<String, User> approvedUsersList = new HashMap<>();
@Override
public void init(final Properties securityProperties) {...}
@Override
public Object authenticate(Properties credentials) throws AuthenticationFailedException {...}
@Override
public boolean authorize(Object principal, ResourcePermission resourcePermissionRequested) {
if (principal == null) {
return false;
}
User user = this.approvedUsersList.get(principal.toString());
if (user == null) {
return false;
}
for (ResourcePermission userPermission : user.getPermissions()) {
if (userPermission.implies(resourcePermissionRequested)) {
return true;
}
}
return false;
}
}
You are now ready to use the BasicSecurityManager with a GemFire cluster!
Now that you have your BasicSecurityManager implementation, you need to include it when starting the GemFire cluster.
Build the .jar file for the BasicSecurityManager created above. Note the directory and file path that the jar file is created in; it will be used in Step 3.
Start GemFire’s shell (gfsh) by running the gfsh command in a console / terminal.
Start a locator and include the path to the jar file and class name of the BasicSecurityManager. The start locator command will look something like this:
start locator --name=locator1 --J=-Dgemfire.securitymanager=BasicSecurityManager --classpath=[path to your jar file]/BasicSecurityManager-1.0-SNAPSHOT.jar
--J=-Dgemfire.securitymanager=BasicSecurityManager - Defines the package and class for your security manager and allows GemFire to find the class when starting up.--classpath=[path to your jar file]/BasicSecurityManager-1.0-SNAPSHOT.jar - Defines the path to the jar file that GemFire should use as the security manager.Once the locator has started, you will see an output similar to this:
Starting a Geode Locator in [path to where GemFire was started] /locator1...
.........
Locator in [path to where GemFire was started]/locator1 on [ip address] [10334] as locator1 is currently online.
Process ID: 75033
Uptime: 11 seconds
Geode Version: 1.15.0-build.0
Java Version: 1.8.0_292
...
Unable to auto-connect (Security Manager may be enabled). Please use "connect --locator=[ip address] [10334] --user --password" to connect Gfsh to the locator.
Authentication required to connect to the Manager.
There’s a problem though. The locator started, but it says that it was unable to connect.
Once the security manager is included to start the cluster, it is immediately used to authenticate the user. To continue you must now connect to the cluster (in gfsh) as the Operator as defined in the BasicSecurityManager class above. This is the only role we created that has the authorization to manage the cluster.
In gfsh, the command would look similar to the following:
connect --locator= [IP Address that GemFire is running on] [10334] --user=operator --password=secret
You should now be connected to the locator. Next, you will start a server. This will be very similar to starting the locator. In gfsh, use the start server command, which will include the path to the same BasicSecurityManager .jar file used when starting the locator.
start server --name=server1 --locators=localhost[10334] --classpath=[path to your security manager]/BasicSecurityManager-1.0-SNAPSHOT.jar --user=operator --password=secret
--name= parameter to be unique for each server.Good work! You now have a GemFire cluster running with your BasicSecurityManager!
Before you create the client application, you need to create a region on the GemFire cluster for the app to interact with.
In the gfsh terminal, run the following command to create a region called helloWorld. This will create a partitioned region in your GemFire cluster that you can PUT and GET data from.
create region --name=helloWorld --type=PARTITION
Something went wrong!
Unauthorized. Reason : operator not authorized for DATA:MANAGE
This is because you are still connected to the cluster as the Operator, who does not have permission to create regions. To create the region, you must disconnect as the Operator and connect as the appDevloper.
Enter the following into your gfsh terminal:
gfsh: disconnect
gfsh: connect –-user=appDevleoper –-password=NotSoSecret
Once connected, run the create region command again.
Great! You now have a region you can interact with from a client application.
There are three important steps to connect a client application to the GemFire cluster.
AuthInitialize interface. This class is used by GemFire to provide the credentials to the clustersecurity username and security-passwordsecurity-client-auth-init property, which indicates to GemFire the class that implements the AuthInitialize interface.In this example you will be setting the security-username and security-password in the class that implements the AuthInitialize interface. In your company, these credentials might come from an external source, such as a credentials database, ActiveDirectory, or some other external system. The goal for this article is to keep things as simple as possible to help get a basic understanding of how the security manager works, so you will be hard-coding them into the application.
First create our class that implements the AuthInitialize interface.
import java.util.Properties;
import org.apache.geode.distributed.DistributedMember;
import org.apache.geode.security.AuthInitialize;
import org.apache.geode.security.AuthenticationFailedException;
public class UserPasswordAuthInit implements AuthInitialize {
@Override
public Properties getCredentials(Properties properties, DistributedMember distributedMember, boolean isPeer) throws AuthenticationFailedException {
properties.setProperty("security-username", "appDeveloper");
properties.setProperty("security-password", "NotSoSecret");
return properties;
}
}
This basic class sets two properties (security-username & security-password) that match the credentials declared for the appDeveloper user in the BasicSecurityManager class.
Next, set the security-client-auth-init property in the Main class and pass it to the ClientCacheFactory.
import java.util.Properties;
import org.apache.geode.cache.Region;
import org.apache.geode.cache.client.ClientCache;
import org.apache.geode.cache.client.ClientCacheFactory;
import org.apache.geode.cache.client.ClientRegionShortcut;
public class Main {
public static void main (String[] args) {
Properties properties = new Properties();
properties.setProperty("security-client-auth-init", UserPasswordAuthInit.class.getName());
ClientCache cache = new ClientCacheFactory(properties).addPoolLocator("localhost", 10334).create();
Region<String, String>
helloWorldRegion =
cache.<String, String>createClientRegionFactory(ClientRegionShortcut.PROXY).create("helloWorld");
helloWorldRegion.put("1", "HelloWorldValue");
String value1 = helloWorldRegion.get("1");
System.out.println(value1);
cache.close();
}
}
Run the app and you should see an output in your console/terminal like the following:
ERROR StatusLogger Log4j2 could not find a logging implementation. Please add log4j-core to the classpath. Using SimpleLogger to log to the console...
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
HelloWorldValue
Process finished with exit code 0
It worked! It prints out the value “HelloWorldValue” you put in for key “1”. You can ignore the ERROR for the sake of this example. If your application includes an authentication error though, confirm you have the correct username and password in your AuthInitialize class.
If you were to remove the appDevelopers permission to WRITE to the GemFire cluster, you would get an error that looks similar to this
ERROR StatusLogger Log4j2 could not find a logging implementation. Please add log4j-core to the classpath. Using SimpleLogger to log to the console...
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
Exception in thread "main" org.apache.geode.cache.client.ServerOperationException: remote server on [your IP address]: org.apache.geode.security.NotAuthorizedException: appDeveloper not authorized for DATA:WRITE:helloWorld:1
at org.apache.geode.cache.client.internal.OpExecutorImpl.handleException(OpExecutorImpl.java:554)
at org.apache.geode.cache.client.internal.OpExecutorImpl.handleException(OpExecutorImpl.java:615)
at org.apache.geode.cache.client.internal.OpExecutorImpl.handleException(OpExecutorImpl.java:501)
at org.apache.geode.cache.client.internal.OpExecutorImpl.execute(OpExecutorImpl.java:142)
at org.apache.geode.cache.client.internal.OpExecutorImpl.execute(OpExecutorImpl.java:108)
at org.apache.geode.cache.client.internal.PoolImpl.execute(PoolImpl.java:776)
at org.apache.geode.cache.client.internal.PutOp.execute(PutOp.java:91)
at org.apache.geode.cache.client.internal.ServerRegionProxy.put(ServerRegionProxy.java:159)
at org.apache.geode.internal.cache.LocalRegion.serverPut(LocalRegion.java:3048)
at org.apache.geode.internal.cache.LocalRegion.cacheWriteBeforePut(LocalRegion.java:3165)
at org.apache.geode.internal.cache.ProxyRegionMap.basicPut(ProxyRegionMap.java:238)
at org.apache.geode.internal.cache.LocalRegion.virtualPut(LocalRegion.java:5613)
at org.apache.geode.internal.cache.LocalRegion.virtualPut(LocalRegion.java:5591)
at org.apache.geode.internal.cache.LocalRegionDataView.putEntry(LocalRegionDataView.java:156)
at org.apache.geode.internal.cache.LocalRegion.basicPut(LocalRegion.java:5049)
at org.apache.geode.internal.cache.LocalRegion.validatedPut(LocalRegion.java:1648)
at org.apache.geode.internal.cache.LocalRegion.put(LocalRegion.java:1635)
at org.apache.geode.internal.cache.AbstractRegion.put(AbstractRegion.java:442)
at Main.main(Main.java:21)
Caused by: org.apache.geode.security.NotAuthorizedException: appDeveloper not authorized for DATA:WRITE:helloWorld:1
at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:292)
at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:275)
at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:269)
at org.apache.geode.internal.cache.tier.sockets.command.Put70.cmdExecute(Put70.java:246)
at org.apache.geode.internal.cache.tier.sockets.BaseCommand.execute(BaseCommand.java:187)
at org.apache.geode.internal.cache.tier.sockets.ServerConnection.doNormalMessage(ServerConnection.java:881)
at org.apache.geode.internal.cache.tier.sockets.ServerConnection.doOneMessage(ServerConnection.java:1070)
at org.apache.geode.internal.cache.tier.sockets.ServerConnection.run(ServerConnection.java:1344)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.geode.internal.cache.tier.sockets.AcceptorImpl.lambda$initializeServerConnectionThreadPool$3(AcceptorImpl.java:690)
at org.apache.geode.logging.internal.executors.LoggingThreadFactory.lambda$newThread$0(LoggingThreadFactory.java:120)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [DATA:WRITE:helloWorld:1]
at org.apache.shiro.authz.ModularRealmAuthorizer.checkPermission(ModularRealmAuthorizer.java:334)
at org.apache.shiro.mgt.AuthorizingSecurityManager.checkPermission(AuthorizingSecurityManager.java:141)
at org.apache.shiro.subject.support.DelegatingSubject.checkPermission(DelegatingSubject.java:214)
at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:288)
... 12 more
Process finished with exit code 1
You can see the error message points to an org.apache.geode.security.NotAuthorizedException: appDeveloper not authorized for DATA:WRITE:helloWorld:1, showing that the appDeveloper does not have the correct permissions to write to the cluster.
Working through this article, you learned how to:
SecurityManager implementation that can authenticate and authorizeSecurityManagerIn a future article will take a more in-depth look at how to implement a SecurityManager that interacts with a token-based authentication and authorization system, such as an OAuth2 or Kerberos server.