
Is there any plan to support Basic Authentication in OSS version

Open jestan opened this issue 8 years ago • 6 comments

It seems OSS version doesn't have even a simple basic username/password validation. https://snappydatainc.github.io/snappydata/security/security/

Is there any plan to support basic authentication using security manager similar to Apache Geode? https://geode.apache.org/docs/guide/12/managing/security/authentication_overview.html

jestan, Oct 18 '17 08:10

@jestan The Apache Geode mechanism was added in GemFire and is available in its raw form for cluster server/lead/locator connects. However, the client connections don't use that (the thrift/DRDA servers are separate from GemFire/Geode's client-server mechanism).

The more appropriate one is the BUILTIN mechanism of GemFireXD: https://gemfirexd.docs.pivotal.io/docs-gemfirexd/deploy_guide/Topics/security/define_users.html. This has been deliberately skipped from SnappyData (at least for now) because of inherent complications with it in cluster mode. Specifically, the need to read the database itself to verify credentials without having authenticated during cluster startup. So it requires the need for internal privilege escalation which is not safe for P2P connects but is just fine for client-server.

Again, this is still available in raw form but causes trouble (e.g. in hive meta-store connections where meta-store itself is in the same SnappyData cluster) like reported in #650. The additions to support authentication in enterprise, which include these fixes, carrying through security credentials to executor layer connections to data store, authentication in the UI etc., are only available in the enterprise distribution, and there is no plan as of yet to make it available in the OSS version. Without those changes, it will be very difficult to get any mechanism to work.

sumwale, Oct 23 '17 14:10

This is an important feature to be in the OSS version.

The ideal situation is to have mutual authentication certificates for the cluster and clients with the username per certificate. Perhaps role-based security. I'm not sure why this was removed.

Not sure how username + password would work.

fire, Jan 10 '18 06:01

Look for SSL configuration in the documentation and you should be able to configure mutual authentication. At some point, we will support basic auth (user/pass) for all users.

jramnara, Jan 10 '18 16:01

@fire Support for SSL in ODBC driver will be added soon but should work fine with JDBC or mutual P2P. The thrift API has provision to start both SSL and non-SSL servers on the same node so that both kinds of clients can continue to work which can be useful if the access is through an app server or something that segregates requests (protected vs open).

sumwale, Jan 22 '18 06:01

Is there progress on this issue for OSS?

What steps can I take to hasten this implementation?

fire, Mar 27 '18 02:03

As mentioned, SSL support is in JDBC driver but not in ODBC. There is no plan to add any other security mechanism to OSS.

sumwale, Mar 27 '18 07:03