On Jun 23, 2020, at 8:08 AM, Jakov Varenina <jakov.varen...@est.tech> wrote:
> We haven't gone far with the implementation of the solution described in the research paper. So it is great that you have found an alternative and better solution, but it seems that the attachment with the patch is missing from your mail.

Not sure what happened. I just pushed the branch to my fork so here is a link to the diff.

https://github.com/apache/geode/compare/develop...pivotal-jbarrett:wip/certificate-auth

> Could you please just clarify a bit more your opinion on this below?
>
> > On Jun 19, 2020, at 2:53 PM, Jacob Barrett <jabarr...@vmware.com> wrote:
> > ... Personally I would be inclined to leave RMI out of the solution initially. Second I would use this private variable to complete the support in OpenJDK..
>
> If I understood correctly and we leave RMI out of the solution, that would mean one of the following scenarios:
>
> 1) Geode would have to use the existing username/password authentication and authorization feature just for RMI connections, and the new kind of certificate auth for all other interfaces. This way the user will still have to handle usernames/passwords, which we want to get rid of, and this would also complicate the implementation of the SecurityManager interface a little bit more (the user would have to deal with both certificates and usernames/passwords).
>
> 2) If Geode doesn't use the username/password feature and the certificate based auth is enabled, then it will have to reject all RMI connections, since the clients initiating those RMI connections cannot be properly authenticated and authorized on the server side.

Yes, you would either support both username/password based auth for interactive user logins and certificate based for non-interactive application/service logins, or fail all RMI authentication, rendering gfsh/pulse over RMI ineffective.

At this point, given the ease of getting RMI working with the branch I shared, I think I would now be inclined to include RMI in the initial solution.

-Jake