When running Infinispan 9.0.0.Final in a cloud env, the default security code enforcements are causing issues when trying to register a proto file.
The "___protobuf_metadata" cache cannot be written to remotely any more. This cache is accessed to add protofile descriptors to the server. The default configuration throws this error:
The code in CacheDecodeContext that enables this check does the following:
In order to have better out-of-the-box experience in cloud but still be secured, the following should be done:
- Remove the code check for authorization in CacheDecodeContext.
- Server's default configuration should require authentication.
- Docker image allows passing in APP_USER and APP_PASS as env variables easily, but it provides default usernames and passwords for both APP and MGMT. These defaults should be removed since they're a security risk.
- Docker image should have the possibility to set APP_GROUPS so that we can optionally pass in the role groups associated with a user. This makes it easier in the future for users to add authorization on top of authentication.
I will create JIRA subtasks for these so that the work can be divided.
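
As an added illustration of the two Docker image points above (this is not the Infinispan image's own entrypoint script), the following shell fragment fails closed when APP_USER or APP_PASS is missing instead of falling back to defaults, and turns an optional APP_GROUPS value into a validated comma-separated list. The function names and the allowed character sets are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical entrypoint helpers, constructed for illustration only.

# Return 0 only when the operator supplied both credentials.
# There is deliberately no default username or password to fall back to.
require_app_credentials() {
    if [ -z "${APP_USER:-}" ] || [ -z "${APP_PASS:-}" ]; then
        echo "refusing to start: set APP_USER and APP_PASS (no defaults)" >&2
        return 1
    fi
    case "$APP_USER" in
        *[!A-Za-z0-9._@-]*)
            echo "APP_USER contains unsupported characters" >&2
            return 1 ;;
    esac
    return 0
}

# Print APP_GROUPS as a clean comma-separated list of role groups.
# Prints nothing when APP_GROUPS is unset, so groups stay optional.
# Returns 1 if any group name has characters outside [A-Za-z0-9_-].
app_groups_arg() {
    [ -n "${APP_GROUPS:-}" ] || return 0
    out=""
    old_ifs=$IFS
    set -f          # no filename expansion while splitting the raw value
    IFS=','
    for g in $APP_GROUPS; do
        g=$(printf '%s' "$g" | tr -d '[:space:]')
        [ -n "$g" ] || continue          # skip empty entries such as "a,,b"
        case "$g" in
            *[!A-Za-z0-9_-]*)
                IFS=$old_ifs; set +f
                echo "invalid group name: $g" >&2
                return 1 ;;
        esac
        out="${out:+$out,}$g"
    done
    IFS=$old_ifs
    set +f
    printf '%s' "$out"
}

# An entrypoint would call require_app_credentials first and exit on failure,
# then pass the output of app_groups_arg to its user-creation step.
```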