• Type: Enhancement
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 9.0.0.Final
    • Fix Version/s: None
    • Component/s: Security, Server


      When running Infinispan 9.0.0.Final in a cloud environment, the default security code enforcements are causing issues when trying to register a proto file.

      The "___protobuf_metadata" cache cannot be written remotely any more. Accessing this cache to add protofile descriptors to the server with the default configuration throws this error:

      [datagrid-1-akxoi] 12:15:56,602 ERROR [org.infinispan.server.hotrod.CacheDecodeContext] (HotRod-ServerWorker-4-2) ISPN005003: Exception reported: org.infinispan.server.hotrod.RequestParsingException: Remote requests are allowed to protected caches only over loopback or if authorization is enabled. Do no send remote requests to cache '___protobuf_metadata'
      [datagrid-1-akxoi] at org.infinispan.server.hotrod.CacheDecodeContext.obtainCache(
      [datagrid-1-akxoi] at org.infinispan.server.hotrod.HotRodDecoder.decodeHeader(
      [datagrid-1-akxoi] at org.infinispan.server.hotrod.HotRodDecoder.decode(

      The code in CacheDecodeContext that enables this check does the following:

      if (!cacheManager.getCacheManagerConfiguration().security().authorization().enabled()...

      In order to have a better out-of-the-box experience in cloud but still be secure, the following should be done:

      • Remove the code check for authorization in CacheDecodeContext.
      • Server's default configuration should require authentication.
      • The Docker image allows passing in APP_USER and APP_PASS as env variables easily, but it provides default usernames and passwords for both APP and MGMT. These defaults should be removed since they are a security risk.
      • The Docker image should have the possibility to set APP_GROUPS so that we can optionally pass in the role groups associated with a user. This is handy for making it easier in the future for users to add authorization on top of authentication.

      I will create JIRA subtasks for these so that the work can be divided.
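As an added example (not code from this ticket or from the Infinispan project), the following Hot Rod client shows what a remote writer of the "___protobuf_metadata" cache looks like once the server requires authentication rather than relying on the loopback/authorization check quoted above: it takes credentials from APP_USER and APP_PASS (the ticket uses these names for the Docker image's server-side user; reusing them for the client process is an assumption of this example), refuses to run without them instead of falling back to defaults, authenticates via SASL, registers the descriptor and checks the server's error key. The SASL mechanism DIGEST-MD5, server name "infinispan" and realm "ApplicationRealm" are assumptions that must match the hotrod-connector authentication settings of the target server; RegisterProto and EnvCredentials are names invented for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.RealmCallback;

import org.infinispan.client.hotrod.RemoteCache;
import org.infinispan.client.hotrod.RemoteCacheManager;
import org.infinispan.client.hotrod.configuration.ConfigurationBuilder;
import org.infinispan.query.remote.client.ProtobufMetadataManagerConstants;

/**
 * Registers a .proto descriptor in the protected ___protobuf_metadata cache over an
 * authenticated Hot Rod connection. Usage: java RegisterProto <host> <file.proto>
 */
public class RegisterProto {

    // Assumed values: mechanism, server-name and realm must match the <authentication>
    // element of the target server's hotrod-connector configuration.
    static final String SASL_MECH = "DIGEST-MD5";
    static final String SERVER_NAME = "infinispan";
    static final String REALM = "ApplicationRealm";

    /** Answers the SASL client's name/password/realm callbacks from runtime-supplied credentials. */
    static final class EnvCredentials implements CallbackHandler {
        private final String user;
        private final char[] password;

        EnvCredentials(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof RealmCallback) {
                    ((RealmCallback) cb).setText(REALM);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /** Fails closed: no baked-in fallback credentials, in line with the ticket's request to drop image defaults. */
    static EnvCredentials credentialsFromEnv() {
        String user = System.getenv("APP_USER");
        String pass = System.getenv("APP_PASS");
        if (user == null || user.isEmpty() || pass == null || pass.isEmpty()) {
            throw new IllegalStateException("APP_USER and APP_PASS must be set; refusing to use default credentials");
        }
        return new EnvCredentials(user, pass.toCharArray());
    }

    public static void main(String[] args) throws IOException {
        String host = args[0];
        String protoFile = args[1];

        ConfigurationBuilder builder = new ConfigurationBuilder();
        builder.addServer().host(host).port(11222)
               .security().authentication()
                   .enable()
                   .saslMechanism(SASL_MECH)
                   .serverName(SERVER_NAME)
                   .callbackHandler(credentialsFromEnv());

        RemoteCacheManager rcm = new RemoteCacheManager(builder.build());
        try {
            RemoteCache<String, String> metadata =
                    rcm.getCache(ProtobufMetadataManagerConstants.PROTOBUF_METADATA_CACHE_NAME);

            // The key is the descriptor's file name; the value is the schema text itself.
            String name = Paths.get(protoFile).getFileName().toString();
            String schema = new String(Files.readAllBytes(Paths.get(protoFile)), StandardCharsets.UTF_8);
            metadata.put(name, schema);

            // The server records parse failures under "<name>.errors"; null means the schema was accepted.
            String errors = metadata.get(name + ProtobufMetadataManagerConstants.ERRORS_KEY_SUFFIX);
            if (errors != null) {
                throw new IllegalStateException("Schema " + name + " was rejected: " + errors);
            }
            System.out.println("Registered " + name);
        } finally {
            rcm.stop();
        }
    }
}
```

Run it as `APP_USER=... APP_PASS=... java RegisterProto datagrid-host entities.proto`. With authentication enabled on the server, the request no longer needs to originate from loopback, and a wrong or missing credential is rejected at the SASL handshake rather than at the cache-name check in CacheDecodeContext.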

    • Assignee: Galder Zamarreño