Skip to main content
Redhat Developers  Logo
  • Products

    Featured

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat OpenShift AI
      Red Hat OpenShift AI
    • Red Hat Enterprise Linux AI
      Linux icon inside of a brain
    • Image mode for Red Hat Enterprise Linux
      RHEL image mode
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • Red Hat Developer Hub
      Developer Hub
    • View All Red Hat Products
    • Linux

      • Red Hat Enterprise Linux
      • Image mode for Red Hat Enterprise Linux
      • Red Hat Universal Base Images (UBI)
    • Java runtimes & frameworks

      • JBoss Enterprise Application Platform
      • Red Hat build of OpenJDK
    • Kubernetes

      • Red Hat OpenShift
      • Microsoft Azure Red Hat OpenShift
      • Red Hat OpenShift Virtualization
      • Red Hat OpenShift Lightspeed
    • Integration & App Connectivity

      • Red Hat Build of Apache Camel
      • Red Hat Service Interconnect
      • Red Hat Connectivity Link
    • AI/ML

      • Red Hat OpenShift AI
      • Red Hat Enterprise Linux AI
    • Automation

      • Red Hat Ansible Automation Platform
      • Red Hat Ansible Lightspeed
    • Developer tools

      • Red Hat Trusted Software Supply Chain
      • Podman Desktop
      • Red Hat OpenShift Dev Spaces
    • Developer Sandbox

      Developer Sandbox
      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Secure Development & Architectures

      • Security
      • Secure coding
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
      • View All Technologies
    • Start exploring in the Developer Sandbox for free

      sandbox graphic
      Try Red Hat's products and technologies without setup or configuration.
    • Try at no cost
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • Java
      Java icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • API Catalog
    • Product Documentation
    • Legacy Documentation
    • Red Hat Learning

      Learning image
      Boost your technical skills to expert-level with the help of interactive lessons offered by various Red Hat Learning programs.
    • Explore Red Hat Learning
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

Enabling LDAP Security for DataGrid Cache

April 13, 2017
Kamesh Sampath
Related topics:
JavaSecurity
Related products:
Red Hat Data Grid

Share:

    Expanding on Tristan's blog, where he spoke of enabling security for JBoss Data Grid caches, in this post we will cover how to add LDAP based security to the JDG caches. The principles and techniques remain defined by Tristan, but there are some minor changes that I will be highlighting in this blog for a successful working configuration of JDG enabled with LDAP security.

    Before we jump on to configuring the JDG for security, I would like to brush up on the available permissions in JDG:

    • READ - typical read operations get, contains etc., except bulk read
    • WRITE - typical write operations put, putIfAbsent, replace, remove, evict
    • EXEC - distexec, mapreduce
    • LISTEN - permissions to add Listeners
    • BULK_READ - keySet, values, query, entrySet etc.,
    • BULK_WRITE - clear, putAll
    • ALL_READ - all read operations typically READ + BULK_READ
    • ALL_WRITE - all write operations typically WRITE + BULK_WRITE
    • LIFECYCLE - start/stop of caches
    • ADMIN - typical cache administration operations like getVersion, getCacheConfiguration etc.,
    • ALL -  All the permissions listed above

    More information on these is available in the JDG Developer Guide.

    Setup

    LDAP

    The complete source code of examples used in this blog is available on Github, here. If you don't have an LDAP server running on your machine and wish to quickly run one, you can do so by pulling a docker image of the same by pulling docker image fabric8/389ds, to run a 389ds-Directory Server with sample users and groups as shown in LDIF, run the following command,

    docker run -d --name "dirsrv-389ds" -p 10389:389 fabric8/389ds -e "DIRSRV_ADMIN_USERNAME=admin,DIRSRV_ADMIN_PASSWORD=admin@123, DIRSRV_MANAGER_PASSWORD=admin@123, DIRSRV_SUFFIX=dc=example,dc=com"

    Groups and Permissions

    The following section shows the Groups and Roles mapping, refer to JDG Security Permissions for more information on each of the permissions mentioned below:

    • ClusterAdmins - the user(s) belonging to this group can do ALL operations on JDG cache(s)
    • Managers - the users(s) belonging to this group can do ALL_READ,ALL_WRITE,EXEC on JDG cache(s)
    • Developers - the user(s) belonging to this group can only WRITE on JDG cache(s)
    • Business - the user(s) belonging to this group can only READ on JDG cache(s)

    If you are running the dockerized version of the 389ds then all the required groups mentioned above with sample users are all set up, if you are using your own LDAP server then you'll import the LDIF to have them created for you.

    Configuring JDG

    We leverage the jboss-cli for setting up the LDAP security and configuring the authentication and authorization JDG. The source repo's jboss-cli folder has the following JBOSS CLI commands file, which can help in setting up the LDAP Security and JDG Cache security.

    Assumptions

    • JDG Server is up and running with "clustered.xml" as configuration and its management port is on 9990, if you don't have JDG running you can download it from here, unzip it to a folder of your choice and then start it with the command,
      $JBOSS_HOME/bin/standalone.sh -c clustered.xml
    • Export JBOSS_HOME environment variable to point to JDG Home, this not a must but a convenience to run the JBOSS CLI commands.

    Before getting started, clone the repository https://github.com/kameshsampath/jdg.git to a folder of your choice, let's call it as $PROJECT_HOME and then change to directory jdg-security-demo under $PROJECT_HOME, unless explicitly stated, all the commands in the following sections will be executed from $PROJECT_HOME/jdg-security-demo directory.

    JDG LDAP Security Configuration

    • To configure LDAP security, run the following command,
    $JBOSS_HOME/bin/cli.sh --controller=127.0.0.1:9990 --connect --file=./jboss-cli/ldap-enable.cli

    NOTE: You might need to check the ./jboss-cli/ldap-enable.cli for ports, LDAP credentials etc., corresponding to your LDAP server before running the above command.

    • After running the above command the server restart, wait for the server to restart completely.
    • Now execute,
    $JBOSS_HOME/bin/cli.sh --controller=127.0.0.1:9990 --connect

    It will prompt you for a username and password, you can use any of the usernames from LDAP with this demo, the application is not configured for authorization or management. If you have imported the LDIF then you can use admin/password to log into the JBoss CLI, if you are successfully logged in then LDAP security is configured correctly. Going forward every subsequent connection via JBoss CLI will prompt for the username and password.

    JDG Cache Security Configuration

    • To configure JDG security do run the following command,
    $JBOSS_HOME/bin/cli.sh --controller=127.0.0.1:9990 --connect --file=./jboss-cli/jdg-security-enable.cli
    • The command will add security to the JDG cache container "clustered" with roles and permissions mentioned above, the command will also secure the HotRod connector, hence making the clients pass credentials to do operations on the cache.

    Example JDG Cache Configuration

    To run the test let's create a sample cache and its configuration, which we secured using the LDAP and authorization previously defined. To create sample cache and configuration run the following command,

    $JBOSS_HOME/bin/cli.sh --controller=127.0.0.1:9990 --connect --file=./jboss-cli/cache-security-config.cli

    The command above creates a distributed cache configuration called "securedConfig" and creates distributed cache called "users-cache" which will use the "securedConfig".

    Testing the Secured Cache

    To test the secured cache from the project root run the following command,

    mvn clean test

    The project has only one test case called org.workspace7.jdg.JDGSecurityTest, which runs a simple test to check all the roles mentioned above.

    Couple of points to note in the setup, the "cache-container" security authentication will still use "identity-role-mapper" instead of "common-name-role-mapper", this is a workaround for now until the JDG-951 is fixed, to enable this workaround, map correct role names, the LDAP security authorization should be configured to return SIMPLE names for the roles like shown below,

    group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn"
    group-to-principal search-by="DISTINGUISHED_NAME" base-dn="ou=Groups,dc=example,dc=com"
    membership-filter principal-attribute="uniqueMember"/
    /group-to-principal
    /group-search

    Ideally, you don't need to do these updates, as the jboss-cli's that were executed earlier takes care of this workaround. Please refer to the JDG Developer guide for more information on mappers that are available.

    That's it! You are all set to rock with JDG enabled with LDAP Authentication/Authorization; you can check the complete clustered.xml sample here.


    Click here to download JBoss Data Grid an intelligent, distributed caching solution that boosts application performance and provides greater deployment flexibility.

    Last updated: March 21, 2023

    Recent Posts

    • How to run a fraud detection AI model on RHEL CVMs

    • How we use software provenance at Red Hat

    • Alternatives to creating bootc images from scratch

    • How to update OpenStack Services on OpenShift

    • How to integrate vLLM inference into your macOS and iOS apps

    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue