Subject: Re: Review Request 62088: GEODE-3249 Validate internal client/server messages
From: Bruce Schuchardt
To: Udo Kohlmeyer, Galen O'Sullivan, Hitesh Khamesra, Alexander Murmann
Cc: Bruce Schuchardt, geode, Anthony Baker, Darrel Schneider
Delivered-To: mailing list dev@geode.apache.org
Date: Thu, 07 Sep 2017 17:32:20 -0000
Message-ID: <20170907173220.39549.55037@reviews-vm2.apache.org>
In-Reply-To: <20170905175735.63456.18449@reviews-vm2.apache.org>
X-ReviewRequest-URL: https://reviews.apache.org/r/62088/
X-ReviewBoard-Diff-For: geode-cq/src/test/java/org/apache/geode/security/ClientAuthorizationTwoDUnitTest.java
X-ReviewBoard-Diff-For: geode-cq/src/test/java/org/apache/geode/security/ClientAuthorizationCQDUnitTest.java

-----------------------------------------------------------
This is an automatically generated e-mail.
To reply, visit: https://reviews.apache.org/r/62088/
-----------------------------------------------------------

(Updated Sept. 7, 2017, 10:32 a.m.)

Review request for geode, Alexander Murmann, Galen O'Sullivan, Hitesh Khamesra, and Udo Kohlmeyer.

Bugs: GEODE-3249
    https://issues.apache.org/jira/browse/GEODE-3249

Repository: geode

Description (updated)
-------

This change leaves the security hole in place but allows you to plug it by setting the system property geode.disallow-internal-messages-without-credentials=true.

Clients must be upgraded to the release containing this change if you set this system property to true and client/server authentication is enabled. Otherwise, client messages to register PDX types or Instantiators will be rejected by the servers.

New tests have been added to perform backward-compatibility testing with the old security implementation, and the internal message command classes have been modified to perform validation of credentials if the system property is set to true.
Diffs (updated)
-----

  geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/ServerConnection.java b243d8ebb8f7fb698a4637c7a787ee2d7216f1f7
  geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/AddPdxEnum.java 5a4a07b81b18d33e465bd3aa46ad4232b976b608
  geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/AddPdxType.java 041e12fbd04e81f1f69520c53ef9c2f7481132fd
  geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/GetFunctionAttribute.java 76cc4a59bff691c4760083861362825d70ba326e
  geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/GetPDXEnumById.java 5e59640e5067ec8ac5fc50807ec276e1bdc025dd
  geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/GetPDXIdForEnum.java b0ebaf23f27e91278c7afe3648954ad6113206a8
  geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/GetPDXIdForType.java f2172ef4d8fa9f83929d8f5b2aa0c5377d7cf57e
  geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/GetPDXTypeById.java e46445bc96d735a66aa09330a1790b951591251e
  geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/GetPdxEnums70.java 3fe9750f8577a70e4cda9e76da83070f6e6606b1
  geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/GetPdxTypes70.java e64683fb620985d698357912bb1d1b52e8b24681
  geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/RegisterDataSerializers.java eef5195eae3bedb414aa2e2fca748b31e0b27908
  geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/RegisterInstantiators.java a402cb360f05f99442833e6098c736d2ac18d69a
  geode-core/src/test/java/org/apache/geode/security/ClientAuthenticationDUnitTest.java ca7b2b6b7a2c8d8215eda828901a05dcabdf3625
  geode-core/src/test/java/org/apache/geode/security/ClientAuthenticationPart2DUnitTest.java f8ebe056e21228f1d9e32e1dd271f6a4bfb4af71
  geode-core/src/test/java/org/apache/geode/security/ClientAuthenticationTestCase.java 0ecd72f4ee321f7f8aa5e998fa176551e45f025c
  geode-core/src/test/java/org/apache/geode/security/ClientAuthorizationDUnitTest.java 09aedbec86f95ab9affa1f76b387a5a03c0098ec
  geode-core/src/test/java/org/apache/geode/security/ClientAuthorizationTestCase.java a4fd365ffaa51447d56c2bcb481311082ddcbc31
  geode-core/src/test/java/org/apache/geode/security/SecurityTestUtils.java e69f36de1efbd0061ad8621db45fe3a64686968e
  geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/MonitorCQ.java f5e31df988f5955d2fbeef5269a7729ec97c9d03
  geode-cq/src/test/java/org/apache/geode/security/ClientAuthorizationTwoDUnitTest.java f5f686c0595c7500c4275292edb2e8f87593c67e

Diff: https://reviews.apache.org/r/62088/diff/2/

Changes: https://reviews.apache.org/r/62088/diff/1-2/

Testing
-------

Thanks,

Bruce Schuchardt
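The gate the description refers to, as an added example that is not Geode's code and not part of this review: a standalone Java model of a server-side handler that processes internal messages (the AddPdxType / RegisterInstantiators family) with no credential check unless the system property is set, and then rejects messages that carry no credentials or invalid ones. Only the property name comes from the request; the class name, the method names, the ClientMessage type and the sample tokens are hypothetical constructions for illustration.

```java
// Added example, not Geode's code: models the server-side gate the review request
// describes. PROPERTY is the name from the request; everything else is hypothetical.
import java.util.function.Predicate;

public class InternalMessageGate {

    /** Property named in the review request; a server would read it once at startup. */
    public static final String PROPERTY =
            "geode.disallow-internal-messages-without-credentials";

    public enum Decision { ACCEPTED, REJECTED_NO_CREDENTIALS, REJECTED_BAD_CREDENTIALS }

    /** Hypothetical stand-in for an internal command such as AddPdxType or RegisterInstantiators. */
    public static final class ClientMessage {
        final String command;
        final String credentials;   // null: the client sent no credentials (pre-fix client)

        ClientMessage(String command, String credentials) {
            this.command = command;
            this.credentials = credentials;
        }
    }

    private final boolean authenticationEnabled;
    private final boolean disallowWithoutCredentials;
    private final Predicate<String> authenticator;

    InternalMessageGate(boolean authenticationEnabled, boolean disallowWithoutCredentials,
                        Predicate<String> authenticator) {
        this.authenticationEnabled = authenticationEnabled;
        this.disallowWithoutCredentials = disallowWithoutCredentials;
        this.authenticator = authenticator;
    }

    /** Builds the gate from the JVM system property, the way the request says a server is configured. */
    static InternalMessageGate fromSystemProperty(boolean authenticationEnabled,
                                                  Predicate<String> authenticator) {
        return new InternalMessageGate(authenticationEnabled, Boolean.getBoolean(PROPERTY), authenticator);
    }

    /** Decides whether an internal message may be processed. */
    Decision check(ClientMessage m) {
        // Property unset, or no client/server authentication configured at all: legacy
        // behaviour, the message is processed without any credential check (the hole stays open).
        if (!authenticationEnabled || !disallowWithoutCredentials) {
            return Decision.ACCEPTED;
        }
        // Property set: an un-upgraded client that sends no credentials is rejected, which is
        // the compatibility consequence the request warns about.
        if (m.credentials == null) {
            return Decision.REJECTED_NO_CREDENTIALS;
        }
        return authenticator.test(m.credentials) ? Decision.ACCEPTED : Decision.REJECTED_BAD_CREDENTIALS;
    }

    public static void main(String[] args) {
        // Constructed sample authenticator: only the token "valid-token" authenticates.
        Predicate<String> auth = "valid-token"::equals;
        ClientMessage oldClient = new ClientMessage("AddPdxType", null);
        ClientMessage newClient = new ClientMessage("AddPdxType", "valid-token");
        ClientMessage forged    = new ClientMessage("RegisterInstantiators", "guess");

        InternalMessageGate legacy = new InternalMessageGate(true, false, auth);
        InternalMessageGate strict = new InternalMessageGate(true, true, auth);

        System.out.println("legacy gate, old client: " + legacy.check(oldClient));
        System.out.println("strict gate, old client: " + strict.check(oldClient));
        System.out.println("strict gate, new client: " + strict.check(newClient));
        System.out.println("strict gate, forged:     " + strict.check(forged));
    }
}
```

The main method builds both gates explicitly so the trade-off is visible without JVM flags: with authentication enabled and the property off, the old client's AddPdxType is accepted exactly as before; with the property on, the same message is rejected until that client is upgraded to send credentials. Running the class with -Dgeode.disallow-internal-messages-without-credentials=true exercises fromSystemProperty, which is the configuration path the request describes.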