Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CLI options to disable encryption and authentication to external Infinispan #28750

Closed
Tracked by #28745
pruivo opened this issue Apr 15, 2024 · 8 comments · Fixed by #28756
Closed
Tracked by #28745

CLI options to disable encryption and authentication to external Infinispan #28750

pruivo opened this issue Apr 15, 2024 · 8 comments · Fixed by #28756
Assignees
Labels

Comments

@pruivo
Copy link
Contributor

pruivo commented Apr 15, 2024

Description

In production, it is recommended to encrypt and authenticate the communication between the Keycloak server and the Infinispan server. However, in some environments, like development, proofs-of-concept, and demos, it is easier to deploy Keycloak + Infinispan without configuring users or TLS certificates.

The following options are proposed:

  • cache-remote-tls-enabled -> defaults to true, set to false to allow plain text communication with an Infinispan Server without encryption configured.
  • cache-remote-auth-enabled -> defaults to true, set to false to allow communication with an Infinispan server without security.
@ahus1
Copy link
Contributor

ahus1 commented Apr 15, 2024

@vmuzikar - We would like to see two additional options on the Quarkus CLI which would make it simpler for developers to develop changes, and also for users to try out those features in their local environment.

Could you please approve that those options are OK, and that the names align with the current ones? If that is the case, @pruivo will go ahead and create a PR.

Thanks!

@vmuzikar
Copy link
Contributor

@ahus1 @pruivo Sorry for the late reply. Would it rather make sense to set this based on prod/dev profile (kc.sh start vs. kc.sh start-dev)? Alternatively, set this based on if TLS key/cert and/or auth creds were provided? Or a combination of these approaches: enforce setting TLS and auth in prod profile, dev would have it optional.

CC @keycloak/cloud-native

@pruivo
Copy link
Contributor Author

pruivo commented Apr 17, 2024

I don't have a strong opinion on we should create CLI options to disable or make that decision based on tls/auth provided. The latter would make my life easier and avoid creating "too many" CLI options.

About the prod vs dev profile, the only use case where disabling this makes sense in prod is when Infinispan is running on a private datacenter/network as it won't make much sense to pay the cost of encrypting data.

@vmuzikar
Copy link
Contributor

I think it all depends on whether we want to explicitly require setting TLS and auth for ISPN, how common is the non-TLS no-auth scenario. If we want to be really secure-by-default, we probably should have explicit options to disable TLS and auth.

the only use case where disabling this makes sense in prod is when Infinispan is running on a private datacenter/network as it won't make much sense to pay the cost of encrypting data.

That make sense. So let's not tie it to the dev profile.

@pruivo
Copy link
Contributor Author

pruivo commented Apr 18, 2024

The Infinispan server defaults are

  • TLS disabled
  • Auth enabled

The non-TLS scenario is very useful for testing. In the feature that I'm developing, I'm disabling TLS using system properties: https://github.com/keycloak/keycloak/pull/28845/files#diff-15b16210d4c7b60aaf3ad0d7b19f1a2d6f31f487c1a02cdfa498bc0996e78578R52

You can argue that cache-remote-auth-enabled is redundant and we can enable auth when cache-remote-username or cache-remote-password is set. But, I vote to be secure by default and have options to disable it. I would be happy to hear the others' opinions.

@vmuzikar
Copy link
Contributor

Ah, I realized now that we're talking specifically only about remote ISPN. In that case, the security really lies in the hands of the ISPN server, not Keycloak. From my perspective then we don't need explicit options to disable (validations of) TLS and auth. If it's specified, Keycloak will use it, otherwise it won't.

WDYT @pruivo @ahus1?

@pruivo
Copy link
Contributor Author

pruivo commented Apr 18, 2024

@vmuzikar Just to clarify:

  • Create a new option cache-remote-tls-enabled (or any other name) to enable/disable TLS. I don't have any way to tell if TLS is required or not.
  • Make existing options cache-remote-username and cache-remote-password optional and, if present, enable authentication.

If my understanding is correct, 👍 from me.

@vmuzikar
Copy link
Contributor

@pruivo Yes, that's 👍 from me too.

pruivo added a commit to pruivo/keycloak that referenced this issue Apr 19, 2024
ahus1 added a commit to ahus1/keycloak that referenced this issue Apr 19, 2024
Closes keycloak#28750

Signed-off-by: Alexander Schwartz <[email protected]>
pruivo pushed a commit to pruivo/keycloak that referenced this issue Apr 19, 2024
ahus1 added a commit to pruivo/keycloak that referenced this issue Apr 20, 2024
ahus1 pushed a commit that referenced this issue Apr 20, 2024
ahus1 added a commit that referenced this issue Apr 20, 2024
Closes #28750

Signed-off-by: Alexander Schwartz <[email protected]>
ahus1 added a commit that referenced this issue Apr 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants