Is it possible to secure the communication between the LRA co-ordinator and its participants


Jason Yong

Apr 29, 2020, 7:11:05 AM
to narayana-users
Hi,

The communication between the LRA co-ordinator and its participants appears to be over http by default. Is it possible to configure it to use https or any other authentication methods?
I assume that from the co-ordinator point of view it's all based on the container you are running it in, but for the participant is it possible to configure it to use https?

Thanks for your time

Jason

Michael Musgrove

Apr 29, 2020, 8:35:45 AM
to Jason Yong, narayana-users
The Narayana implementation of the LRA spec should use whatever the container uses. So if the container is configured to use HTTPS then the comms will be secured. I guess we should write some tests that verify my statement.



--
Michael Musgrove

JBoss, by Red Hat


Jason Yong

Apr 29, 2020, 10:47:40 AM
to narayana-users

I’m sorry if I have misunderstood something but I’m a bit confused. 


I understand that the co-ordinator is using its container’s settings to listen on a secure port but how would you set up the participant to use an outbound SSL connection?


Are you saying that by setting

• -Dlra.http.port=...
• -Dlra.http.host=...
• -Dlra.coordinator.path=...

to an https port it would somehow set up a secure connection? Or is it up to the developer to set up something like a forward proxy?


Thanks


Jason



Michael Musgrove

Apr 29, 2020, 11:58:08 AM
to Jason Yong, narayana-users
That is a good point Jason. I have raised an issue to look into this requirement. Since LRA is aimed at MicroProfile based services I have recommended that the project initially focus on JWT in the issue description:

The Narayana implementation of the MicroProfile LRA specification uses a JAX-RS filter to communicate with a remote coordinator. The interaction is currently insecure. This issue is to investigate the best way of securing this channel. Since the JAX-RS filter is applied to the MicroProfile service we should initially investigate the MicroProfile security solution (MicroProfile JSON Web Token).

You can track its progress by watching the issue. If you have any particular requirements please can you let the project know here so that whoever implements it can take them into consideration when resolving the issue.

I have marked the issue as "Major". If you think it should be "Critical" or a "Blocker" then we will review the priority.


Jason Yong

Apr 30, 2020, 9:03:37 AM
to narayana-users
Hi Michael,

Thanks for opening the issue. My concern is that without that communication being secured, people may not be willing to use LRA in production as there would be a security risk in doing so. I'm not sure if that should affect the priority level or not. 



Michael Musgrove

Apr 30, 2020, 9:43:02 AM
to Jason Yong, narayana-users
I marked its priority as Critical. Issues marked with priority Critical or Blocker are flagged up on our weekly triage of issues so there is a much higher likelihood of them being resolved in the next release.


Michael Musgrove

Nov 14, 2023, 7:29:27 AM
to narayana-users
The issue referenced earlier is fixed so I will mark the question as complete.
Note that we also have plans to support OpenIDConnect (OIDC) for securing the coordinator and you may track our progress on that via issue JBTM-3811.
