Riak CS LDAP authentication - authentication

I read here that Riak CS supports LDAP for authentication: http://bit.ly/1Rb2yTF
"Pluggable Authentication/Authorization for Integration with Existing Infrastructure – Riak CS provides an extensible authentication system, enabling integration with existing directory services (LDAP, ActiveDirectory, NIS, PAM)."
However, I cannot find anything relating to the LDAP authentication configuration in the docs. I understand the Riak CS docs may sometimes lag behind the actual feature implementation.
My question is: does the feature exist out of the box, or does the white paper only refer to the possibility of rolling out my own custom authentication module if I so desire? If there is an implementation, I would be grateful if you could post some information to get me started, please.

I don't know what the doc supposes, but, as far as I know, the Keystone authentication feature may be used.
Riak CS (should) support Keystone authentication [1], and Keystone auth can be configured to use LDAP [2] [3].
[1] http://docs.basho.com/riakcs/latest/cookbooks/Using-Riak-CS-With-Keystone/
[2] http://docs.basho.com/riakcs/latest/cookbooks/Keystone-Conf-Sample/
[3] http://docs.openstack.org/developer/keystone/configuration.html
P.S. Keystone cooperation is not widely used, so there may be some bugs. In that case, the riak-users mailing list is a good place to discuss.

Related

Authentication microservices, databases in Kubernetes

I am working on a data platform on Kubernetes. Therefore, I will need to install:
several databases like Ceph (or MinIO), PostgreSQL, Elasticsearch
a Kafka cluster
a SQL engine like Trino (formerly PrestoSQL)
several API servers
Multiple users and applications (internal to Kubernetes or not) will need to be authenticated and authorized to use these components.
For authorization I have found a project like Open Policy Agent which fits my wish to have a centralized and unified way to control it.
I would like the same thing for authentication but I am still looking for it.
There are different ways to authenticate, the most interesting ones being:
TLS certificate
OAuth2
Kerberos
But the above components do not all implement these methods.
For instance, I was interested in using Keycloak. It is perfectly suited for API servers and Kafka, but not for PostgreSQL.
Do you know of some solutions or alternatives for my problem?
As Jonas rightly mentioned in the comment:
This totally depends on what your systems support. It is easiest if they support JWT tokens for authentication; then the microservices can use their serviceAccount.
One of the solutions might be to use a service mesh like Istio together with JWT (JSON Web Tokens). Here is also the Istio documentation about JWT. In simple terms, the microservice will present a JWT and Istio will check whether the token is correct. This guide shows exactly how Istio Authorization Policy works.
Here you can find a very good article that explains how such authorization works step by step. It presents various methods of implementation. It shows their strengths and weaknesses.
It's also worth taking a look here. The official istio security documentation explains how to approach the subject of authorization. You can find there all supported authorization methods.
You can also create your custom action to delegate the authorization to an external system. Here is the guide on how you can do it.
Kubernetes also supports 3rd party authentication tools: Keycloak, Auth0 or Google Auth. Here are guides on how to secure Kubernetes clusters with:
Keycloak and istio
Auth0 and Istio
Google Auth and Istio

Anonymous Authentication by default in Amazon Neptune?

I'm learning about Amazon Neptune, and noticed that:
IAM authentication is not enabled by default
IAM authentication requires AWS Signature v4 for API calls, which increases application complexity
By default, it seems that Amazon Neptune uses anonymous authentication, as I didn't have to provide any API keys, username / password combinations, or certificates for authentication. Additionally, the code sample provided by AWS doesn't include any authentication details.
It appears that the only default security options for Amazon Neptune are network-level VPC Security Groups.
According to the What is Neptune? documentation, the service claims to be "highly secure." In my opinion, a service that does not support application-level authentication by default is not "highly secure."
Neptune provides multiple levels of security for your database. Security features include network isolation using Amazon VPC, and encryption at rest using keys that you create and control through AWS Key Management Service (AWS KMS). On an encrypted Neptune instance, data in the underlying storage is encrypted, as are the automated backups, snapshots, and replicas in the same cluster.
Question: Why does Amazon Neptune use an insecure configuration by default, and is there a way to enable authentication without using the complicated IAM integrated authentication?
You've got some very valid points in there, so let me go through them in detail by providing some context.
By default, it seems that Amazon Neptune uses anonymous authentication...
This is intentional for a reason. The query languages that Neptune supports right now are Gremlin and SPARQL, both of which are built on top of HTTP/HTTPS without any sort of auth (Basic Auth is supported in Gremlin, but that is not something that clients use in production anyway. I'd need at least some form of message digest auth to call it secure, but unfortunately, the language spec does not include this). As these languages are open, there is a lot of open source client code out there that assumes it is dealing with an unauthenticated endpoint. As a result, purely from an adoption point of view, Neptune chose to keep its request layer unauthenticated by default. If you explore other DB engines within AWS (say Aurora MySQL), the backing DB engine does support auth as its default posture.
This does not mean that it is the right thing to do, so I'll let someone from the Gremlin/SPARQL community comment on whether the spec should enforce authentication as the default posture or not.
It appears that the only default security options for Amazon Neptune are network-level VPC Security Groups.
SGs provide the network ACLs, and we do support TLS 1.2 by default (as of the newest engine versions), so that tightens up your client -> db connection as well.
The service claims to be "highly secure." In my opinion, a service that does not support application-level authentication by default, is not "highly secure."
In addition to the details called out above, the "highly secure" aspect of Neptune is not limited just to the client -> db connection. Your data is replicated six ways and stored in 3 AZs. This involves a lot of communication, not just from the DB, but within the backing storage nodes as well. All these communications are guarded by industry standard security protocols. Encryption at rest for the distributed store is a totally interesting case study on its own. The same standards apply to operator access to the machines, auditing, data safety with snapshotting and restoring, etc. In short, I do agree that the default posture should be SigV4 (or some open standard) auth enabled, but I do want to make sure that you get some clarity on why we do claim to be a highly secure DB, much like any other product that AWS provides.
Is there a way to enable authentication without using the complicated IAM integrated authentication?
SigV4 is the standard that most AWS services do support. I do agree that it would have been a lot easier if there were an SDK that customers could directly use. We did vend out SigV4 plugins for some of the clients (especially Java and Python) and it actually has a pretty good uptake. Do try it out and share feedback on which areas in the integration seemed to be painful, and we'd be more than happy to take a look.
EDIT 1: The OP discussion here was around security between the client and the database, so the security practices in the opaque backing data store that I've quoted above aren't really relevant. In other words, the discussion here is entirely around the data plane API of Neptune and whether we could be secure by default, rather than as an opt-in.
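The answer above points at SigV4 as the way to authenticate Neptune's HTTP data plane. As an added illustration of what a SigV4 plugin has to compute per request, here is a minimal signer written for this page (it is not AWS's plugin or SDK code): it builds the canonical request, derives the per-day signing key and emits the Authorization header. The credentials, region, endpoint host and Gremlin query are constructed placeholders; the service name `neptune-db` is the one SigV4 uses for Neptune's data plane.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed example credentials; these are not real keys.
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
SERVICE = "neptune-db"  # SigV4 service name for Neptune's data plane


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, body=b""):
    """Return (canonical request, signed-headers list) as SigV4 defines them.

    query: single-valued query parameters, e.g. {"gremlin": "g.V().limit(1)"}.
    headers: the headers being signed; 'host' and 'x-amz-date' must be present.
    """
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    signed = ";".join(sorted(lowered))
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    creq = "\n".join([method.upper(), quote(path, safe="/-_.~"), canon_query,
                      canon_headers, signed, _sha256_hex(body)])
    return creq, signed


def sign_request(method, host, path, query, amz_date, body=b""):
    """Return the Authorization header for one request stamped amz_date (YYYYMMDDTHHMMSSZ)."""
    date = amz_date[:8]
    creq, signed = canonical_request(method, path, query,
                                     {"host": host, "x-amz-date": amz_date}, body)
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(creq.encode())])
    # Signing key: HMAC chain over date, region, service and the fixed terminator.
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + SECRET_KEY).encode(), date),
                                  REGION), SERVICE), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
            f"SignedHeaders={signed}, Signature={signature}")
```

The returned value goes in the request's `Authorization` header alongside the same `Host` and `X-Amz-Date` values that were signed; any change to the query or date after signing invalidates the signature.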

Suggestion/Guidance to Implementing LDAP (Active Directory) authentication

Problem Statement:
I am trying to build a custom management system which would require authentication and authorization both.
The system needs to have capabilities to manage/create/update/delete users, roles, permissions and groups.
My Design Solution
I am planning to implement this in-house from scratch and would provide authentication and authorization as follows.
Authentication: the user would provide their credentials and the system would authenticate whether the user is valid or not.
Authorization: once the user is authenticated, based on the user's groups and permissions they could access the requested pages on the site.
Question:
Now, my question is: suppose I have this application built successfully and in future my application requires LDAP (Active Directory) authentication. Would it be possible to plug in LDAP-related features while keeping my existing application intact, or would I have to rewrite the entire application (or most of it) using LDAP APIs?
I have had a look at Apache Shiro and Spring Security, which provide LDAP functionality and also provide capabilities to manage/create/update/delete users.
As of now I have not yet decided if I would go with either of them or write my own.
I would appreciate it if I could get a detailed response about how to go about things.
Note:
I am a complete newbie to LDAP so please excuse me if I have used some wrong terminology with regards to LDAP.
I would recommend NOT implementing this yourself; just integrate with an existing API.
Disclosure: I work for Stormpath (which provides exactly this) and on Apache Shiro.
Also, if your application needs to be backed by LDAP, most LDAP setups I've seen only support read operations when integrating with applications, so you may want to chat with your LDAP admin and see if your 'manage' user use case is viable.
Security is a serious domain, with lots and lots of hidden complications. I would definitely recommend against implementing this yourself. Since you mention Spring LDAP, I'm guessing you're in a Spring-based project. The obvious choice in such a setup would be the excellent Spring Security project.

How to provide OAuth services from a website?

OAuth allows you, the user, to grant access to your private resources on one site to another site. But how exactly does this happen? And if I want to provide OAuth features on my site (both as service provider and consumer), how do I go about doing it? I'm using a Fedora 13 based server. And is it possible to configure RoundCube / SquirrelMail to provide these services? As of now all my users have mail accounts on the server; I want the credentials in the mail server to be used to provide the OAuth services.
If you want to be a provider of data, then you have to implement an OAuth server at your site, and if you want to be a consumer, you will have to implement an OAuth client at your site.
You should also read some articles and tutorials to gain a better understanding of the protocol, because it's a protocol that allows you to protect APIs, and that being said, everything connected with security should be well understood by the developer who is implementing it.
In case you're a provider, the 1.0 version of the protocol works in the following way:
Consumer requires access to end-user's private data
Provider issues a token to the consumer
End-user authorizes the token
Consumer can make authorized requests with that token for the end-user's private data
A good place to start is: http://hueniverse.com/oauth/
You can also read the RFC when you decide whether you will implement the 1.0a or 2.0 version of the protocol. I have implemented only 1.0a so far, so I cannot give advice on which is better. I guess the 2.0 version has more possibilities, and everyone says it's easier to implement. As for ease, 1.0a is not difficult to implement either, because there are good open source libraries both for clients and servers, and you can set up and run a server or client in 1 day if you understand the mechanics of the protocol.
Of course, if you want to make a good server with different scopes of access, inheritance of scopes, and if your API is complicated and extensible, you will have to do a lot more work there, no matter whether you choose the 1.0a or 2.0 OAuth version.
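The answer above describes the 1.0a flow from the provider's side; the step that every provider has to get right is checking the consumer's signature on each authorized request. As an added example written for this page (not code from the answer or any library it mentions), here is the RFC 5849 HMAC-SHA1 signature base string and a provider-side verifier that also rejects stale timestamps and replayed nonces. The consumer key, secrets and URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(s: str) -> str:
    # RFC 5849 section 3.6: percent-encode everything except unreserved characters.
    return quote(s, safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    """Signature base string (RFC 5849 section 3.4.1).

    params: oauth_* protocol parameters plus any form-body parameters; query
    parameters are taken from the URL. oauth_signature itself is excluded.
    """
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = [(k, v) for k, v in params.items() if k != "oauth_signature"]
    pairs += parse_qsl(parts.query, keep_blank_values=True)
    # Normalise: encode name and value, then sort by name, then by value.
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret="") -> str:
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify_request(method, url, params, consumer_secret, token_secret="",
                   *, now, seen_nonces, window=300) -> bool:
    """Provider-side check: method, timestamp window, nonce replay, then signature."""
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        ts = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > window:
        return False
    nonce_key = (params.get("oauth_consumer_key"), params.get("oauth_nonce"), ts)
    if nonce_key in seen_nonces:  # same consumer reusing a nonce: replay
        return False
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    seen_nonces.add(nonce_key)  # only remember nonces from requests that verified
    return True
```

In a real provider `seen_nonces` would be a store shared across workers and pruned of entries older than `window`, and the consumer secret would be looked up from `oauth_consumer_key`.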
A simple example to demonstrate the OAuth flow. Understanding the concept helps to design accordingly:
As for the "How will I do it?"
There are lots of good libraries out there. Here is an excellent list: http://oauth.net/code/

What methods exist for leveraging SecurID and similar technologies?

From Wikipedia: RSA SecurID is a mechanism developed by RSA Security for performing two-factor authentication for a user to a network resource.
I just read about this device, and it seems interesting to me. However, I'm not sure how (or even if) software (networked or non-networked) can utilize this method of authentication.
I'm making this a community wiki post as this isn't a specific question, but a general overview of addressing authentication with SecurID and similar technologies.
There's a similar technology called YubiKey.
Verisign's OpenID provider supports such tokens (sold at a discount by EBay and PayPal), which is certainly the easiest way to get started using dual-factor authentication for web applications.
To actually answer the original question, there are several ways to integrate with SecurID, from "simplest" to "requires a bit more work":
See if the application is already integrated/certified. A list of applications that have been integrated and validated by RSA can be found at http://www.rsasecured.com. Only applications that have opted to be validated are listed; it's possible that an application can integrate but has not undergone validation.
Leverage one of the existing RSA Authentication Agents (pieces of code that talk to the Authentication Manager server) that integrate, for example, with the OS/Application Server/Web server, so that the authentication can be "offloaded" to the agent, and the application only has to take care of the core functionality. The Agents that RSA develops can be downloaded from http://www.emc.com/security/rsa-securid/rsa-securid-authentication-agents.htm (RSA is the Security Division of EMC).
If the application/device can leverage the RADIUS protocol for external authentication (see http://en.wikipedia.org/wiki/RADIUS), the Authentication Manager server is also a RADIUS server.
Lastly, if you want to integrate the application directly with RSA, the RSA SecurID Agent SDK allows you to embed the needed functionality in the application itself, so the app can talk directly to the Authentication Manager server, send authentication requests, receive the answers, leverage the HA functionality of the authentication server, etc. This is how devices such as SSL VPN concentrators, firewalls, and many, many others integrate (see the list in point 1).
Hope this helps
My company, WiKID Systems, has a dual-source two-factor authentication system. In addition to RADIUS, LDAP, etc., we have a very simple API called wAuth and packages available in PHP, Python, Ruby, Java and C#. These 'network client' packages are LGPL, so you can put them in open source or commercially licensed software. You can download them here. It would be pretty simple to do others too.
Also, we have an open source version of the software token, so you can embed that if you like and you can really see how the system works from end-to-end.