Chapter 12. Securing Fabric Containers
Abstract
By default, Fabric containers use text-based username/password authentication. Setting up a more robust access control system involves creating and deploying a new JAAS realm to the containers in the fabric.
Default authentication system
By default, Fabric uses a simple text-based authentication system (implemented by the JAAS login module, io.fabric8.jaas.ZookeeperLoginModule). This system allows you to define user accounts and assign passwords and roles to the users. Out of the box, the user credentials are stored in the Fabric registry, unencrypted.
Managing users
You can manage users in the default authentication system using the jaas:* family of console commands. First of all, you need to attach the jaas:* commands to the ZookeeperLoginModule login module, as follows:
JBossFuse:karaf@root> jaas:realms
Index Realm Module Class
1     karaf org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
2     karaf org.apache.karaf.jaas.modules.publickey.PublickeyLoginModule
3     karaf io.fabric8.jaas.ZookeeperLoginModule
JBossFuse:karaf@root> jaas:manage --index 3
This attaches the jaas:* commands to the ZookeeperLoginModule login module. You can then add users and roles, using the jaas:useradd and jaas:roleadd commands. Finally, when you are finished editing the user data, you must commit the changes by entering the jaas:update command, as follows:
JBossFuse:karaf@root> jaas:update
Alternatively, you can abort the pending changes by entering jaas:cancel.
Obfuscating stored passwords
By default, the JAAS ZookeeperLoginModule stores passwords in plain text. You can provide additional protection to passwords by storing them in an obfuscated format. This can be done by adding the appropriate configuration properties to the io.fabric8.jaas PID and ensuring that they are applied to all of the containers in the fabric.
For more details, see section "Encrypting Stored Passwords" in "Security Guide".
Note
Although message digest algorithms are not easy to crack, they are not invulnerable to attack (for example, see the Wikipedia article on cryptographic hash functions). Always use file permissions to protect files containing passwords, in addition to using password encryption.
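The following is an added example, not part of this guide: it assumes the stored form that Karaf-style basic password encryption produces with its default settings (an unsalted MD5 digest of the password, hex-encoded, wrapped in a {CRYPT} prefix and suffix), reproduces that format in Python, verifies a candidate password against a plain or encrypted entry, and lists the users whose registry entries are still plain text. The user names and entries are constructed.

```python
import base64
import hashlib
import hmac

# Assumed defaults of basic password encryption: unsalted digest of the
# UTF-8 password, hex-encoded, wrapped in a {CRYPT} marker. Because the
# digest is unsalted, identical passwords produce identical entries, which
# is why file permissions on the registry data still matter (see the Note).
PREFIX = "{CRYPT}"
SUFFIX = "{CRYPT}"
ALGORITHM = "md5"
ENCODING = "hexadecimal"


def encrypt_password(password, algorithm=ALGORITHM, encoding=ENCODING):
    """Return the stored (obfuscated) form of a password."""
    digest = hashlib.new(algorithm, password.encode("utf-8")).digest()
    if encoding == "hexadecimal":
        encoded = digest.hex()
    elif encoding == "base64":
        encoded = base64.b64encode(digest).decode("ascii")
    else:
        raise ValueError("unknown encoding: " + encoding)
    return PREFIX + encoded + SUFFIX


def is_encrypted(stored):
    """True if a stored value carries the prefix/suffix marker."""
    return (stored.startswith(PREFIX) and stored.endswith(SUFFIX)
            and len(stored) > len(PREFIX) + len(SUFFIX))


def check_password(stored, candidate, algorithm=ALGORITHM, encoding=ENCODING):
    """Verify a candidate against a plain or encrypted entry, constant-time."""
    if is_encrypted(stored):
        expected = encrypt_password(candidate, algorithm, encoding)
    else:
        expected = candidate  # plain-text entry: compare directly
    return hmac.compare_digest(stored.encode("utf-8"), expected.encode("utf-8"))


def audit_users(entries):
    """Return the users (sorted) whose stored credential is still plain text.

    entries: mapping of username -> stored value, as read from the user
    data in the Fabric registry (constructed values in the test).
    """
    return sorted(user for user, value in entries.items() if not is_encrypted(value))
```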
Enabling LDAP authentication
Fabric supports LDAP authentication (implemented by the Apache Karaf LDAPLoginModule), which you can enable by adding the requisite configuration to the default profile.
For details of how to enable LDAP authentication in a fabric, see chapter "LDAP Authentication Tutorial" in "Security Guide".