Chapter 13. Securing Fabric Containers
By default, Fabric containers use simple text-based username/password authentication, with the credentials held in the Fabric registry. Setting up a more robust access control system involves creating and deploying a new JAAS realm to the containers in the fabric.
Default authentication system
By default, Fabric uses a simple text-based authentication system, implemented by the JAAS login module io.fabric8.jaas.ZookeeperLoginModule. This system allows you to define user accounts and assign passwords and roles to them. Out of the box, the user credentials are stored in the Fabric registry unencrypted.
You can manage users in the default authentication system using the jaas:* family of console commands. The jaas:* commands act on whichever login module is currently selected, so first you need to attach them to the ZookeeperLoginModule login module, as follows:
    JBossFuse:karaf@root> jaas:realms
    Index Realm Module Class
    1     karaf org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
    2     karaf org.apache.karaf.jaas.modules.publickey.PublickeyLoginModule
    3     karaf io.fabric8.jaas.ZookeeperLoginModule
    JBossFuse:karaf@root> jaas:manage --index 3
This attaches the jaas:* commands to the ZookeeperLoginModule login module. The index you pass to jaas:manage must be the one that jaas:realms lists next to io.fabric8.jaas.ZookeeperLoginModule on your installation; do not assume it is always 3. Once attached, you can add users and roles using the jaas:* commands (for example, jaas:roleadd). These edits are held as pending changes and are not written to the registry until you commit them by entering the jaas:update command.
Alternatively, you can abort the pending changes by entering
Obfuscating stored passwords
By default, the JAAS ZookeeperLoginModule stores passwords in plain text. You can provide additional protection by storing them in an obfuscated (digested) format instead. This is done by adding the appropriate encryption properties to the io.fabric8.jaas PID and ensuring that they are applied to all of the containers in the fabric (typically through a profile that every container inherits), because each container's login module must interpret the stored credentials in the same format.
For more details, see section "Encrypting Stored Passwords" in "Security Guide".
Message digest algorithms are one-way, but digested passwords are not invulnerable: an attacker who obtains the stored digests can recover weak passwords offline by digesting candidate passwords from a wordlist and comparing the results, and an unsalted digest lets one precomputed table serve against every user (for example, see the Wikipedia article on cryptographic hash functions). Always use file permissions, and the equivalent access controls on the Fabric registry, to protect anything that contains passwords, in addition to enabling password encryption.
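The following added example, written for this page rather than taken from Fabric or Karaf, illustrates that caveat in Python. It stores a constructed password "karaf" as an unsalted MD5 digest, recovers it offline from a small constructed wordlist, and contrasts that with a salted, iterated PBKDF2 record, which guessing still attacks but at a higher per-guess cost and without any cross-user reuse. The wordlist, the MD5 default, and the pbkdf2_sha256$iterations$salt$key record format are assumptions chosen for illustration; Fabric's own obfuscation format is not reproduced here.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed wordlist for the offline guessing demonstration (assumption, not real data).
WORDLIST = ["password", "letmein", "admin", "karaf", "Fabric8!", "s3cr3t"]


def unsalted_digest(password: str, algorithm: str = "md5") -> str:
    """Hex digest of the bare password: the weakest form of obfuscation.
    No salt, a single fast round, and identical output for identical passwords.
    MD5 is assumed here only to keep the example short."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def crack_unsalted(digest_hex: str, wordlist, algorithm: str = "md5") -> Optional[str]:
    """Offline dictionary attack against an unsalted digest. Nothing is sent to
    the server: each candidate is digested locally and compared to the stored value."""
    for candidate in wordlist:
        if hmac.compare_digest(unsalted_digest(candidate, algorithm), digest_hex):
            return candidate
    return None


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt. The record format
    scheme$iterations$salt_hex$key_hex is an assumption of this example, chosen so
    the verifier can recover every parameter it needs from the stored string."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the key from the stored salt and iteration count, compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: str, wordlist) -> Optional[str]:
    """Guessing still works against a salted record when the password is weak, but
    every guess costs a full PBKDF2 run and cannot be reused against another user."""
    for candidate in wordlist:
        if verify_salted(candidate, stored):
            return candidate
    return None


def same_password_collides(password: str) -> Tuple[bool, bool]:
    """Two users sharing a password: unsalted digests are identical (one precomputed
    table breaks both accounts), salted records differ. Returns (unsalted_same, salted_same)."""
    unsalted_same = unsalted_digest(password) == unsalted_digest(password)
    salted_same = salted_hash(password) == salted_hash(password)
    return unsalted_same, salted_same


if __name__ == "__main__":
    stored = unsalted_digest("karaf")
    print("unsalted md5 of 'karaf':", stored, "-> recovered:", crack_unsalted(stored, WORDLIST))
    strong = salted_hash("karaf")
    print("salted record:", strong, "-> recovered:", crack_salted(strong, WORDLIST))
    print("shared password collides (unsalted, salted):", same_password_collides("karaf"))
```

The point of the comparison is that obfuscation raises the attacker's cost but never removes it: a weak password falls to the wordlist in both forms, so the stored records must still be protected by file and registry permissions as the text above says.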
Enabling LDAP authentication
Fabric supports LDAP authentication (implemented by the Apache Karaf LDAPLoginModule), which you can enable by adding the requisite configuration to the default profile.
For details of how to enable LDAP authentication in a fabric, see chapter "LDAP Authentication Tutorial" in "Security Guide".