VMware GemFire

Unauthorized exception when calling methods during OQL.

Monika A posted Jul 01, 2020 09:18 AM

Hi,


We are getting an unauthorized exception in methods during OQL processing. Can you please suggest how we can whitelist the custom methods in order to make it through? I read about the out-of-the-box MethodInvocationAuthorizer but am finding it difficult to configure.


Note: We have enabled security (security-enabled)


Exception: Caused by: org.apache.geode.security.NotAuthorizedException: Unauthorized access to method: XXX


Thanks,

Monika

Juan Ramos

Hello Monika,


Thanks for contacting the Support Community!

That said, can you add more details about the issue you're facing while configuring the authorizers?

As a side note, I'd suggest having a look at the Pluggable OQL Method Authorization [1] blog post; it contains a high-level description of every authorizer shipped out of the box and the situations under which they should be used. The Method Invocation Authorizers [2] section within the official User Guide is also a good starting point.

To change the Method Invocation Authorizer used by the cluster, either one of the four shipped with the product or your own, you should use the alter query-service [3] gfsh command.

Hope this helps.

Best regards.


[1]: https://medium.com/@jujoramos/pluggable-oql-method-authorization-coming-up-in-geode-1-12-0-c35c99a21768

[2]: https://gemfire.docs.pivotal.io/910/geode/managing/security/method_invocation_authorizers.html

[3]: https://gemfire.docs.pivotal.io/910/geode/tools_modules/gfsh/command-pages/alter.html#topic_alter_query_service
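As an added illustration of the deny-by-default model the authorizers above follow (this is example code written here, not code from the thread, from GemFire or from Apache Geode): a custom MethodInvocationAuthorizer that keeps every decision of the stock RestrictedMethodAuthorizer and, on top of it, honours an explicit allow-list of zero-argument methods handed in as authorizer parameters. The package, class name and the "fully.qualified.Class.method" list format are assumptions.

```java
package com.example.gemfire.security; // hypothetical package

import java.lang.reflect.Method;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.geode.cache.Cache;
import org.apache.geode.cache.query.security.MethodInvocationAuthorizer;
import org.apache.geode.cache.query.security.RestrictedMethodAuthorizer;

/**
 * Deny-by-default: whatever the product's RestrictedMethodAuthorizer permits
 * stays permitted; additionally, methods named in the allow-list (one
 * "fully.qualified.Class.method" entry per authorizer parameter) are
 * permitted, but only if they are public, take no arguments and are not on
 * the product's permanently forbidden list (getClass etc.).
 */
public class AllowListMethodAuthorizer implements MethodInvocationAuthorizer {
  private RestrictedMethodAuthorizer delegate;
  private Set<String> allowed = Collections.emptySet();

  @Override
  public void initialize(Cache cache, Set<String> parameters) {
    // Reuse the product default for standard Java types and bean getters.
    delegate = new RestrictedMethodAuthorizer(cache);
    allowed = parameters == null ? Collections.emptySet() : new HashSet<>(parameters);
  }

  @Override
  public boolean authorize(Method method, Object target) {
    // Anything already safe under the default policy needs no allow-list entry.
    if (delegate.authorize(method, target)) {
      return true;
    }
    // Never let the allow-list override the product's hard deny list.
    if (delegate.isPermanentlyForbiddenMethod(method, target)) {
      return false;
    }
    // Only non-mutating style accessors: public and zero-argument.
    if (method.getParameterCount() != 0
        || !java.lang.reflect.Modifier.isPublic(method.getModifiers())) {
      return false;
    }
    String key = method.getDeclaringClass().getName() + "." + method.getName();
    return allowed.contains(key);
  }
}
```

Package the class in a jar, deploy it to the cluster, and select it with the alter query-service command from [3] (passing the class via --method-authorizer and the allow-list entries via --authorizer-parameters; the latter option name is from my own use of the command, not from this thread).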


Monika A

Thank you for the response.

It would be great if you could guide me on configuring the custom MethodInvocationAuthorizer, like where I can mention the new class so that it will be invoked during authorization.

We are not using gfsh; we are maintaining the configuration in XML format (server.xml).
Juan Ramos

Hello Monika,


The usage of individual cache.xml files to configure the servers is discouraged and will be deprecated in the near future; the recommended approach is to use the GemFire SHell [1] + Cluster Configuration Service [2].

That said, the new OQL Method Authorization feature has been developed with the above in mind, and it's mandatory to have a single authorizer per cluster (imagine what would happen if you mistakenly used different authorizers per server: the OQL would behave differently), so there's no out-of-the-box way of configuring the feature using individual cache.xml files. You must use GemFire SHell [1] + Cluster Configuration Service [2].

Hope this helps.

Best regards.


[1]: https://gemfire.docs.pivotal.io/910/gemfire/tools_modules/gfsh/chapter_overview.html

[2]: https://gemfire.docs.pivotal.io/910/geode/configuring/chapter_overview.html

Monika A

We are bringing up the GemFire application and its members via Spring Boot; all its configuration we are maintaining in a .xml file.

As you suggested in link [1], I tried to use the below tag in the XML but it's showing a parsing exception.

Also, is there any way that we can mention this in some property file?
Juan Ramos

Hello Monika,


Thanks for your quick reply.

That said, I've checked within the Spring repositories, and spring-data-geode / spring-data-gemfire don't have support for the new OQL Method Authorization feature yet; that's why you can't configure the OQL Authorizer using XML or annotations yet.

Best regards.

Monika A

Ahhh, then do we have any other option to enable it than gfsh? I am afraid that we won't be having access to gfsh in a Prod-like environment.
Juan Ramos

Hello Monika,


There are some ways of configuring the Method Authorizer without GemFire SHell [1] and the Cluster Configuration Service [2], but they imply using internal classes and modifying the default product behaviour (highly discouraged).

You can certainly go down this path, but be warned:

  • There's no backward compatibility guaranteed when using internal classes.
  • It is not officially supported by VMware (in case you have a support contract for VMware GemFire).


If, after reading the above, you still want to give it a try, the easiest way would be to use the AlterQueryServiceFunction [3] to change the OQL Method Authorizer on all running members, which is basically what the gfsh alter query-service internally does here [4].

Another option (it still uses internal classes), since you are starting the servers as Spring Boot applications, would be to get the actual InternalCache [5] instance, retrieve the QueryConfigurationService [6] and execute one of the internal updateMethodAuthorizer() methods. An example of this approach, used within the test classes, can be seen here [7].

Hope this helps.

Best regards.


[1]: https://gemfire.docs.pivotal.io/910/gemfire/tools_modules/gfsh/chapter_overview.html

[2]: https://gemfire.docs.pivotal.io/910/geode/configuring/chapter_overview.html

[3]: https://github.com/apache/geode/blob/develop/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/functions/AlterQueryServiceFunction.java

[4]: https://github.com/apache/geode/blob/develop/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/AlterQueryServiceCommand.java#L79-L94

[5]: https://github.com/apache/geode/blob/develop/geode-core/src/main/java/org/apache/geode/internal/cache/InternalCache.java

[6]: https://github.com/apache/geode/blob/develop/geode-core/src/main/java/org/apache/geode/cache/query/internal/QueryConfigurationService.java

[7]: https://github.com/apache/geode/blob/develop/geode-core/src/distributedTest/java/org/apache/geode/cache/query/internal/QueryConfigurationServiceConstraintsDistributedTest.java#L136-L143

Monika A

I thought to give it a try using gfsh; however, I am getting the below error. It seems like "alter query-service" is not supported. Could you please let me know if I am missing something?

Note: Connected to gfsh, and the jar is also deployed in the deploy directory.

Cluster-17 gfsh>alter query-service --method-authorizer=com.jpmc.cib.graphite.capture.store.gemfire.client.service.MethodInvocationAuthorizerImpl
Command 'alter query-service --method-authorizer com.jpmc.cib.graphite.capture.store.gemfire.client.service.MethodInvocationAuthorizerImpl' not found (for assistance press TAB)
Cluster-17 gfsh>alter
alter async-event-queue alter disk-store alter region alter runtime
Cluster-17 gfsh>
Juan Ramos

Hello Monika,


The alter query-service command was added in GemFire 9.10; maybe you're using an older version of VMware GemFire?

Best regards.

Monika A

We are using 9.9.1; it should be there, right?
Juan Ramos

Hello Monika,


As I stated previously, the feature was introduced in VMware GemFire 9.10. Since you're using 9.9, the answer would be no, the feature is not present in that version (9.10 is higher/more recent than 9.9).

Best regards.

Monika A

Yeah, I overlooked the version. Thank you for explaining.

Now, after upgrading to 9.10.0, I am able to run the MethodInvocationAuthorizer class. However, Pulse is not coming up with 9.10.0; it seems like it's not compatible with the spring-data-gemfire version that we are using (2.2.4).

Can you please suggest the compatible version?
Juan Ramos

Hello Monika,


Yes, that's expected, you can't just mix and match versions of VMware GemFire and Spring-Data-GemFire. Please have a look at the Spring Data for Pivotal GemFire Version Compatibility Matrix [1] and Spring Boot for Apache Geode and Pivotal GemFire Version Compatibility Matrix [2] for the supported combinations.

Best regards.


[1]: https://github.com/spring-projects/spring-data-gemfire/wiki/Spring-Data-for-Pivotal-GemFire-Version-Compatibility-Matrix

[2]: https://github.com/spring-projects/spring-boot-data-geode/wiki/Spring-Boot-for-Apache-Geode-and-Pivotal-GemFire-Version-Compatibility-Matrix#version-compatibility-matrix

Monika A
Thank you Juan for your response ☺
Monika A

Hi Juan,

Another query please: which property shall we use to persist the cluster configuration? Currently, after restarting the locator, we have to use the "alter query-service" command every time.

Thanks,
Monika
Juan Ramos

Hello Monika,


You don't have to set any specific property for this to work; the cluster configuration service is persisted by default, so all changes made by gfsh commands are automatically remembered.

Please have a look at Overview of the Cluster Configuration Service [1] for further details.

Best regards.


[1]: https://gemfire.docs.pivotal.io/910/geode/configuring/cluster_config/gfsh_persist.html