Authentication

Ampool supports LDAP or Kerberos authentication for a secured cluster; only one authentication mechanism can be enabled when starting a secured cluster. SSL is also supported to encrypt data sent over the wire.

Kerberos authentication

The following steps set up a secured cluster using Kerberos authentication for servers and clients.

Create service principal and keytab files

Create a service principal and the corresponding keytab file for the Ampool cluster on your KDC. Follow the steps on the KDC configuration page or your KDC's own documentation. Transfer the keytab file to all Ampool nodes.

Note

All cluster nodes use the same keytab file, holding the service principal.

Attention

Keytab files must not be copied to an insecure location or given insecure permissions (such as o+rwx). Restrict access to the user who will start the Ampool services, for example by making that user the owner and setting mode 600.

Create client/user principals and keytab files

Clients use a user principal and its keytab file to access the Ampool cluster. Create the user principals and the corresponding keytab files, following the steps on the KDC configuration page or your KDC's own documentation, and copy each keytab file to the client nodes that need it.

Attention

Keytab files must not be copied to an insecure location or given insecure permissions (such as o+rwx). Restrict access to the user account that runs the client.
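Both Attention notes above come down to one check: the keytab must be a regular file owned by the account that will run the process, with no permission bits for group or others. The following POSIX sh script is an added example (not part of Ampool or its documentation) that performs that check before a locator, server or client is started. It assumes only standard ls, cut, awk and id; if you pass a principal name as the third argument and MIT Kerberos klist is installed, it also confirms that the keytab actually contains that principal.

```shell
#!/bin/sh
# Added pre-flight check (example code, not part of Ampool): verify a keytab
# before a locator, server or client is started with it. It confirms the file
# is a regular file, is owned by the account that will run the process, and
# grants no permission bits to group or others. Optionally, when a principal
# name is given and MIT Kerberos klist is installed, it also confirms the
# keytab actually contains that principal. Uses only POSIX ls/cut/awk/id.

# check_keytab <keytab-path> [expected-uid] [principal]
# Prints a reason on failure; returns 0 when the keytab is safe to use.
check_keytab() {
    keytab=$1
    uid_expected=${2:-$(id -u)}
    principal=$3

    if [ ! -f "$keytab" ]; then
        echo "FAIL: $keytab is not a regular file"
        return 1
    fi

    # ls -lnd prints e.g. "-rw------- 1 1001 1001 1234 Jun 21 10:00 svc.keytab"
    listing=$(ls -lnd "$keytab")
    mode=$(printf '%s\n' "$listing" | cut -c1-10)       # e.g. -rw-------
    uid=$(printf '%s\n' "$listing" | awk '{print $3}')
    group_other=$(printf '%s\n' "$mode" | cut -c5-10)   # chars 5..10 = group+other bits

    if [ "$uid" != "$uid_expected" ]; then
        echo "FAIL: $keytab is owned by uid $uid, expected uid $uid_expected"
        return 1
    fi
    case $group_other in
        ------) ;;   # no group/other access at all: good
        *) echo "FAIL: $keytab is accessible to others ($mode); fix with: chmod 600 $keytab"
           return 1 ;;
    esac
    # "klist -k" is the MIT Kerberos syntax for listing keytab entries.
    if [ -n "$principal" ] && command -v klist >/dev/null 2>&1; then
        if ! klist -k "$keytab" 2>/dev/null | grep -F -q -- "$principal"; then
            echo "FAIL: $keytab does not contain principal $principal"
            return 1
        fi
    fi
    echo "OK: $keytab (mode $mode, uid $uid)"
    return 0
}

# Demo on constructed files: the contents are not real keytabs, only the
# permission bits matter here. Returns 0 when every check behaves as expected.
demo_keytab_checks() {
    tmpdir=$(mktemp -d)
    printf 'not a real keytab\n' > "$tmpdir/bad.keytab";  chmod 644 "$tmpdir/bad.keytab"
    printf 'not a real keytab\n' > "$tmpdir/good.keytab"; chmod 600 "$tmpdir/good.keytab"
    if check_keytab "$tmpdir/bad.keytab";  then bad_rc=0;  else bad_rc=1;  fi   # world-readable
    if check_keytab "$tmpdir/good.keytab"; then good_rc=0; else good_rc=1; fi   # owner-only
    if check_keytab "$tmpdir/none.keytab"; then none_rc=0; else none_rc=1; fi   # missing file
    rm -rf "$tmpdir"
    [ "$bad_rc" -eq 1 ] && [ "$good_rc" -eq 0 ] && [ "$none_rc" -eq 1 ]
}

demo_keytab_checks
```

Source the file and call check_keytab, as the account that will start the process, with the path from security-kerberos-service-keytab-path (or, on a client, the keytab path given as security-password); a non-zero exit means the keytab should not be used until its ownership or mode is fixed.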

Start secured locator

Create a properties file, e.g. "securedlocator.properties", with the following properties:

security-manager=io.ampool.security.AmpoolSecurityManager
security-peer-auth-init=io.ampool.security.AmpoolAuthInitClient.create
security-enable-kerberos-authc=true
security-kerberos-service-principal=<ampool service principal>
security-kerberos-service-keytab-path=<path to keytab file for ampool service principal>

Start the locator from mash using the "securedlocator.properties" file:

mash>start locator --name=locator --security-properties-file=securedlocator.properties

Start secured server

Create a properties file, e.g. "securedserver.properties", with the following properties:

security-manager=io.ampool.security.AmpoolSecurityManager
security-enable-kerberos-authc=true
security-peer-auth-init=io.ampool.security.AmpoolAuthInitClient.create
security-kerberos-service-principal=<ampool service principal>
security-kerberos-service-keytab-path=<path to keytab file for ampool service principal>

Start the server from mash using the "securedserver.properties" file, connecting to the secured locator:

mash>start server --name=server --locators=localhost[10334] --security-properties-file=securedserver.properties

Connect to secured cluster from MASH

Create a properties file, e.g. "securedclient.properties", with the following properties (for Kerberos, security-password holds the path to the user's keytab file, not a password):

security-enable-kerberos-authc=true
security-kerberos-service-principal=<ampool service principal>
security-username=<user principal>
security-password=<path to user keytab file>

Connect to the Ampool cluster using the "securedclient.properties" file:

mash>connect --locator=localhost[10334] --security-properties-file=securedclient.properties

Connect to secured cluster from Java Client

Define the following properties in the Java client code and pass them to AmpoolClient:

Property                             Details
security-enable-kerberos-authc       Enable Kerberos authentication (true)
security-client-auth-init            Client-side authentication implementation (io.ampool.security.AmpoolAuthInitClient.create)
security-kerberos-service-principal  Ampool service principal
security-username                    User principal
security-password                    Path to the user's keytab file

Example:

import java.util.Properties;

// Kerberos client configuration. Note that "security-password" carries the
// path to the user's keytab file, not a password.
final int locatorPort = 10334;
Properties securedClientProps = new Properties();
securedClientProps.setProperty("security-enable-kerberos-authc", "true");
securedClientProps.setProperty("security-client-auth-init", "io.ampool.security.AmpoolAuthInitClient.create");
securedClientProps.setProperty("security-kerberos-service-principal", "<service principal of the Ampool cluster>");
securedClientProps.setProperty("security-username", "<user principal>");
securedClientProps.setProperty("security-password", "<path to the user's keytab file>");
final AmpoolClient ampoolClient = new AmpoolClient("localhost", locatorPort, securedClientProps);

LDAP authentication

The following steps set up a secured cluster using LDAP authentication for servers and clients.

Start secured locator

Create a properties file, e.g. "securedlocator.properties", with the following properties:

security-enable-ldap-authc=true
security-ldap-server=<ldapserver:port>
security-ldap-basedn=<ldapbasedn>
security-manager=io.ampool.security.AmpoolSecurityManager

Start the locator from mash using the "securedlocator.properties" file:

mash>start locator --name=locator --security-properties-file=securedlocator.properties

Start secured server

Create a properties file, e.g. "securedserver.properties", with the following properties (the LDAP user and password are the credentials the server presents when joining the cluster):

security-enable-ldap-authc=true
security-ldap-server=<ldapserver:port>
security-ldap-basedn=<ldapbasedn>
security-username=<ldapuser>
security-password=<password>

Start the server from mash using the "securedserver.properties" file and the secured locator details:

mash>start server --name=server --locators=localhost[10334] --security-properties-file=securedserver.properties

Connect to secured cluster from MASH

Create a properties file, e.g. "securedclient.properties", with the following properties:

security-username=<ldap username>
security-password=<password>

Connect to the Ampool cluster using the "securedclient.properties" file and the secured locator:

mash>connect --locator=localhost[10334] --security-properties-file=securedclient.properties

Connect to secured cluster from Java Client

Set the following properties in the Java client and pass them when creating the AmpoolClient:

import java.util.Properties;

// LDAP client configuration. The constants stand for the same string keys
// used in the mash properties file above: DistributionConfig.SECURITY_CLIENT_AUTH_INIT_NAME
// is "security-client-auth-init", USER_NAME is "security-username" and
// PASSWORD is "security-password".
final int locatorPort = 10334;
Properties securedClientProps = new Properties();
securedClientProps.setProperty(DistributionConfig.SECURITY_CLIENT_AUTH_INIT_NAME,
        "io.ampool.security.AmpoolAuthInitClient.create");
securedClientProps.setProperty(USER_NAME, "<ldap username>");
securedClientProps.setProperty(PASSWORD, "<password>");

final AmpoolClient ampoolClient = new AmpoolClient("localhost", locatorPort, securedClientProps);

Securing the communications using SSL

Ampool can use SSL to secure data sent over the wire when the different entities (clients, servers, locators, etc.) talk to each other.

Configuring

SSL Components

There are multiple types of component communication in an Ampool distributed system, and SSL can be enabled or disabled for each of them. The following table lists the keywords and the type of component communication each applies to:

Keyword   Component communication
cluster   Peer-to-peer communication between the cluster members, i.e. servers and locators
web       All web-based services, i.e. REST APIs and Pulse
jmx       mash CLI communication when connected via JMX
locator   Communication with and between the locators
server    Communication between clients and servers
all       All of the above

When SSL is enabled for a communication channel it applies to both endpoints; for example, if you enable SSL on the servers, then every client connecting to those servers must also use SSL.

SSL Properties

The following properties configure SSL behavior. Each entry lists the property, what it does, its valid values and its default.

ssl-enabled-components
    Details: Components for which SSL is enabled.
    Valid values: comma-separated list of components, or "all"
    Default: none

ssl-require-authentication
    Details: Require mutual (two-way) SSL authentication. Does not apply to the web component; see ssl-web-require-authentication.
    Valid values: true/false
    Default: true

ssl-web-require-authentication
    Details: Require mutual SSL authentication for the web component.
    Valid values: true/false
    Default: false

ssl-default-alias
    Details: Alias of the certificate to use when the keystore holds more than one certificate.
    Valid values: a single certificate alias from the keystore
    Default: the first certificate in the keystore

ssl-<component>-alias
    Details: Each communication channel can be configured with a different certificate using this property; the format is ssl-<name of the component>-alias. When set, it overrides ssl-default-alias for that component.
    Valid values: a single certificate alias from the keystore
    Default: none

ssl-ciphers
    Details: Comma-separated list of SSL ciphers to use for SSL communication.
    Valid values: a list of allowed ciphers, or "any"
    Default: any

ssl-keystore
    Details: Path to the SSL keystore to use.
    Valid values: string
    Default: none

ssl-keystore-password
    Details: Keystore password.
    Valid values: string
    Default: none

ssl-truststore
    Details: Path to the SSL truststore to use.
    Valid values: string
    Default: none

ssl-truststore-password
    Details: Truststore password.
    Valid values: string
    Default: none

ssl-keystore-type
    Details: Type of keystore. If none is specified and the component has an attached console, the user is prompted to enter the keystore type.
    Valid values: JKS/jks
    Default: jks

Example

This section shows a sample SSL setup that uses a single keystore for all components.

Create the keystore and certificates

Use the Java keytool(1) command to generate a keystore. Pass the key algorithm explicitly (for example -keyalg RSA -keysize 2048); older keytool releases default to DSA when -keyalg is omitted. Passing -keypass and -storepass on the command line leaves the secret in shell history and process listings; omit them to be prompted interactively instead.

$ keytool -genkeypair -alias ampool -dname "CN=ampool" -validity 365 -keypass secret -keystore ./ampool.keystore -storepass secret -storetype JKS
$ keytool -list -keystore ampool.keystore -storepass secret

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

ampool, Jun 21, 2017, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 35:40:7B:79:AC:77:98:53:72:25:67:7D:77:B0:ED:6A:B0:0F:EC:10

Define properties

$ cat ampool.properties 
ssl-enabled-components=all

$ cat /home/ampool/security.properties
ssl-enabled-components=all
ssl-keystore=/home/ampool/ampool.keystore
ssl-keystore-password=secret
ssl-truststore=/home/ampool/ampool.keystore
ssl-truststore-password=secret
ssl-keystore-type=JKS

Start the locator and server

mash>start locator --name=L1 --properties-file=/home/ampool/ampool.properties --security-properties-file=/home/ampool/security.properties
mash>start server --name=server1 --properties-file=/home/ampool/ampool.properties --security-properties-file=/home/ampool/security.properties --
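The sample security.properties above stores the keystore and truststore passwords in plaintext and reuses the keystore as its own truststore, which works only because every member and client is handed the identical self-signed keystore. The following POSIX sh script is an added example (not Ampool's own tooling) that lints such a file against the property table above before it is passed to --security-properties-file. It assumes nothing beyond sed, tr and mktemp, uses only property names from the table, and the severity it assigns to each finding is its own judgement.

```shell
#!/bin/sh
# Added example (not Ampool's own code): lint a security.properties file for the
# SSL settings described above before passing it to --security-properties-file.
# Property names and defaults come from the table above; the severity assigned
# to each finding is this script's own judgement.

# prop <file> <key>: print the value of "key=value" (first match, trimmed).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# lint_ssl_properties <file>
# Prints one line per finding. Exit status = number of FAIL/WARN findings
# (INFO lines are advisory and not counted), so 0 means nothing to fix.
lint_ssl_properties() {
    f=$1
    n=0
    components=$(prop "$f" ssl-enabled-components | tr -d ' ')
    keystore=$(prop "$f" ssl-keystore)
    truststore=$(prop "$f" ssl-truststore)
    require_auth=$(prop "$f" ssl-require-authentication)
    ciphers=$(prop "$f" ssl-ciphers)
    kstype=$(prop "$f" ssl-keystore-type)

    if [ -z "$components" ]; then
        echo "FAIL: ssl-enabled-components is not set, so no channel is encrypted"
        n=$((n + 1))
    else
        # "all" or an explicit "cluster" covers peer traffic; anything else
        # leaves server<->locator peer communication in the clear.
        case ",$components," in
            *,all,*|*,cluster,*) ;;
            *) echo "WARN: ssl-enabled-components=$components leaves peer (cluster) traffic unencrypted"
               n=$((n + 1)) ;;
        esac
    fi
    if [ -z "$keystore" ] || [ -z "$truststore" ]; then
        echo "FAIL: both ssl-keystore and ssl-truststore must be set"
        n=$((n + 1))
    fi
    if [ "$require_auth" = "false" ]; then
        echo "WARN: ssl-require-authentication=false disables mutual authentication (default is true)"
        n=$((n + 1))
    fi
    case ${ciphers:-any} in
        any) echo "INFO: ssl-ciphers is 'any' (the default): the JVM's cipher suite list is used" ;;
    esac
    if [ -n "$keystore" ] && [ "$keystore" = "$truststore" ]; then
        echo "INFO: keystore doubles as truststore: every member and client needs this identical file"
    fi
    if [ -z "$kstype" ]; then
        echo "INFO: ssl-keystore-type not set: a member with an attached console will be prompted for it"
    fi
    # The file carries plaintext passwords; keep it readable by the service user only.
    return "$n"
}

# Demo on two constructed files: a copy of the security.properties shown on
# this page, and a weakened variant.
demo_ssl_lint() {
    d=$(mktemp -d)
    cat > "$d/page.properties" <<'EOF'
ssl-enabled-components=all
ssl-keystore=/home/ampool/ampool.keystore
ssl-keystore-password=secret
ssl-truststore=/home/ampool/ampool.keystore
ssl-truststore-password=secret
ssl-keystore-type=JKS
EOF
    cat > "$d/weak.properties" <<'EOF'
ssl-enabled-components=server,locator
ssl-keystore=/home/ampool/ampool.keystore
ssl-keystore-password=secret
ssl-require-authentication=false
EOF
    for f in "$d/page.properties" "$d/weak.properties"; do
        echo "== $f"
        if lint_ssl_properties "$f"; then echo "-> nothing to fix"; else echo "-> $? finding(s)"; fi
    done
    rm -rf "$d"
}

demo_ssl_lint
```

Because the file carries passwords, keep it owned by the service user with mode 600, the same rule as for keytab files. In production, pin ssl-ciphers to a vetted list rather than leaving it at any, keep ssl-require-authentication at its default of true so that both ends present a certificate, and prefer a truststore holding a CA certificate over shipping one self-signed keystore to every node.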