CLI options to disable encryption and authentication to external Infinispan

[pruivo]

Description

In production, it is recommended to encrypt and authenticate the communication between the Keycloak server and the Infinispan server. However, in some environments, like development, proofs-of-concept, and demos, it is easier to deploy Keycloak + Infinispan without configuring users or TLS certificates.

The following options are proposed:

• cache-remote-tls-enabled -> defaults to true, set to false to allow plain text communication with an Infinispan Server without encryption configured.
• cache-remote-auth-enabled -> defaults to true, set to false to allow communication with an Infinispan server without security.

[ahus1]

@vmuzikar - We would like to see two additional options on the Quarkus CLI which would make it simpler for developers to develop changes, and also for users to try out those features in their local environment.

Could you please approve that those options are OK, and that the names align with the current ones? If that is the case, @pruivo will go ahead and create a PR.

Thanks!

[vmuzikar]

@ahus1 @pruivo Sorry for the late reply. Would it rather make sense to set this based on prod/dev profile (kc.sh start vs. kc.sh start-dev)? Alternatively, set this based on if TLS key/cert and/or auth creds were provided? Or a combination of these approaches: enforce setting TLS and auth in prod profile, dev would have it optional.

CC @keycloak/cloud-native

[pruivo]

I don't have a strong opinion on we should create CLI options to disable or make that decision based on tls/auth provided. The latter would make my life easier and avoid creating "too many" CLI options.

About the prod vs dev profile, the only use case where disabling this makes sense in prod is when Infinispan is running on a private datacenter/network as it won't make much sense to pay the cost of encrypting data.

[vmuzikar]

I think it all depends on whether we want to explicitly require setting TLS and auth for ISPN, how common is the non-TLS no-auth scenario. If we want to be really secure-by-default, we probably should have explicit options to disable TLS and auth.

the only use case where disabling this makes sense in prod is when Infinispan is running on a private datacenter/network as it won't make much sense to pay the cost of encrypting data.

That make sense. So let's not tie it to the dev profile.

[pruivo]

The Infinispan server defaults are

• TLS disabled
• Auth enabled

The non-TLS scenario is very useful for testing. In the feature that I'm developing, I'm disabling TLS using system properties: https://github.com/keycloak/keycloak/pull/28845/files#diff-15b16210d4c7b60aaf3ad0d7b19f1a2d6f31f487c1a02cdfa498bc0996e78578R52

You can argue that cache-remote-auth-enabled is redundant and we can enable auth when cache-remote-username or cache-remote-password is set. But, I vote to be secure by default and have options to disable it. I would be happy to hear the others' opinions.

[vmuzikar]

Ah, I realized now that we're talking specifically only about remote ISPN. In that case, the security really lies in the hands of the ISPN server, not Keycloak. From my perspective then we don't need explicit options to disable (validations of) TLS and auth. If it's specified, Keycloak will use it, otherwise it won't.

WDYT @pruivo @ahus1?

[pruivo]

@vmuzikar Just to clarify:

• Create a new option cache-remote-tls-enabled (or any other name) to enable/disable TLS. I don't have any way to tell if TLS is required or not.
• Make existing options cache-remote-username and cache-remote-password optional and, if present, enable authentication.

If my understanding is correct, 👍 from me.

[vmuzikar]

@pruivo Yes, that's 👍 from me too.