diff --git a/akka-docs/java/remoting.rst b/akka-docs/java/remoting.rst index 376eab2584..c4c5edee5f 100644 --- a/akka-docs/java/remoting.rst +++ b/akka-docs/java/remoting.rst @@ -294,3 +294,63 @@ which holds the transport used (RemoteTransport) and optionally the address that To intercept when an inbound remote client has been closed you listen to ``RemoteServerClientClosed`` which holds the transport used (RemoteTransport) and optionally the address of the remote client that was closed (Option
). +Remote Security +^^^^^^^^^^^^^^^ + +Akka provides a couple of ways to enhance security between remote nodes (client/server): + +* Untrusted Mode +* Security Cookie Handshake + +Untrusted Mode +-------------- + +You can enable untrusted mode for preventing system messages to be send by clients, e.g. messages like. +This will prevent the client to send these messages to the server: + +* ``Create`` +* ``Recreate`` +* ``Suspend`` +* ``Resume`` +* ``Terminate`` +* ``Supervise`` +* ``ChildTerminated`` +* ``Link`` +* ``Unlink`` + +Here is how to turn it on in the config:: + + akka { + actor { + remote { + untrusted-mode = on + } + } + } + +Secure Cookie Handshake +----------------------- + +Akka remoting also allows you to specify a secure cookie that will be exchanged and ensured to be identical +in the connection handshake between the client and the server. If they are not identical then the client +will be refused to connect to the server. + +The secure cookie can be any kind of string. But the recommended approach is to generate a cryptographically +secure cookie using this script ``$AKKA_HOME/scripts/generate_config_with_secure_cookie.sh`` or from code +using the ``akka.util.Crypt.generateSecureCookie()`` utility method. + +You have to ensure that both the connecting client and the server have the same secure cookie as well +as the ``require-cookie`` option turned on. + +Here is an example config:: + + akka { + actor { + remote { + netty { + secure-cookie = "090A030E0F0A05010900000A0C0E0C0B03050D05" + require-cookie = on + } + } + } + } diff --git a/akka-docs/scala/remoting.rst b/akka-docs/scala/remoting.rst index 88096d90d1..5b36226b24 100644 --- a/akka-docs/scala/remoting.rst +++ b/akka-docs/scala/remoting.rst 
@@ -301,3 +301,64 @@ which holds the transport used (RemoteTransport) and optionally the address that To intercept when an inbound remote client has been closed you listen to ``RemoteServerClientClosed`` which holds the transport used (RemoteTransport) and optionally the address of the remote client that was closed (Option[Address]). + +Remote Security +^^^^^^^^^^^^^^^ + +Akka provides a couple of ways to enhance security between remote nodes (client/server): + +* Untrusted Mode +* Security Cookie Handshake + +Untrusted Mode +-------------- + +You can enable untrusted mode for preventing system messages to be send by clients, e.g. messages like. +This will prevent the client to send these messages to the server: + +* ``Create`` +* ``Recreate`` +* ``Suspend`` +* ``Resume`` +* ``Terminate`` +* ``Supervise`` +* ``ChildTerminated`` +* ``Link`` +* ``Unlink`` + +Here is how to turn it on in the config:: + + akka { + actor { + remote { + untrusted-mode = on + } + } + } + +Secure Cookie Handshake +----------------------- + +Akka remoting also allows you to specify a secure cookie that will be exchanged and ensured to be identical +in the connection handshake between the client and the server. If they are not identical then the client +will be refused to connect to the server. + +The secure cookie can be any kind of string. But the recommended approach is to generate a cryptographically +secure cookie using this script ``$AKKA_HOME/scripts/generate_config_with_secure_cookie.sh`` or from code +using the ``akka.util.Crypt.generateSecureCookie()`` utility method. + +You have to ensure that both the connecting client and the server have the same secure cookie as well +as the ``require-cookie`` option turned on. + +Here is an example config:: + + akka { + actor { + remote { + netty { + secure-cookie = "090A030E0F0A05010900000A0C0E0C0B03050D05" + require-cookie = on + } + } + } + } 
diff --git a/akka-remote/src/main/resources/reference.conf b/akka-remote/src/main/resources/reference.conf
index 11a4da0711..97b85895ed 100644
--- a/akka-remote/src/main/resources/reference.conf
+++ b/akka-remote/src/main/resources/reference.conf
@@ -60,8 +60,8 @@ akka {
 # default is a TCP-based remote transport based on Netty
 transport = "akka.remote.netty.NettyRemoteTransport"
 
- # Enable untrusted mode for full security of server managed actors, allows
- # untrusted clients to connect.
+ # Enable untrusted mode for full security of server managed actors, prevents system messages to be send
+ # by clients, e.g. messages like 'Create', 'Suspend', 'Resume', 'Terminate', 'Supervise', 'Link' etc.
 untrusted-mode = off
 
 # Timeout for ACK of cluster operations, like checking actor out etc.
diff --git a/ls.sbt b/ls.sbt
index 83e5babc79..87e68ed303 100644
--- a/ls.sbt
+++ b/ls.sbt
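Review bot: The rewritten comment above `untrusted-mode = off` still promises "full security of server managed actors", which overstates what the rest of the sentence describes, namely rejecting system messages such as 'Create' or 'Terminate' sent by clients. The docs added in this same commit present the secure-cookie handshake as a separate mechanism, so a reader who turns on only this flag should not come away thinking peers are authenticated. I would drop the phrase and write `# Enable untrusted mode to prevent remote clients from sending system messages,` followed by `# e.g. 'Create', 'Suspend', 'Resume', 'Terminate', 'Supervise', 'Link'. Does not replace the secure-cookie handshake.` The rst examples place this key under `akka { actor { remote {`, while the nesting in this file lies outside the hunk; it is worth confirming the two agree, because a key at the wrong path would silently leave the default `off` in effect.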
@@ -1,13 +1,13 @@
-seq(lsSettings:_*)
+// seq(lsSettings:_*)
 
-(description in LsKeys.lsync) := "Akka is the platform for the next generation of event-driven, scalable and fault-tolerant architectures on the JVM."
+// (description in LsKeys.lsync) := "Akka is the platform for the next generation of event-driven, scalable and fault-tolerant architectures on the JVM."
 
-(homepage in LsKeys.lsync) := Some(url("http://akka.io"))
+// (homepage in LsKeys.lsync) := Some(url("http://akka.io"))
 
-(LsKeys.tags in LsKeys.lsync) := Seq("actors", "stm", "concurrency", "distributed", "fault-tolerance", "scala", "java", "futures", "dataflow", "remoting")
+// (LsKeys.tags in LsKeys.lsync) := Seq("actors", "stm", "concurrency", "distributed", "fault-tolerance", "scala", "java", "futures", "dataflow", "remoting")
 
-(LsKeys.docsUrl in LsKeys.lsync) := Some(url("http://akka.io/docs"))
+// (LsKeys.docsUrl in LsKeys.lsync) := Some(url("http://akka.io/docs"))
 
-(licenses in LsKeys.lsync) := Seq(("Apache 2", url("http://www.apache.org/licenses/LICENSE-2.0.html")))
+// (licenses in LsKeys.lsync) := Seq(("Apache 2", url("http://www.apache.org/licenses/LICENSE-2.0.html")))
 
-(externalResolvers in LsKeys.lsync) := Seq("Typesafe Releases" at "http://repo.typesafe.com/typesafe/releases")
+// (externalResolvers in LsKeys.lsync) := Seq("Typesafe Releases" at "http://repo.typesafe.com/typesafe/releases")
diff --git a/project/AkkaBuild.scala b/project/AkkaBuild.scala
index d216464fde..0dedada9f8 100644
--- a/project/AkkaBuild.scala
+++ b/project/AkkaBuild.scala
@@ -8,7 +8,6 @@ import sbt._
 import sbt.Keys._
 import com.typesafe.sbtmultijvm.MultiJvmPlugin
 import com.typesafe.sbtmultijvm.MultiJvmPlugin.{ MultiJvm, extraOptions, jvmOptions, scalatestOptions }
-import com.typesafe.schoir.SchoirPlugin.schoirSettings
 import com.typesafe.sbtscalariform.ScalariformPlugin
 import com.typesafe.sbtscalariform.ScalariformPlugin.ScalariformKeys
 import java.lang.Boolean.getBoolean
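Review bot: Every setting in ls.sbt is commented out rather than removed, and nothing in the hunk says why or under what condition it should come back; the `ls-sbt` plugin line in project/plugins.sbt gets the same treatment. Dead build configuration like this tends to be revived by uncommenting it without a fresh look, and the `externalResolvers` line it carries points at a plain `http://` repository URL. Either delete the file together with the plugin line, or put one explanatory line at the top, e.g. `// ls-sbt disabled: <reason>; re-enable together with the plugin in project/plugins.sbt`.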
@@ -79,7 +78,7 @@ object AkkaBuild extends Build { id = "akka-remote", base = file("akka-remote"), dependencies = Seq(actor, actorTests % "test->test", testkit % "test->test"), - settings = defaultSettings ++ multiJvmSettings ++ schoirSettings ++ Seq( + settings = defaultSettings ++ multiJvmSettings ++ Seq( libraryDependencies ++= Dependencies.remote, // disable parallel tests parallelExecution in Test := false, @@ -98,7 +97,7 @@ object AkkaBuild extends Build { id = "akka-cluster", base = file("akka-cluster"), dependencies = Seq(remote, remote % "test->test", testkit % "test->test"), - settings = defaultSettings ++ multiJvmSettings ++ schoirSettings ++ Seq( + settings = defaultSettings ++ multiJvmSettings ++ Seq( libraryDependencies ++= Dependencies.cluster, // disable parallel tests parallelExecution in Test := false, diff --git a/project/build.properties b/project/build.properties index f4ff7a5afa..d4287112c6 100644 --- a/project/build.properties +++ b/project/build.properties @@ -1 +1 @@ -sbt.version=0.11.2 +sbt.version=0.11.3 diff --git a/project/plugins.sbt b/project/plugins.sbt index 80ff9db95a..768904eacb 100644 --- a/project/plugins.sbt +++ b/project/plugins.sbt @@ -3,12 +3,10 @@ resolvers += Classpaths.typesafeResolver addSbtPlugin("com.typesafe.sbtmultijvm" % "sbt-multi-jvm" % "0.1.9") -addSbtPlugin("com.typesafe.schoir" % "schoir" % "0.1.2") - -addSbtPlugin("com.typesafe.sbtscalariform" % "sbtscalariform" % "0.3.1") +addSbtPlugin("com.typesafe.sbtscalariform" % "sbtscalariform" % "0.4.0") resolvers ++= Seq( "less is" at "http://repo.lessis.me", "coda" at "http://repo.codahale.com") -addSbtPlugin("me.lessis" % "ls-sbt" % "0.1.1") +// addSbtPlugin("me.lessis" % "ls-sbt" % "0.1.1")
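Review bot: In project/plugins.sbt the `ls-sbt` plugin is commented out, but the `"less is" at "http://repo.lessis.me"` resolver listed just above it stays active. Judging by the `me.lessis` group id, that resolver was presumably there only for this plugin; if so, it is now an unused third-party repository, reached over plain HTTP, that sbt may still consult when resolving build plugins such as the bumped `sbtscalariform` 0.4.0. I would comment out or remove that resolver in the same change, and check whether the `"coda"` entry is still needed by anything. That way the build resolves plugins only from repositories it actually depends on.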