From c11b5e084a03f0c6f0b8289a7f26472229337adc Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Tue, 28 May 2024 10:11:25 -0400 Subject: [PATCH] docs(credentials): remove references to Session credentials storage (#182) --- .../configure-credentials-storage.md | 62 ------------------- guides/_subsections/store-credentials.md | 20 ++---- guides/index.md | 2 - 3 files changed, 4 insertions(+), 80 deletions(-) delete mode 100644 guides/_subsections/configure-credentials-storage.md diff --git a/guides/_subsections/configure-credentials-storage.md b/guides/_subsections/configure-credentials-storage.md deleted file mode 100644 index 09a9c741..00000000 --- a/guides/_subsections/configure-credentials-storage.md +++ /dev/null @@ -1,62 +0,0 @@ -## [Configure Credentials Storage](#configure-credentials-storage) - -Target **JVM** applications may require **Cryostat** to pass an authentication -challenge before being able to communicate over **JMX** or `HTTP` and manage **JFR**. - -**Cryostat** has two supported mechanisms for these Credentials: - -
    -
  1. - Credentials Keyring: see Store Credentials - for more detail. This mechanism entails uploading a Credentials definition - to the Cryostat backend's encrypted Keyring storage. Cryostat automatically - checks the Keyring for Credentials matching a target application when a - request to that application is opened. If no Credentials are found, - Cryostat responds to the requesting client with a response indicating the - authentication failure. The Cryostat Web UI then prompts the user for - Credentials. If Credentials are entered on the prompt, they will also be - stored in this same encrypted Keyring. - - Credentials entered in the Store Credentials - table are always stored in the server's encrypted Keyring. - Additionally, Cryostat Agent HTTP Credentials are always stored in the - same encrypted Keyring. -
    2. -
  2. - Web Session: This mechanism entails holding Credentials only in the - Cryostat Web UI's currently active session memory. Whenever the Cryostat - Web UI makes a request to the Cryostat server, it includes the relevant JMX - Credential in an X-JMX-Authorization header, which the server reads - and passes through to the target application. In this scheme, the Cryostat - server does not store nor persist the Credentials in any way - they are only - held in server memory long enough to complete the current request, then - are dropped. If the server sees this header on a request it will not - check its encrypted Credentials Keyring for any other Credentials matching - the target application, so this mechanism and header can also be used to - override the Keyring stored Credentials. -
    3. -
- -Now that you understand the difference, let's continue to see how you can -configure the **Cryostat Web** UI to use one or the other when you complete an -Authentication prompt. - -
    -
  1. - {% include_relative _subsections/common/navigate-to-settings.md %} -
    2. -
  2. - {% include howto_step.html - summary="Locate the Credentials Storage Setting" - image-name="3.0.0/credentials-setting.png" - text=" - This setting contains a brief explanation of its purpose and a simple - dropdown menu with selections for where any Credentials entered into an - Authentication Required challenge modal will be stored. Choose - Session (Browser Memory) to use the header passthrough mechanism - described above, or choose Backend to automatically store the - Credentials in the Cryostat server Keyring. - " - %} -
    3. -
diff --git a/guides/_subsections/store-credentials.md b/guides/_subsections/store-credentials.md index bbbed860..cbe8f630 100644 --- a/guides/_subsections/store-credentials.md +++ b/guides/_subsections/store-credentials.md @@ -1,15 +1,7 @@ ## [Store Credentials](#store-credentials) If you have Java Management Extensions **(JMX)** or `HTTP` authentication enabled on your containerized **JVMs**, **Cryostat** will prompt you to enter your credentials -before it can access the **JDK** `Flight Recordings` on your `target` **JVMs**. You can -Configure Credentials Storage and -choose whether these credentials are held in browser memory for the current -session only, or if they are uploaded to **Cryostat's** `Credentials Keyring`. The -following instructions are only applicable to `Credentials Keyring` storage. - -**Note**: for the best experience, it is recommended that you should use the -`Backend` **JMX** `Credentials Keyring` and choose a strong `Keyring` password when -deploying the server. +before it can access the **JDK** `Flight Recordings` on your `target` **JVMs**.
  1. @@ -79,13 +71,9 @@ deploying the server. Alternatively, credentials may also be stored if you navigate to either the Recordings tab or the Events tab and select a target JVM with authentication enabled. The authentication form will appear, - prompting you to enter your credentials. If you have - configured Backend Credentials Storage, - then a new credential definition with the provided username and - password will be stored for this specific target application in the - Cryostat Keyring. If you have configured credentials with the - Session option then these entered credentials will not be - stored in the Cryostat keyring. + prompting you to enter your credentials. A new credential definition with the provided + username and password will be stored for this specific target application + in the Cryostat Keyring. " %}
    2. diff --git a/guides/index.md b/guides/index.md index ebbe6834..b2843a48 100644 --- a/guides/index.md +++ b/guides/index.md @@ -43,8 +43,6 @@ common actions and workflows of interest and why they are useful. {% include_relative _subsections/store-credentials.md %} -{% include_relative _subsections/configure-credentials-storage.md %} - {% include_relative _subsections/add-a-trusted-certificate.md %} {% include_relative _subsections/create-an-automated-rule.md %}