
I run Hazelcast 3.4 in a two-machine cluster. In order to sync their content I have them connected over the network. Now I am searching for a means to prevent unwanted write and, if possible, read access to either of them. Security is only available in the Enterprise Edition and as far as I know groups only prevent other Hazelcast servers from joining the cluster.

Is it possible to have the two servers sync over the network but prevent others from simply connecting to port 5701 and reading / writing?

If this information helps to narrow down the problem: I just use the JCache features of Hazelcast, so I only need to protect that part. Setting up a firewall configuration that allows ServerA<->ServerB and prevents viciousUser<->ServerN is not possible because I am not allowed to configure firewalls on the servers (don't ask why ;-))

Marged

2 Answers

This fine control is not possible. So it is an all-or-nothing situation. The groups can indeed be used to control the all or nothing.

And unfortunately this functionality is only available in Enterprise. But... you can always wrap the IMap and add your own security layer. So something like:

IMap map = securityDecorator.newMap(hz.getMap("yourmap"));

Although one can still mess around with the original proxy of course.

pveentjer
  • I suppose that JCache will not allow me to "manipulate" the way the IMap is accessed. But I think I did not get the basic concept of your idea (read: where the security layer comes in); perhaps you can spend some more words to explain? – Marged Jan 19 '15 at 20:25
  • It is just an application of the proxy design pattern, where you add a security proxy around an interface. For JCache we have an interface as well, ICache. So you could create your security decorator for the ICache to add some form of security to it. – pveentjer Jan 21 '15 at 07:13
  • "This fine control is not possible. So it is an all or nothing situation." > Is this a general statement for Hazelcast or only valid for Hazelcast Community? Is this possible in Hazelcast Enterprise? – gammay Oct 15 '15 at 08:45
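As an added example (not code from the answer above or from Hazelcast), this is one way to build the security proxy pveentjer describes using java.lang.reflect.Proxy, so the same decorator wraps any interface-typed object, IMap or ICache alike; the per-thread role source and the java.util.concurrent.ConcurrentMap used in place of the real Hazelcast map are assumptions.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/** Security decorator for any interface-typed cache (IMap, ICache, javax.cache.Cache ...):
 *  a dynamic proxy that lets mutating methods through only when the caller holds WRITE. */
public final class CacheSecurityDecorator {
    public enum Role { READ, WRITE }

    // Assumption: these names cover the IMap/ICache write surface you use; extend as needed.
    private static final Set<String> WRITE_METHODS = Set.of(
            "put", "putAll", "putIfAbsent", "putAsync", "set", "replace", "remove", "removeAll",
            "removeAsync", "delete", "clear", "evict", "evictAll", "getAndPut", "getAndRemove",
            "getAndReplace", "invoke", "invokeAll", "destroy", "lock", "unlock");

    // Caller role per thread; a real deployment derives it from the authenticated principal
    // (assumption: stand-in for e.g. a JAAS Subject). Default is read-only.
    private static final ThreadLocal<Role> CALLER_ROLE = ThreadLocal.withInitial(() -> Role.READ);

    public static void setCallerRole(Role role) { CALLER_ROLE.set(role); }

    /** Returns a proxy of iface that delegates to target, refusing writes for READ callers. */
    public static <T> T protect(Class<T> iface, T target) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (WRITE_METHODS.contains(method.getName()) && CALLER_ROLE.get() != Role.WRITE) {
                throw new SecurityException("write access denied: " + method.getName());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the target's own exception, not the reflection wrapper
            }
        };
        return iface.cast(Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, handler));
    }

    @SuppressWarnings("unchecked")
    public static void main(String[] args) {
        // Assumption: ConcurrentMap stands in for hz.getMap("yourmap") or the JCache ICache.
        ConcurrentMap<String, String> guarded = protect(ConcurrentMap.class, new ConcurrentHashMap<>());
        setCallerRole(Role.WRITE);
        guarded.put("k", "v");                         // allowed
        setCallerRole(Role.READ);
        System.out.println(guarded.get("k"));          // reads still pass
        try { guarded.remove("k"); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

As the answer itself notes, this only constrains callers that go through the decorated reference inside your own JVM; anything that holds the original proxy or talks to the member on port 5701 directly is unaffected.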

I had the exact same problem. But I think the groups should solve it:

This works for version 3.4:

When you configure your nodes with a GroupConfig object and pass it the parameters name and password like this:

import com.hazelcast.config.Config;
import com.hazelcast.config.GroupConfig;

Config config = new Config();
GroupConfig group = new GroupConfig(groupName, grouppassword); // groupName and grouppassword are your own String values
config.setGroupConfig(group);

and try to connect with a simple client (I used the one which comes with the complete package in the "demo" folder in v3.4), I'll get:

INFORMATION: [x.x.x.x]:5701 [group1] [3.4] Accepting socket connection from /127.0.0.1:57136
Feb 18, 2015 10:26:41 AM com.hazelcast.nio.tcp.TcpIpConnectionManager
INFORMATION: [x.x.x.x]:5701 [group1] [3.4] Established socket connection between /127.0.0.1:5701 and 127.0.0.1/127.0.0.1:57136
Feb 18, 2015 10:26:41 AM com.hazelcast.client.impl.client.AuthenticationRequest
WARNUNG: [x.x.x.x]:5701 [group1] [3.4] Received auth from Connection [/127.0.0.1:5701 -> 127.0.0.1/127.0.0.1:57136], endpoint=null, live=true, type=JAVA_CLIENT, authentication failed
Feb 18, 2015 10:26:41 AM com.hazelcast.nio.tcp.TcpIpConnection
INFORMATION: [x.x.x.x]:5701 [group1] [3.4] Connection [127.0.0.1/127.0.0.1:57136] lost. Reason: java.io.EOFException[Remote socket closed!]
Feb 18, 2015 10:26:41 AM com.hazelcast.nio.tcp.ReadHandler
WARNUNG: [x.x.x.x]:5701 [group1] [3.4] hz._hzInstance_1_group1.IO.thread-in-1 Closing socket to endpoint null, Cause:java.io.EOFException: Remote socket closed!

The first WARNUNG (sorry, German dev environment ;-) ) clearly says the auth failed, closes the connection and the client dies, which prevents read/write access to the group and should solve your problem, and mine too.

raptaML
  • I know this is an old question; however, for the benefit of people looking for this in later versions of Hazelcast, the 'group password' feature was not intended for security purposes. To avoid the confusion, it was removed starting in v3.8.2. More details here - https://github.com/hazelcast/hazelcast/issues/11667#issuecomment-422670245 – ramtech Sep 20 '18 at 04:12