diff --git a/.github/workflows/maven-pr-builder.yaml b/.github/workflows/maven-pr-builder.yaml
new file mode 100644
index 000000000..e899a489d
--- /dev/null
+++ b/.github/workflows/maven-pr-builder.yaml
@@ -0,0 +1,32 @@
+name: Compile Java source files
+
+on:
+ pull_request:
+ branches:
+ - main
+ paths:
+ - '**/*.java'
+ - 'pom.xml'
+ - 'docs/antora.yml'
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+ cache: 'maven'
+ server-id: snapshot-internal
+ server-username: MAVEN_USERNAME
+ server-password: MAVEN_PASSWORD
+ - name: Maven compile
+ run: |
+ HZ_VERSION=$(grep full-version docs/antora.yml|sed "s/.*:[ ]*'\(.*\)'/\1/")
+ mvn test "-Dhazelcast.version=$HZ_VERSION"
+ env:
+ MAVEN_USERNAME: ${{ secrets.JFROG_USERNAME }}
+ MAVEN_PASSWORD: ${{ secrets.JFROG_PASSWORD }}
diff --git a/.gitignore b/.gitignore
index 584542984..3c2fd1beb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,5 @@ package-lock.json
 .project
 .settings/
 .vscode/settings.json
+/target/
+.classpath
diff --git a/docs/modules/ROOT/examples/dds/map/Employee.java b/docs/modules/ROOT/examples/dds/map/Employee.java
index 0bc2213e8..1f3579bdc 100644
--- a/docs/modules/ROOT/examples/dds/map/Employee.java
+++ b/docs/modules/ROOT/examples/dds/map/Employee.java
@@ -1,7 +1,9 @@
+import com.hazelcast.core.HazelcastJsonValue;
+
 //tag::emp[]
 public class Employee {
 public static HazelcastJsonValue asJson(String surname) {
 return new HazelcastJsonValue("{ \"surname\": \"" + surname + "\" }");
 }
 }
-//end::emp[]
\ No newline at end of file
+//end::emp[]
diff --git a/docs/modules/ROOT/examples/dds/map/ListenerWithPredicate.java b/docs/modules/ROOT/examples/dds/map/ListenerWithPredicate.java
index 87fa097c7..574128ca7 100644
--- a/docs/modules/ROOT/examples/dds/map/ListenerWithPredicate.java
+++ b/docs/modules/ROOT/examples/dds/map/ListenerWithPredicate.java
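Review bot: The job runs with the default GITHUB_TOKEN scopes and pins its actions only by floating major tag (`actions/checkout@v3` next to `actions/setup-java@v4`); add a top-level `permissions:` / `  contents: read` block, and consider pinning both actions to a full commit SHA with the tag in a trailing comment so a republished tag cannot change what the PR builder executes. Because the trigger is `pull_request`, `secrets.JFROG_USERNAME` and `secrets.JFROG_PASSWORD` are not passed to runs coming from forked repositories, so setup-java will write empty `snapshot-internal` credentials and `mvn test` will presumably fail for external contributors if anything resolves from that server; either document that expectation or make the server configuration conditional. The step is named "Maven compile" but runs `mvn test`; rename the step or switch to `mvn compile` if a compile-only check is the intent.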
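Review bot: `asJson` (a context line of this hunk) builds the JSON document by concatenating `surname` into a string literal, so a value containing a double quote or a backslash yields a malformed `HazelcastJsonValue`; the added import makes the snippet compile but leaves that as-is. Since this is a documentation example, at minimum add a comment above the return such as `// Demo only: surname is inserted unescaped; do not pass untrusted input.`, or escape quotes and backslashes before concatenating.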
@@ -2,6 +2,7 @@ import com.hazelcast.core.EntryEvent; import com.hazelcast.core.Hazelcast; import com.hazelcast.core.HazelcastInstance; +import com.hazelcast.core.HazelcastJsonValue; import com.hazelcast.map.IMap; import com.hazelcast.map.listener.EntryAddedListener; import com.hazelcast.map.listener.EntryRemovedListener; @@ -41,4 +42,4 @@ public void entryUpdated(EntryEvent event) { } } } -//end::lwp[] \ No newline at end of file +//end::lwp[] diff --git a/docs/modules/ROOT/examples/dds/map/Modify.java b/docs/modules/ROOT/examples/dds/map/Modify.java deleted file mode 100644 index e10ae8160..000000000 --- a/docs/modules/ROOT/examples/dds/map/Modify.java +++ /dev/null @@ -1,21 +0,0 @@ -import com.hazelcast.config.Config; -import com.hazelcast.core.Hazelcast; -import com.hazelcast.core.HazelcastInstance; -import com.hazelcast.map.IMap; - -//tag::modify[] -public class Modify { - - public static void main(String[] args) { - Config config = new Config(); - config.setProperty("hazelcast.map.entry.filtering.natural.event.types", "true"); - HazelcastInstance hz = Hazelcast.newHazelcastInstance(config); - IMap map = hz.getMap("map"); - - map.put("1", new Employee("smith")); - map.put("2", new Employee("jordan")); - System.out.println("done"); - System.exit(0); - } -} -//end::modify[] \ No newline at end of file diff --git a/docs/modules/ROOT/examples/dds/map/Supplement.java b/docs/modules/ROOT/examples/dds/map/Supplement.java index 56f7bcd57..6e840d363 100644 --- a/docs/modules/ROOT/examples/dds/map/Supplement.java +++ b/docs/modules/ROOT/examples/dds/map/Supplement.java @@ -1,3 +1,5 @@ +package dds.map; + import java.io.Serializable; @@ -18,4 +20,4 @@ public String getName() { public Integer getPrice() { return price; } -} \ No newline at end of file +} diff --git a/docs/modules/ROOT/examples/dds/map/YourMapStoreImplementation.java b/docs/modules/ROOT/examples/dds/map/YourMapStoreImplementation.java index 06ec3f58a..6c3016432 100644 
--- a/docs/modules/ROOT/examples/dds/map/YourMapStoreImplementation.java +++ b/docs/modules/ROOT/examples/dds/map/YourMapStoreImplementation.java @@ -1,3 +1,5 @@ +package dds.map; + import com.hazelcast.core.HazelcastInstance; import com.hazelcast.map.MapLoaderLifecycleSupport; import com.hazelcast.map.MapStore; @@ -106,4 +108,4 @@ public void delete(String key) { public void deleteAll(Collection keys) { this.collection.deleteMany(in("_id", keys)); } -} \ No newline at end of file +} diff --git a/docs/modules/ROOT/examples/dds/queue/ConsumerMember.java b/docs/modules/ROOT/examples/dds/queue/ConsumerMember.java index 4e47e0953..d70bf1b48 100644 --- a/docs/modules/ROOT/examples/dds/queue/ConsumerMember.java +++ b/docs/modules/ROOT/examples/dds/queue/ConsumerMember.java @@ -7,17 +7,17 @@ public class ConsumerMember { public static void main( String[] args ) throws Exception { HazelcastInstance hz = Hazelcast.newHazelcastInstance(); - IQueue queue = hz.getQueue( "queue" ); <1> + IQueue queue = hz.getQueue( "queue" ); // <1> while ( true ) { - int item = queue.take(); <2> + int item = queue.take(); // <2> System.out.println( "Consumed: " + item ); if ( item == -1 ) { queue.put( -1 ); break; } - Thread.sleep( 5000 ); <3> + Thread.sleep( 5000 ); // <3> } System.out.println( "Consumer Finished!" ); } } -//end::consumer[] \ No newline at end of file +//end::consumer[] diff --git a/docs/modules/ROOT/examples/dds/queue/ProducerMember.java b/docs/modules/ROOT/examples/dds/queue/ProducerMember.java index 78103ace7..802e32155 100644 --- a/docs/modules/ROOT/examples/dds/queue/ProducerMember.java +++ b/docs/modules/ROOT/examples/dds/queue/ProducerMember.java 
@@ -7,9 +7,9 @@ public class ProducerMember { public static void main( String[] args ) throws Exception { HazelcastInstance hz = Hazelcast.newHazelcastInstance(); - IQueue queue = hz.getQueue( "queue" ); <1> + IQueue queue = hz.getQueue( "queue" ); // <1> - <2> + // <2> for ( int k = 1; k < 100; k++ ) { queue.put( k ); System.out.println( "Producing: " + k ); @@ -19,4 +19,4 @@ public static void main( String[] args ) throws Exception { System.out.println( "Producer Finished!" ); } } -//end::producer[] \ No newline at end of file +//end::producer[] diff --git a/docs/modules/ROOT/examples/dds/queue/TheQueueStore.java b/docs/modules/ROOT/examples/dds/queue/TheQueueStore.java index 3f4001e73..796cba0a8 100644 --- a/docs/modules/ROOT/examples/dds/queue/TheQueueStore.java +++ b/docs/modules/ROOT/examples/dds/queue/TheQueueStore.java @@ -28,7 +28,7 @@ public void deleteAll(Collection keys) { } @Override - <1> + // <1> public Item load(Long key) { System.out.println("load"); return null; @@ -46,4 +46,4 @@ public Set loadAllKeys() { return null; } } -//end::qs[] \ No newline at end of file +//end::qs[] diff --git a/docs/modules/ROOT/examples/distributedcomputing/ScheduledExecutorConfiguration.java b/docs/modules/ROOT/examples/distributedcomputing/ScheduledExecutorConfiguration.java index c7ae5cc65..116e8aefd 100644 --- a/docs/modules/ROOT/examples/distributedcomputing/ScheduledExecutorConfiguration.java +++ b/docs/modules/ROOT/examples/distributedcomputing/ScheduledExecutorConfiguration.java @@ -1,7 +1,9 @@ import com.hazelcast.config.Config; +import com.hazelcast.config.MergePolicyConfig; import com.hazelcast.core.Hazelcast; import com.hazelcast.core.HazelcastInstance; import com.hazelcast.scheduledexecutor.IScheduledExecutorService; +import com.hazelcast.config.ScheduledExecutorConfig; public class ScheduledExecutorConfiguration { public static void main(String[] args) throws Exception{ 
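Review bot: In ScheduledExecutorConfiguration.java the added `import com.hazelcast.config.ScheduledExecutorConfig;` is placed after `import com.hazelcast.scheduledexecutor.IScheduledExecutorService;`, splitting the `com.hazelcast.config` group that the other new import, `MergePolicyConfig`, was correctly inserted into; move it up beside `MergePolicyConfig` so the imports stay sorted. The `main` method continues outside the hunk.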
diff --git a/docs/modules/ROOT/examples/distributedevents/ExampleEntryListener.java b/docs/modules/ROOT/examples/distributedevents/ExampleEntryListener.java index 03a7ebd1e..8f925a20e 100644 --- a/docs/modules/ROOT/examples/distributedevents/ExampleEntryListener.java +++ b/docs/modules/ROOT/examples/distributedevents/ExampleEntryListener.java @@ -16,5 +16,17 @@ public void entryUpdated(EntryEvent event) { public void mapCleared(MapEvent event) { System.out.println( "Map Cleared: " + event ); } + @Override + public void entryRemoved(EntryEvent event) { + } + @Override + public void entryEvicted(EntryEvent event) { + } + @Override + public void entryExpired(EntryEvent event) { + } + @Override + public void mapEvicted(MapEvent event) { + } } -//end::mm[] \ No newline at end of file +//end::mm[] diff --git a/docs/modules/ROOT/examples/distributedevents/Listen.java b/docs/modules/ROOT/examples/distributedevents/Listen.java index 6936d2723..35f64cee5 100644 --- a/docs/modules/ROOT/examples/distributedevents/Listen.java +++ b/docs/modules/ROOT/examples/distributedevents/Listen.java @@ -1,6 +1,6 @@ import com.hazelcast.core.Hazelcast; import com.hazelcast.core.HazelcastInstance; -import com.hazelcast.core.HazelcastClient; +import com.hazelcast.client.HazelcastClient; import com.hazelcast.map.IMap; import com.hazelcast.map.MapEvent; import com.hazelcast.core.EntryEvent; @@ -10,7 +10,7 @@ public class Listen { public static void main( String[] args ) { - HazelcastInstance hz = HazelcastClient.newHazelcastCllient(); + HazelcastInstance hz = HazelcastClient.newHazelcastClient(); IMap map = hz.getMap( "somemap" ); map.addEntryListener( new MyEntryListener(), true ); System.out.println( "EntryListener registered" ); @@ -60,4 +60,4 @@ public void mapCleared( MapEvent event ) { } } } -//end::listen[] \ No newline at end of file +//end::listen[] 
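Review bot: The four added overrides `entryRemoved`, `entryEvicted`, `entryExpired` and `mapEvicted` have empty bodies and no comment, which in a documentation example reads as if those events were handled; put `// no-op: not relevant to this example` inside each, and separate the methods with blank lines as the surrounding methods are. The enclosing class starts outside the hunk, so the interface that declares these methods is not visible here; presumably they were added so the file compiles under the new PR workflow.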
diff --git a/docs/modules/ROOT/examples/jcache/ExampleJCacheApplication.java b/docs/modules/ROOT/examples/jcache/ExampleJCacheApplication.java index bcd866f63..9e3d9606f 100644 --- a/docs/modules/ROOT/examples/jcache/ExampleJCacheApplication.java +++ b/docs/modules/ROOT/examples/jcache/ExampleJCacheApplication.java @@ -1,3 +1,5 @@ +package jcache; + import javax.cache.Cache; import javax.cache.CacheManager; import javax.cache.Caching; @@ -37,4 +39,4 @@ public static void main(String[] args){ System.out.println( value ); //end::jcacheapp[] } -} \ No newline at end of file +} diff --git a/docs/modules/ROOT/examples/jcache/PartitionLostListenerUsage.java b/docs/modules/ROOT/examples/jcache/PartitionLostListenerUsage.java index aa58b027c..421634479 100644 --- a/docs/modules/ROOT/examples/jcache/PartitionLostListenerUsage.java +++ b/docs/modules/ROOT/examples/jcache/PartitionLostListenerUsage.java @@ -1,3 +1,5 @@ +package jcache; + import com.hazelcast.cache.ICache; import com.hazelcast.cache.impl.event.CachePartitionLostEvent; import com.hazelcast.cache.impl.event.CachePartitionLostListener; @@ -34,4 +36,4 @@ public void partitionLost(CachePartitionLostEvent event) { }); } } -//end::pllu[] \ No newline at end of file +//end::pllu[] diff --git a/docs/modules/ROOT/examples/jcache/User.java b/docs/modules/ROOT/examples/jcache/User.java index 129a70ba8..37d3f3a0b 100644 --- a/docs/modules/ROOT/examples/jcache/User.java +++ b/docs/modules/ROOT/examples/jcache/User.java @@ -1,3 +1,5 @@ +package jcache; + import java.io.Serializable; @SuppressWarnings("unused") @@ -66,4 +68,4 @@ public String toString() { + ", username='" + username + '\'' + '}'; } -} \ No newline at end of file +} diff --git a/docs/modules/ROOT/examples/jcache/UserCacheEntryListener.java b/docs/modules/ROOT/examples/jcache/UserCacheEntryListener.java index 3a1747294..183f02867 100644 --- a/docs/modules/ROOT/examples/jcache/UserCacheEntryListener.java 
+++ b/docs/modules/ROOT/examples/jcache/UserCacheEntryListener.java @@ -1,3 +1,5 @@ +package jcache; + import javax.cache.event.CacheEntryCreatedListener; import javax.cache.event.CacheEntryEvent; import javax.cache.event.CacheEntryExpiredListener; @@ -45,4 +47,4 @@ private void printEvents(Iterable create() { return new UserCacheEntryListener(); } } -//end::ucelf[] \ No newline at end of file +//end::ucelf[] diff --git a/docs/modules/ROOT/examples/jcache/UserCacheLoader.java b/docs/modules/ROOT/examples/jcache/UserCacheLoader.java index 701022414..e08124845 100644 --- a/docs/modules/ROOT/examples/jcache/UserCacheLoader.java +++ b/docs/modules/ROOT/examples/jcache/UserCacheLoader.java @@ -1,3 +1,5 @@ +package jcache; + import javax.cache.integration.CacheLoader; import javax.cache.integration.CacheLoaderException; import java.io.Serializable; @@ -36,4 +38,4 @@ public Map loadAll(Iterable keys) throws Cache return loaded; } } -//end::ucl[] \ No newline at end of file +//end::ucl[] diff --git a/docs/modules/ROOT/examples/jcache/UserCacheWriter.java b/docs/modules/ROOT/examples/jcache/UserCacheWriter.java index 08d895c1d..9537a4695 100644 --- a/docs/modules/ROOT/examples/jcache/UserCacheWriter.java +++ b/docs/modules/ROOT/examples/jcache/UserCacheWriter.java @@ -1,3 +1,5 @@ +package jcache; + import javax.cache.Cache; import javax.cache.integration.CacheWriter; import javax.cache.integration.CacheWriterException; @@ -55,4 +57,4 @@ public void deleteAll(Collection keys) throws CacheWriterException { } } } -//end::ucw[] \ No newline at end of file +//end::ucw[] diff --git a/docs/modules/ROOT/examples/jcache/UserDao.java b/docs/modules/ROOT/examples/jcache/UserDao.java index f71840d34..2176a083c 100644 --- a/docs/modules/ROOT/examples/jcache/UserDao.java +++ b/docs/modules/ROOT/examples/jcache/UserDao.java @@ -1,3 +1,5 @@ +package jcache; + import java.util.Collection; //tag::userdao[] 
@@ -8,4 +10,4 @@ public interface UserDao { boolean removeUser(int userId); Collection allUserIds(); } -//end::userdao[] \ No newline at end of file +//end::userdao[] diff --git a/docs/modules/ROOT/examples/jcache/UserUpdateEntryProcessor.java b/docs/modules/ROOT/examples/jcache/UserUpdateEntryProcessor.java index 3703f5850..ec2ed4460 100644 --- a/docs/modules/ROOT/examples/jcache/UserUpdateEntryProcessor.java +++ b/docs/modules/ROOT/examples/jcache/UserUpdateEntryProcessor.java @@ -1,3 +1,5 @@ +package jcache; + import javax.cache.processor.EntryProcessor; import javax.cache.processor.EntryProcessorException; import javax.cache.processor.MutableEntry; @@ -34,4 +36,4 @@ public User process(MutableEntry entry, Object... arguments) thro return user; } } -//end::uuep[] \ No newline at end of file +//end::uuep[] diff --git a/docs/modules/ROOT/examples/security/CredentialsCallback.java b/docs/modules/ROOT/examples/security/CredentialsCallback.java index 212731119..29f807a95 100644 --- a/docs/modules/ROOT/examples/security/CredentialsCallback.java +++ b/docs/modules/ROOT/examples/security/CredentialsCallback.java @@ -1,3 +1,5 @@ +package security; + import com.hazelcast.security.Credentials; import javax.security.auth.callback.Callback; diff --git a/docs/modules/ROOT/examples/security/CustomLoginModule.java b/docs/modules/ROOT/examples/security/CustomLoginModule.java index 0f7b765ed..bccac56ca 100644 --- a/docs/modules/ROOT/examples/security/CustomLoginModule.java +++ b/docs/modules/ROOT/examples/security/CustomLoginModule.java @@ -1,3 +1,5 @@ +package security; + import com.hazelcast.security.Credentials; import javax.security.auth.Subject; diff --git a/docs/modules/ROOT/examples/CustomLoginModuleTest.java b/docs/modules/ROOT/examples/security/CustomLoginModuleTest.java similarity index 100% rename from docs/modules/ROOT/examples/CustomLoginModuleTest.java rename to docs/modules/ROOT/examples/security/CustomLoginModuleTest.java 
diff --git a/docs/modules/ROOT/examples/security/EnablingSecurity.java b/docs/modules/ROOT/examples/security/EnablingSecurity.java index ea640efaf..d3c195145 100644 --- a/docs/modules/ROOT/examples/security/EnablingSecurity.java +++ b/docs/modules/ROOT/examples/security/EnablingSecurity.java 
@@ -1,13 +1,57 @@ +package security; + import com.hazelcast.config.Config; +import com.hazelcast.config.PermissionConfig; +import com.hazelcast.config.PermissionConfig.PermissionType; import com.hazelcast.config.SecurityConfig; +import com.hazelcast.config.security.LdapAuthenticationConfig; +import com.hazelcast.config.security.RealmConfig; +import com.hazelcast.config.security.SimpleAuthenticationConfig; public class EnablingSecurity { public static void main(String[] args) throws Exception{ - //tag::es[] - Config cfg = new Config(); - SecurityConfig securityCfg = cfg.getSecurityConfig(); - securityCfg.setEnabled( true ); - //end::es[] +//tag::es[] +Config cfg = new Config(); +SecurityConfig securityCfg = cfg.getSecurityConfig(); +securityCfg.setEnabled( true ); +//end::es[] + } + + public static void authenticationSample() throws Exception{ +//tag::authn[] +Config cfg = new Config(); +SimpleAuthenticationConfig sac = new SimpleAuthenticationConfig() + .addUser("test", "V3ryS3cr3tString", "monitor", "hazelcast") + .addUser("man-center", "HardToGuess", "root"); +cfg.getSecurityConfig().setEnabled(true) + .setClientRealmConfig("simpleRealm", + new RealmConfig().setSimpleAuthenticationConfig(sac)); +//end::authn[] + } + + public static void identitySample() throws Exception{ +//tag::identity[] +Config cfg = new Config(); +cfg.getSecurityConfig() + .setEnabled(true) + .addRealmConfig("aRealm", + new RealmConfig().setLdapAuthenticationConfig(new LdapAuthenticationConfig()/* ... */) + .setUsernamePasswordIdentityConfig("uid=hazelcast,ou=Services,dc=hazelcast,dc=com", "theSecret")) + .setClientRealm("aRealm") + .setMemberRealm("aRealm"); +//end::identity[] + } + + public static void authorizationSample() throws Exception{ +//tag::authz[] +Config cfg = new Config(); +cfg.getSecurityConfig() + .setEnabled(true) + .setClientRealmConfig("aRealm", new RealmConfig()/* ... 
*/) + .addClientPermissionConfig(new PermissionConfig(PermissionType.ALL, null, "man-center")) + .addClientPermissionConfig(new PermissionConfig(PermissionType.MAP, "playground", "*").addAction("all")); +//end::authz[] } -} \ No newline at end of file + +} diff --git a/docs/modules/ROOT/examples/security/MapSecurityInterceptor.java b/docs/modules/ROOT/examples/security/MapSecurityInterceptor.java index 11da5089f..411446967 100644 --- a/docs/modules/ROOT/examples/security/MapSecurityInterceptor.java +++ b/docs/modules/ROOT/examples/security/MapSecurityInterceptor.java @@ -1,3 +1,5 @@ +package security; + import com.hazelcast.client.HazelcastClient; import com.hazelcast.client.config.ClientConfig; import com.hazelcast.config.Config; diff --git a/docs/modules/ROOT/examples/security/SocketInterceptorClient.java b/docs/modules/ROOT/examples/security/SocketInterceptorClient.java index 7e11da16b..2bfb7c0dd 100644 --- a/docs/modules/ROOT/examples/security/SocketInterceptorClient.java +++ b/docs/modules/ROOT/examples/security/SocketInterceptorClient.java @@ -1,3 +1,5 @@ +package security; + import com.hazelcast.client.HazelcastClient; import com.hazelcast.client.config.ClientConfig; import com.hazelcast.config.Config; diff --git a/docs/modules/ROOT/examples/security/SocketInterceptorMember.java b/docs/modules/ROOT/examples/security/SocketInterceptorMember.java index b9df9c4ef..8c6493ed6 100644 --- a/docs/modules/ROOT/examples/security/SocketInterceptorMember.java +++ b/docs/modules/ROOT/examples/security/SocketInterceptorMember.java @@ -1,3 +1,5 @@ +package security; + import com.hazelcast.config.Config; import com.hazelcast.config.SocketInterceptorConfig; import com.hazelcast.core.Hazelcast; diff --git a/docs/modules/ROOT/examples/storage/SampleEncryptionAtRestConfiguration.java b/docs/modules/ROOT/examples/storage/SampleEncryptionAtRestConfiguration.java index 5d08680d5..9d3923fa8 100644 --- a/docs/modules/ROOT/examples/storage/SampleEncryptionAtRestConfiguration.java 
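Review bot: The new samples embed literal passwords (`"V3ryS3cr3tString"`, `"HardToGuess"`, `"theSecret"`) that readers will copy verbatim; use unmistakable placeholders such as `"<password>"` and add a comment above each `addUser` and `setUsernamePasswordIdentityConfig` call saying the value should be supplied from a secret source rather than written in source code. `authorizationSample` grants `PermissionType.ALL` to principal `man-center` and the `playground` map permission to every endpoint via `"*"` with no explanation; a short comment on each `addClientPermissionConfig` line stating how broad that grant is would keep readers from copying an over-permissive policy. Every sample method is declared `throws Exception` although nothing in its body throws a checked exception, so the clause can be dropped. `cfg` is built but never used in the three new methods, which is fine for a snippet but worth a trailing `// cfg would be passed to Hazelcast.newHazelcastInstance(cfg)` comment.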
+++ b/docs/modules/ROOT/examples/storage/SampleEncryptionAtRestConfiguration.java @@ -4,7 +4,6 @@ import com.hazelcast.config.PersistenceConfig; import com.hazelcast.config.JavaKeyStoreSecureStoreConfig; import com.hazelcast.config.SSLConfig; -import com.hazelcast.config.SecureStoreConfig; import com.hazelcast.config.VaultSecureStoreConfig; import java.io.File; @@ -12,14 +11,6 @@ public class SampleEncryptionAtRestConfiguration { public static void main(String[] args) throws Exception{ - //tag::encryptionatrest[] - PersistenceConfig PersistenceConfig = new PersistenceConfig(); - EncryptionAtRestConfig encryptionAtRestConfig = - PersistenceConfig.getEncryptionAtRestConfig(); - encryptionAtRestConfig.setEnabled(true) - .setAlgorithm("AES/CBC/PKCS5Padding") - .setSecureStoreConfig(/* pass in a configuration object for a secure store here */); - //end::encryptionatrest[] //tag::keystore[] JavaKeyStoreSecureStoreConfig keyStoreConfig = new JavaKeyStoreSecureStoreConfig(new File("/path/to/keystore.file")) @@ -28,6 +19,14 @@ public static void main(String[] args) throws Exception{ .setCurrentKeyAlias("current") .setPollingInterval(60); //end::keystore[] + //tag::encryptionatrest[] + PersistenceConfig PersistenceConfig = new PersistenceConfig(); + EncryptionAtRestConfig encryptionAtRestConfig = + PersistenceConfig.getEncryptionAtRestConfig(); + encryptionAtRestConfig.setEnabled(true) + .setAlgorithm("AES/CBC/PKCS5Padding") + .setSecureStoreConfig(/* pass in a configuration object for a secure store here */keyStoreConfig); + //end::encryptionatrest[] //tag::vault[] VaultSecureStoreConfig vaultConfig = new VaultSecureStoreConfig("http://localhost:1234", "secret/path", "token") @@ -38,4 +37,4 @@ public static void main(String[] args) throws Exception{ private static void configureSSL(SSLConfig sslConfig) { } -} \ No newline at end of file +} 
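Review bot: `PersistenceConfig PersistenceConfig = new PersistenceConfig();` names the local after its type, which the sibling `SamplePersistenceConfiguration.java` hunk in this same commit corrects to `persistenceConfig`; do the same here with `PersistenceConfig persistenceConfig = new PersistenceConfig();` and `persistenceConfig.getEncryptionAtRestConfig();`. The inline comment in `.setSecureStoreConfig(/* pass in a configuration object for a secure store here */keyStoreConfig)` is now stale because an actual object is passed; reduce it to `.setSecureStoreConfig(keyStoreConfig)` with a preceding line comment such as `// reuse the keystore-backed secure store configured above`. The surrounding `main` starts and ends outside this hunk.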
diff --git a/docs/modules/ROOT/examples/storage/SampleHotRestartConfiguration.java b/docs/modules/ROOT/examples/storage/SamplePersistenceConfiguration.java similarity index 86% rename from docs/modules/ROOT/examples/storage/SampleHotRestartConfiguration.java rename to docs/modules/ROOT/examples/storage/SamplePersistenceConfiguration.java index 21d8eee1f..115483223 100644 --- a/docs/modules/ROOT/examples/storage/SampleHotRestartConfiguration.java +++ b/docs/modules/ROOT/examples/storage/SamplePersistenceConfiguration.java @@ -7,16 +7,16 @@ public class SamplePersistenceConfiguration { public static void main(String[] args) throws Exception{ //tag::hrconf[] Config config = new Config(); - PersistenceConfig PersistenceConfig = new PersistenceConfig() + PersistenceConfig persistenceConfig = new PersistenceConfig() .setEnabled(true) .setBaseDir(new File("/mnt/persistence")) .setParallelism(1) .setValidationTimeoutSeconds(120) .setDataLoadTimeoutSeconds(900) .setClusterDataRecoveryPolicy(PersistenceClusterDataRecoveryPolicy.FULL_RECOVERY_ONLY) - .setAutoRemoveStaleData(true); - .setRebalanceDelaySeconds(0) - config.setPersistenceConfig(PersistenceConfig); + .setAutoRemoveStaleData(true) + .setRebalanceDelaySeconds(0); + config.setPersistenceConfig(persistenceConfig); MapConfig mapConfig = config.getMapConfig("test-map"); mapConfig.getDataPersistenceConfig().setEnabled(true); @@ -35,4 +35,4 @@ public static void main(String[] args) throws Exception{ config.getJetConfig().setLosslessRestartEnabled(true); //end::hrconf[] } -} \ No newline at end of file +} diff --git a/docs/modules/ROOT/examples/wan/EnablingWRforCache.java b/docs/modules/ROOT/examples/wan/EnablingWRforCache.java index ab8d6d3bc..7b441c897 100644 --- a/docs/modules/ROOT/examples/wan/EnablingWRforCache.java +++ b/docs/modules/ROOT/examples/wan/EnablingWRforCache.java 
@@ -1,6 +1,7 @@ import com.hazelcast.config.Config; import com.hazelcast.config.WanReplicationConfig; import com.hazelcast.config.WanReplicationRef; +import com.hazelcast.spi.merge.PassThroughMergePolicy; public class EnablingWRforCache { diff --git a/docs/modules/integrate/pages/elasticsearch-connector.adoc b/docs/modules/integrate/pages/elasticsearch-connector.adoc index 291a423cf..616f37f16 100644 --- a/docs/modules/integrate/pages/elasticsearch-connector.adoc +++ b/docs/modules/integrate/pages/elasticsearch-connector.adoc @@ -14,7 +14,7 @@ Each module includes an Elasticsearch client that's compatible with the given ma == Permissions [.enterprise]*{enterprise-product-name}* -If xref:security:enabling-jaas.adoc[security] is enabled, your clients may need permissions to use this connector. For details, see xref:pipelines:job-security.adoc[]. +If xref:security:enabling-security.adoc[security] is enabled, your clients may need permissions to use this connector. For details, see xref:pipelines:job-security.adoc[]. == Elasticsearch as a Source diff --git a/docs/modules/integrate/pages/file-connector.adoc b/docs/modules/integrate/pages/file-connector.adoc index 3d710dac3..0b0582d54 100644 --- a/docs/modules/integrate/pages/file-connector.adoc +++ b/docs/modules/integrate/pages/file-connector.adoc @@ -18,7 +18,7 @@ Depending on the <>, you may also == Permissions [.enterprise]*{enterprise-product-name}* -If xref:security:enabling-jaas.adoc[security] is enabled, you can set up permissions to restrict clients' access to your files. For details, see xref:pipelines:job-security.adoc[]. +If xref:security:enabling-security.adoc[security] is enabled, you can set up permissions to restrict clients' access to your files. For details, see xref:pipelines:job-security.adoc[]. == Supported File Systems diff --git a/docs/modules/integrate/pages/jcache-connector.adoc b/docs/modules/integrate/pages/jcache-connector.adoc index 03862bfb9..6f1bfa49a 100644 
--- a/docs/modules/integrate/pages/jcache-connector.adoc +++ b/docs/modules/integrate/pages/jcache-connector.adoc @@ -11,4 +11,4 @@ distributions of Hazelcast. == Permissions [.enterprise]*{enterprise-product-name}* -If xref:security:enabling-jaas.adoc[security] is enabled, you can set up permissions to restrict clients' access to these data structures. For details, see xref:security:native-client-security.adoc[]. \ No newline at end of file +If xref:security:enabling-security.adoc[security] is enabled, you can set up permissions to restrict clients' access to these data structures. For details, see xref:security:native-client-security.adoc[]. \ No newline at end of file diff --git a/docs/modules/integrate/pages/kafka-connect-connectors.adoc b/docs/modules/integrate/pages/kafka-connect-connectors.adoc index 89f260230..f2571ba50 100644 --- a/docs/modules/integrate/pages/kafka-connect-connectors.adoc +++ b/docs/modules/integrate/pages/kafka-connect-connectors.adoc @@ -49,7 +49,7 @@ Every Kafka Connect Source connector comes with documentation that includes the == Permissions [.enterprise]*{enterprise-product-name}* -If xref:security:enabling-jaas.adoc[security] is enabled, your clients may need updated permissions to upload the ZIP or JAR file used by the Kafka Connect Source Connector. For details, see xref:pipelines:job-security.adoc[]. +If xref:security:enabling-security.adoc[security] is enabled, your clients may need updated permissions to upload the ZIP or JAR file used by the Kafka Connect Source Connector. For details, see xref:pipelines:job-security.adoc[]. == Adding the Connector Configuration diff --git a/docs/modules/integrate/pages/kafka-connector.adoc b/docs/modules/integrate/pages/kafka-connector.adoc index 2ea9553d5..68620229c 100644 --- a/docs/modules/integrate/pages/kafka-connector.adoc +++ b/docs/modules/integrate/pages/kafka-connector.adoc 
@@ -17,7 +17,7 @@ If you're using the slim distribution, you must add the link:https://mvnreposito == Permissions [.enterprise]*{enterprise-product-name}* -If xref:security:enabling-jaas.adoc[security] is enabled, your clients may need permissions to use this connector. For details, see xref:pipelines:job-security.adoc[]. +If xref:security:enabling-security.adoc[security] is enabled, your clients may need permissions to use this connector. For details, see xref:pipelines:job-security.adoc[]. == Configuration Options diff --git a/docs/modules/integrate/pages/legacy-file-connector.adoc b/docs/modules/integrate/pages/legacy-file-connector.adoc index e4f81fb9c..2a059e264 100644 --- a/docs/modules/integrate/pages/legacy-file-connector.adoc +++ b/docs/modules/integrate/pages/legacy-file-connector.adoc @@ -22,7 +22,7 @@ To access Hadoop or any of the cloud-based file systems, add one of the download == Permissions [.enterprise]*{enterprise-product-name}* -If xref:security:enabling-jaas.adoc[security] is enabled, you can set up permissions to restrict clients' access to your files. For details, see xref:pipelines:job-security.adoc[]. +If xref:security:enabling-security.adoc[security] is enabled, you can set up permissions to restrict clients' access to your files. For details, see xref:pipelines:job-security.adoc[]. == Supported File Systems diff --git a/docs/modules/integrate/pages/list-connector.adoc b/docs/modules/integrate/pages/list-connector.adoc index ae797c976..8309d2b99 100644 --- a/docs/modules/integrate/pages/list-connector.adoc +++ b/docs/modules/integrate/pages/list-connector.adoc 
@@ -11,7 +11,7 @@ This connector is included in the full and slim distributions of Hazelcast. == Permissions [.enterprise]*{enterprise-product-name}* -If xref:security:enabling-jaas.adoc[security] is enabled, you can set up permissions to restrict clients' access to these data structures. For details, see xref:security:native-client-security.adoc[]. +If xref:security:enabling-security.adoc[security] is enabled, you can set up permissions to restrict clients' access to these data structures. For details, see xref:security:native-client-security.adoc[]. == List as a Source or Sink diff --git a/docs/modules/integrate/pages/map-connector.adoc b/docs/modules/integrate/pages/map-connector.adoc index fcb21722e..557167e9d 100644 --- a/docs/modules/integrate/pages/map-connector.adoc +++ b/docs/modules/integrate/pages/map-connector.adoc @@ -11,7 +11,7 @@ distributions of Hazelcast. == Permissions [.enterprise]*{enterprise-product-name}* -If xref:security:enabling-jaas.adoc[security] is enabled, you can set up permissions to restrict clients' access to these data structures. +If xref:security:enabling-security.adoc[security] is enabled, you can set up permissions to restrict clients' access to these data structures. For example, to read from map sources, you must add the `create` and `read` permissions for those maps. If you use the map connector to write to map sinks, you must add the `create` and `put` permissions for those maps. diff --git a/docs/modules/integrate/pages/reliable-topic-connector.adoc b/docs/modules/integrate/pages/reliable-topic-connector.adoc index b0a898813..77f81309c 100644 --- a/docs/modules/integrate/pages/reliable-topic-connector.adoc +++ b/docs/modules/integrate/pages/reliable-topic-connector.adoc 
@@ -11,7 +11,7 @@ distributions of Hazelcast. == Permissions [.enterprise]*{enterprise-product-name}* -If xref:security:enabling-jaas.adoc[security] is enabled, you can set up permissions to restrict clients' access to these data structures. For details, see xref:security:native-client-security.adoc[]. +If xref:security:enabling-security.adoc[security] is enabled, you can set up permissions to restrict clients' access to these data structures. For details, see xref:security:native-client-security.adoc[]. == Reliable Topic as a Source or Sink diff --git a/docs/modules/integrate/pages/vector-collection-connector.adoc b/docs/modules/integrate/pages/vector-collection-connector.adoc index 93251011a..fc63300db 100644 --- a/docs/modules/integrate/pages/vector-collection-connector.adoc +++ b/docs/modules/integrate/pages/vector-collection-connector.adoc @@ -12,7 +12,7 @@ For further information on vector collections, see xref:data-structures:vector-c This connector is included in the full and slim {enterprise-product-name} distributions of Hazelcast. == Permissions -If xref:security:enabling-jaas.adoc[security] is enabled, you can set up permissions to restrict clients' access to these data structures. +If xref:security:enabling-security.adoc[security] is enabled, you can set up permissions to restrict clients' access to these data structures. To search in vector collection, you must add the `create` and `read` permissions for those collections. If you use the vector collection sink to write to vector collections, you must add the `create` and `put` permissions for those collections. diff --git a/docs/modules/maintain-cluster/pages/rest-api.adoc b/docs/modules/maintain-cluster/pages/rest-api.adoc index 693bc9826..4894e84ac 100644 --- a/docs/modules/maintain-cluster/pages/rest-api.adoc +++ b/docs/modules/maintain-cluster/pages/rest-api.adoc 
@@ -430,7 +430,7 @@ NOTE: Some of the REST calls listed below need their REST endpoint groups to be See the <> on how to enable them. Also note that the value of `$\{PASSWORD}` in the following calls is checked only if -the security is xref:security:enabling-jaas.adoc[enabled] in Hazelcast, i.e., if you have Hazelcast {enterprise-product-name}. +the security is xref:security:enabling-security.adoc[enabled] in Hazelcast, i.e., if you have Hazelcast {enterprise-product-name}. If the security is disabled, the `$\{PASSWORD}` can be left empty. [cols="5a"] diff --git a/docs/modules/secure-cluster/pages/security-defaults.adoc b/docs/modules/secure-cluster/pages/security-defaults.adoc index c0d05df54..710dede4d 100644 --- a/docs/modules/secure-cluster/pages/security-defaults.adoc +++ b/docs/modules/secure-cluster/pages/security-defaults.adoc 
@@ -29,3 +29,21 @@ If you are using Hazelcast on Docker and Kubernetes environments: * Since these environments don’t allow any access unless specified explicitly, all the features are enabled in the Hazelcast distributions on these cloud environments. +== Defaults by distribution type + +The table shows which security hardening features are used by default in the given distribution type. + +[options="header",cols="6,^1,^1,^1,^1"] +|===================================================================================================== +| Feature | Zip/Tgz | Rpm/Deb /Brew | Maven/Jar | Docker +| Bind to localhost only | ✅ | ✅ | ❌ | ❌ +| Multicast discovery method disabled | ✅ | ✅ | ❌ | ❌ +| Advanced networking enabled | ❌ | ❌ | ❌ | ❌ +| Jet (and SQL) disabled | ❌ | ❌ | ✅ | ❌ +| Jet resource upload disabled | ❌ | ❌ | ✅ | ❌ +| User code deployment disabled | ✅ | ✅ | ✅ | ✅ +| REST health-check disabled | ❌ | ❌ | ✅ | ❌ +| MC scripting disallowed | ✅ | ✅ | ✅ | ✅ +| MC access to ConsoleApp disabled | ✅ | ✅ | ✅ | ✅ +| MC access from a specific IP only | ❌ | ❌ | ❌ | ❌ +|===================================================================================================== diff --git a/docs/modules/secure-cluster/partials/nav.adoc b/docs/modules/secure-cluster/partials/nav.adoc index 809739ba8..735c4e63c 100644 --- a/docs/modules/secure-cluster/partials/nav.adoc +++ b/docs/modules/secure-cluster/partials/nav.adoc 
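Review bot: The new "Defaults by distribution type" table never says what ✅ and ❌ mean, and rows whose names already contain "enabled"/"disabled" (for example `Advanced networking enabled | ❌`) can be read either as "the feature is off" or as "the hardening is not applied". A one-line legend under the intro sentence would settle it, e.g. `✅ means the hardening measure is applied out of the box; ❌ means the distribution ships with the less restrictive setting and you must apply the measure yourself (see xref:secure-cluster:hardening-recommendations.adoc[]).` It would also help to state explicitly that the table shows shipped defaults rather than a hardened configuration, since every column leaves at least one measure unapplied. The stray space in `Rpm/Deb /Brew` looks like a typo.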
@@ -1,19 +1,23 @@ * Securing a Cluster ** xref:security:overview.adoc[] -** xref:secure-cluster:security-defaults.adoc[] -** xref:secure-cluster:hardening-recommendations.adoc[] -** xref:security:enabling-jaas.adoc[] ** TLS/SSL *** xref:security:tls-ssl.adoc[] *** xref:security:integrating-openssl.adoc[] *** xref:security:tls-configuration.adoc[] -** Authentication Types -*** xref:security:default-authentication.adoc[] +** xref:secure-cluster:security-defaults.adoc[] +** xref:security:enabling-security.adoc[] +** Authentication and Authorization +*** xref:security:authentication-overview.adoc[] *** xref:security:simple-authentication.adoc[] +*** xref:security:ldap-authentication.adoc[] +*** xref:security:kerberos-authentication.adoc[] +*** xref:security:tls-authentication.adoc[] +*** xref:security:identity-configuration.adoc[] *** xref:security:jaas-authentication.adoc[] -** xref:security:security-realms.adoc[] -** xref:security:cluster-member-security.adoc[] +*** xref:security:default-authentication.adoc[] +*** xref:security:client-authorization.adoc[] ** xref:security:native-client-security.adoc[] +** xref:security:cluster-member-security.adoc[] ** xref:security:socket-interceptor.adoc[] ** xref:security:security-interceptor.adoc[] ** Advanced Security Features @@ -22,3 +26,4 @@ *** xref:security:fips-140-2.adoc[] *** xref:security:security-debugging.adoc[] *** xref:security:encryption.adoc[] +** xref:secure-cluster:hardening-recommendations.adoc[] diff --git a/docs/modules/security/pages/authentication-overview.adoc b/docs/modules/security/pages/authentication-overview.adoc new file mode 100644 index 000000000..f4572eb29 --- /dev/null +++ b/docs/modules/security/pages/authentication-overview.adoc 
@@ -0,0 +1,219 @@ += Authentication overview +:page-enterprise: true +:page-aliases: security-realms.adoc + +Authentication is used to verify the incoming connection has valid credentials configured. +Hazelcast supports several authentication types which can be configured for member-to-member, and client-to-member communication: + +* xref:simple-authentication.adoc[Simple] - users and roles are configured directly within the member configuration, +* xref:ldap-authentication.adoc[LDAP] - LDAP server is used to verify credentials and load roles, +* xref:kerberos-authentication.adoc[Kerberos] - service tickets are used for authentication, +* xref:tls-authentication.adoc[TLS] - information from client-side TLS certificates (when TLS mutual authentication is enabled) are used for role assignment, +* xref:simple-authentication.adoc[custom JAAS login module] implementations can be also used if the Hazelcast provided authentication mechanisms don't fully cover users needs. + +Named security configurations called Security Realms are used to map an authentication mechanism to a Hazelcast protocol (client or member). +Security realms allow defining security configuration independently on the module which consumes it. + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + + + + + + monitor + hazelcast + + + root + + + + + + + + +---- +-- + +YAML:: ++ +-- +[source,yaml] +---- +hazelcast: + security: + enabled: true + realms: + - name: simpleRealm + authentication: + simple: + users: + - username: test + password: 'V3ryS3cr3tString' + roles: + - monitor + - hazelcast + - username: man-center + password: 'HardToGuess' + roles: + - root +---- +-- + +Java:: ++ +[source,java] +---- +include::ROOT:example$/security/EnablingSecurity.java[tag=authn] +---- +==== + + +== Identity + +A security configuration part where members and clients have their own credentials configured is called an Identity. +The Identity can be a username-password pair, a token, or a Kerberos ticket. 
Refer to xref:identity-configuration.adoc[Identity configuration] for more details. + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + + + + + + + + + + + + + + + + +---- +-- + +YAML:: ++ +-- +[source,yaml] +---- +hazelcast: + security: + enabled: true + realms: + - name: aRealm + authentication: + ldap: +# ... + identity: + username-password: + username: uid=hazelcast,ou=Services,dc=hazelcast,dc=com + password: theSecret + member-authentication: + realm: aRealm + client-authentication: + realm: aRealm + +---- +-- + +Java:: ++ +[source,java] +---- +include::ROOT:example$/security/EnablingSecurity.java[tag=identity] +---- +==== + + +== Authorization + +Authorization is supported by Client protocol. During the authentication, +clients get roles assigned. Access is then controlled by +permissions assigned to the roles. + +Authorization is not supported in member-to-member communication. All members +have unlimited access to the cluster data once they authenticate. + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + + + + + + + + + + + all + + + + + +---- +-- + +YAML:: ++ +-- +[source,yaml] +---- +hazelcast: + security: + enabled: true + realms: + - name: aRealm +# ... + client-authentication: + realm: aRealm + client-permissions: + all: + principal: man-center + map: + - name: playground + principal: * + actions: + - all + +---- +-- + +Java:: ++ +[source,java] +---- +include::ROOT:example$/security/EnablingSecurity.java[tag=authz] +---- +==== diff --git a/docs/modules/security/pages/client-authorization.adoc b/docs/modules/security/pages/client-authorization.adoc new file mode 100644 index 000000000..7caf79bcb --- /dev/null +++ b/docs/modules/security/pages/client-authorization.adoc 
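Review bot: The bullet for custom login modules links to the wrong page: `xref:simple-authentication.adoc[custom JAAS login module]` points at the Simple authentication page, while the nav updated in this same change adds `xref:security:jaas-authentication.adoc[]`, so the bullet should read `xref:jaas-authentication.adoc[custom JAAS login module]`. In the Authorization YAML example, `principal: *` is an unquoted asterisk, which a YAML parser treats as the start of an alias and rejects; the client-authorization page added alongside this one writes `name: "*"`, so use `principal: "*"` here as well. The Identity example embeds `password: theSecret` as a literal, and a short sentence saying the value is inlined only for brevity and that production member credentials should not be kept in plaintext configuration is the caveat a reader needs (if the existing encryption page covers this, link it). Minor: "information from client-side TLS certificates ... are used" should be "is used".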
@@ -0,0 +1,1663 @@ += Client Authorization +:description: To protect your members from a malicious client, you can allow them to identify clients and restrict their permissions to access either data in data structures or features such as user code deployment. +:page-enterprise: true + +{description} + +Hazelcast client authorization is configured by a client permission +policy. Hazelcast has a default permission policy implementation that uses +permission configurations defined in the Hazelcast security configuration. +Default policy permission checks are done against instance types (map, queue, etc.), +instance names, instance actions (put, read, remove, add, etc.), +the client endpoint address (`ClusterEndpointPrincipal`), and client roles (`ClusterRolePrincipal`). + +The default permission policy allows to use comma separated names in the `principal` +attribute configuration. + +[NOTE] +==== +Unless part of the role name, do not include spaces when adding names to the `principal` attribute. + +Hazelcast does not automatically remove spaces in role names. If you include spaces that are not part of the name, permission is not granted to the intended role. + +For example, if you configure permissions for the *admin* and *devel* roles using ``principal=" admin ,devel"``, the *admin* role is not granted the permission. +==== + +You can define the instance and principal names as wildcards using the `"*"` character. +See the xref:configuration:using-wildcards.adoc[Using Wildcards] section for details. + +The endpoint names can use range characters `"-"` and `"*"` as described +in the xref:clusters:network-configuration.adoc#interfaces[Interfaces] section. + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + ... + + + + + + 127.0.0.1 + + + + + + + create + destroy + put + read + + + + + + + 10.10.*.* + 127.0.0.1 + + + put + read + remove + + + + + + + 192.168.1.1-100 + 192.168.2.* + + + create + add + remove + + + + + + + + ... 
+ +---- +-- + +YAML:: ++ +[source,yaml] +---- +hazelcast: + security: + enabled: true + client-permissions: + on-join-operation: RECEIVE + all: + principal: admin,root + endpoints: + - 127.0.0.1 + map: + - name: myMap + principal: dev + endpoints: + - 127.0.0.1 + actions: + - create + - destroy + - put + - read + map: + - name: com.foo.entity + principal: dev + endpoints: + - 10.10.*.* + - 127.0.0.1 + actions: + - put + - read + - remove + queue: + - name: "*" + principal: dev + endpoints: + - 192.168.1.1-100 + - 192.168.2.* + actions: + - create + - add + - remove + transaction: +---- +==== + +You can also define your own policy by implementing `com.hazelcast.security.IPermissionPolicy`. + +[source,java] +---- +package com.hazelcast.security; +/** + * IPermissionPolicy is used to determine any Subject's + * permissions to perform a security sensitive Hazelcast operation. + * + */ +public interface IPermissionPolicy { + void configure( SecurityConfig securityConfig, Properties properties ); + + PermissionCollection getPermissions( Subject subject, + Class type ); + + void destroy(); +} +---- + +Permission policy implementations can access client-permissions that are in the +configuration by using `SecurityConfig.getClientPermissionConfigs()` when +Hazelcast calls the `configure(SecurityConfig securityConfig, Properties properties)` method. + +The `IPermissionPolicy.getPermissions(Subject subject, Class type)` +method is used to determine a client request that has been granted permission to +perform a security-sensitive operation. + +Permission policy should return a `PermissionCollection` containing permissions +of the given type for the given `Subject`. The Hazelcast access controller calls +`PermissionCollection.implies(Permission)` on returning `PermissionCollection` and +it decides whether the current `Subject` has permission to access the requested resources. 
+ +== Permissions + +The following is the list of client permissions that can be configured on the member: + +=== All Permission + +This permission grants clients access to all data and features. + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +all: + principal: principal + endpoints: + - .. +---- +==== + +=== Management Permission + +This permission defines which +client principals/endpoints are allowed to perform management tasks. +Here, the client we mention is the one that is used by Hazelcast Management Center +when it connects to the clusters. To learn more about this client, see xref:{page-latest-supported-mc}@management-center:ROOT:connecting-members.adoc[]. + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +management: + principal: mcadmin + endpoints: + - .. +---- +==== + +=== Map Permission + +Actions: all, create, destroy, index, intercept, listen, lock, put, read, remove + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +map: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== Queue Permission + +Actions: add, all, create, destroy, listen, read, remove + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +queue: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== MultiMap Permission + +Actions: all, create, destroy, listen, lock, put, read, remove + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +multimap: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. 
+---- +==== + +=== Replicated Map Permission + +Actions: all, create, destroy, index, intercept, listen, lock, put, read, remove + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +replicatedmap: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== Topic Permission + +Actions: create, destroy, listen, publish + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +topic: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== Reliable Topic Permission + +Actions: create, destroy, listen, publish + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +reliable-topic: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== List Permission + +Actions: add, all, create, destroy, listen, read, remove + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +list: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== Set Permission + +Actions: add, all, create, destroy, listen, read, remove + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +set: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== Ringbuffer Permission + +Actions: add, put, read, create, destroy + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +ringbuffer: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== Lock Permission + +Actions: all, create, destroy, lock, read + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... 
+ + +---- +-- + +YAML:: ++ +[source,yaml] +---- +lock: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== AtomicLong Permission + +Actions: all, create, destroy, modify, read + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +atomic-long: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== AtomicReference Permission + +Actions: all, create, destroy, modify, read + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +atomic-reference: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + + +=== CountDownLatch Permission + +Actions: all, create, destroy, modify, read + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +countdown-latch: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== FlakeIdGenerator Permission + +Actions: all, create, destroy, modify, read + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +flake-id-generator: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== Semaphore Permission + +Actions: all, acquire, create, destroy, read, release + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +semaphore: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== Executor Service Permission + +Actions: all, create, destroy + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +executor-service: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. 
+---- +==== + +=== Durable Executor Service Permission + +Actions: all, create, destroy + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +durable-executor-service: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== Scheduled Executor Service Permission + +Actions: all, create, destroy, read, modify + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +scheduled-executor-service: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== Cardinality Estimator Permission + +Actions: all, create, destroy, read, modify + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +cardinality-estimator: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== PN Counter Permission + +Actions: all, create, destroy, read, modify + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +pn-counter: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== Transaction Permission + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +transaction: + principal: principal + endpoints: + - .. +---- +==== + +=== Cache Permission + +Actions: all, create, destroy, listen, put, read, remove + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +cache: + - name: /hz/cache-name + principal: principal + endpoints: + - .. + actions: + - .. 
+---- +==== + +NOTE: The name provided in `cache-permission` must be the Hazelcast distributed +object name corresponding to the `Cache` as described in +the xref:jcache:hazelcast-integration.adoc[JCache - Hazelcast Instance Integration section]. + +=== Vector Collection Permission (Beta) + +Actions: all, create, destroy, put, read, remove, optimize + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +vector-collection: + - name: name + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== User Code Deployment Permission + +Actions: all, deploy + +include::clusters:partial$ucn-migrate-tip.adoc[] + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +user-code-deployment: + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +If you have migrated to {ucn} use the following permissions: + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +user-code-namespace: + principal: principal + endpoints: + - .. + actions: + - .. +---- +==== + +=== Configuration Permission + +This permission defines which +client principals/endpoints are allowed to +xref:configuration:dynamic-config.adoc[add data structure configurations at runtime]. + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +config: + principal: principal + endpoints: + - .. +---- +==== + +=== Job Permission + +Actions: + +- `submit`: Submit a new job, without uploading resources. +- `cancel`: Cancel a running job. +- `read`: Get or list information about a job (by ID or name) such as job configuration, job status, and +submission time. ++ +WARNING: When you query a streaming source with SQL, Hazelcast runs that query as a job. 
As a result, clients with the `read` permission for jobs can see the SQL query and any parameters. +- `restart`: Suspend and resume a running job. +- `export-snapshot`: Export or read snapshots. +- `add-resources`: Upload resources and classes as well as jobs to members. ++ +WARNING: Hazelcast cannot check permissions in code that's uploaded with a job, If you enable this permission, clients can xref:pipelines:job-security.adoc[upload custom code] that ignores any configured permissions. +- `all`: Enable all actions. + +All actions for job permissions also enable the `read` action. For example if you enable the `create` action, the `read` action is automatically enabled as well. + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ... + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +job: + - principal: "principal" + actions: + - .. +---- +==== + + +=== Connector Permission + +You can give permissions to the following xref:integrate:connectors.adoc[connectors]: + +- File +- Socket + +Actions: + +- `read`: Read data from sources. +- `write`: Write data to sinks. +- `all`: Enable all actions. + +[tabs] +==== +XML:: ++ +-- +.File Connector + +```xml + + + + ... + + +``` + +.Socket Connector + +```xml + + + ... + + +``` + +-- + +YAML:: ++ +-- +.File Connector + +[source,yaml] +---- +connector: + - name: "file:directory_name" + actions: + - .. +---- + +.Socket Connector + +[source,yaml] +---- +connector: + - name: "socket:host:port" + actions: + - .. +---- + +-- +==== + +WARNING: To protect external systems from being reached by external connectors (JDBC, Mongo, S3, ...), use other means than Hazelcast client permissions. +Traditionally, this is done by enabling authentication on the external system and/or setting up firewall rules. 
+ +=== SQL Permission + +You can give clients permission to use the following xref:sql:sql-statements.adoc[SQL statements]: + +- xref:sql:create-mapping.adoc[`CREATE MAPPING`] +- xref:sql:drop-mapping.adoc[`DROP MAPPING`] +- xref:sql:create-index.adoc[`CREATE INDEX`] +- xref:sql:create-view.adoc[`CREATE VIEW`] +- xref:sql:drop-view.adoc[`DROP VIEW`] +- xref:sql:create-data-connection.adoc[`CREATE DATA CONNECTION`] +- xref:sql:drop-data-connection.adoc[`DROP DATA CONNECTION`] +- xref:sql:show-resources.adoc[`SHOW RESOURCES`] + +Actions: + +- `create`: Use the `CREATE MAPPING` statement to create new mappings or replace existing ones. +- `destroy`: Use the `DROP MAPPING` statement to delete mappings. +- `create-index`: Use the `CREATE INDEX` statement to create a new index for a map. +- `create-view`: Use the `CREATE VIEW` statement to create new views or replace existing ones. +- `drop-view`: Use the `DROP VIEW` statement to delete an existing view. +- `create-dataconnection`: Use the `CREATE DATA CONNECTION` statement to create new data connections or replace existing ones. +- `drop-dataconnection`: Use the `DROP DATA CONNECTION` statement to delete data connections. +- `view-dataconnection`: Use the `SHOW RESOURCES` statement to view the resources and data types accessible via data connections. +- `all`: Enable all actions. + +To apply permissions to certain mappings or data connections, provide their names in the `name` attribute. Or, you can apply permissions to all mappings and data connections using the `*` wildcard. 
+ +[tabs] +==== +XML:: ++ +-- + +.Apply permissions to a mapping +[source,xml] +---- + + + create + destroy + + +---- + +.Apply permissions to all mappings +[source,xml] +---- + + + create + destroy + + +---- + +.Apply permissions to a data connection +[source,xml] +---- + + + drop-dataconnection + view-dataconnection + + +---- +-- + +YAML:: ++ +-- +.Apply permissions to a mapping + +[source,yaml] +---- +sql: + - name: "mapping_name" + actions: + - create + - destroy +---- + +.Apply permissions to all mappings +[source,yaml] +---- +sql: + - name: "*" + actions: + - create + - destroy +---- + +.Apply permissions to a data connection + +[source,yaml] +---- +sql: + - name: "data_connection_name" + actions: + - drop-dataconnection + - view-dataconnection +---- +-- +==== + +[[handling-permissions-when-a-new-member-joins]] +=== Handling Permissions When a New Member Joins + +By default, the set of permissions defined in the leader member of a cluster is +distributed to the newly joining members, overriding their own permission +configurations, if any. However, you can configure a new member to be joined, so that +it keeps its own set of permissions and even send these to the existing members in +the cluster. This can be done dynamically, without needing to restart the +cluster, using either one of the following configuration options: + +* the `on-join-operation` configuration attribute +* the `setOnJoinPermissionOperation()` method + +Using the above, you can choose whether a new member joining to a cluster will +apply the client permissions stored in its own configuration, or use the ones +defined in the cluster. The behaviors that you can specify with the configuration +are `RECEIVE`, `SEND` and `NONE`, which are described after the examples below. + +The following are the examples for both approaches on how to use them: + +**Declarative Configuration:** + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + ... + + + + + + ... 
+ +---- +-- + +YAML:: ++ +[source,yaml] +---- +hazelcast: + security: + enabled: true + client-permissions: + on-join-operation: SEND +---- +==== + +**Programmatic Configuration:** + +[source,java] +---- +Config config = new Config(); +config.getSecurityConfig() + .setEnabled(true) + .setOnJoinPermissionOperation(OnJoinPermissionOperationName.SEND); +---- + +The behaviors are explained below: + +* `RECEIVE`: Applies the permissions from the leader member in the +cluster before join. This is the default value. +* `SEND`: Doesn't apply the permissions from the leader member before join. +If the security is enabled, then it refreshes or replaces the cluster wide +permissions with the ones in the new member after the join is complete. +This option is suitable for the scenarios where you need to replace the +cluster wide permissions without restarting the cluster. +* `NONE`: Neither applies pre-join permissions, nor sends the local permissions +to the other members. It means that the new member does not send its own +permission definitions to the cluster, but keeps them when it joins. However, +after the join, when you update the permissions in the other cluster members, +those updates are also sent to the newly joining member. Therefore, this option +is suitable for the scenarios where you need to elevate privileges temporarily +on a single member (preferably a xref:management:cluster-utilities.adoc#enabling-lite-members[lite member]) for a +limited time period. The clients which want to use these temporary permissions +have to access the cluster through this single new member, meaning that you need +to configure the xref:clients:java.adoc#configure-cluster-routing-mode[SINGLE_MEMBER] cluster routing mode for such clients. ++ +Note that, the `create` and `destroy` permissions will not work when using +the `NONE` option, since the distributed objects need to be created/destroyed on all the members. 
++ +The following is an example for a scenario where `NONE` is used: ++ +[source,java,options="nowrap"] +---- +// temporary member, in the below case a lite member +Config config = new Config().setLiteMember(true); +PermissionConfig allPermission = new PermissionConfig(PermissionType.ALL, "*", null); +config.getSecurityConfig() + .setEnabled(true) + .setOnJoinPermissionOperation(OnJoinPermissionOperationName.NONE) + .addClientPermissionConfig(allPermission); +HazelcastInstance hzLite = Hazelcast.newHazelcastInstance(config); + +// temporary client connecting only to the lite member +String memberAddr = ...; +ClientConfig clientConfig = new ClientConfig(); +clientConfig.getNetworkConfig().setSmartRouting(false) + .addAddress(memberAddr); +HazelcastInstance client = HazelcastClient.newHazelcastClient(clientConfig); + +// do operations with escalated privileges: +client.getMap("protectedConfig").put("master.resolution", "1920"); + +// shutdown the client and lite member +client.shutdown(); +hzLite.shutdown(); +---- + +[[deny-permissions]] +=== Deny Permissions + +Hazelcast employs Additive Access Control as its default security mechanism. +When a client connects to a security-enabled cluster, it is initially granted +no permissions. As a result, access to protected resources is inherently denied +unless explicit permissions are configured and granted to specific roles. + +The Additive Access Control approach has limited expression capabilities and +is not well-suited for configurations involving simple exclusions. +For example, it's challenging to allow access to all maps except +the one named `"private"`. + +To address this limitation, Hazelcast introduces the concept of Deny Permissions +(or Deny Rules). + +Within the permission configuration, there is a `boolean` flag called `deny` +that enables permission subtraction. + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + ... + + + + + + all + + + + + + all + + + + + ... 
+ +---- +-- + +YAML:: ++ +[source,yaml] +---- +hazelcast: + security: + enabled: true + client-permissions: + map: + - name: * + actions: + - all + - name: private + deny: true + actions: + - all +---- +==== + +[[priority-of-grant-and-deny-permissions]] +=== Priority of Grant and Deny Permissions + +By default, when a permission is both granted and denied, the denial takes precedence. +In other words, if conflicting permissions exist, denial prevails. + +In certain scenarios, it might be beneficial to reverse this behavior and give higher +priority to permission grants. +Hazelcast supports this by introducing the `boolean` flag `priority-grant`, +which can be set to `true`. + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + ... + + + ... + + + ... + +---- +-- + +YAML:: ++ +[source,yaml] +---- +hazelcast: + security: + enabled: true + client-permissions: + priority-grant: false +---- +==== + +[[permission-evaluation-table]] +==== Permission Evaluation Table + +The table below illustrates how permission evaluation changes when `priority-grant` is configured. + +[options="header"] +|============================================================================ +| Permission Implication | `priority-grant=false` (default) | `priority-grant=true` +| No Grant or Deny Implication | Denied | Granted +| Implication from Grant only | Granted | Granted +| Implication from Deny only | Denied | Denied +| Both Grant and Deny Imply | Denied | Granted +|============================================================================ diff --git a/docs/modules/security/pages/cluster-member-security.adoc b/docs/modules/security/pages/cluster-member-security.adoc index 30a895a1e..64933638e 100644 --- a/docs/modules/security/pages/cluster-member-security.adoc +++ b/docs/modules/security/pages/cluster-member-security.adoc 
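Review bot: The Deny Permissions YAML example uses an unquoted `- name: *`, which YAML parsers reject because a bare `*` begins an alias; the queue and SQL examples earlier on the same page write `name: "*"`, so this one should be `- name: "*"` too. In the Job Permission section, "For example if you enable the `create` action, the `read` action is automatically enabled as well" names an action that is not in the list directly above it (submit, cancel, read, restart, export-snapshot, add-resources, all); `submit` is presumably what is meant. The `NONE` on-join example constructs `new PermissionConfig(PermissionType.ALL, "*", null)`, and the prose should warn that, while that lite member is up, every client the third argument admits has unrestricted access through it, so the temporary member should carry an endpoint/principal restriction and be shut down as soon as the work is done, as the snippet does. The text above that example tells the reader to configure the SINGLE_MEMBER cluster routing mode, yet the code calls `setSmartRouting(false)`; if the routing-mode API is the current one, the snippet should use it so the two agree. Also `... uploaded with a job, If you enable ...` needs a full stop in place of the comma.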
@@ -1,10 +1,10 @@ = Cluster Member Security :page-enterprise: true -Hazelcast supports the standard Java Security (JAAS) based authentication -between the cluster members. A xref:security:security-realms.adoc[Security Realm] can -be referenced by `` element to define authentication -between the member and identity of the current member. +Hazelcast xref::authentication-overview.adoc[authentication types] are supported +between the cluster members. A Security Realm can +be referenced by `member-authentication` property in `security` configuration to define authentication +between the members and identity of the current member. [tabs] ==== @@ -55,4 +55,4 @@ hazelcast: member-authentication: realm: memberRealm ---- -==== \ No newline at end of file +==== diff --git a/docs/modules/security/pages/enabling-jaas.adoc b/docs/modules/security/pages/enabling-security.adoc similarity index 77% rename from docs/modules/security/pages/enabling-jaas.adoc rename to docs/modules/security/pages/enabling-security.adoc index f6adf2362..e4f30ba32 100644 --- a/docs/modules/security/pages/enabling-jaas.adoc +++ b/docs/modules/security/pages/enabling-security.adoc @@ -1,12 +1,14 @@ -= Enabling JAAS Security += Enabling Security :page-enterprise: true +:page-aliases: enabling-jaas.adoc -With Hazelcast's extensible, JAAS based security feature, you can: +With Hazelcast's extensible security feature, you can: * authenticate both cluster members and clients * and perform access control checks on client operations. -Access control can be done according to endpoint principal -and/or endpoint address. + +Access control can be done according to roles assigned to clients +and client endpoint address. You can enable security declaratively or programmatically, as shown below. 
@@ -50,4 +52,4 @@ include::ROOT:example$/security/EnablingSecurity.java[tag=es] Also, see the xref:deploy:using-enterprise-edition.adoc#setting-the-license-key[Setting License Key section] for information about how to set your [blue]#Hazelcast {enterprise-product-name}# -license. \ No newline at end of file +license. diff --git a/docs/modules/security/pages/identity-configuration.adoc b/docs/modules/security/pages/identity-configuration.adoc new file mode 100644 index 000000000..30d0105e7 --- /dev/null +++ b/docs/modules/security/pages/identity-configuration.adoc 
@@ -0,0 +1,200 @@ += Identity Configuration +:page-enterprise: true + +The Identity configuration allows defining own <>. +These Credentials are used to authenticate to other systems. + +Available identity configuration types are as follows: + +* `username-password`: Defines a new `PasswordCredentials` object. +* `token`: Defines a new `TokenCredentials` object. +* `kerberos`: Defines the Kerberos identity which uses the +service tickets stored in the `TokenCredentials` object. +* `credentials-factory`: Configures the factory class which creates the `Credentials` objects. + +== Username-Password Identity + +The username with password is the most typical type of credentials. +It is configured by the `` +XML configuration element as shown below: + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- +include::ROOT:example$/hazelcast-password-realm.xml[tag=password] +---- +-- + +YAML:: ++ +[source,yaml] +---- +realms: + name: passwordRealm + identity: + username-password: + username: member1 + password: s3crEt +member-authentication: + realm: passwordRealm +---- +==== + +The equivalent programmatic configuration is shown below: + +[source,java] +---- +include::ROOT:example$/SecurityXmlTest.java[tag=password-realm] +---- + +== Token Identity + +Tokens are also simply configurable for +identity representation. The `` XML configuration element +allows using either plain ASCII tokens or Base64 encoded values. +Its optional argument `encoding` can have either `base64` or `none` (default) +as its value. 
+ +The following two realms define the same token value - bytes of the "Hazelcast" string: + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- +include::ROOT:example$/hazelcast-authentication-types.xml[tag=token] +---- +-- + +YAML:: ++ +[source,yaml] +---- +realms: + - name: tokenRealm1 + identity: + token: + value: Hazelcast + - name: tokenRealm2 + identity: + token: + encoding: base64 + value: SGF6ZWxjYXN0 +---- +-- + +Java:: ++ +[source,java] +---- +include::ROOT:example$/SecurityXmlTest.java[tag=token-realm] +---- +==== + +Hazelcast doesn't provide an xref:authentication-overview.adoc[authentication type] with direct `token` identity support. Tokens are usually used together with custom JAAS login modules. + +== Kerberos Identity + +The `kerberos` identity type is used to retrieve Kerberos service tickets to access +a member with the `kerberos` authentication type configured. +Read more about `kerberos` identity in +the xref:kerberos-authentication.adoc[Kerberos authentication section]. + +== Credentials Factory + +The most flexible way to define an identity is via <> objects +created by a custom credential factory. It is an implementation +of `com.hazelcast.security.ICredentialsFactory` +interface. Its `newCredentials()` method is the one which provides credentials. + +The XML configuration uses `` element to define the factory class. + +The behavior of credential factories can be controlled by specifying factory properties. +The properties are provided in the `init(Properties)` method. 
+ +A sample configuration is shown below: + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- +include::ROOT:example$/hazelcast-authentication-types.xml[tag=credentialsFactoryRealm] +---- +-- + +YAML:: ++ +[source,yaml] +---- +realms: + name: credentialsFactoryRealm + identity: + credentials-factory: + class-name: com.examples.TOTPCredentialsFactory + properties: + seed: 3132333435363738393031323334353637383930 +---- +==== + +[[credentials]] +=== Credentials + +One of the key elements in Hazelcast security is the `Credentials` object, which +represents evidence of the identity (member or client). +The content of `Credentials` object is verified during the authentication. +Credentials is an interface which extends `Serializable`. + +[source,java] +---- +public interface Credentials extends Serializable { + String getName(); +} +---- + +There are two subtype interfaces which simplify the `Credentials` usage. +The subtypes reflect data provided in the client authentication messages: + +* Name and password (`com.hazelcast.security.PasswordCredentials`) +* Byte array token (`com.hazelcast.security.TokenCredentials`) + +The interfaces have the following forms: + +[source,java] +---- +public interface PasswordCredentials extends Credentials { + String getPassword(); +} +---- + +[source,java] +---- +public interface TokenCredentials extends Credentials { + byte[] getToken(); + + default Data asData() { + return new HeapData(getToken()); + } +} +---- + +The `Credentials` instance can be retrieved in the login modules +by handling a `CredentialsCallback`. + +Here is an example: + +[source,java] +---- +include::ROOT:example$/security/CustomLoginModuleTest.java[tag=credentials-callback] +---- diff --git a/docs/modules/security/pages/jaas-authentication.adoc b/docs/modules/security/pages/jaas-authentication.adoc index e4da0edf4..70a5ac631 100644 --- a/docs/modules/security/pages/jaas-authentication.adoc +++ b/docs/modules/security/pages/jaas-authentication.adoc 
@@ -1,7 +1,49 @@ -= JAAS authentication += JAAS Authentication [[jaas-authentication]] :page-enterprise: true +The `jaas` authentication setting is the most flexible +form of authentication, but it requires knowledge +of JAAS login modules and related concepts. It allows using +custom login modules and ordering them in a login module stack. + +The following is a sample configuration which authenticates against an LDAP server or +database as a fallback: + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- +include::ROOT:example$/hazelcast-authentication-types.xml[tag=jaas] +---- +-- + +YAML:: ++ +[source,yaml] +---- + realms: + - name: jaasRealm + authentication: + jaas: + - class-name: com.examples.LdapLoginModule + usage: SUFFICIENT + properties: + url: ldap://corp-ldap + - class-name: com.examples.DatabaseLoginModule + usage: SUFFICIENT + properties: + type: ora18 + host: corp-db + table: USERS +---- +==== + + == JAAS Principals used in Hazelcast Hazelcast works with the following JAAS https://docs.oracle.com/javase/8/docs/api/java/security/Principal.html[Principal^] @@ -23,7 +65,7 @@ Set hazelcastPrincipals = subject.getPrincipals(HazelcastPrincipal.class); ---- -=== Callbacks Supported in Login Modules +== Callbacks Supported in Login Modules JAAS https://docs.oracle.com/javase/8/docs/api/javax/security/auth/callback/Callback.html[Callback^] instances are used for accessing different kinds of data from the @@ -43,7 +85,7 @@ The callbacks are usually used in the `login()` method of a login module: [source,java] ---- -include::ROOT:example$/CustomLoginModuleTest.java[tag=callback-sample] +include::ROOT:example$/security/CustomLoginModuleTest.java[tag=callback-sample] ---- == ClusterLoginModule 
@@ -129,4 +171,4 @@ return the roles that are attributed to the user. These roles can then be used for data structure authorization. NOTE: See the http://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html[JAAS Reference Guide^] -for further information. \ No newline at end of file +for further information. diff --git a/docs/modules/security/pages/kerberos-authentication.adoc b/docs/modules/security/pages/kerberos-authentication.adoc new file mode 100644 index 000000000..95494c330 --- /dev/null +++ b/docs/modules/security/pages/kerberos-authentication.adoc 
@@ -0,0 +1,420 @@ += Kerberos Authentication +:page-enterprise: true + +The Kerberos authentication protocol is one of the standard solutions +for single sign-on (SSO). It's well established in many companies. Hazelcast +supports Kerberos authentication as an {enterprise-product-name} feature and it also +provides Kerberos integration to LDAP-based authorization. + +The Kerberos support in Hazelcast has 2 configuration parts: identity +and authentication. The identity part is responsible for retrieving the service +ticket from Kerberos KDC (Key Distribution Center). +The authentication part verifies the service tickets. + +Default Service principal names for Hazelcast members are in the form +`hz/address@REALM`, for example `hz/192.168.1.1@ACME.COM`. + +Before a service ticket is issued, the client side of the connection has to be +authenticated, which means the TGT (Ticket Granting Ticket) is present in the Subject. + +== Simplified Kerberos Configuration + +Both Hazelcast `kerberos` identity, and `kerberos` authentication delegate the ticket related tasks (such as TGT retrieval) to vendor specific `Krb5LoginModule` +implementations. It's https://docs.oracle.com/en/java/javase/17/docs/api/jdk.security.auth/com/sun/security/auth/module/Krb5LoginModule.html[`com.sun.security.auth.module.Krb5LoginModule`] class in most of the cases. +The `security-ream` property in `kerberos` configurations allows referencing another realm with `Krb5LoginModule` configured. + +To simplify the Kerberos configuration process for new users, Hazelcast allows +skipping `Krb5LoginModule` JAAS configuration within separate security realms. +Instead, it's possible to define the `principal` and `keytab-file` options in the +`kerberos` identity and authentication configurations. +If these options are used instead of the `security-realm`, then a new temporary +realm is generated on the fly during the authentication. 
+ +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + + hz/127.0.0.1@HAZELCAST.COM + /opt/localhost.keytab + + + + + HAZELCAST.COM + hz/127.0.0.1@HAZELCAST.COM + /opt/localhost.keytab + + + +---- +-- + +YAML:: ++ +[source,yaml] +---- + realms: + - name: simpleKerberosRealm + authentication: + kerberos: + principal: hz/127.0.0.1@HAZELCAST.COM + keytab-file: /opt/localhost.keytab + identity: + kerberos: + realm: HAZELCAST.COM + principal: hz/127.0.0.1@HAZELCAST.COM + keytab-file: /opt/localhost.keytab +---- +==== + +A warning is logged during the first usage of the simplified configuration form. +It includes the generated configuration, so you can use it as a starting point +to define the full Kerberos configuration. An example warning log is shown below: + +``` +12:37:41,187 WARN [KerberosCredentialsFactory] Using generated Kerberos initiator +realm configuration is not intended for production use. It's recommended +to properly configure the Krb5LoginModule manually to fit your needs. 
+Following configuration was generated from provided keytab and principal properties: + + + + + + true + true + true + true + true + /opt/localhost.keytab + hz/127.0.0.1@HAZELCAST.COM + + + + + +``` + +== Identity configuration + +The full Kerberos identity configuration references a security realm with `Krb5LoginModule` configured as an initiator: + +[tabs] +==== +Sample Kerberos Identity Configuration XML:: ++ +-- + +[source,xml] +---- + + + + ACME.COM + krb5Initiator + + + + + + + + + true + true + + + + + +---- +-- + +YAML:: ++ +[source,yaml] +---- + realms: + - name: kerberosRealm + identity: + kerberos: + realm: ACME.COM + security-realm: krb5Initiator + - name: krb5Initiator + authentication: + jaas: + class-name: com.sun.security.auth.module.Krb5LoginModule + properties: + useTicketCache: true + doNotPrompt: true +---- +==== + +The `` identity configuration has the following properties: + +[cols="1,1,3",options="header",] +.The Identity Configuration Options +|======================================================================= +| Property name +| Default value +| Description + +| `spn` +| +| Allows configuring static Service Principal Name (SPN). It's +meant for use cases where all the members share a single Kerberos identity. + +| `service-name-prefix` +| `"hz/"` +| Defines the prefix of SPN. By default the member's +principal name (for which this credentials +factory asks the service ticket) is in the form +`"[servicePrefix][memberIpAddress]@[REALM]"`, e.g., +`"hz/192.168.1.1@ACME.COM"`. + +| `realm` +| +| Kerberos realm name, e.g., `"ACME.COM"`. + +| `security-realm` +| +| Security realm name in the Hazelcast configuration used +for Kerberos authentication. The authentication configuration in the +referenced security realm will be used to fill the Subject with the Kerberos +credentials, e.g., TGT. 
+ +| `use-canonical-hostname` +| `false` +| Flag which controls if canonical hostnames should be used instead of IP addresses +in generated Service Principal names. +This property is only used when Service Principal name is not static, i.e., when `spn` option +is not configured). + +| `principal` +| +| Kerberos principal name. This is a helper option which can be used together +with the `keytab-file` to replace the `security-realm` configuration. + +_We don't recommend using this property in production!_ + +| `keytab-file` +| +| Path to a keytab file with the current principal's secrets. +This is a helper option which can be used together +with the `principal` to replace the `security-realm` configuration. + +_We don't recommend using this property in production!_ +|======================================================================= + + +== Kerberos Authentication + +The authenticating part on the server side is able to +accept the Kerberos tickets and verify them. Again the Kerberos +authentication is delegated to another realm with the Kerberos login module +configured. + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + + krb5Acceptor + + + + + + + + + false + false + true + true + true + hz/192.168.1.1@ACME.COM + /opt/member1.keytab + + + + + +---- +-- + +YAML:: ++ +[source,yaml] +---- + realms: + name: kerberosRealm + authentication: + kerberos: + security-realm: krb5Acceptor + name: krb5Acceptor + authentication: + jaas: + - class-name: com.sun.security.auth.module.Krb5LoginModule + usage: REQUIRED + properties: + isInitiator: false + useTicketCache: false + doNotPrompt: true + useKeyTab: true + storeKey: true + principal: hz/192.168.1.1@ACME.COM + keyTab: /opt/member1.keytab +---- +==== + +The `krb5Acceptor` realm configuration in the snippet only loads the Kerberos secrets from +a keytab file and it doesn't authenticate against a KDC. 
+ + +[cols="1,1,3",options="header",] +.The Authentication Configuration Options +|======================================================================= +| Property name +| Default value +| Description + +| `relax-flags-check` +| `false` +| Allows disabling some of the checks on the +incoming token, e.g., passes authentication even if the mutual +authentication is required by the token. + +| `use-name-without-realm` +| `false` +| When set to `true`, then the Kerberos realm part is removed from the +authenticated name, e.g., `"jduke@ACME.COM"` becomes just `"jduke"`. + +| `security-realm` +| +|Security realm name in the Hazelcast configuration used +for Kerberos authentication. The authentication configuration in the +referenced security realm will be used to fill the Subject with the Kerberos +credentials, e.g., Keytab. + +| `principal` +| +| Kerberos principal name. This is a helper option which can be used together +with the `keytab-file` to replace the `security-realm` configuration. + +_We don't recommend using this property in production!_ + +| `keytab-file` +| +| Path to a keytab file with the current principal's secrets. +This is a helper option which can be used together +with the `principal` to replace the `security-realm` configuration. + +_We don't recommend using this property in production!_ +|======================================================================= + +The `GssApiLoginModule` (implementing Kerberos authentication) +derives from the abstract `ClusterLoginModule`. As a result the `` +configuration supports the common options, too: `skip-identity`, `skip-endpoint` and +`skip-role`. + +[NOTE] +==== +* The Kerberos authentication in Hazelcast is only able to validate connections on +the server side. It doesn't support mutual authentication. +* The Generic Security Services API (GSS-API) is not used for protecting (wrapping) +the messages after the authentication, e.g., encryption, integrity checks. It's only used for +accepting tokens. 
+* The token itself is not protected against Man-in-the-Middle (MITM) attacks. +If an attacker is able to eavesdrop the token and use it before the +original sender, then the attacker succeeds with the authentication but +the original sender won't. +** There is a replay protection in Java which caches the already used tokens. +** Java Kerberos implementation accepts the token for 5 minutes (by default) +from its creation. +* Time has to be synchronized on the machines where the Kerberos is +used. + +If you are running Hazelcast in an untrusted network with a MITM attack +risk, then enable encryption on Hazelcast protocols to prevent stealing +the token. +==== + +=== Kerberos and LDAP integration + +The Kerberos authentication allows loading role mapping information from +an LDAP server (usually the one backing the Kerberos KDC server, too). +Therefore, the `` authentication configuration is also available as +sub-configuration of the `` authentication. + +[tabs] +==== +Sample Kerberos Identity Configuration XML:: ++ +-- + +[source,xml] +---- + + + + true + krb5Acceptor + + ldap://ldap.hazelcast.com + GSSAPI + memberOf + krb5Initiator + (krb5PrincipalName=\{login}) + true + + + + +---- +-- + +YAML:: ++ +[source,yaml] +---- + realms: + - name: kerberosRealm + authentication: + kerberos: + skip-role: true + security-realm: krb5Acceptor + ldap: + url: ldap://ldap.hazelcast.com + system-authentication: GSSAPI + security-realm: krb5Initiator + skip-authentication: true + user-filter: "(krb5PrincipalName=\{login})" + role-mapping-attribute: memberOf +---- +==== + +NOTE: The Kerberos-LDAP integration doesn't support credentials delegation, +i.e., reusing client's ticket for accessing the LDAP. It only allows using +the member's Kerberos credentials to authenticate into the LDAP. + + +== Troubleshooting + +Usually `Krb5LoginModule` implementations provided by JVMs have a `debug` option allowing you to print details related to authentication. 
Please refer your JVM documentation to find more details. + +Also look into the xref:security-debugging.adoc[Security Debugging section] to find out +how to enable more debug output for Kerberos in your JVM. diff --git a/docs/modules/security/pages/ldap-authentication.adoc b/docs/modules/security/pages/ldap-authentication.adoc new file mode 100644 index 000000000..596fc04ed --- /dev/null +++ b/docs/modules/security/pages/ldap-authentication.adoc 
@@ -0,0 +1,295 @@ += LDAP Authentication +:page-enterprise: true + +LDAP servers are one of the most popular identity stores. +They can track information about organization structure, +users, groups, servers and configurations. + +Hazelcast supports authentication and authorization against LDAP servers. +The authentication verifies the provided name and password. +The authorization part allows to map roles to the authenticated user. + +The password verification during the authentication is possible by: + +* making a new LDAP bind operation with the given name and password +* using a separate "admin connection" to verify the provided password +against an LDAP object attribute. + +The LDAP authentication allows also a role mapping. +As there are more ways how roles can be mapped in the LDAP, +Hazelcast provides several approaches to retrieve them: + +* `attribute`: The role name is stored as an attribute in the object representing the identity. +* `direct` mapping: The identity object contains an attribute with reference to the role object(s). +* `reverse` mapping: The role objects having a reference to the identity object are searched. + +The `direct` and `reverse` mapping modes also allow a role search recursion. + +[cols="1,1,3"] +.LDAP Configuration Options +|=== +| Option Name +| Default Value +| Description + +| `url` +| +| URL of the LDAP server. The value is configured as the JNDI environment +property, i.e., `java.naming.provider.url`. + +| `socket-factory-class-name` +| +| Socket factory class name. The factory can be used for fine-grained +configuration of the TLS protocol on top of the LDAP protocol, i.e., `ldaps` scheme. + +| `parse-dn` +| false +| If set to `true`, it treats the value of `role-mapping-attribute` as a DN and +extracts only the `role-name-attribute` values as role names. If set to `false`, +the whole value of `role-mapping-attribute` is used as a role name. 
+ +This option is only used when the `role-mapping-mode` option has the value `attribute`. + +| `role-context` +| +| LDAP Context in which assigned roles are searched, e.g., `ou=Roles,dc=hazelcast,dc=com`. + +This option is only used when the `role-mapping-mode` option has the value `reverse`. + +| `role-filter` +| `([role-mapping-attribute]=\{MEMBERDN})` +| LDAP search string which usually contains a placeholder `\{MEMBERDN}` to be +replaced by the provided login name, e.g., `(member=\{MEMBERDN})`. + +If the role search recursion is enabled (see `role-recursion-max-depth`), the `\{MEMBERDN}` +is replaced by role DNs in the recurrent searches. + +This option is only used when the `role-mapping-mode` option has the value `reverse`. + +| `role-mapping-attribute` +| +| Name of the LDAP attribute which contains either the role name or role DN. + +This option is used when the `role-mapping-mode` option has the value `attribute` or `direct`. +If the mapping mode is `reverse`, the value is used in `role-filter` default value. + +| `role-mapping-mode` +| `attribute` +a| Role mapping mode. It can have one of the following values: + +* `attribute`: The user object in the LDAP contains directly role name in the +given attribute. Role name can be parsed from a DN string when `parse-dn=true` +No additional LDAP query is done to find assigned roles. +* `direct`: The user object contains an attribute with DN(s) of assigned +role(s). Role object(s) is/are loaded from the LDAP and the role name is +retrieved from its attributes. Role search recursion can be enabled for this mode. +* `reverse`: The role objects are located by executing an LDAP search query +with the given `role-filter`. In this case, the role object usually contains +attributes with DNs of the assigned users. Role search recursion can be enabled for this mode. 
+ +| `role-name-attribute` +| +| This option may refer to a name of LDAP attribute within the role object which +contains the role name in case of `direct` and `reverse` role mapping mode. It may also refer +to the attribute name within X.500 name stored in `role-mapping-attribute` when +`role-mapping-mode=attribute` and `parse-dn=true`. + +| `role-recursion-max-depth` +| 1 +| Sets the maximum depth of role search recursion. The default value 1 means +the role search recursion is disabled. + +This option is only used when the `role-mapping-mode` option has value `direct` or `reverse`. + +| `role-search-scope` +| `subtree` +a| LDAP search scope used for `role-filter` search. It can have one of the following values: + +* `subtree`: Searches for objects in the given context and its subtree. +* `one-level`: Searches just one-level under the given context. +* `object`: Searches (or tests) just for the context object itself (if it matches the filter criteria). + +This option is only used when the `role-mapping-mode` option has the value `reverse`. + +| `user-name-attribute` +| `uid` +| LDAP attribute name whose value is used as a name in +`ClusterIdentityPrincipal` added to the JAAS Subject. + +| `system-user-dn` +| +a| Admin account DN. If configured, then the following are true: + +* For the user and role object, search queries are used an admin connection instead +of the "user" one created by LDAP bind with provided credentials. +* LDAP authentication doesn't expect the full user DN to be provided as a login name. +It rather expects names like `"jduke"` than `"uid=jduke,ou=Engineering,o=Hazelcast,dc=com"`; +* The admin connection allows verifying the provided user credentials against a +value defined in the `password-attribute` option. + +| `system-user-password` +| +| Admin's password (for `system-user-dn` account). + + +| `system-authentication` +| `simple` +| Name of the authentication mechanism used for the admin LDAP connection. 
+It's used as a value for JNDI environment property `Context#SECURITY_AUTHENTICATION`. +You can specify `GSSAPI` to authenticate with the Kerberos protocol. + +| `password-attribute` +| +| Credentials verification is done by the new LDAP binds by default. +Nevertheless, the password can be stored in a non-default LDAP attribute, +and in this case use `password-attribute` to configure against which +LDAP attribute (within the user object) is the provided password compared +during the login. As a result, if the `password-attribute` option is provided, +then the extra LDAP bind to verify credentials is not done and passwords +are just compared within the Hazelcast code after retrieving the user object from LDAP server. + +This option is only used when the admin connection is configured, i.e., when `system-user-dn` or `system-authentication` is defined. + +| `user-context` +| +| LDAP context in which the user objects are searched, e.g., `ou=Users,dc=hazelcast,dc=com`. + +This option is only used when the admin connection is configured, i.e., when `system-user-dn` or `system-authentication` is defined. + +| `user-filter` +| `(uid=\{login})` +| LDAP search string for retrieving the user objects based on the provided login name. +It usually contains a placeholder substring `\{login}` which is replaced by the provided login name. + +This option is only used when the admin connection is configured, i.e., when `system-user-dn` or `system-authentication` is defined. + +| `user-search-scope` +| `subtree` +a| LDAP search scope used for `user-filter` search. It can have one of the following values: + +* `subtree`: Searches for objects in the given context and its subtree. +* `one-level`: Searches just one-level under the given context. +* `object`: Searches (or tests) just for the context object itself (if it matches the filter criteria). + +This option is only used when the admin connection is configured, i.e., when `system-user-dn` or `system-authentication` is defined. 
+ +| `skip-authentication` +| `false` +a| Flag which allows disabling password verification and +only takes care about filling `HazelcastPrincipal` instances into the +Subject. + +This option is only used when the admin connection is configured, i.e., when `system-user-dn` or `system-authentication` is defined. + +| `security-realm` +| +a| If specified, given realm name is used for authentication of +a (temporary) Subject which is then used for doing LDAP queries. + +This option is only used when the admin connection is configured, i.e., when `system-user-dn` or `system-authentication` is defined. +|=== + +Detailed logging for LDAP authentication can be enabled by +configuring a more verbose logger level for the `com.hazelcast.security` +package as described in the xref:security-debugging.adoc[Security Debugging section]. + +NOTE: The LDAP authentication implementation provided by Hazelcast doesn't handle LDAP referrals, i.e., references to other LDAP trees. + +==== TLS Protected LDAP Server Connections + +The LDAP authentication type supports TLS protected connections +to LDAP servers, using the `ldaps` protocol scheme. The TLS is +handled on the Java runtime side (JNDI API and URL handlers). + +When using TLS, the LDAP provider will, by default, use the socket factory, +`javax.net.ssl.SSLSocketFactory` for creating a TLS socket to communicate +with the server, using the default JSSE configuration. By default, the server's +certificate is validated against Java default CA certificate store and hostname +in LDAPs URL is verified against the name(s) in the server certificate. The behavior +can be controlled globally by using `javax.net.ssl.*` properties. Here is an example: + +[source,shell] +---- +java -Djavax.net.ssl.trustStore=/opt/hazelcast.truststore \ + -Djavax.net.ssl.trustStorePassword=123456 \ + -Djavax.net.ssl.keyStore=/opt/hazelcast.keystore \ + -Djavax.net.ssl.keyStorePassword=123456 \ + ... 
+---- + +There can be also properties specific to vendor or Java version allowing more +fine-grained control. Here is an example on disabling host name validation: + +[source,shell] +---- +-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true +---- + +When even more control is necessary, you can implement your own +`SSLSocketFactory` and use its class name as the value in the `ldap` +authentication option `socket-factory-class-name`. + +Here is an example custom socket factory class: + +[source,java] +---- +include::ROOT:example$/security/ldap/CustomSSLSocketFactory.java[] +---- + +The authentication configuration could look like as follows: + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- +include::ROOT:example$/hazelcast-authentication-types.xml[tag=ldaps] +---- +-- + +YAML:: ++ +[source,yaml] +---- + realms: + - name: ldapsRealm + authentication: + ldap: + url: ldaps://ldapserver.acme.com + socket-factory-class-name: security.ldap.CustomSSLSocketFactory + role-mapping-attribute: cn +---- +==== + +The LDAP authentication is backed by the JNDI API in Java. +It has also the failover support. You can configure multiple space-separated +URLs in the `` option: + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- +include::ROOT:example$/hazelcast-authentication-types.xml[tag=ldap-fallback] +---- +-- + +YAML:: ++ +[source,yaml] +---- + realms: + - name: ldapFallbackRealm + authentication: + ldap: + url: ldap://ldap-master.example.com ldap://ldap-backup.example.com +---- +==== + +LDAP can also be used for role retrieval when the xref:kerberos-authentication.adoc[Kerberos authentication] is used. More details is in the xref:kerberos-authentication.adoc[Kerberos authentication] documentation. diff --git a/docs/modules/security/pages/native-client-security.adoc b/docs/modules/security/pages/native-client-security.adoc index d851e1562..4f1c69afe 100644 --- a/docs/modules/security/pages/native-client-security.adoc 
+++ b/docs/modules/security/pages/native-client-security.adoc @@ -1,68 +1,9 @@ -= Client Security -:description: To protect your members from a malicious client, you can allow them to identify clients and restrict their permissions to access either data in data structures or features such as user code deployment. += Native Client Security :page-enterprise: true -{description} - -To allow members to identify clients, set up <>. - -To allow members to restrict client permissions, set up <>. - -== Authenticating Clients - -To implement the client authentication, reference a xref:security-realms.adoc[Security Realm] -with the `authentication` section defined in the `client-authentication` setting -of a cluster member's configuration. - -The `authentication` configuration defines a method used to verify the client's identity -and assign its roles. - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - ... - - - - - - ldap://corp-ldap.example.com/ - cn - - - - - - - ... - ----- --- - -YAML:: -+ -[source,yaml] ----- -hazelcast: - security: - enabled: true - realms: - name: clientRealm - authentication: - ldap: - url: ldap://corp-ldap.example.com/ - role-mapping-attribute: cn - client-authentication: - realm: clientRealm ----- -==== +As described in xref::authentication-overview.adoc[authentication] and xref::client-authorization.adoc[authorization] sections you can define access control mechanisms for clients. +Java native client which is part of Hazelcast codebase, can be provided with an identity used for authentication to a cluster. The identity of the connecting client is defined on the client side. Usually, there are no security realms on the clients, but just identity defined directly in the security configuration. 
@@ -104,223 +45,11 @@ On the clients, you can use the same identity types as in security realms: * `kerberos` (may require an additional security realm definition) * `credentials-factory` -== Authorizing Clients - -Hazelcast client authorization is configured by a client permission -policy. Hazelcast has a default permission policy implementation that uses -permission configurations defined in the Hazelcast security configuration. -Default policy permission checks are done against instance types (map, queue, etc.), -instance names, instance actions (put, read, remove, add, etc.), -the client endpoint address (`ClusterEndpointPrincipal`), and client roles (`ClusterRolePrincipal`). - -The default permission policy allows to use comma separated names in the `principal` -attribute configuration. - -[NOTE] -==== -Unless part of the role name, do not include spaces when adding names to the `principal` attribute. - -Hazelcast does not automatically remove spaces in role names. If you include spaces that are not part of the name, permission is not granted to the intended role. - -For example, if you configure permissions for the *admin* and *devel* roles using ``principal=" admin ,devel"``, the *admin* role is not granted the permission. -==== - -You can define the instance and principal names as wildcards using the `"*"` character. -See the xref:configuration:using-wildcards.adoc[Using Wildcards] section for details. - -The endpoint names can use range characters `"-"` and `"*"` as described -in the xref:clusters:network-configuration.adoc#interfaces[Interfaces] section. - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - ... - - - - - - 127.0.0.1 - - - - - - - create - destroy - put - read - - - - - - - 10.10.*.* - 127.0.0.1 - - - put - read - remove - - - - - - - 192.168.1.1-100 - 192.168.2.* - - - create - add - remove - - - - - - - - ... 
- ----- --- - -YAML:: -+ -[source,yaml] ----- -hazelcast: - security: - enabled: true - client-permissions: - on-join-operation: RECEIVE - all: - principal: admin,root - endpoints: - - 127.0.0.1 - map: - - name: myMap - principal: dev - endpoints: - - 127.0.0.1 - actions: - - create - - destroy - - put - - read - map: - - name: com.foo.entity - principal: dev - endpoints: - - 10.10.*.* - - 127.0.0.1 - actions: - - put - - read - - remove - queue: - - name: "*" - principal: dev - endpoints: - - 192.168.1.1-100 - - 192.168.2.* - actions: - - create - - add - - remove - transaction: ----- -==== - -You can also define your own policy by implementing `com.hazelcast.security.IPermissionPolicy`. +== Security Realms on the Client Side -[source,java] ----- -package com.hazelcast.security; -/** - * IPermissionPolicy is used to determine any Subject's - * permissions to perform a security sensitive Hazelcast operation. - * - */ -public interface IPermissionPolicy { - void configure( SecurityConfig securityConfig, Properties properties ); - - PermissionCollection getPermissions( Subject subject, - Class type ); - - void destroy(); -} ----- - -Permission policy implementations can access client-permissions that are in the -configuration by using `SecurityConfig.getClientPermissionConfigs()` when -Hazelcast calls the `configure(SecurityConfig securityConfig, Properties properties)` method. - -The `IPermissionPolicy.getPermissions(Subject subject, Class type)` -method is used to determine a client request that has been granted permission to -perform a security-sensitive operation. - -Permission policy should return a `PermissionCollection` containing permissions -of the given type for the given `Subject`. The Hazelcast access controller calls -`PermissionCollection.implies(Permission)` on returning `PermissionCollection` and -it decides whether the current `Subject` has permission to access the requested resources. 
- -== Permissions - -The following is the list of client permissions that can be configured on the member: - -=== All Permission - -This permission grants clients access to all data and features. - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -all: - principal: principal - endpoints: - - .. ----- -==== - -=== Management Permission - -This permission defines which -client principals/endpoints are allowed to perform management tasks. -Here, the client we mention is the one that is used by Hazelcast Management Center -when it connects to the clusters. To learn more about this client, see xref:{page-latest-supported-mc}@management-center:ROOT:connecting-members.adoc[]. +Hazelcast offers limited support for security realms in native clients. +The configuration allows specifying JAAS login modules which can be referenced from +the Kerberos identity configuration. [tabs] ==== 
@@ -330,304 +59,26 @@ XML:: [source,xml] ---- - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -management: - principal: mcadmin - endpoints: - - .. ----- -==== - -=== Map Permission - -Actions: all, create, destroy, index, intercept, listen, lock, put, read, remove - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -map: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== Queue Permission - -Actions: add, all, create, destroy, listen, read, remove - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -queue: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== MultiMap Permission - -Actions: all, create, destroy, listen, lock, put, read, remove - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -multimap: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== Replicated Map Permission - -Actions: all, create, destroy, index, intercept, listen, lock, put, read, remove - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -replicatedmap: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== Topic Permission - -Actions: create, destroy, listen, publish - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -topic: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== Reliable Topic Permission - -Actions: create, destroy, listen, publish - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... 
- - ----- --- - -YAML:: -+ -[source,yaml] ----- -reliable-topic: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== List Permission - -Actions: add, all, create, destroy, listen, read, remove - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -list: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== Set Permission - -Actions: add, all, create, destroy, listen, read, remove - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - + + + ACME.COM + krb5Initiator + + + + + + + + true + true + + + + + + + ---- -- 
@@ -635,1131 +86,18 @@ YAML:: + [source,yaml] ---- -set: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. +security: + kerberos: + realm: ACME.COM + security-realm: krb5Initiator + realms: + name: krb5Initiator + authentication: + jaas: + class-name: com.sun.security.auth.module.Krb5LoginModule + usage: REQUIRED + properties: + useTicketCache: true + doNotPrompt: true ---- ==== - -=== Ringbuffer Permission - -Actions: add, put, read, create, destroy - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -ringbuffer: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== Lock Permission - -Actions: all, create, destroy, lock, read - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -lock: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== AtomicLong Permission - -Actions: all, create, destroy, modify, read - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -atomic-long: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== AtomicReference Permission - -Actions: all, create, destroy, modify, read - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -atomic-reference: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - - -=== CountDownLatch Permission - -Actions: all, create, destroy, modify, read - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -countdown-latch: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. 
----- -==== - -=== FlakeIdGenerator Permission - -Actions: all, create, destroy, modify, read - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -flake-id-generator: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== Semaphore Permission - -Actions: all, acquire, create, destroy, read, release - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -semaphore: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== Executor Service Permission - -Actions: all, create, destroy - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -executor-service: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== Durable Executor Service Permission - -Actions: all, create, destroy - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -durable-executor-service: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== Scheduled Executor Service Permission - -Actions: all, create, destroy, read, modify - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -scheduled-executor-service: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== Cardinality Estimator Permission - -Actions: all, create, destroy, read, modify - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -cardinality-estimator: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. 
----- -==== - -=== PN Counter Permission - -Actions: all, create, destroy, read, modify - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -pn-counter: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== Transaction Permission - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -transaction: - principal: principal - endpoints: - - .. ----- -==== - -=== Cache Permission - -Actions: all, create, destroy, listen, put, read, remove - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -cache: - - name: /hz/cache-name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -NOTE: The name provided in `cache-permission` must be the Hazelcast distributed -object name corresponding to the `Cache` as described in -the xref:jcache:hazelcast-integration.adoc[JCache - Hazelcast Instance Integration section]. - -=== Vector Collection Permission (Beta) - -Actions: all, create, destroy, put, read, remove, optimize - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -vector-collection: - - name: name - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -=== User Code Deployment Permission - -Actions: all, deploy - -include::clusters:partial$ucn-migrate-tip.adoc[] - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -user-code-deployment: - principal: principal - endpoints: - - .. - actions: - - .. ----- -==== - -If you have migrated to {ucn} use the following permissions: - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -user-code-namespace: - principal: principal - endpoints: - - .. - actions: - - .. 
----- -==== - -=== Configuration Permission - -This permission defines which -client principals/endpoints are allowed to -xref:configuration:dynamic-config.adoc[add data structure configurations at runtime]. - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -config: - principal: principal - endpoints: - - .. ----- -==== - -=== Job Permission - -Actions: - -- `submit`: Submit a new job, without uploading resources. -- `cancel`: Cancel a running job. -- `read`: Get or list information about a job (by ID or name) such as job configuration, job status, and -submission time. -+ -WARNING: When you query a streaming source with SQL, Hazelcast runs that query as a job. As a result, clients with the `read` permission for jobs can see the SQL query and any parameters. -- `restart`: Suspend and resume a running job. -- `export-snapshot`: Export or read snapshots. -- `add-resources`: Upload resources and classes as well as jobs to members. -+ -WARNING: Hazelcast cannot check permissions in code that's uploaded with a job, If you enable this permission, clients can xref:pipelines:job-security.adoc[upload custom code] that ignores any configured permissions. -- `all`: Enable all actions. - -All actions for job permissions also enable the `read` action. For example if you enable the `create` action, the `read` action is automatically enabled as well. - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ... - - ----- --- - -YAML:: -+ -[source,yaml] ----- -job: - - principal: "principal" - actions: - - .. ----- -==== - - -=== Connector Permission - -You can give permissions to the following xref:integrate:connectors.adoc[connectors]: - -- File -- Socket - -Actions: - -- `read`: Read data from sources. -- `write`: Write data to sinks. -- `all`: Enable all actions. - -[tabs] -==== -XML:: -+ --- -.File Connector - -```xml - - - - ... - - -``` - -.Socket Connector - -```xml - - - ... 
- - -``` - --- - -YAML:: -+ --- -.File Connector - -[source,yaml] ----- -connector: - - name: "file:directory_name" - actions: - - .. ----- - -.Socket Connector - -[source,yaml] ----- -connector: - - name: "socket:host:port" - actions: - - .. ----- - --- -==== - -WARNING: To protect external systems from being reached by external connectors (JDBC, Mongo, S3, ...), use other means than Hazelcast client permissions. -Traditionally, this is done by enabling authentication on the external system and/or setting up firewall rules. - -=== SQL Permission - -You can give clients permission to use the following xref:sql:sql-statements.adoc[SQL statements]: - -- xref:sql:create-mapping.adoc[`CREATE MAPPING`] -- xref:sql:drop-mapping.adoc[`DROP MAPPING`] -- xref:sql:create-index.adoc[`CREATE INDEX`] -- xref:sql:create-view.adoc[`CREATE VIEW`] -- xref:sql:drop-view.adoc[`DROP VIEW`] -- xref:sql:create-data-connection.adoc[`CREATE DATA CONNECTION`] -- xref:sql:drop-data-connection.adoc[`DROP DATA CONNECTION`] -- xref:sql:show-resources.adoc[`SHOW RESOURCES`] - -Actions: - -- `create`: Use the `CREATE MAPPING` statement to create new mappings or replace existing ones. -- `destroy`: Use the `DROP MAPPING` statement to delete mappings. -- `create-index`: Use the `CREATE INDEX` statement to create a new index for a map. -- `create-view`: Use the `CREATE VIEW` statement to create new views or replace existing ones. -- `drop-view`: Use the `DROP VIEW` statement to delete an existing view. -- `create-dataconnection`: Use the `CREATE DATA CONNECTION` statement to create new data connections or replace existing ones. -- `drop-dataconnection`: Use the `DROP DATA CONNECTION` statement to delete data connections. -- `view-dataconnection`: Use the `SHOW RESOURCES` statement to view the resources and data types accessible via data connections. -- `all`: Enable all actions. - -To apply permissions to certain mappings or data connections, provide their names in the `name` attribute. 
Or, you can apply permissions to all mappings and data connections using the `*` wildcard. - -[tabs] -==== -XML:: -+ --- - -.Apply permissions to a mapping -[source,xml] ----- - - - create - destroy - - ----- - -.Apply permissions to all mappings -[source,xml] ----- - - - create - destroy - - ----- - -.Apply permissions to a data connection -[source,xml] ----- - - - drop-dataconnection - view-dataconnection - - ----- --- - -YAML:: -+ --- -.Apply permissions to a mapping - -[source,yaml] ----- -sql: - - name: "mapping_name" - actions: - - create - - destroy ----- - -.Apply permissions to all mappings -[source,yaml] ----- -sql: - - name: "*" - actions: - - create - - destroy ----- - -.Apply permissions to a data connection - -[source,yaml] ----- -sql: - - name: "data_connection_name" - actions: - - drop-dataconnection - - view-dataconnection ----- --- -==== - -[[handling-permissions-when-a-new-member-joins]] -=== Handling Permissions When a New Member Joins - -By default, the set of permissions defined in the leader member of a cluster is -distributed to the newly joining members, overriding their own permission -configurations, if any. However, you can configure a new member to be joined, so that -it keeps its own set of permissions and even send these to the existing members in -the cluster. This can be done dynamically, without needing to restart the -cluster, using either one of the following configuration options: - -* the `on-join-operation` configuration attribute -* the `setOnJoinPermissionOperation()` method - -Using the above, you can choose whether a new member joining to a cluster will -apply the client permissions stored in its own configuration, or use the ones -defined in the cluster. The behaviors that you can specify with the configuration -are `RECEIVE`, `SEND` and `NONE`, which are described after the examples below. 
- -The following are the examples for both approaches on how to use them: - -**Declarative Configuration:** - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - ... - - - - - - ... - ----- --- - -YAML:: -+ -[source,yaml] ----- -hazelcast: - security: - enabled: true - client-permissions: - on-join-operation: SEND ----- -==== - -**Programmatic Configuration:** - -[source,java] ----- -Config config = new Config(); -config.getSecurityConfig() - .setEnabled(true) - .setOnJoinPermissionOperation(OnJoinPermissionOperationName.SEND); ----- - -The behaviors are explained below: - -* `RECEIVE`: Applies the permissions from the leader member in the -cluster before join. This is the default value. -* `SEND`: Doesn't apply the permissions from the leader member before join. -If the security is enabled, then it refreshes or replaces the cluster wide -permissions with the ones in the new member after the join is complete. -This option is suitable for the scenarios where you need to replace the -cluster wide permissions without restarting the cluster. -* `NONE`: Neither applies pre-join permissions, nor sends the local permissions -to the other members. It means that the new member does not send its own -permission definitions to the cluster, but keeps them when it joins. However, -after the join, when you update the permissions in the other cluster members, -those updates are also sent to the newly joining member. Therefore, this option -is suitable for the scenarios where you need to elevate privileges temporarily -on a single member (preferably a xref:management:cluster-utilities.adoc#enabling-lite-members[lite member]) for a -limited time period. The clients which want to use these temporary permissions -have to access the cluster through this single new member, meaning that you need -to configure the xref:clients:java.adoc#configure-cluster-routing-mode[SINGLE_MEMBER] cluster routing mode for such clients. 
-+ -Note that, the `create` and `destroy` permissions will not work when using -the `NONE` option, since the distributed objects need to be created/destroyed on all the members. -+ -The following is an example for a scenario where `NONE` is used: -+ -[source,java,options="nowrap"] ----- -// temporary member, in the below case a lite member -Config config = new Config().setLiteMember(true); -PermissionConfig allPermission = new PermissionConfig(PermissionType.ALL, "*", null); -config.getSecurityConfig() - .setEnabled(true) - .setOnJoinPermissionOperation(OnJoinPermissionOperationName.NONE) - .addClientPermissionConfig(allPermission); -HazelcastInstance hzLite = Hazelcast.newHazelcastInstance(config); - -// temporary client connecting only to the lite member -String memberAddr = ...; -ClientConfig clientConfig = new ClientConfig(); -clientConfig.getNetworkConfig().setSmartRouting(false) - .addAddress(memberAddr); -HazelcastInstance client = HazelcastClient.newHazelcastClient(clientConfig); - -// do operations with escalated privileges: -client.getMap("protectedConfig").put("master.resolution", "1920"); - -// shutdown the client and lite member -client.shutdown(); -hzLite.shutdown(); ----- - -[[deny-permissions]] -=== Deny Permissions - -Hazelcast employs Additive Access Control as its default security mechanism. -When a client connects to a security-enabled cluster, it is initially granted -no permissions. As a result, access to protected resources is inherently denied -unless explicit permissions are configured and granted to specific roles. - -The Additive Access Control approach has limited expression capabilities and -is not well-suited for configurations involving simple exclusions. -For example, it's challenging to allow access to all maps except -the one named `"private"`. - -To address this limitation, Hazelcast introduces the concept of Deny Permissions -(or Deny Rules). 
- -Within the permission configuration, there is a `boolean` flag called `deny` -that enables permission subtraction. - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - ... - - - - - - all - - - - - - all - - - - - ... - ----- --- - -YAML:: -+ -[source,yaml] ----- -hazelcast: - security: - enabled: true - client-permissions: - map: - - name: * - actions: - - all - - name: private - deny: true - actions: - - all ----- -==== - -[[priority-of-grant-and-deny-permissions]] -=== Priority of Grant and Deny Permissions - -By default, when a permission is both granted and denied, the denial takes precedence. -In other words, if conflicting permissions exist, denial prevails. - -In certain scenarios, it might be beneficial to reverse this behavior and give higher -priority to permission grants. -Hazelcast supports this by introducing the `boolean` flag `priority-grant`, -which can be set to `true`. - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - ... - - - ... - - - ... - ----- --- - -YAML:: -+ -[source,yaml] ----- -hazelcast: - security: - enabled: true - client-permissions: - priority-grant: false ----- -==== - -[[permission-evaluation-table]] -==== Permission Evaluation Table - -The table below illustrates how permission evaluation changes when `priority-grant` is configured. - -[options="header"] -|============================================================================ -| Permission Implication | `priority-grant=false` (default) | `priority-grant=true` -| No Grant or Deny Implication | Denied | Granted -| Implication from Grant only | Granted | Granted -| Implication from Deny only | Denied | Denied -| Both Grant and Deny Imply | Denied | Granted -|============================================================================ diff --git a/docs/modules/security/pages/overview.adoc b/docs/modules/security/pages/overview.adoc index ec6ddd7db..4daa7d2d8 100644 --- a/docs/modules/security/pages/overview.adoc +++ b/docs/modules/security/pages/overview.adoc 
@@ -2,10 +2,9 @@ :page-enterprise: true This section provides an introduction to the security features of Hazelcast. -These features allow you to perform security activities, such as intercepting socket -connections and remote operations executed by the clients, encrypting the communications -between the members at socket level and using SSL socket communication. -All the security features explained in this chapter are the features of +These features allow you to perform security activities, such as encrypting network communication using TLS, +controlling access permissions of clients, or logging auditable events. +The security features explained in this chapter are the features of [blue]#Hazelcast {enterprise-product-name}# edition. While Hazelcast supports non-secured cluster members and clients, 
@@ -13,26 +12,8 @@ it is recommended to secure your deployments. A cluster without security may fac * unauthorized cluster members joining or accessing it * unwanted or malicious clients accessing it - * unauthorized use (access or creation) of cluster resources and data tampering by the malicious cluster members and clients. -And when using Hazelcast's Jet streaming engine, notice the following security considerations: - -* Hazelcast jobs allow you to use your custom codes and these codes must be available on -cluster classpath or deployed to the cluster; this means any client is able to deploy -custom codes to the cluster, so make sure each client is authorized to access the cluster. -* The Jet engine bypasses the access control layer when accessing the data structures in the same cluster. -* The connectors of the Jet engine include 3rd party codes which may increase the attack surface. -* SQL, which is used by the Jet engine, includes file connectors and it can read files on the cluster filesystem. - -Due to the above considerations, Hazelcast's streaming engine is disabled by default for our users who -mostly use Hazelcast's storage engine (formerly known as Hazelcast IMDG) with the JAR distribution -(See the xref:secure-cluster:security-defaults.adoc[Security Defaults section] for information about -the security considerations for different Hazelcast distributions). -xref:configuration:jet-configuration.adoc[Enabling the Jet Engine section] shows how you can -start using the Jet engine; relatedly, see the xref:secure-cluster:hardening-recommendations.adoc[Security Hardening Recommendations section] -to learn the best practices to secure your cluster. - Below, you can see the brief descriptions of Hazelcast's security features. You can evaluate them and decide which ones you want to use based on your security concerns and requirements. 
@@ -41,27 +22,55 @@ For data privacy: * xref:security:tls-ssl.adoc[TLS/SSL] communication for members and clients for all socket-level communication; uses key stores and trust stores to encrypt communications across a Hazelcast cluster, -as well as between the clusters replicated over WAN. You can also configure -xref:security:tls-configuration.adoc#configuring-cipher-suites[cipher suites] to secure the network communication. +as well as between the clusters replicated over WAN. For authentication: -* xref:security:jaas-authentication.adoc[JAAS-based authentication] between -the cluster members and for pluggable identity verifications; -works with identity, role and endpoint principal implementations. -* xref:security:socket-interceptor.adoc[Socket Interceptor] to interfere socket connections -before a new member or client comes to the cluster; you can perform identity checking using custom -authentication protocols. +* xref:security:jaas-authentication.adoc[authentication] between the cluster members, and for clients accessing the cluster. +xref:security:security-realms.adoc[Security Realms] are used for authentication and identity configurations; * xref:security:tls-ssl.adoc#mutual-authentication[TLS Mutual Authentication] to ensure each TLS-communicating side proves its identity to the other. -* xref:security:security-realms.adoc[Security Realms] for authentication and identity configurations. For authorization: -* xref:security:native-client-security.adoc#authorization[JAAS-based authorization] using +* xref:security:native-client-security.adoc#authorization[authorization] using permission policies for role-based security. 
+ +Hazelcast has a pluggable security component architecture allowing use your own code to control security: +* pluggable identity verifications; +* xref:security:socket-interceptor.adoc[Socket Interceptor] to interfere socket connections +before a new member or client comes to the cluster; you can perform identity checking using custom +authentication protocols. * xref:security:security-interceptor.adoc[Security Interceptor] that provides a callback -point for every operation executed against the cluster. +point for client operations executed against the cluster. See also xref:secure-cluster:hardening-recommendations.adoc[Security Hardening Recommendations section] -to learn more about the best security practices. \ No newline at end of file +to learn more about the best security practices. + +Security-related areas that are covered in other sections of the documentation include: + +* Network and Advanced Network configuration allow specifying bind interfaces; +* Advanced Network configuration allows separating socket addresses for different protocols; +* Management operations can be limited to specific IP addresses where Management Center is allowed to run; +* Untrusted deserialization protection allows control of which types are allowed in Java native deserialization; + +Hazelcast distributions contain security-hardened example configuration files that help users to review configuration sections related to deployment security. + +== Hazelcast Jet considerations + +When using Hazelcast's Jet streaming engine, notice the following security considerations: + +* Hazelcast jobs allow you to use your custom codes and these codes must be available on +cluster classpath or deployed to the cluster; this means any client is able to deploy +custom codes to the cluster, so make sure each client is authorized to access the cluster. +* The Jet engine bypasses the access control layer when accessing the data structures in the same cluster. 
+* The connectors of the Jet engine include 3rd party codes which may increase the attack surface. +* SQL, which is used by the Jet engine, includes file connectors and it can read files on the cluster filesystem. + +Due to the above considerations, access to Hazelcast's streaming engine is disabled by default for our users who +mostly use Hazelcast's storage engine (formerly known as Hazelcast IMDG) with the JAR distribution +(See the xref:secure-cluster:security-defaults.adoc[Security Defaults section] for information about +the security considerations for different Hazelcast distributions). +xref:configuration:jet-configuration.adoc[Enabling the Jet Engine section] shows how you can +start using the Jet engine; relatedly, see the xref:secure-cluster:hardening-recommendations.adoc[Security Hardening Recommendations section] +to learn the best practices to secure your cluster. diff --git a/docs/modules/security/pages/security-debugging.adoc b/docs/modules/security/pages/security-debugging.adoc index d4260f814..1a1555e44 100644 --- a/docs/modules/security/pages/security-debugging.adoc +++ b/docs/modules/security/pages/security-debugging.adoc @@ -28,7 +28,7 @@ information by using the following system property: ``` See the -https://docs.oracle.com/javase/8/docs/technotes/guides/security/troubleshooting-security.html[Troubleshooting Security^] +https://docs.oracle.com/en/java/javase/17/security/troubleshooting-security.html[Troubleshooting Security^] Java guide for more information. == TLS debugging 
@@ -43,4 +43,13 @@ system property:
 This property provides a lot of logging output including the TLS/SSL handshake, that can be used to determine the cause of the problem. See the
 http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html[Debugging TSL/SSL Connections^]
-guide for more information.
\ No newline at end of file
+guide for more information.
+
+== Kerberos debugging
+
+Besides the `debug` option which is usually present in `Krb5LoginModule` implementations, there are
+Java system properties which might also help to identify issues by printing more output related to Kerberos authentication:
+
+```
+-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Dcom.ibm.security.krb5.Krb5Debug=all -Dcom.ibm.security.jgss.debug=all
+```
diff --git a/docs/modules/security/pages/security-realms.adoc b/docs/modules/security/pages/security-realms.adoc
deleted file mode 100644
index 65d67fd86..000000000
--- a/docs/modules/security/pages/security-realms.adoc
+++ /dev/null
@@ -1,1104 +0,0 @@ -= Security Realms -:page-enterprise: true - -Security realms allow configuring JAAS authentication and/or own identity -independently on the module which consumes this configuration. -The realm is a named configuration and other modules just reference it by name. - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- -include::ROOT:example$/hazelcast-security-realms.xml[tag=realms] ----- --- - -YAML:: -+ -[source,yaml] ----- - security: - enabled: true - realms: - - name: realm1 - authentication: - jaas: - - class-name: com.hazelcast.examples.MyRequiredLoginModule - usage: REQUIRED - properties: - property: value - identity: - credentials-factory: - class-name: com.hazelcast.examples.MyCredentialsFactory - properties: - property: value - member-authentication: - realm: realm1 - client-authentication: - realm: realm1 ----- -==== - -== Authentication Configuration - -There are several types of authentication configuration available in a security realm. -The realm cannot have more than one authentication method specified. - -The following are the available authentication types: - -* `jaas`: Defines JAAS login module stacks. -* `ldap`: Verifies `PasswordCredentials` against an LDAP server. -* `kerberos`: Verifies the Kerberos token provided in `TokenCredentials`. -* `tls`: Verifies that the TLS mutual authentication was used -in the incoming connection and the peer's certificate chain is available. - -=== JAAS Authentication Type - -The `jaas` authentication setting is the most flexible -form of authentication, but it requires knowledge -of JAAS login modules and related concepts. It allows using -custom login modules and ordering them in a login module stack. 
- -The following is a sample configuration which authenticates against an LDAP server or -database as a fallback: - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- -include::ROOT:example$/hazelcast-authentication-types.xml[tag=jaas] ----- --- - -YAML:: -+ -[source,yaml] ----- - realms: - - name: jaasRealm - authentication: - jaas: - - class-name: com.examples.LdapLoginModule - usage: SUFFICIENT - properties: - url: ldap://corp-ldap - - class-name: com.examples.DatabaseLoginModule - usage: SUFFICIENT - properties: - type: ora18 - host: corp-db - table: USERS ----- -==== - -For more details, see the xref:jaas-authentication.adoc[JAAS authentication section]. - -=== LDAP Authentication Type - -LDAP servers are one of the most popular identity stores. -They can track information about organization structure, -users, groups, servers and configurations. - -Hazelcast supports authentication and authorization against LDAP servers. -The authentication verifies the provided name and password. -The authorization part allows to map roles to the authenticated user. - -The password verification during the authentication is possible by: - -* making a new LDAP bind operation with the given name and password -* using a separate "admin connection" to verify the provided password -against an LDAP object attribute. - -The LDAP authentication allows also a role mapping. -As there are more ways how roles can be mapped in the LDAP, -Hazelcast provides several approaches to retrieve them: - -* `attribute`: The role name is stored as an attribute in the object representing the identity. -* `direct` mapping: The identity object contains an attribute with reference to the role object(s). -* `reverse` mapping: The role objects having a reference to the identity object are searched. - -The `direct` and `reverse` mapping modes also allow a role search recursion. 
- -[cols="1,1,3"] -.LDAP Configuration Options -|=== -| Option Name -| Default Value -| Description - -| `url` -| -| URL of the LDAP server. The value is configured as the JNDI environment -property, i.e., `java.naming.provider.url`. - -| `socket-factory-class-name` -| -| Socket factory class name. The factory can be used for fine-grained -configuration of the TLS protocol on top of the LDAP protocol, i.e., `ldaps` scheme. - -| `parse-dn` -| false -| If set to `true`, it treats the value of `role-mapping-attribute` as a DN and -extracts only the `role-name-attribute` values as role names. If set to `false`, -the whole value of `role-mapping-attribute` is used as a role name. - -This option is only used when the `role-mapping-mode` option has the value `attribute`. - -| `role-context` -| -| LDAP Context in which assigned roles are searched, e.g., `ou=Roles,dc=hazelcast,dc=com`. - -This option is only used when the `role-mapping-mode` option has the value `reverse`. - -| `role-filter` -| `([role-mapping-attribute]=\{MEMBERDN})` -| LDAP search string which usually contains a placeholder `\{MEMBERDN}` to be -replaced by the provided login name, e.g., `(member=\{MEMBERDN})`. - -If the role search recursion is enabled (see `role-recursion-max-depth`), the `\{MEMBERDN}` -is replaced by role DNs in the recurrent searches. - -This option is only used when the `role-mapping-mode` option has the value `reverse`. - -| `role-mapping-attribute` -| -| Name of the LDAP attribute which contains either the role name or role DN. - -This option is used when the `role-mapping-mode` option has the value `attribute` or `direct`. -If the mapping mode is `reverse`, the value is used in `role-filter` default value. - -| `role-mapping-mode` -| `attribute` -a| Role mapping mode. It can have one of the following values: - -* `attribute`: The user object in the LDAP contains directly role name in the -given attribute. 
Role name can be parsed from a DN string when `parse-dn=true` -No additional LDAP query is done to find assigned roles. -* `direct`: The user object contains an attribute with DN(s) of assigned -role(s). Role object(s) is/are loaded from the LDAP and the role name is -retrieved from its attributes. Role search recursion can be enabled for this mode. -* `reverse`: The role objects are located by executing an LDAP search query -with the given `role-filter`. In this case, the role object usually contains -attributes with DNs of the assigned users. Role search recursion can be enabled for this mode. - -| `role-name-attribute` -| -| This option may refer to a name of LDAP attribute within the role object which -contains the role name in case of `direct` and `reverse` role mapping mode. It may also refer -to the attribute name within X.500 name stored in `role-mapping-attribute` when -`role-mapping-mode=attribute` and `parse-dn=true`. - -| `role-recursion-max-depth` -| 1 -| Sets the maximum depth of role search recursion. The default value 1 means -the role search recursion is disabled. - -This option is only used when the `role-mapping-mode` option has value `direct` or `reverse`. - -| `role-search-scope` -| `subtree` -a| LDAP search scope used for `role-filter` search. It can have one of the following values: - -* `subtree`: Searches for objects in the given context and its subtree. -* `one-level`: Searches just one-level under the given context. -* `object`: Searches (or tests) just for the context object itself (if it matches the filter criteria). - -This option is only used when the `role-mapping-mode` option has the value `reverse`. - -| `user-name-attribute` -| `uid` -| LDAP attribute name whose value is used as a name in -`ClusterIdentityPrincipal` added to the JAAS Subject. - -| `system-user-dn` -| -a| Admin account DN. 
If configured, then the following are true: - -* For the user and role object, search queries are used an admin connection instead -of the "user" one created by LDAP bind with provided credentials. -* LDAP authentication doesn't expect the full user DN to be provided as a login name. -It rather expects names like `"jduke"` than `"uid=jduke,ou=Engineering,o=Hazelcast,dc=com"`; -* The admin connection allows verifying the provided user credentials against a -value defined in the `password-attribute` option. - -| `system-user-password` -| -| Admin's password (for `system-user-dn` account). - - -| `system-authentication` -| `simple` -| Name of the authentication mechanism used for the admin LDAP connection. -It's used as a value for JNDI environment property `Context#SECURITY_AUTHENTICATION`. -You can specify `GSSAPI` to authenticate with the Kerberos protocol. - -| `password-attribute` -| -| Credentials verification is done by the new LDAP binds by default. -Nevertheless, the password can be stored in a non-default LDAP attribute, -and in this case use `password-attribute` to configure against which -LDAP attribute (within the user object) is the provided password compared -during the login. As a result, if the `password-attribute` option is provided, -then the extra LDAP bind to verify credentials is not done and passwords -are just compared within the Hazelcast code after retrieving the user object from LDAP server. - -This option is only used when the admin connection is configured, i.e., when `system-user-dn` or `system-authentication` is defined. - -| `user-context` -| -| LDAP context in which the user objects are searched, e.g., `ou=Users,dc=hazelcast,dc=com`. - -This option is only used when the admin connection is configured, i.e., when `system-user-dn` or `system-authentication` is defined. - -| `user-filter` -| `(uid=\{login})` -| LDAP search string for retrieving the user objects based on the provided login name. 
-It usually contains a placeholder substring `\{login}` which is replaced by the provided login name. - -This option is only used when the admin connection is configured, i.e., when `system-user-dn` or `system-authentication` is defined. - -| `user-search-scope` -| `subtree` -a| LDAP search scope used for `user-filter` search. It can have one of the following values: - -* `subtree`: Searches for objects in the given context and its subtree. -* `one-level`: Searches just one-level under the given context. -* `object`: Searches (or tests) just for the context object itself (if it matches the filter criteria). - -This option is only used when the admin connection is configured, i.e., when `system-user-dn` or `system-authentication` is defined. - -| `skip-authentication` -| `false` -a| Flag which allows disabling password verification and -only takes care about filling `HazelcastPrincipal` instances into the -Subject. - -This option is only used when the admin connection is configured, i.e., when `system-user-dn` or `system-authentication` is defined. - -| `security-realm` -| -a| If specified, given realm name is used for authentication of -a (temporary) Subject which is then used for doing LDAP queries. - -This option is only used when the admin connection is configured, i.e., when `system-user-dn` or `system-authentication` is defined. -|=== - -Detailed logging for LDAP authentication can be enabled by -configuring a more verbose logger level for the `com.hazelcast.security` -package as described in the xref:security-debugging.adoc[Security Debugging section]. - -NOTE: The LDAP authentication implementation provided by Hazelcast doesn't handle LDAP referrals, i.e., references to other LDAP trees. - -==== TLS Protected LDAP Server Connections - -The LDAP authentication type supports TLS protected connections -to LDAP servers, using the `ldaps` protocol scheme. The TLS is -handled on the Java runtime side (JNDI API and URL handlers). 
- -When using TLS, the LDAP provider will, by default, use the socket factory, -`javax.net.ssl.SSLSocketFactory` for creating a TLS socket to communicate -with the server, using the default JSSE configuration. By default, the server's -certificate is validated against Java default CA certificate store and hostname -in LDAPs URL is verified against the name(s) in the server certificate. The behavior -can be controlled globally by using `javax.net.ssl.*` properties. Here is an example: - -[source,shell] ----- -java -Djavax.net.ssl.trustStore=/opt/hazelcast.truststore \ - -Djavax.net.ssl.trustStorePassword=123456 \ - -Djavax.net.ssl.keyStore=/opt/hazelcast.keystore \ - -Djavax.net.ssl.keyStorePassword=123456 \ - ... ----- - -There can be also properties specific to vendor or Java version allowing more -fine-grained control. Here is an example on disabling host name validation: - -[source,shell] ----- --Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true ----- - -When even more control is necessary, you can implement your own -`SSLSocketFactory` and use its class name as the value in the `ldap` -authentication option `socket-factory-class-name`. - -Here is an example custom socket factory class: - -[source,java] ----- -include::ROOT:example$/security/ldap/CustomSSLSocketFactory.java[] ----- - -The authentication configuration could look like as follows: - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- -include::ROOT:example$/hazelcast-authentication-types.xml[tag=ldaps] ----- --- - -YAML:: -+ -[source,yaml] ----- - realms: - - name: ldapsRealm - authentication: - ldap: - url: ldaps://ldapserver.acme.com - socket-factory-class-name: security.ldap.CustomSSLSocketFactory - role-mapping-attribute: cn ----- -==== - -The LDAP authentication is backed by the JNDI API in Java. -It has also the failover support. 
You can configure multiple space-separated -URLs in the `` option: - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- -include::ROOT:example$/hazelcast-authentication-types.xml[tag=ldap-fallback] ----- --- - -YAML:: -+ -[source,yaml] ----- - realms: - - name: ldapFallbackRealm - authentication: - ldap: - url: ldap://ldap-master.example.com ldap://ldap-backup.example.com ----- -==== - -[[kerberos-authentication]] -=== Kerberos Authentication Type - -The Kerberos authentication protocol is one of the standard solutions -for single sign-on (SSO). It's well established in many companies. Hazelcast -supports Kerberos authentication as an {enterprise-product-name} feature and it also -provides Kerberos integration to LDAP-based authorization. - -The Kerberos support in Hazelcast has 2 configuration parts: identity -and authentication. The identity part is responsible for retrieving the service -ticket from Kerberos KDC (Key Distribution Center). -The authentication part verifies the service tickets. - -Default Service principal names for Hazelcast members are in the form -`hz/address@REALM`, for example `hz/192.168.1.1@ACME.COM`. - -Before a service ticket is issued, the client side of the connection has to be -authenticated, which means the TGT (Ticket Granting Ticket) is present in the Subject. - -Hazelcast delegates the TGT retrieval to vendor specific `Krb5LoginModule` -implementations (find the correct login module and its options in your Java -documentation). On the Hazelcast side, the `security-ream` property allows -referencing another realm with `Krb5LoginModule` configured. 
- -[tabs] -==== -Sample Kerberos Identity Configuration XML:: -+ --- - -[source,xml] ----- - - - - ACME.COM - krb5Initiator - - - - - - - - - true - true - - - - - ----- --- - -YAML:: -+ -[source,yaml] ----- - realms: - - name: kerberosRealm - identity: - kerberos: - realm: ACME.COM - security-realm: krb5Initiator - - name: krb5Initiator - authentication: - jaas: - class-name: com.sun.security.auth.module.Krb5LoginModule - properties: - useTicketCache: true - doNotPrompt: true ----- -==== - -The `` identity configuration has the following properties: - -[cols="1,1,3",options="header",] -.The Identity Configuration Options -|======================================================================= -| Property name -| Default value -| Description - -| `spn` -| -| Allows configuring static Service Principal Name (SPN). It's -meant for use cases where all the members share a single Kerberos identity. - -| `service-name-prefix` -| `"hz/"` -| Defines the prefix of SPN. By default the member's -principal name (for which this credentials -factory asks the service ticket) is in the form -`"[servicePrefix][memberIpAddress]@[REALM]"`, e.g., -`"hz/192.168.1.1@ACME.COM"`. - -| `realm` -| -| Kerberos realm name, e.g., `"ACME.COM"`. - -| `security-realm` -| -| Security realm name in the Hazelcast configuration used -for Kerberos authentication. The authentication configuration in the -referenced security realm will be used to fill the Subject with the Kerberos -credentials, e.g., TGT. - -| `use-canonical-hostname` -| `false` -| Flag which controls if canonical hostnames should be used instead of IP addresses -in generated Service Principal names. -This property is only used when Service Principal name is not static, i.e., when `spn` option -is not configured). - -| `principal` -| -| Kerberos principal name. This is a helper option which can be used together -with the `keytab-file` to replace the `security-realm` configuration. 
- -_We don't recommend using this property in production!_ - -| `keytab-file` -| -| Path to a keytab file with the current principal's secrets. -This is a helper option which can be used together -with the `principal` to replace the `security-realm` configuration. - -_We don't recommend using this property in production!_ -|======================================================================= - -The authenticating part on the server side is able to -accept the Kerberos tickets and verify them. Again the Kerberos -authentication is delegated to another realm with the Kerberos login module -configured. - -[tabs] -==== -Sample Kerberos Identity Configuration XML:: -+ --- - -[source,xml] ----- - - - - krb5Acceptor - - - - - - - - - false - false - true - true - true - hz/192.168.1.1@ACME.COM - /opt/member1.keytab - - - - - ----- --- - -YAML:: -+ -[source,yaml] ----- - realms: - name: kerberosRealm - authentication: - kerberos: - security-realm: krb5Acceptor - name: krb5Acceptor - authentication: - jaas: - - class-name: com.sun.security.auth.module.Krb5LoginModule - usage: REQUIRED - properties: - isInitiator: false - useTicketCache: false - doNotPrompt: true - useKeyTab: true - storeKey: true - principal: hz/192.168.1.1@ACME.COM - keyTab: /opt/member1.keytab ----- -==== - -The `krb5Acceptor` realm configuration in the snippet only loads the Kerberos secrets from -a keytab file and it doesn't authenticate against a KDC. - - -[cols="1,1,3",options="header",] -.The Authentication Configuration Options -|======================================================================= -| Property name -| Default value -| Description - -| `relax-flags-check` -| `false` -| Allows disabling some of the checks on the -incoming token, e.g., passes authentication even if the mutual -authentication is required by the token. 
- -| `use-name-without-realm` -| `false` -| When set to `true`, then the Kerberos realm part is removed from the -authenticated name, e.g., `"jduke@ACME.COM"` becomes just `"jduke"`. - -| `security-realm` -| -|Security realm name in the Hazelcast configuration used -for Kerberos authentication. The authentication configuration in the -referenced security realm will be used to fill the Subject with the Kerberos -credentials, e.g., Keytab. - -| `principal` -| -| Kerberos principal name. This is a helper option which can be used together -with the `keytab-file` to replace the `security-realm` configuration. - -_We don't recommend using this property in production!_ - -| `keytab-file` -| -| Path to a keytab file with the current principal's secrets. -This is a helper option which can be used together -with the `principal` to replace the `security-realm` configuration. - -_We don't recommend using this property in production!_ -|======================================================================= - -The `GssApiLoginModule` (implementing Kerberos authentication) -derives from the abstract `ClusterLoginModule`. As a result the `` -configuration supports the common options, too: `skip-identity`, `skip-endpoint` and -`skip-role`. - -[NOTE] -==== -* The Kerberos authentication in Hazelcast is only able to validate connections on -the server side. It doesn't support mutual authentication. -* The Generic Security Services API (GSS-API) is not used for protecting (wrapping) -the messages after the authentication, e.g., encryption, integrity checks. It's only used for -accepting tokens. -* The token itself is not protected against Man-in-the-Middle (MITM) attacks. -If an attacker is able to eavesdrop the token and use it before the -original sender, then the attacker succeeds with the authentication but -the original sender won't. -** There is a replay protection in Java which caches the already used tokens. 
-** Java Kerberos implementation accepts the token for 5 minutes (by default) -from its creation. -* Time has to be synchronized on the machines where the Kerberos is -used. - -If you are running Hazelcast in an untrusted network with a MITM attack -risk, then enable encryption on Hazelcast protocols to prevent stealing -the token. -==== - -=== Kerberos and LDAP integration - -The Kerberos authentication allows loading role mapping information from -an LDAP server (usually the one backing the Kerberos KDC server, too). -Therefore, the `` authentication configuration is also available as -sub-configuration of the `` authentication. - -[tabs] -==== -Sample Kerberos Identity Configuration XML:: -+ --- - -[source,xml] ----- - - - - true - krb5Acceptor - - ldap://ldap.hazelcast.com - GSSAPI - memberOf - krb5Initiator - (krb5PrincipalName=\{login}) - true - - - - ----- --- - -YAML:: -+ -[source,yaml] ----- - realms: - - name: kerberosRealm - authentication: - kerberos: - skip-role: true - security-realm: krb5Acceptor - ldap: - url: ldap://ldap.hazelcast.com - system-authentication: GSSAPI - security-realm: krb5Initiator - skip-authentication: true - user-filter: "(krb5PrincipalName=\{login})" - role-mapping-attribute: memberOf ----- -==== - -NOTE: The Kerberos-LDAP integration doesn't support credentials delegation, -i.e., reusing client's ticket for accessing the LDAP. It only allows using -the member's Kerberos credentials to authenticate into the LDAP. - -=== Simplified Kerberos Configuration - -To simplify the Kerberos configuration process for new users, Hazelcast allows -skipping `Krb5LoginModule` JAAS configuration within separate security realms. -Instead, it's possible to define the `principal` and `keytab-file` options in the -`kerberos` identity and authentication configurations. -If these options are used instead of the `security-realm`, then a new temporary -realm is generated on the fly during the authentication. 
- -[tabs] -==== -Sample Kerberos Identity Configuration XML:: -+ --- - -[source,xml] ----- - - - - hz/127.0.0.1@HAZELCAST.COM - /opt/localhost.keytab - - - - - HAZELCAST.COM - hz/127.0.0.1@HAZELCAST.COM - /opt/localhost.keytab - - - ----- --- - -YAML:: -+ -[source,yaml] ----- - realms: - - name: simpleKerberosRealm - authentication: - kerberos: - principal: hz/127.0.0.1@HAZELCAST.COM - keytab-file: /opt/localhost.keytab - identity: - kerberos: - realm: HAZELCAST.COM - principal: hz/127.0.0.1@HAZELCAST.COM - keytab-file: /opt/localhost.keytab ----- -==== - -A warning is logged during the first usage of the simplified configuration form. -It includes the generated configuration, so you can use it as a starting point -to define the full Kerberos configuration. An example warning log is shown below: - -``` -12:37:41,187 WARN [KerberosCredentialsFactory] Using generated Kerberos initiator -realm configuration is not intended for production use. It's recommended -to properly configure the Krb5LoginModule manually to fit your needs. -Following configuration was generated from provided keytab and principal properties: - - - - - - true - true - true - true - true - /opt/localhost.keytab - hz/127.0.0.1@HAZELCAST.COM - - - - - -``` - -=== TLS Authentication Type - -Hazelcast is able to protect network communication using TLS. -The TLS mutual authentication is also supported. It means not only the -server side identifies itself to a client side (member, client, REST client, etc.), -but also the client side needs to prove its identity by using a TLS (X.509) certificate. - -The `tls` authentication type verifies within the JAAS authentication -that the incoming connection already authenticated the client's TLS certificate. -A `ClusterIdentityPrincipal` uses the subject DN (distinguished name) -from the client's TLS certificate. - -This authentication type is able to parse a role name from the client's certificate -subject DN. 
The `` element has an attribute, `roleAttribute`, which specifies -a part of DN to be used as a role name. - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- -include::ROOT:example$/hazelcast-authentication-types.xml[tag=tls] ----- --- - -YAML:: -+ -[source,yaml] ----- -realms: - name: tlsRealm - authentication: - tls: - roleAttribute: cn ----- -==== - -This `tls` authentication uses `cn` attribute from the subject DN as the role name. -If the subject DN in the certificate is `cn=admin,ou=Devs,o=Hazelcast` for instance, -then the following `Principals` are added: - -* `ClusterIdentityPrincipal: CN=admin,OU=Devs,O=Hazelcast` -* `ClusterRolePrincipal: admin` -* `ClusterEndpointPrincipal: [remote address of the connecting party]` - -== Identity Configuration - -The Identity configuration allows defining own <>. -These Credentials are used to authenticate to other systems. - -Available identity configuration types are as follows: - -* `username-password`: Defines a new `PasswordCredentials` object. -* `token`: Defines a new `TokenCredentials` object. -* `kerberos`: Defines the Kerberos identity which uses the -service tickets stored in the `TokenCredentials` object. -* `credentials-factory`: Configures the factory class which creates the `Credentials` objects. - -[[credentials]] -=== Credentials - -One of the key elements in Hazelcast security is the `Credentials` object, which -represents evidence of the identity (member or client). -The content of `Credentials` object is verified during the authentication. -Credentials is an interface which extends `Serializable`. - -[source,java] ----- -public interface Credentials extends Serializable { - String getName(); -} ----- - -There are two subtype interfaces which simplify the `Credentials` usage. 
-The subtypes reflect data provided in the client authentication messages: - -* Name and password (`com.hazelcast.security.PasswordCredentials`) -* Byte array token (`com.hazelcast.security.TokenCredentials`) - -The interfaces have the following forms: - -[source,java] ----- -public interface PasswordCredentials extends Credentials { - String getPassword(); -} ----- - -[source,java] ----- -public interface TokenCredentials extends Credentials { - byte[] getToken(); - - default Data asData() { - return new HeapData(getToken()); - } -} ----- - -The `Credentials` instance can be retrieved in the login modules -by handling a `CredentialsCallback`. - -Here is an example: - -[source,java] ----- -include::ROOT:example$/CustomLoginModuleTest.java[tag=credentials-callback] ----- - -=== Password Credentials - -A `PasswordCredentials` implementation can be configured as a -simple identity representation. It is configured by the `` -XML configuration element as shown below: - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- -include::ROOT:example$/hazelcast-password-realm.xml[tag=password] ----- --- - -YAML:: -+ -[source,yaml] ----- -realms: - name: passwordRealm - identity: - username-password: - username: member1 - password: s3crEt -member-authentication: - realm: passwordRealm ----- -==== - -The equivalent programmatic configuration is shown below: - -[source,java] ----- -include::ROOT:example$/SecurityXmlTest.java[tag=password-realm] ----- - -=== Token Credentials - -`TokenCredentials` instances are also simply configurable for -identity representation. The `` XML configuration element -allows using either plain ASCII tokens or Base64 encoded values. -Its optional argument `encoding` can have either `base64` or `none` (default) -as its value. 
- -The following two realms define the same token value - bytes of the "Hazelcast" string: - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- -include::ROOT:example$/hazelcast-authentication-types.xml[tag=token] ----- --- - -YAML:: -+ -[source,yaml] ----- -realms: - - name: tokenRealm1 - identity: - token: - value: Hazelcast - - name: tokenRealm2 - identity: - token: - encoding: base64 - value: SGF6ZWxjYXN0 ----- -==== - -The equivalent programmatic configuration is as follows: - -[source,java] ----- -include::ROOT:example$/SecurityXmlTest.java[tag=token-realm] ----- - -=== Kerberos Identity - -The `kerberos` identity type is used to retrieve Kerberos service tickets to access -a member with the `kerberos` authentication type configured. The resulting tickets -are `TokenCredentials` instances. Read more about `kerberos` identity in -the <>. - -=== Credentials Factory - -The most flexible way to define the `Credentials` objects -is using a custom credential factory. It is an implementation -of `com.hazelcast.security.ICredentialsFactory` -interface. Its `newCredentials()` method is the one which provides credentials. - -The XML configuration uses `` element to define the factory class. - -The behavior of credential factories can be controlled by specifying factory properties. -The properties are provided in the `init(Properties)` method. - -A sample configuration is shown below: - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- -include::ROOT:example$/hazelcast-authentication-types.xml[tag=credentialsFactoryRealm] ----- --- - -YAML:: -+ -[source,yaml] ----- -realms: - name: credentialsFactoryRealm - identity: - credentials-factory: - class-name: com.examples.TOTPCredentialsFactory - properties: - seed: 3132333435363738393031323334353637383930 ----- -==== - -== Security Realms on the Client Side - -Hazelcast offers limited support for security realms in native clients. 
-The configuration allows specifying JAAS login modules which can be referenced from -the Kerberos identity configuration. - -[tabs] -==== -XML:: -+ --- - -[source,xml] ----- - - - ACME.COM - krb5Initiator - - - - - - - - true - true - - - - - - - ----- --- - -YAML:: -+ -[source,yaml] ----- -security: - kerberos: - realm: ACME.COM - security-realm: krb5Initiator - realms: - name: krb5Initiator - authentication: - jaas: - class-name: com.sun.security.auth.module.Krb5LoginModule - usage: REQUIRED - properties: - useTicketCache: true - doNotPrompt: true ----- -==== diff --git a/docs/modules/security/pages/simple-authentication.adoc b/docs/modules/security/pages/simple-authentication.adoc index e490c0b8e..79bc635bb 100644 --- a/docs/modules/security/pages/simple-authentication.adoc +++ b/docs/modules/security/pages/simple-authentication.adoc @@ -5,11 +5,7 @@ The simple authentication enables you to define users and their roles **directly** in the Hazelcast member configuration. -The xref:default-authentication.adoc[default authentication] is based on the member's -identity configuration (when defined) or cluster name (otherwise); it does not -allow defining users and assigning them roles. - -And when using the advanced authentication methods, you either need additional infrastructure for Hazelcast's enterprise-level authentication (LDAP server, Kerberos, etc.) or you need to provide your login module implementations in xref:jaas-authentication.adoc[JAAS-based authentication]. +Compared to advanced authentication methods, with the simple authentication you don't need an additional infrastructure for Hazelcast's enterprise-level authentication (LDAP server, Kerberos, etc.). Neither you need to provide custom login module implementations as in xref:jaas-authentication.adoc[JAAS-based authentication]. Simple authentication closes the gap between the default authentication and advanced authentication methods. 
@@ -125,10 +121,9 @@ hazelcast:
 ====
 You should not use the comma character in the role names since it is the
-default role separator. However, in some cases (for example when using String based
-login modules), you may want to use the comma character in a role name. For this,
-you need to specify a different role separator character using the `role-separator` element
-so that Hazelcast understands the default separator is changed. See the below example where
+default role separator. However, in cases where you want to use the comma character
+in a role name, you need to specify a different role separator character using
+the `role-separator` element so that Hazelcast understands the default separator is changed. See the below example where
 we set the separator character as `&`:
 [tabs]
diff --git a/docs/modules/security/pages/tls-authentication.adoc b/docs/modules/security/pages/tls-authentication.adoc
new file mode 100644
index 000000000..881b5eb66
--- /dev/null
+++ b/docs/modules/security/pages/tls-authentication.adoc
@@ -0,0 +1,296 @@ += TLS Authentication +:page-enterprise: true + +Hazelcast is able to protect network communication using TLS. +The TLS mutual authentication is also supported. It means not only the +server side identifies itself to a client side (member, client, REST client, etc.), +but also the client side needs to prove its identity by using a TLS (X.509) certificate. + +The `tls` authentication type verifies within the Hazelcast authentication +that the incoming connection already authenticated the client's TLS certificate. + +This authentication type is able to parse a role name (or names) from the client's certificate +subject DN. The `roleAttribute` property specifies the attribute name (a part of the Subject's DN) +to be used as a role name in Hazelcast. + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- +include::ROOT:example$/hazelcast-authentication-types.xml[tag=tls] +---- +-- + +YAML:: ++ +[source,yaml] +---- +realms: + name: tlsRealm + authentication: + tls: + roleAttribute: cn +---- +==== + +This `tls` authentication uses `cn` attribute from the subject DN as the role name. +If the subject DN in the certificate is `cn=admin,ou=Devs,o=Hazelcast` for instance, +then the `"admin"` role name is assigned to the client. + +== Identity Configuration + +The Identity configuration allows defining own <>. +These Credentials are used to authenticate to other systems. + +Available identity configuration types are as follows: + +* `username-password`: Defines a new `PasswordCredentials` object. +* `token`: Defines a new `TokenCredentials` object. +* `kerberos`: Defines the Kerberos identity which uses the +service tickets stored in the `TokenCredentials` object. +* `credentials-factory`: Configures the factory class which creates the `Credentials` objects. + +[[credentials]] +=== Credentials + +One of the key elements in Hazelcast security is the `Credentials` object, which +represents evidence of the identity (member or client). 
+The content of `Credentials` object is verified during the authentication. +Credentials is an interface which extends `Serializable`. + +[source,java] +---- +public interface Credentials extends Serializable { + String getName(); +} +---- + +There are two subtype interfaces which simplify the `Credentials` usage. +The subtypes reflect data provided in the client authentication messages: + +* Name and password (`com.hazelcast.security.PasswordCredentials`) +* Byte array token (`com.hazelcast.security.TokenCredentials`) + +The interfaces have the following forms: + +[source,java] +---- +public interface PasswordCredentials extends Credentials { + String getPassword(); +} +---- + +[source,java] +---- +public interface TokenCredentials extends Credentials { + byte[] getToken(); + + default Data asData() { + return new HeapData(getToken()); + } +} +---- + +The `Credentials` instance can be retrieved in the login modules +by handling a `CredentialsCallback`. + +Here is an example: + +[source,java] +---- +include::ROOT:example$/security/CustomLoginModuleTest.java[tag=credentials-callback] +---- + +=== Password Credentials + +A `PasswordCredentials` implementation can be configured as a +simple identity representation. It is configured by the `` +XML configuration element as shown below: + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- +include::ROOT:example$/hazelcast-password-realm.xml[tag=password] +---- +-- + +YAML:: ++ +[source,yaml] +---- +realms: + name: passwordRealm + identity: + username-password: + username: member1 + password: s3crEt +member-authentication: + realm: passwordRealm +---- +==== + +The equivalent programmatic configuration is shown below: + +[source,java] +---- +include::ROOT:example$/SecurityXmlTest.java[tag=password-realm] +---- + +=== Token Credentials + +`TokenCredentials` instances are also simply configurable for +identity representation. The `` XML configuration element +allows using either plain ASCII tokens or Base64 encoded values. 
+Its optional argument `encoding` can have either `base64` or `none` (default) +as its value. + +The following two realms define the same token value - bytes of the "Hazelcast" string: + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- +include::ROOT:example$/hazelcast-authentication-types.xml[tag=token] +---- +-- + +YAML:: ++ +[source,yaml] +---- +realms: + - name: tokenRealm1 + identity: + token: + value: Hazelcast + - name: tokenRealm2 + identity: + token: + encoding: base64 + value: SGF6ZWxjYXN0 +---- +==== + +The equivalent programmatic configuration is as follows: + +[source,java] +---- +include::ROOT:example$/SecurityXmlTest.java[tag=token-realm] +---- + +=== Kerberos Identity + +The `kerberos` identity type is used to retrieve Kerberos service tickets to access +a member with the `kerberos` authentication type configured. The resulting tickets +are `TokenCredentials` instances. Read more about `kerberos` identity in +the <>. + +=== Credentials Factory + +The most flexible way to define the `Credentials` objects +is using a custom credential factory. It is an implementation +of `com.hazelcast.security.ICredentialsFactory` +interface. Its `newCredentials()` method is the one which provides credentials. + +The XML configuration uses `` element to define the factory class. + +The behavior of credential factories can be controlled by specifying factory properties. +The properties are provided in the `init(Properties)` method. + +A sample configuration is shown below: + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- +include::ROOT:example$/hazelcast-authentication-types.xml[tag=credentialsFactoryRealm] +---- +-- + +YAML:: ++ +[source,yaml] +---- +realms: + name: credentialsFactoryRealm + identity: + credentials-factory: + class-name: com.examples.TOTPCredentialsFactory + properties: + seed: 3132333435363738393031323334353637383930 +---- +==== + +== Security Realms on the Client Side + +Hazelcast offers limited support for security realms in native clients. 
+The configuration allows specifying JAAS login modules which can be referenced from +the Kerberos identity configuration. + +[tabs] +==== +XML:: ++ +-- + +[source,xml] +---- + + + ACME.COM + krb5Initiator + + + + + + + + true + true + + + + + + + +---- +-- + +YAML:: ++ +[source,yaml] +---- +security: + kerberos: + realm: ACME.COM + security-realm: krb5Initiator + realms: + name: krb5Initiator + authentication: + jaas: + class-name: com.sun.security.auth.module.Krb5LoginModule + usage: REQUIRED + properties: + useTicketCache: true + doNotPrompt: true +---- +==== diff --git a/docs/modules/security/partials/security-nav.adoc b/docs/modules/security/partials/security-nav.adoc deleted file mode 100644 index 42982f7f3..000000000 --- a/docs/modules/security/partials/security-nav.adoc +++ /dev/null @@ -1,18 +0,0 @@ -* xref:security:overview.adoc[] -** xref:security:management-center.adoc[Management Center] -** xref:security:enabling-jaas.adoc[] -** xref:security:socket-interceptor.adoc[] -** xref:security:security-interceptor.adoc[] -** xref:security:encryption.adoc[] -** xref:security:tls-ssl.adoc[] -** xref:security:integrating-openssl.adoc[] -** xref:security:tls-configuration.adoc[] -** xref:security:validating-secrets.adoc[] -** xref:security:security-realms.adoc[] -** xref:security:jaas-authentication.adoc[] -** xref:security:cluster-member-security.adoc[] -** xref:security:default-authentication.adoc[] -** xref:security:native-client-security.adoc[] -** xref:security:logging-auditable-events.adoc[] -** xref:security:security-debugging.adoc[] -** xref:security:fips-140-2.adoc[] diff --git a/docs/modules/sql/pages/create-data-connection.adoc b/docs/modules/sql/pages/create-data-connection.adoc index 94685e07a..dc7a66238 100644 --- a/docs/modules/sql/pages/create-data-connection.adoc +++ b/docs/modules/sql/pages/create-data-connection.adoc 
@@ -68,7 +68,7 @@ Replacing a data connection will not affect any queries that are already running
 == Permissions
 [.enterprise]*{enterprise-product-name}*
-If xref:security:enabling-jaas.adoc[security] is enabled, you can grant or deny permission for certain clients to use this statement. See xref:security:native-client-security.adoc#sql-permission[SQL Permissions].
+If xref:security:enabling-security.adoc[security] is enabled, you can grant or deny permission for certain clients to use this statement. See xref:security:native-client-security.adoc#sql-permission[SQL Permissions].
 [[examples]]
 == Examples
diff --git a/docs/modules/sql/pages/create-index.adoc b/docs/modules/sql/pages/create-index.adoc
index 4e79c8f1b..74c30ce3c 100644
--- a/docs/modules/sql/pages/create-index.adoc
+++ b/docs/modules/sql/pages/create-index.adoc
@@ -79,7 +79,7 @@ For details, see xref:query:indexing-maps.adoc#bitmap-indexes[Bitmap Indexes].
 == Permissions
 [.enterprise]*{enterprise-product-name}*
-If xref:security:enabling-jaas.adoc[security] is enabled, you can grant or deny permission for certain clients to use this statement. See xref:security:native-client-security.adoc#sql-permission[SQL Permissions].
+If xref:security:enabling-security.adoc[security] is enabled, you can grant or deny permission for certain clients to use this statement. See xref:security:native-client-security.adoc#sql-permission[SQL Permissions].
 == Examples
diff --git a/docs/modules/sql/pages/create-mapping.adoc b/docs/modules/sql/pages/create-mapping.adoc
index 09912fab2..813f16a8a 100644
--- a/docs/modules/sql/pages/create-mapping.adoc
+++ b/docs/modules/sql/pages/create-mapping.adoc
@@ -150,7 +150,7 @@ OPTIONS (
 == Permissions
 [.enterprise]*{enterprise-product-name}*
-If xref:security:enabling-jaas.adoc[security] is enabled, you can grant or deny permission for certain clients to use this statement. See xref:security:native-client-security.adoc#sql-permission[SQL Permissions].
+If xref:security:enabling-security.adoc[security] is enabled, you can grant or deny permission for certain clients to use this statement. See xref:security:native-client-security.adoc#sql-permission[SQL Permissions].
 == Auto-resolving Columns and Options
diff --git a/docs/modules/sql/pages/create-view.adoc b/docs/modules/sql/pages/create-view.adoc
index f9fe45a0c..95b971e7c 100644
--- a/docs/modules/sql/pages/create-view.adoc
+++ b/docs/modules/sql/pages/create-view.adoc
@@ -59,7 +59,7 @@ columns are in `information_schema.columns` table.
 == Permissions
 [.enterprise]*{enterprise-product-name}*
-If xref:security:enabling-jaas.adoc[security] is enabled, you can grant or deny permission for certain clients to use this statement. See xref:security:native-client-security.adoc#sql-permission[SQL Permissions].
+If xref:security:enabling-security.adoc[security] is enabled, you can grant or deny permission for certain clients to use this statement. See xref:security:native-client-security.adoc#sql-permission[SQL Permissions].
 == Examples
diff --git a/docs/modules/sql/pages/drop-mapping.adoc b/docs/modules/sql/pages/drop-mapping.adoc
index ec1e54e1a..776ef6426 100644
--- a/docs/modules/sql/pages/drop-mapping.adoc
+++ b/docs/modules/sql/pages/drop-mapping.adoc
@@ -35,7 +35,7 @@ The `DROP MAPPING` statement accepts the following parameters.
 == Permissions
 [.enterprise]*{enterprise-product-name}*
-If xref:security:enabling-jaas.adoc[security] is enabled, you can grant or deny permission for certain clients to use this statement. See xref:security:native-client-security.adoc#sql-permission[SQL Permissions].
+If xref:security:enabling-security.adoc[security] is enabled, you can grant or deny permission for certain clients to use this statement. See xref:security:native-client-security.adoc#sql-permission[SQL Permissions].
 == Examples
diff --git a/docs/modules/sql/pages/drop-view.adoc b/docs/modules/sql/pages/drop-view.adoc
index 67d26e87b..08ee34fc1 100644
--- a/docs/modules/sql/pages/drop-view.adoc
+++ b/docs/modules/sql/pages/drop-view.adoc
@@ -35,7 +35,7 @@ The `view_name` parameter is required.
 == Permissions
 [.enterprise]*{enterprise-product-name}*
-If xref:security:enabling-jaas.adoc[security] is enabled, you can grant or deny permission for certain clients to use this statement. See xref:security:native-client-security.adoc#sql-permission[SQL Permissions].
+If xref:security:enabling-security.adoc[security] is enabled, you can grant or deny permission for certain clients to use this statement. See xref:security:native-client-security.adoc#sql-permission[SQL Permissions].
 == Examples
diff --git a/docs/modules/sql/pages/mapping-to-a-file-system.adoc b/docs/modules/sql/pages/mapping-to-a-file-system.adoc
index 890ba9270..c8506bfa4 100644
--- a/docs/modules/sql/pages/mapping-to-a-file-system.adoc
+++ b/docs/modules/sql/pages/mapping-to-a-file-system.adoc
@@ -22,7 +22,7 @@ Depending on the <>, you may also
 == Permissions
 [.enterprise]*{enterprise-product-name}*
-If xref:security:enabling-jaas.adoc[security] is enabled, you can set up permissions to restrict clients' access to your files. For details, see xref:pipelines:job-security.adoc[].
+If xref:security:enabling-security.adoc[security] is enabled, you can set up permissions to restrict clients' access to your files. For details, see xref:pipelines:job-security.adoc[].
 == Configuration Options
diff --git a/docs/modules/sql/pages/mapping-to-kafka.adoc b/docs/modules/sql/pages/mapping-to-kafka.adoc
index c490b0383..00dd7fe7c 100644
--- a/docs/modules/sql/pages/mapping-to-kafka.adoc
+++ b/docs/modules/sql/pages/mapping-to-kafka.adoc
@@ -20,7 +20,7 @@ or greater than 1.0.0.
 == Permissions
 [.enterprise]*{enterprise-product-name}*
-If xref:security:enabling-jaas.adoc[security] is enabled, your clients may need permissions to use this connector. For details, see xref:pipelines:job-security.adoc[].
+If xref:security:enabling-security.adoc[security] is enabled, your clients may need permissions to use this connector. For details, see xref:pipelines:job-security.adoc[].
 == Creating a Kafka Mapping
diff --git a/docs/modules/sql/pages/mapping-to-maps.adoc b/docs/modules/sql/pages/mapping-to-maps.adoc
index 2afd0766c..71734366e 100644
--- a/docs/modules/sql/pages/mapping-to-maps.adoc
+++ b/docs/modules/sql/pages/mapping-to-maps.adoc
@@ -15,7 +15,7 @@ This connector is included in Hazelcast.
 == Permissions
 [.enterprise]*{enterprise-product-name}*
-If xref:security:enabling-jaas.adoc[security] is enabled, you can set up permissions to restrict clients' access to maps.
+If xref:security:enabling-security.adoc[security] is enabled, you can set up permissions to restrict clients' access to maps.
 For example, to restrict reads on maps, you can use the `create` and `read` permissions. To restrict inserts, you can use the `put` permission.
diff --git a/docs/modules/sql/pages/mapping-to-mongo.adoc b/docs/modules/sql/pages/mapping-to-mongo.adoc
index e1e2645e3..9bb77da1d 100644
--- a/docs/modules/sql/pages/mapping-to-mongo.adoc
+++ b/docs/modules/sql/pages/mapping-to-mongo.adoc
@@ -46,7 +46,7 @@ NOTE: To be able to use SQL over MongoDB, you have to include `hazelcast-sql` as
 == Permissions
 [.enterprise]*{enterprise-product-name}*
-If xref:security:enabling-jaas.adoc[security] is enabled, your clients may need permissions to use this connector.
+If xref:security:enabling-security.adoc[security] is enabled, your clients may need permissions to use this connector.
 For details, see xref:pipelines:job-security.adoc[].
 == Before you Begin
diff --git a/docs/modules/sql/pages/sql-overview.adoc b/docs/modules/sql/pages/sql-overview.adoc
index b6550d939..cba2420c5 100644
--- a/docs/modules/sql/pages/sql-overview.adoc
+++ b/docs/modules/sql/pages/sql-overview.adoc
@@ -89,7 +89,7 @@ Keywords or built-in function names are case-insensitive.
 == Permissions and Security
 [.enterprise]*{enterprise-product-name}*
-If xref:security:enabling-jaas.adoc[security] is enabled, you can set xref:security:native-client-security.adoc[permissions] for the following:
+If xref:security:enabling-security.adoc[security] is enabled, you can set xref:security:native-client-security.adoc[permissions] for the following:
 - xref:security:native-client-security.adoc#connector-permission[Connectors] (mappings)
 - Some xref:security:native-client-security.adoc#sql-permission[SQL statements]
diff --git a/docs/modules/wan/pages/rest-api.adoc b/docs/modules/wan/pages/rest-api.adoc
index 10e57fada..a6ec2a9dc 100644
--- a/docs/modules/wan/pages/rest-api.adoc
+++ b/docs/modules/wan/pages/rest-api.adoc
@@ -17,7 +17,7 @@ are shown as placeholders in the REST calls:
 member on which you run the REST calls.
 * `clusterOnSource`: Name of your local (source) cluster.
 * `clusterPassword`: Password, if set, of your source cluster.
-Note that you need to enable the xref:security:enabling-jaas.adoc[security]
+Note that you need to enable the xref:security:enabling-security.adoc[security]
 when you need a cluster password. If not set, the parameter is empty.
 * `wanRepName`: Name of the WAN Replication configuration.
 * `publisherId`: WAN replication publisher ID. If not set,
diff --git a/pom.xml b/pom.xml
new file mode 100644
index 000000000..69502e367
--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,72 @@
+
+ 4.0.0
+
+ hzdocs
+ hzdocs
+ 0.1-SNAPSHOT
+ jar
+
+ ${project.artifactId}
+
+
+ UTF-8
+ 17
+ 5.5.0
+
+
+
+ docs/modules/ROOT/examples
+
+
+
+
+ com.hazelcast
+ hazelcast-enterprise
+ ${version.hazelcast}
+
+
+ junit
+ junit
+ 4.13.2
+
+
+ javax.cache
+ cache-api
+ 1.1.1
+
+
+ javax.transaction
+ jta
+ 1.1
+
+
+ com.atomikos
+ transactions-jta
+ 3.7.0
+
+
+ org.mongodb
+ mongo-java-driver
+ 3.12.14
+
+
+
+
+
+ snapshot-repository
+ https://repository.hazelcast.com/snapshot/
+
+ false
+
+
+
+ release-repository
+ https://repository.hazelcast.com/release/
+
+ false
+
+
+
+
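Review bot: The two repositories declared at the bottom of the new pom.xml (`snapshot-repository` and `release-repository` on repository.hazelcast.com) become resolution sources for every dependency in the file, not only `hazelcast-enterprise`; pom-declared repositories are consulted ahead of Central, so `junit`, `cache-api`, `jta`, `transactions-jta` and `mongo-java-driver` would be accepted from that host if it ever served or proxied a matching coordinate, and nothing in the hunk guards against that substitution. I would at least add `<checksumPolicy>fail</checksumPolicy>` inside the `<releases>`/`<snapshots>` blocks of both repositories and, if the build runs on Maven 3.9+, scope them to `com.hazelcast` with the resolver's remote-repository groupId filtering so third-party artifacts can only come from Central; note that the stripped XML in this view makes it impossible to tell which of `<releases>`/`<snapshots>` each `false` disables, so that should be double-checked. Separately, `transactions-jta 3.7.0`, `jta 1.1` and `mongo-java-driver 3.12.14` are old artifact lines that every build will now pull; they are worth running through a dependency audit (for example OWASP dependency-check) and bumping where a supported release exists, and `junit` should carry `<scope>test</scope>` so it stays off the compile classpath. A comment such as `<!-- repository.hazelcast.com is needed only for com.hazelcast:* artifacts; all other dependencies must resolve from Central -->` above `<repositories>` would record the intent for the next maintainer.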