Preventing unauthorized members from joining a Hazelcast cluster
Problem description
We are changing one of our applications to use Hazelcast 3.11 Community Edition and do some locking between multiple JVMs running on a few hosts. We configure our cluster programmatically like below:
import java.util.logging.Logger;

import com.hazelcast.config.Config;
import com.hazelcast.config.GroupConfig;
import com.hazelcast.config.TcpIpConfig;
import com.hazelcast.core.Hazelcast;
import com.hazelcast.core.HazelcastInstance;

public class HazelcastBuilder {
    private static final Logger logger = Logger.getLogger(HazelcastBuilder.class.getName());

    private final String name;            // cluster group name
    private final String password;        // cluster group password
    private final String members;         // comma-separated host[:port] list of known members
    private final String hostName;
    private final String applicationName;

    public HazelcastBuilder(String name, String password, String members,
                            String hostName, String applicationName) {
        this.name = name;
        this.password = password;
        this.members = members;
        this.hostName = hostName;
        this.applicationName = applicationName;
    }

    public HazelcastInstance getHazelcastInstance() {
        Config hazelcastConfig = new Config();
        GroupConfig groupConfig = new GroupConfig(name, password);
        hazelcastConfig.setGroupConfig(groupConfig);

        // TCP/IP discovery: only the configured member addresses are contacted on join.
        TcpIpConfig tcpIpConfig = new TcpIpConfig();
        tcpIpConfig.setEnabled(true);
        for (String member : members.split(",")) {
            tcpIpConfig.addMember(member.trim());
        }
        hazelcastConfig.getNetworkConfig().getJoin().setTcpIpConfig(tcpIpConfig);
        // By default the multicast config is enabled. Disable it here.
        hazelcastConfig.getNetworkConfig().getJoin().getMulticastConfig().setEnabled(false);

        String instanceName = applicationName + "-" + hostName;
        hazelcastConfig.setInstanceName(instanceName);
        logger.info("Creating hazelcast instance: " + instanceName);
        return Hazelcast.getOrCreateHazelcastInstance(hazelcastConfig);
    }
}
All works fine: the cluster gets created properly and works as expected.
However, I created a unit test and configured a local cluster with the same name as the application uses, then I added my developer machine to it. All worked fine and my local host joined the application cluster without any issues.
Of course such a thing cannot be accepted in a production environment, and here is my question:
Given we have a list of host names that can run our application, what is the best way to prevent an unauthorized member from joining a given Hazelcast cluster?
Thanks in advance for your help.
Recommended answer
If you are searching for security features, then you should use the Hazelcast Enterprise edition. Check the feature lists:
- OS features
- EE features
If you only need to prevent arbitrary machines connecting to your cluster, then there are several options in the open-source edition:
- use a unique group name for each of your clusters;
- as an additional level of protection you can define a validation token in your configuration - just set the hazelcast.application.validation.token Hazelcast property (or system property) - look at the reference manual for details;
- specify which network interfaces should be used (doc) and disable binding to all local interfaces by setting the hazelcast.socket.bind.any property to false. Usually, your production cluster runs in a trusted LAN environment, so you want to make it accessible only within that LAN.
- The multicast discovery mechanism (doc) also adds the <trusted-interfaces> configuration, which could help you. You're using TCP discovery, so it's not valid for your scenario.
Final note: The group password field is not checked in the Hazelcast open-source edition!
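The following is an added example (not code from the question or the answer above) that applies the open-source options listed in the answer to the asker's programmatic configuration: a unique group name, the hazelcast.application.validation.token property, hazelcast.socket.bind.any=false with an explicit interface pattern, and TCP/IP discovery limited to the known member list. The cluster name, member addresses, interface pattern, fixed port and the HAZELCAST_VALIDATION_TOKEN environment variable are assumptions chosen for the example.

```java
import java.util.Arrays;
import java.util.List;

import com.hazelcast.config.Config;
import com.hazelcast.config.GroupConfig;
import com.hazelcast.config.InterfacesConfig;
import com.hazelcast.config.JoinConfig;
import com.hazelcast.config.NetworkConfig;
import com.hazelcast.config.TcpIpConfig;
import com.hazelcast.core.Hazelcast;
import com.hazelcast.core.HazelcastInstance;

public class HardenedHazelcastConfig {

    // Assumed values for this example: a cluster-specific group name, the hosts
    // allowed to run the application, and the LAN interface pattern they share.
    private static final String GROUP_NAME = "orders-prod";
    private static final List<String> MEMBERS =
            Arrays.asList("10.3.16.11", "10.3.16.12", "10.3.16.13");
    private static final String LAN_INTERFACE = "10.3.16.*";
    private static final int PORT = 5701;

    public static Config build(String validationToken) {
        if (validationToken == null || validationToken.trim().isEmpty()) {
            // Refuse to start without the shared token rather than silently
            // forming a cluster that any host with the group name could join.
            throw new IllegalStateException("HAZELCAST_VALIDATION_TOKEN is not set");
        }

        Config config = new Config();

        // 1. Unique group name per cluster. The password argument is accepted by
        //    the API but, as the answer notes, not checked by the open-source edition.
        config.setGroupConfig(new GroupConfig(GROUP_NAME, "not-verified-in-oss"));

        // 2. Shared validation token: a member presenting a different token is
        //    rejected when it tries to join.
        config.setProperty("hazelcast.application.validation.token", validationToken);

        // 3. Do not bind to every local address; restrict to the LAN interface.
        config.setProperty("hazelcast.socket.bind.any", "false");
        NetworkConfig network = config.getNetworkConfig();
        network.setPort(PORT);
        network.setPortAutoIncrement(false);   // fixed port keeps firewall rules simple
        InterfacesConfig interfaces = network.getInterfaces();
        interfaces.setEnabled(true);
        interfaces.addInterface(LAN_INTERFACE);

        // 4. TCP/IP discovery against the known member list only; multicast off.
        JoinConfig join = network.getJoin();
        join.getMulticastConfig().setEnabled(false);
        TcpIpConfig tcpIp = join.getTcpIpConfig();
        tcpIp.setEnabled(true);
        for (String member : MEMBERS) {
            tcpIp.addMember(member + ":" + PORT);
        }
        return config;
    }

    public static void main(String[] args) {
        // The token is read from the environment so it never lives in source control.
        String token = System.getenv("HAZELCAST_VALIDATION_TOKEN");
        HazelcastInstance instance = Hazelcast.newHazelcastInstance(build(token));
        System.out.println("Started " + instance.getName()
                + " in cluster " + instance.getConfig().getGroupConfig().getName());
    }
}
```

A developer machine that runs the original test configuration (same group name, no token, binding to any interface) no longer fits this cluster: it does not carry the token and, if it sits outside 10.3.16.0/24, the production members neither bind on an interface it can reach nor list it as a TCP/IP member. Two caveats to keep in mind: the token is a shared secret, so it only protects against accidental joins by hosts that do not know it, and member-to-member TLS is not part of the 3.x open-source edition, so a hostile host on the same LAN is the case for which the answer points to the Enterprise security features.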