Preventing unauthorized members from joining a Hazelcast cluster

Submitted by 生来就可爱ヽ(ⅴ<●) on 2020-07-15 09:09:07

Question


We are changing one of our applications to use Hazelcast 3.11 Community Edition and do some locking between multiple JVMs running on a few hosts. We configure our cluster programmatically like below:

import java.util.logging.Logger;

import com.hazelcast.config.Config;
import com.hazelcast.config.GroupConfig;
import com.hazelcast.config.TcpIpConfig;
import com.hazelcast.core.Hazelcast;
import com.hazelcast.core.HazelcastInstance;

public class HazelcastBuilder {
    private static final Logger logger = Logger.getLogger(HazelcastBuilder.class.getName());

    private final String name;            // group (cluster) name
    private final String password;        // group password
    private final String members;         // comma-separated host list for TCP/IP discovery
    private final String hostName;
    private final String applicationName;

    public HazelcastBuilder(String name, String password, String members,
                            String hostName, String applicationName) {
        this.name = name;
        this.password = password;
        this.members = members;
        this.hostName = hostName;
        this.applicationName = applicationName;
    }

    public HazelcastInstance getHazelcastInstance() {
        Config hazelcastConfig = new Config();
        GroupConfig groupConfig = new GroupConfig(name, password);
        hazelcastConfig.setGroupConfig(groupConfig);

        // TCP/IP discovery: the node tries to reach each listed member on startup.
        TcpIpConfig tcpIpConfig = new TcpIpConfig();
        tcpIpConfig.setEnabled(true);
        for (String member : members.split(",")) {
            tcpIpConfig.addMember(member.trim());
        }

        hazelcastConfig.getNetworkConfig().getJoin().setTcpIpConfig(tcpIpConfig);
        // By default the multicast config is enabled. Disable it here.
        hazelcastConfig.getNetworkConfig().getJoin().getMulticastConfig().setEnabled(false);
        String instanceName = applicationName + "-" + hostName;
        hazelcastConfig.setInstanceName(instanceName);

        logger.info("Creating hazelcast instance: " + instanceName);
        return Hazelcast.getOrCreateHazelcastInstance(hazelcastConfig);
    }
}

All works fine and the cluster gets created properly and working as expected.

However, I created a unit test and configured a local cluster with the same name as the application uses, then I added my developer machine to it. All worked fine and my local host joined the application cluster without any issues.

Of course such a thing cannot be accepted in a production environment, and here is my question:

Given we have a list of host names that can run our application, what is the best way to prevent unauthorized members from joining a given Hazelcast cluster?

Thank you in advance for your help.


Answer 1:


If you are searching for security features, then you should use Hazelcast Enterprise edition. Check the feature lists:

  • OS features
  • EE features

If you only need to prevent arbitrary machines from connecting to your cluster, then there are several options in the open-source edition:

  • use a unique group name for each of your clusters;
  • as an additional level of protection you can define a validation token in your configuration - just set the hazelcast.application.validation.token Hazelcast property (or system property) - look at the reference manual for details;
  • specify which network interfaces should be used (doc) and disable binding to all local interfaces by setting the hazelcast.socket.bind.any property to false. Usually, your production cluster runs in a trusted LAN environment, so you want to make it accessible only within that LAN;
  • the multicast discovery mechanism (doc) also adds the <trusted-interfaces> configuration, which could help you. You're using TCP discovery, so it's not valid for your scenario.

Final note: The group password field is not checked in the Hazelcast open-source edition!
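The open-source controls from the answer above, combined in one member configuration, as an added example that is not part of the original question or answer and not Hazelcast's own code. The cluster name, validation token, LAN address pattern and member addresses are placeholder values assumed for illustration. Two caveats are worth keeping in mind while reading it: the TCP/IP member list is a discovery list (the hosts this node tries to contact), not an allow-list of who may connect, which is exactly why the developer machine in the question could join; and none of these settings authenticates a member, so a host that sits on the trusted LAN and knows the group name and token can still join. Real member authentication is an Enterprise Edition feature, as the answer says.

```java
import java.util.Arrays;
import java.util.List;

import com.hazelcast.config.Config;
import com.hazelcast.config.GroupConfig;
import com.hazelcast.config.InterfacesConfig;
import com.hazelcast.config.JoinConfig;
import com.hazelcast.config.NetworkConfig;
import com.hazelcast.config.TcpIpConfig;
import com.hazelcast.core.Hazelcast;
import com.hazelcast.core.HazelcastInstance;

/**
 * Hardened Hazelcast 3.11 Community Edition member configuration.
 * All constants below are assumed placeholder values, not taken from the page.
 */
public class HardenedHazelcastConfig {

    // Hypothetical values; in a real deployment read them from deployment config or a secret store.
    private static final String CLUSTER_NAME = "orders-prod";   // unique per cluster AND per environment
    private static final String VALIDATION_TOKEN = "replace-with-a-long-random-per-cluster-value";
    private static final String LAN_INTERFACE_PATTERN = "10.20.30.*"; // only the trusted LAN range
    private static final List<String> MEMBERS =
            Arrays.asList("10.20.30.11", "10.20.30.12", "10.20.30.13");

    public static Config build(String applicationName, String hostName) {
        Config config = new Config();
        config.setInstanceName(applicationName + "-" + hostName);

        // 1. Unique group name: a member must present the same name to join.
        //    The password is NOT checked in the open-source edition, so it buys nothing;
        //    it is only set because the constructor takes one.
        config.setGroupConfig(new GroupConfig(CLUSTER_NAME, "not-checked-in-oss"));

        // 2. Application validation token: a joining member whose token differs is rejected.
        //    Treat it as a configuration-consistency check, not as a credential.
        config.setProperty("hazelcast.application.validation.token", VALIDATION_TOKEN);

        NetworkConfig network = config.getNetworkConfig();

        // 3. Fixed port without auto-increment, so firewall rules can name one port exactly.
        network.setPort(5701).setPortAutoIncrement(false);

        // 4. Do not bind 0.0.0.0; listen only on the interface matching the trusted LAN.
        config.setProperty("hazelcast.socket.bind.any", "false");
        InterfacesConfig interfaces = network.getInterfaces();
        interfaces.setEnabled(true).addInterface(LAN_INTERFACE_PATTERN);

        // 5. TCP/IP discovery with multicast off. Note that this list only tells THIS node
        //    whom to contact; it does not stop an unlisted host from connecting to the cluster.
        JoinConfig join = network.getJoin();
        join.getMulticastConfig().setEnabled(false);
        TcpIpConfig tcpIp = join.getTcpIpConfig().setEnabled(true);
        for (String member : MEMBERS) {
            tcpIp.addMember(member);
        }
        return config;
    }

    public static HazelcastInstance start(String applicationName, String hostName) {
        return Hazelcast.getOrCreateHazelcastInstance(build(applicationName, hostName));
    }

    public static void main(String[] args) {
        HazelcastInstance hz = start("orders", "app-host-01");
        System.out.println("Cluster members: " + hz.getCluster().getMembers());
        hz.shutdown();
    }
}
```

To check the token actually bites, start one member with this configuration and a second one from the original HazelcastBuilder with the same group name but no hazelcast.application.validation.token property: the second member should be refused at join time, whereas with only the group name and password the question shows it joining.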



Source: https://stackoverflow.com/questions/56214166/preventing-unauthorized-member-for-joining-hazelcast-cluster
