Preventing unauthorized members from joining a Hazelcast cluster

Updated: 2024-10-13 22:25:00

Question

We are changing one of our applications to use Hazelcast 3.11 Community Edition and do some locking between multiple JVMs running on a few hosts. We configure our cluster programmatically like below:

```java
import com.hazelcast.config.Config;
import com.hazelcast.config.GroupConfig;
import com.hazelcast.config.TcpIpConfig;
import com.hazelcast.core.Hazelcast;
import com.hazelcast.core.HazelcastInstance;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class HazelcastBuilder {
    // The original snippet used an undeclared "logger"; an SLF4J logger is assumed here.
    private static final Logger logger = LoggerFactory.getLogger(HazelcastBuilder.class);

    private final String name;
    private final String password;
    private final String members;        // comma-separated list of member addresses
    private final String hostName;
    private final String applicationName;

    public HazelcastBuilder(String name, String password, String members,
                            String hostName, String applicationName) {
        this.name = name;
        this.password = password;
        this.members = members;
        this.hostName = hostName;
        this.applicationName = applicationName;
    }

    public HazelcastInstance getHazelcastInstance() {
        Config hazelcastConfig = new Config();
        GroupConfig groupConfig = new GroupConfig(name, password);
        hazelcastConfig.setGroupConfig(groupConfig);

        // TCP/IP discovery against the configured member list.
        TcpIpConfig tcpIpConfig = new TcpIpConfig();
        tcpIpConfig.setEnabled(true);
        for (String member : members.split(",")) {
            tcpIpConfig.addMember(member.trim());
        }
        hazelcastConfig.getNetworkConfig().getJoin().setTcpIpConfig(tcpIpConfig);
        // By default the multicast config is enabled. Disable it here.
        hazelcastConfig.getNetworkConfig().getJoin().getMulticastConfig().setEnabled(false);

        String instanceName = applicationName + "-" + hostName;
        hazelcastConfig.setInstanceName(instanceName);
        logger.info("Creating hazelcast instance: " + instanceName);
        return Hazelcast.getOrCreateHazelcastInstance(hazelcastConfig);
    }
}
```

All works fine, the cluster gets created properly and works as expected.

However, I created a unit test and configured a local cluster with the same name as the application uses, then I added my developer machine to it. All worked fine and my local host joined the application cluster without any issues.

Of course such a thing cannot be accepted in a production environment, and here is my question:

Given we have a list of host names that can run our application, what is the best way to prevent unauthorized members from joining a given Hazelcast cluster?

Thanks in advance for your help.

Accepted answer

If you are searching for security features, then you should use Hazelcast Enterprise edition. Check the feature lists:

  • OS features
  • EE features

If you only need to prevent arbitrary machines connecting to your cluster, then there are several options in the open-source edition:

  • use a unique group name for each of your clusters;
  • as an additional level of protection you can define a validation token in your configuration - just set the hazelcast.application.validation.token Hazelcast property (or system property) - look at the reference manual for details;
  • specify which network interfaces should be used (doc) and disable binding to all local interfaces by setting the hazelcast.socket.bind.any property to false. Usually, your production cluster runs in a trusted LAN environment, so you want to make it accessible only within that LAN;
  • the multicast discovery mechanism (doc) also adds the <trusted-interfaces> configuration, which could help you. You're using TCP discovery, so it's not valid for your scenario.

Final note: the group password field is not checked in the Hazelcast open-source edition!
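The open-source options from the answer applied to the asker's TCP/IP setup, as an added example that is not code from the question or the answer. The class name, the interface pattern, the host names and the HZ_VALIDATION_TOKEN variable are constructed placeholders; it assumes the Hazelcast 3.x API, where hazelcast.application.validation.token and hazelcast.socket.bind.any are Hazelcast properties settable through Config.setProperty.

```java
import com.hazelcast.config.Config;
import com.hazelcast.config.GroupConfig;
import com.hazelcast.config.JoinConfig;
import com.hazelcast.config.NetworkConfig;
import com.hazelcast.core.Hazelcast;
import java.util.Arrays;
import java.util.List;

// Constructed example: hardening a Hazelcast 3.x member that uses TCP/IP discovery.
public class HardenedHazelcastConfig {

    public static Config build(String clusterName, String validationToken,
                               String lanInterfacePattern, List<String> allowedMembers) {
        Config config = new Config();

        // 1. A group name unique to this cluster and environment, so a developer's
        //    cluster with a generic name cannot collide with production. The password
        //    argument is not checked by the open-source edition (see the final note).
        config.setGroupConfig(new GroupConfig(clusterName, "not-checked-in-os-edition"));

        // 2. Validation token: a member presenting a different value is refused.
        //    It is a shared secret, so it comes from the environment, not from source.
        config.setProperty("hazelcast.application.validation.token", validationToken);

        NetworkConfig network = config.getNetworkConfig();

        // 3. Bind only to the trusted LAN interface instead of all local interfaces,
        //    and pin the port so the member cannot silently move to another one.
        config.setProperty("hazelcast.socket.bind.any", "false");
        network.getInterfaces().setEnabled(true).addInterface(lanInterfacePattern);
        network.setPort(5701).setPortAutoIncrement(false);

        // 4. TCP/IP discovery restricted to the explicit allow-list of hosts;
        //    multicast stays off so nothing on the subnet is discovered by accident.
        JoinConfig join = network.getJoin();
        join.getMulticastConfig().setEnabled(false);
        join.getTcpIpConfig().setEnabled(true);
        for (String member : allowedMembers) {
            join.getTcpIpConfig().addMember(member.trim());
        }
        return config;
    }

    public static void main(String[] args) {
        String token = System.getenv("HZ_VALIDATION_TOKEN"); // placeholder variable name
        if (token == null || token.isEmpty()) {
            throw new IllegalStateException("HZ_VALIDATION_TOKEN must be set");
        }
        Config config = build("orders-prod", token, "10.20.30.*",
                Arrays.asList("app-host-1", "app-host-2"));
        Hazelcast.newHazelcastInstance(config);
    }
}
```

A member started without the same token, or from a host outside the interface pattern and member list, is refused at join time, which is the failure the asker's unit test demonstrated.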

Published: 2023-11-11 05:36:44
Source: https://www.elefans.com/category/jswz/34/1577530.html