We are changing one of our applications to use Hazelcast 3.11 Community Edition and do some locking between multiple JVMs running on a few hosts. We configure our cluster programmatically like below:
```java
import com.hazelcast.config.Config;
import com.hazelcast.config.GroupConfig;
import com.hazelcast.config.TcpIpConfig;
import com.hazelcast.core.Hazelcast;
import com.hazelcast.core.HazelcastInstance;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class HazelcastBuilder {

    private static final Logger logger = LoggerFactory.getLogger(HazelcastBuilder.class);

    private final String name;
    private final String password;
    private final String members;
    private final String hostName;
    private final String applicationName;

    public HazelcastBuilder(String name, String password, String members,
                            String hostName, String applicationName) {
        this.name = name;
        this.password = password;
        this.members = members;
        this.hostName = hostName;
        this.applicationName = applicationName;
    }

    public HazelcastInstance getHazelcastInstance() {
        Config hazelcastConfig = new Config();

        GroupConfig groupConfig = new GroupConfig(name, password);
        hazelcastConfig.setGroupConfig(groupConfig);

        // Static TCP/IP discovery: members is a comma-separated list of host[:port] entries.
        TcpIpConfig tcpIpConfig = new TcpIpConfig();
        tcpIpConfig.setEnabled(true);
        for (String member : members.split(",")) {
            tcpIpConfig.addMember(member.trim());
        }
        hazelcastConfig.getNetworkConfig().getJoin().setTcpIpConfig(tcpIpConfig);

        // By default the multicast config is enabled. Disable it here.
        hazelcastConfig.getNetworkConfig().getJoin().getMulticastConfig().setEnabled(false);

        String instanceName = applicationName + "-" + hostName;
        hazelcastConfig.setInstanceName(instanceName);
        logger.info("Creating hazelcast instance: " + instanceName);
        return Hazelcast.getOrCreateHazelcastInstance(hazelcastConfig);
    }
}
```
All works fine: the cluster gets created properly and works as expected.
However, I created a unit test and configured a local cluster with the same name as the application uses, then I added my developer machine to it. All worked fine and my local host joined the application cluster without any issues.
Of course such a thing cannot be accepted in a production environment, and here is my question:
Given that we have a list of host names that can run our application, what is the best way to prevent unauthorized members from joining a given Hazelcast cluster?
Thanks in advance for your help.
Recommended answer

If you are searching for security features, then you should use the Hazelcast Enterprise edition. Check the feature lists:
- OS features
- EE features
If you only need to prevent arbitrary machines from connecting to your cluster, then there are several options in the open source edition:
- use a unique group name for each of your clusters;
- as an additional level of protection you can define a validation token in your configuration - just set the hazelcast.application.validation.token Hazelcast property (or system property) - look at the reference manual for details;
- specify which network interfaces should be used (doc) and disable binding to all local interfaces by setting the hazelcast.socket.bind.any property to false. Usually your production cluster runs in a trusted LAN environment, so you want to make it accessible only within that LAN;
- the multicast discovery mechanism (doc) also adds the <trusted-interfaces> configuration, which could help you. You're using TCP discovery, so it's not valid for your scenario.
Final note: the group password field is not checked in the Hazelcast open source edition!
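The following is an added example, not code from the question or the answer above, showing how the answer's open source options translate into a Hazelcast 3.11 `Config` built programmatically, in the same style as the asker's builder. The group name, validation token, interface pattern and member list are assumed inputs that would normally come from the application's configuration; the property names `hazelcast.application.validation.token` and `hazelcast.socket.bind.any` are the ones the answer names.

```java
import com.hazelcast.config.Config;
import com.hazelcast.config.GroupConfig;
import com.hazelcast.config.InterfacesConfig;
import com.hazelcast.config.JoinConfig;
import com.hazelcast.config.NetworkConfig;
import com.hazelcast.config.TcpIpConfig;
import com.hazelcast.core.Hazelcast;
import com.hazelcast.core.HazelcastInstance;

import java.util.Arrays;
import java.util.List;

/**
 * Added example (not part of the original question or answer): builds a
 * Hazelcast 3.x open source Config that applies the answer's recommendations
 * for keeping arbitrary machines out of a TCP/IP-discovered cluster.
 */
public final class RestrictedClusterConfig {

    private RestrictedClusterConfig() {
    }

    /**
     * @param groupName               unique per cluster (e.g. "orders-prod", constructed value)
     * @param validationToken         shared secret every member must present at join time
     * @param trustedInterfacePattern interface pattern the member may bind to, e.g. "10.3.16.*"
     * @param members                 static host[:port] list of the machines allowed to run the app
     */
    public static Config build(String groupName,
                               String validationToken,
                               String trustedInterfacePattern,
                               List<String> members) {
        Config config = new Config();

        // 1. Unique group name per cluster. The password is NOT verified in the
        //    open source edition, so do not rely on it for protection.
        config.setGroupConfig(new GroupConfig(groupName));

        // 2. Validation token: a member whose token differs is rejected when it
        //    tries to join, which is what stopped the asker's dev box in the answer.
        config.setProperty("hazelcast.application.validation.token", validationToken);

        // 3. Do not bind to every local interface; restrict to the trusted LAN one.
        config.setProperty("hazelcast.socket.bind.any", "false");
        NetworkConfig network = config.getNetworkConfig();
        InterfacesConfig interfaces = network.getInterfaces();
        interfaces.setEnabled(true);
        interfaces.addInterface(trustedInterfacePattern);

        // 4. Static TCP/IP member list only; multicast stays off so the cluster never
        //    advertises itself to whatever shares the broadcast domain.
        JoinConfig join = network.getJoin();
        join.getMulticastConfig().setEnabled(false);
        TcpIpConfig tcpIp = join.getTcpIpConfig();
        tcpIp.setEnabled(true);
        for (String member : members) {
            tcpIp.addMember(member.trim());
        }
        return config;
    }

    // Constructed sample values; in a real deployment read them from configuration,
    // and keep the token out of source control like any other shared secret.
    public static void main(String[] args) {
        List<String> allowedHosts = Arrays.asList("app-host-1:5701", "app-host-2:5701");
        Config config = build("orders-prod",
                              System.getProperty("cluster.token", "CHANGE-ME"),
                              "10.3.16.*",
                              allowedHosts);
        config.setInstanceName("orders-" + System.getProperty("host.name", "localhost"));
        HazelcastInstance instance = Hazelcast.getOrCreateHazelcastInstance(config);
        System.out.println("Cluster members: " + instance.getCluster().getMembers());
    }
}
```

A member started with the same group name but a different `hazelcast.application.validation.token`, or one whose address is outside the allowed interface and member list, will fail to join; the rejection is logged on both sides, which is also the signal to watch for in production to notice a misconfigured or unexpected node.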