use of com.hazelcast.config.SecurityConfig in project hazelcast by hazelcast.
the class TestFullApplicationContext method testSecurity.
@Test
public void testSecurity() {
    // Security section of the full application context: on-join permission propagation,
    // client permissions, and the "kerberosRealm" / "simpleRealm" realm definitions.
    SecurityConfig securityConfig = config.getSecurityConfig();
    assertEquals(OnJoinPermissionOperationName.SEND, securityConfig.getOnJoinPermissionOperation());
    assertFalse(securityConfig.getClientBlockUnmappedActions());

    // Every PermissionType must be represented exactly once in the client permissions.
    final Set<PermissionConfig> clientPermissions = securityConfig.getClientPermissionConfigs();
    assertTrue(isNotEmpty(clientPermissions));
    assertEquals(PermissionType.values().length, clientPermissions.size());

    final PermissionConfig expectedPnCounterPermission =
            new PermissionConfig(PermissionType.PN_COUNTER, "pnCounterPermission", "*")
                    .addAction("create")
                    .setEndpoints(Collections.emptySet());
    assertContains(clientPermissions, expectedPnCounterPermission);

    // Strike out each configured type; whatever remains is missing from the config.
    Set<PermissionType> missingTypes = new HashSet<>(Arrays.asList(PermissionType.values()));
    for (PermissionConfig permission : clientPermissions) {
        missingTypes.remove(permission.getType());
    }
    assertTrue("All permission types should be listed in fullConfig. Not found ones: " + missingTypes, missingTypes.isEmpty());

    // Kerberos realm: authentication (acceptor side) and identity (initiator side).
    RealmConfig kerberosRealm = securityConfig.getRealmConfig("kerberosRealm");
    assertNotNull(kerberosRealm);
    KerberosAuthenticationConfig kerberosAuthn = kerberosRealm.getKerberosAuthenticationConfig();
    assertNotNull(kerberosAuthn);
    assertEquals(TRUE, kerberosAuthn.getRelaxFlagsCheck());
    assertEquals(TRUE, kerberosAuthn.getUseNameWithoutRealm());
    assertEquals("krb5Acceptor", kerberosAuthn.getSecurityRealm());
    assertNotNull(kerberosAuthn.getLdapAuthenticationConfig());
    KerberosIdentityConfig kerberosIdentity = kerberosRealm.getKerberosIdentityConfig();
    assertNotNull(kerberosIdentity);
    assertEquals("HAZELCAST.COM", kerberosIdentity.getRealm());
    assertEquals(TRUE, kerberosIdentity.getUseCanonicalHostname());

    // Simple realm: two users; "test" has a password and the roles monitor + hazelcast.
    RealmConfig simpleRealm = securityConfig.getRealmConfig("simpleRealm");
    assertNotNull(simpleRealm);
    SimpleAuthenticationConfig simpleAuthn = simpleRealm.getSimpleAuthenticationConfig();
    assertNotNull(simpleAuthn);
    assertEquals(2, simpleAuthn.getUsernames().size());
    assertTrue(simpleAuthn.getUsernames().contains("test"));
    assertEquals("a1234", simpleAuthn.getPassword("test"));
    Set<String> expectedRoles = new HashSet<>(Arrays.asList("monitor", "hazelcast"));
    assertEquals(expectedRoles, simpleAuthn.getRoles("test"));
}
use of com.hazelcast.config.SecurityConfig in project hazelcast by hazelcast.
the class OnJoinOp method run.
@Override
public void run() throws Exception {
    // Nothing to replay when the joining member sent no post-join operations.
    if (operations.isEmpty()) {
        return;
    }

    // Permission updates carried by the join are applied only when this member is configured
    // to RECEIVE them; otherwise they are skipped and the local permissions stay authoritative.
    SecurityConfig securityConfig = getNodeEngine().getConfig().getSecurityConfig();
    boolean acceptPermissionUpdates =
            securityConfig.getOnJoinPermissionOperation() == OnJoinPermissionOperationName.RECEIVE;

    for (Operation op : operations) {
        if (!acceptPermissionUpdates && op instanceof UpdatePermissionConfigOperation) {
            continue;
        }
        try {
            // not running via OperationService since we don't want any restrictions like cluster state check etc.
            runDirect(op);
        } catch (Exception e) {
            // A failing post-join operation must not prevent the remaining ones from running.
            getLogger().warning("Error while running post-join operation: " + op, e);
        }
    }

    // Only the master fans the operations out; every other member just applies them locally.
    final ClusterService clusterService = getService();
    if (!clusterService.isMaster()) {
        return;
    }
    final OperationService operationService = getNodeEngine().getOperationService();
    for (Member member : clusterService.getMembers()) {
        // Skip ourselves and the sender (the joining member), which already has the operations.
        if (member.localMember() || member.getUuid().equals(getCallerUuid())) {
            continue;
        }
        OnJoinOp forwarded = new OnJoinOp(operations);
        operationService.invokeOnTarget(getServiceName(), forwarded, member.getAddress());
    }
}
use of com.hazelcast.config.SecurityConfig in project hazelcast by hazelcast.
the class NodeSecurityBanner method printSecurityFeaturesInfo.
@SuppressWarnings({ "checkstyle:CyclomaticComplexity", "checkstyle:MethodLength" })
private void printSecurityFeaturesInfo(Config config, Level logLevel) {
    // Builds the security-hardening banner: one check line per recommendation (pass/fail
    // derived from the given config) plus informational lines, then logs it at logLevel.
    StringBuilder banner = new StringBuilder("\n")
            .append(getLockEmo())
            .append("Security recommendations and their status:");

    addSecurityFeatureCheck(banner, "Use a custom cluster name", !Config.DEFAULT_CLUSTER_NAME.equals(config.getClusterName()));
    addSecurityFeatureCheck(banner, "Disable member multicast discovery/join method", !multicastUsed);

    AdvancedNetworkConfig advancedNetwork = config.getAdvancedNetworkConfig();
    boolean advancedNetworking = advancedNetwork.isEnabled();
    addSecurityFeatureCheck(banner, "Use advanced networking, separate client and member sockets", advancedNetworking);

    boolean bindAny = properties.getBoolean(SOCKET_SERVER_BIND_ANY);
    addSecurityFeatureCheck(banner, "Bind Server sockets to a single network interface (disable " + SOCKET_SERVER_BIND_ANY.getName() + ")", !bindAny);

    // TLS lines are collected apart from the main banner and appended after the security section.
    StringBuilder tlsSection = new StringBuilder();
    boolean tlsUsed;
    if (advancedNetworking) {
        // TLS counts as "used" only if every endpoint has it; each endpoint is still reported
        // (the helper runs before the flag is folded in, so no endpoint is skipped).
        tlsUsed = true;
        for (Map.Entry<EndpointQualifier, EndpointConfig> endpoint : advancedNetwork.getEndpointConfigs().entrySet()) {
            boolean endpointTls = addAdvNetworkTlsInfo(tlsSection, endpoint.getKey(), endpoint.getValue().getSSLConfig());
            tlsUsed &= endpointTls;
        }
    } else {
        SSLConfig sslConfig = config.getNetworkConfig().getSSLConfig();
        boolean sslEnabled = sslConfig != null && sslConfig.isEnabled();
        tlsUsed = addSecurityFeatureCheck(tlsSection, "Use TLS communication protection (Enterprise)", sslEnabled);
    }

    // Jet executes user-supplied code; it is only recommended where the network is trusted.
    if (config.getJetConfig().isEnabled()) {
        boolean trustedEnv = tlsUsed || !bindAny;
        addSecurityFeatureCheck(banner, "Use Jet in trusted environments only (single network interface and/or TLS enabled)", trustedEnv);
        if (config.getJetConfig().isResourceUploadEnabled()) {
            addSecurityFeatureInfo(banner, "Jet resource upload is enabled. Any uploaded code can be executed within Hazelcast. Use this in trusted environments only.");
        }
    }
    if (config.getUserCodeDeploymentConfig().isEnabled()) {
        addSecurityFeatureInfo(banner, "User code deployment is enabled. Any uploaded code can be executed within Hazelcast. Use this in trusted environments only.");
    }

    addSecurityFeatureCheck(banner, "Disable scripting in the Management Center", !config.getManagementCenterConfig().isScriptingEnabled());
    addSecurityFeatureCheck(banner, "Disable console in the Management Center", !config.getManagementCenterConfig().isConsoleEnabled());

    // Authentication checks only make sense once security itself is switched on.
    SecurityConfig securityConfig = config.getSecurityConfig();
    boolean securityEnabled = securityConfig != null && securityConfig.isEnabled();
    addSecurityFeatureCheck(banner, "Enable Security (Enterprise)", securityEnabled);
    if (securityEnabled) {
        checkAuthnConfigured(banner, securityConfig, "member-authentication", securityConfig.getMemberRealm());
        checkAuthnConfigured(banner, securityConfig, "client-authentication", securityConfig.getClientRealm());
    }

    // TLS here
    banner.append(tlsSection);

    PersistenceConfig persistenceConfig = config.getPersistenceConfig();
    if (persistenceConfig != null && persistenceConfig.isEnabled()) {
        EncryptionAtRestConfig encryptionAtRest = persistenceConfig.getEncryptionAtRestConfig();
        boolean encryptionAtRestEnabled = encryptionAtRest != null && encryptionAtRest.isEnabled();
        addSecurityFeatureCheck(banner, "Enable encryption-at-rest in the Persistence config (Enterprise)", encryptionAtRestEnabled);
    }

    AuditlogConfig auditlogConfig = config.getAuditlogConfig();
    boolean auditlogEnabled = auditlogConfig != null && auditlogConfig.isEnabled();
    addSecurityFeatureCheck(banner, "Enable auditlog (Enterprise)", auditlogEnabled);

    banner.append("\nCheck the hazelcast-security-hardened.xml/yaml example config file to find why and how to configure these security related settings.\n");
    securityLogger.log(logLevel, banner.toString());
}
use of com.hazelcast.config.SecurityConfig in project hazelcast by hazelcast.
the class DefaultNodeExtension method checkSecurityAllowed.
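/**
 * Fails fast when an Enterprise-only protection (security, symmetric encryption, auditlog) is
 * enabled in the member config but the running build is not Enterprise, so the member never
 * starts silently without the protection the operator configured.
 *
 * @throws IllegalStateException if such a feature is enabled on a non-Enterprise build
 */
private void checkSecurityAllowed() {
    SecurityConfig securityConfig = node.getConfig().getSecurityConfig();
    requireEnterpriseIfEnabled("Security",
            securityConfig != null && securityConfig.isEnabled());

    SymmetricEncryptionConfig symmetricEncryptionConfig =
            getActiveMemberNetworkConfig(node.getConfig()).getSymmetricEncryptionConfig();
    requireEnterpriseIfEnabled("Symmetric Encryption",
            symmetricEncryptionConfig != null && symmetricEncryptionConfig.isEnabled());

    AuditlogConfig auditlogConfig = node.getConfig().getAuditlogConfig();
    requireEnterpriseIfEnabled("Auditlog",
            auditlogConfig != null && auditlogConfig.isEnabled());
}

/**
 * Shared gate for the three checks above: throws when {@code featureEnabled} is true and the
 * build is not Enterprise, otherwise does nothing. The build info is consulted only when the
 * feature is actually enabled.
 *
 * @param featureName    human-readable feature name used in the exception message
 * @param featureEnabled whether the feature is switched on in the config
 * @throws IllegalStateException if the feature is enabled on a non-Enterprise build
 */
private static void requireEnterpriseIfEnabled(String featureName, boolean featureEnabled) {
    if (featureEnabled && !BuildInfoProvider.getBuildInfo().isEnterprise()) {
        throw new IllegalStateException(featureName + " requires Hazelcast Enterprise Edition");
    }
}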
use of com.hazelcast.config.SecurityConfig in project hazelcast by hazelcast.
the class MemberDomConfigProcessor method handleSecurityPermission.
/**
 * Builds one client {@link PermissionConfig} of the given type from a permission XML element
 * and registers it on the {@link SecurityConfig}. The "name" and "principal" items are read
 * via {@code getNamedItemNode} (presumably attributes — confirm) and are {@code null} when
 * absent; the optional {@code endpoints} and {@code actions} child elements are parsed into
 * the same instance afterwards, which is why it is registered before the children are handled.
 */
void handleSecurityPermission(Node node, PermissionConfig.PermissionType type) {
    Node nameItem = getNamedItemNode(node, "name");
    String name = nameItem == null ? null : getTextContent(nameItem);
    Node principalItem = getNamedItemNode(node, "principal");
    String principal = principalItem == null ? null : getTextContent(principalItem);

    PermissionConfig permission = new PermissionConfig(type, name, principal);
    config.getSecurityConfig().addClientPermissionConfig(permission);

    for (Node child : childElements(node)) {
        String childName = cleanNodeName(child);
        if (matches("endpoints", childName)) {
            handleSecurityPermissionEndpoints(child, permission);
            continue;
        }
        if (matches("actions", childName)) {
            handleSecurityPermissionActions(child, permission);
        }
    }
}