Example 1 with SecurityConfig

Use of com.hazelcast.config.SecurityConfig in project hazelcast by hazelcast.

The class TestFullApplicationContext, method testSecurity.

@Test
public void testSecurity() {
    SecurityConfig securityConfig = config.getSecurityConfig();
    assertEquals(OnJoinPermissionOperationName.SEND, securityConfig.getOnJoinPermissionOperation());
    final Set<PermissionConfig> clientPermissionConfigs = securityConfig.getClientPermissionConfigs();
    assertFalse(securityConfig.getClientBlockUnmappedActions());
    assertTrue(isNotEmpty(clientPermissionConfigs));
    assertEquals(PermissionType.values().length, clientPermissionConfigs.size());
    final PermissionConfig pnCounterPermission = new PermissionConfig(PermissionType.PN_COUNTER, "pnCounterPermission", "*")
            .addAction("create")
            .setEndpoints(Collections.emptySet());
    assertContains(clientPermissionConfigs, pnCounterPermission);
    Set<PermissionType> permTypes = new HashSet<>(Arrays.asList(PermissionType.values()));
    for (PermissionConfig pc : clientPermissionConfigs) {
        permTypes.remove(pc.getType());
    }
    assertTrue("All permission types should be listed in fullConfig. Not found ones: " + permTypes, permTypes.isEmpty());
    RealmConfig kerberosRealm = securityConfig.getRealmConfig("kerberosRealm");
    assertNotNull(kerberosRealm);
    KerberosAuthenticationConfig kerbAuthentication = kerberosRealm.getKerberosAuthenticationConfig();
    assertNotNull(kerbAuthentication);
    assertEquals(TRUE, kerbAuthentication.getRelaxFlagsCheck());
    assertEquals(TRUE, kerbAuthentication.getUseNameWithoutRealm());
    assertEquals("krb5Acceptor", kerbAuthentication.getSecurityRealm());
    assertNotNull(kerbAuthentication.getLdapAuthenticationConfig());
    KerberosIdentityConfig kerbIdentity = kerberosRealm.getKerberosIdentityConfig();
    assertNotNull(kerbIdentity);
    assertEquals("HAZELCAST.COM", kerbIdentity.getRealm());
    assertEquals(TRUE, kerbIdentity.getUseCanonicalHostname());
    RealmConfig simpleRealm = securityConfig.getRealmConfig("simpleRealm");
    assertNotNull(simpleRealm);
    SimpleAuthenticationConfig simpleAuthnCfg = simpleRealm.getSimpleAuthenticationConfig();
    assertNotNull(simpleAuthnCfg);
    assertEquals(2, simpleAuthnCfg.getUsernames().size());
    assertTrue(simpleAuthnCfg.getUsernames().contains("test"));
    assertEquals("a1234", simpleAuthnCfg.getPassword("test"));
    Set<String> expectedRoles = new HashSet<>();
    expectedRoles.add("monitor");
    expectedRoles.add("hazelcast");
    assertEquals(expectedRoles, simpleAuthnCfg.getRoles("test"));
}

Example 2 with SecurityConfig

Use of com.hazelcast.config.SecurityConfig in project hazelcast by hazelcast.

The class OnJoinOp, method run.

@Override
public void run() throws Exception {
    if (!operations.isEmpty()) {
        SecurityConfig securityConfig = getNodeEngine().getConfig().getSecurityConfig();
        // Permission updates carried by a join are applied only when this member is
        // configured to RECEIVE them; with SEND (or NONE) the local permissions win.
        boolean runPermissionUpdates = securityConfig.getOnJoinPermissionOperation() == OnJoinPermissionOperationName.RECEIVE;
        for (Operation op : operations) {
            if ((op instanceof UpdatePermissionConfigOperation) && !runPermissionUpdates) {
                continue;
            }
            try {
                // not running via OperationService since we don't want any restrictions like cluster state check etc.
                runDirect(op);
            } catch (Exception e) {
                getLogger().warning("Error while running post-join operation: " + op, e);
            }
        }
        final ClusterService clusterService = getService();
        // if executed on master, broadcast to all other members except sender (joining member)
        if (clusterService.isMaster()) {
            final OperationService operationService = getNodeEngine().getOperationService();
            for (Member member : clusterService.getMembers()) {
                if (!member.localMember() && !member.getUuid().equals(getCallerUuid())) {
                    OnJoinOp operation = new OnJoinOp(operations);
                    operationService.invokeOnTarget(getServiceName(), operation, member.getAddress());
                }
            }
        }
    }
}

Example 3 with SecurityConfig

Use of com.hazelcast.config.SecurityConfig in project hazelcast by hazelcast.

The class NodeSecurityBanner, method printSecurityFeaturesInfo.

@SuppressWarnings({ "checkstyle:CyclomaticComplexity", "checkstyle:MethodLength" })
private void printSecurityFeaturesInfo(Config config, Level logLevel) {
    StringBuilder sb = new StringBuilder("\n").append(getLockEmo()).append("Security recommendations and their status:");
    addSecurityFeatureCheck(sb, "Use a custom cluster name", !Config.DEFAULT_CLUSTER_NAME.equals(config.getClusterName()));
    addSecurityFeatureCheck(sb, "Disable member multicast discovery/join method", !multicastUsed);
    AdvancedNetworkConfig advancedNetworkConfig = config.getAdvancedNetworkConfig();
    addSecurityFeatureCheck(sb, "Use advanced networking, separate client and member sockets", advancedNetworkConfig.isEnabled());
    boolean bindAny = properties.getBoolean(SOCKET_SERVER_BIND_ANY);
    addSecurityFeatureCheck(sb, "Bind Server sockets to a single network interface (disable " + SOCKET_SERVER_BIND_ANY.getName() + ")", !bindAny);
    StringBuilder tlsSb = new StringBuilder();
    boolean tlsUsed = true;
    if (advancedNetworkConfig.isEnabled()) {
        for (Map.Entry<EndpointQualifier, EndpointConfig> e : advancedNetworkConfig.getEndpointConfigs().entrySet()) {
            tlsUsed = addAdvNetworkTlsInfo(tlsSb, e.getKey(), e.getValue().getSSLConfig()) && tlsUsed;
        }
    } else {
        SSLConfig sslConfig = config.getNetworkConfig().getSSLConfig();
        tlsUsed = addSecurityFeatureCheck(tlsSb, "Use TLS communication protection (Enterprise)", sslConfig != null && sslConfig.isEnabled());
    }
    boolean jetEnabled = config.getJetConfig().isEnabled();
    if (jetEnabled) {
        boolean trustedEnv = tlsUsed || !bindAny;
        addSecurityFeatureCheck(sb, "Use Jet in trusted environments only (single network interface and/or TLS enabled)", trustedEnv);
        if (config.getJetConfig().isResourceUploadEnabled()) {
            addSecurityFeatureInfo(sb, "Jet resource upload is enabled. Any uploaded code can be executed within " + "Hazelcast. Use this in trusted environments only.");
        }
    }
    if (config.getUserCodeDeploymentConfig().isEnabled()) {
        addSecurityFeatureInfo(sb, "User code deployment is enabled. Any uploaded code can be executed within " + "Hazelcast. Use this in trusted environments only.");
    }
    addSecurityFeatureCheck(sb, "Disable scripting in the Management Center", !config.getManagementCenterConfig().isScriptingEnabled());
    addSecurityFeatureCheck(sb, "Disable console in the Management Center", !config.getManagementCenterConfig().isConsoleEnabled());
    SecurityConfig securityConfig = config.getSecurityConfig();
    boolean securityEnabled = securityConfig != null && securityConfig.isEnabled();
    addSecurityFeatureCheck(sb, "Enable Security (Enterprise)", securityEnabled);
    if (securityEnabled) {
        checkAuthnConfigured(sb, securityConfig, "member-authentication", securityConfig.getMemberRealm());
        checkAuthnConfigured(sb, securityConfig, "client-authentication", securityConfig.getClientRealm());
    }
    // append the TLS check results collected into tlsSb above
    sb.append(tlsSb.toString());
    PersistenceConfig persistenceConfig = config.getPersistenceConfig();
    if (persistenceConfig != null && persistenceConfig.isEnabled()) {
        EncryptionAtRestConfig encryptionAtRestConfig = persistenceConfig.getEncryptionAtRestConfig();
        addSecurityFeatureCheck(sb, "Enable encryption-at-rest in the Persistence config (Enterprise)", encryptionAtRestConfig != null && encryptionAtRestConfig.isEnabled());
    }
    AuditlogConfig auditlogConfig = config.getAuditlogConfig();
    addSecurityFeatureCheck(sb, "Enable auditlog (Enterprise)", auditlogConfig != null && auditlogConfig.isEnabled());
    sb.append("\nCheck the hazelcast-security-hardened.xml/yaml example config file to find why and how to configure" + " these security related settings.\n");
    securityLogger.log(logLevel, sb.toString());
}

Example 4 with SecurityConfig

Use of com.hazelcast.config.SecurityConfig in project hazelcast by hazelcast.

The class DefaultNodeExtension, method checkSecurityAllowed.

// Fail fast at startup: security, symmetric encryption and auditlog are
// Enterprise-only features, so an open-source member must not silently
// start with them enabled in its configuration.
private void checkSecurityAllowed() {
    SecurityConfig securityConfig = node.getConfig().getSecurityConfig();
    if (securityConfig != null && securityConfig.isEnabled()) {
        if (!BuildInfoProvider.getBuildInfo().isEnterprise()) {
            throw new IllegalStateException("Security requires Hazelcast Enterprise Edition");
        }
    }
    SymmetricEncryptionConfig symmetricEncryptionConfig = getActiveMemberNetworkConfig(node.getConfig()).getSymmetricEncryptionConfig();
    if (symmetricEncryptionConfig != null && symmetricEncryptionConfig.isEnabled()) {
        if (!BuildInfoProvider.getBuildInfo().isEnterprise()) {
            throw new IllegalStateException("Symmetric Encryption requires Hazelcast Enterprise Edition");
        }
    }
    AuditlogConfig auditlogConfig = node.getConfig().getAuditlogConfig();
    if (auditlogConfig != null && auditlogConfig.isEnabled()) {
        if (!BuildInfoProvider.getBuildInfo().isEnterprise()) {
            throw new IllegalStateException("Auditlog requires Hazelcast Enterprise Edition");
        }
    }
}

Example 5 with SecurityConfig

Use of com.hazelcast.config.SecurityConfig in project hazelcast by hazelcast.

The class MemberDomConfigProcessor, method handleSecurityPermission.

// Parses one <xxx-permission> element of the XML/YAML config into a PermissionConfig.
// The "name" and "principal" attributes are optional; a missing one is stored as null.
void handleSecurityPermission(Node node, PermissionConfig.PermissionType type) {
    SecurityConfig cfg = config.getSecurityConfig();
    Node nameNode = getNamedItemNode(node, "name");
    String name = nameNode != null ? getTextContent(nameNode) : null;
    Node principalNode = getNamedItemNode(node, "principal");
    String principal = principalNode != null ? getTextContent(principalNode) : null;
    PermissionConfig permConfig = new PermissionConfig(type, name, principal);
    cfg.addClientPermissionConfig(permConfig);
    for (Node child : childElements(node)) {
        String nodeName = cleanNodeName(child);
        if (matches("endpoints", nodeName)) {
            handleSecurityPermissionEndpoints(child, permConfig);
        } else if (matches("actions", nodeName)) {
            handleSecurityPermissionActions(child, permConfig);
        }
    }
}