Hazelcast member authentication ignores group password - hazelcast

I am using Hazelcast 3.11.2, free version. I am trying to enforce authentication, i.e. the group password, but it is not working. Hazelcast is ignoring it and letting nodes join the cluster anyway, whether they specify no password or a wrong one.
According to Hazelcast resources on the net, newer versions starting with 3.8.2 will let members join the cluster with the same group name even if the group password is different or not specified. On the other hand, JAAS is supported in the Enterprise version only.
So, how should authentication be added in Hazelcast's community edition? Try and hack in something when the members are joining, or is there a better, standardized way?
Open to recommendations... Thx!

Group password was removed because it wasn't meant to be used as security. For the community edition, you can try setting hazelcast.application.validation.token at runtime for all your members.

Security is an enterprise feature and cannot be accessed in the community version.

Related

CVE-ID: CVE-2022-29464 - Security Advisory WSO2-2021-1738

We observed vulnerability CVE-2022-29464 being exploited in the wild since April, allowing unrestricted file uploads resulting in arbitrary remote code execution (RCE), found here.
This affects WSO2 API Manager 2.2.0 and above, Identity Server 5.2.0 and above, Identity Server Analytics 5.4.0 to 5.6.0, Identity Server as Key Manager 5.3.0 and above, Open Banking AM 1.4.0 and above, and Enterprise Integrator 6.2.0 and above.
We're using WSO2 EI Product V6.4.0/6.5.0.
I have seen the Security Advisory WSO2-2021-1738 guideline too.
We don't have a Support Subscription, so I'm planning to remove the <FileUploadConfig> mappings in <product_home>/conf/carbon.xml as suggested on the same WSO2 Security Advisory page.
Is this mitigation step enough, or do we need to look into this further?
As per the advisory, it seems disabling the file upload services is not a complete fix. If you look at the fix that has been implemented, it has code-level changes as well. [1]
[1] - https://github.com/wso2/carbon-kernel/pull/3152/files
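The thread above says removing the <FileUploadConfig> mappings from carbon.xml is only the interim mitigation, and the kernel pull request is the actual fix. The following is an added example (not WSO2's code and not taken from the advisory) of how a defender can audit a carbon.xml for mappings that are still enabled and strip them in a controlled way. The sample document, its namespace URI and the executor class name are constructed placeholders; the only structure assumed from the page is a FileUploadConfig element containing Mapping children with Actions/Action and Class entries. The parser is namespace-agnostic, so it works whether or not the file declares a default namespace.

```python
import xml.etree.ElementTree as ET

# Constructed carbon.xml fragment for demonstration only (not taken from a WSO2
# install or from the advisory). The namespace URI and executor class name are
# placeholders; real deployments carry WSO2's own values.
SAMPLE_CARBON_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server xmlns="urn:example:carbon-placeholder">
    <Name>Example Server</Name>
    <FileUploadConfig>
        <Mapping>
            <Actions>
                <Action>keystore</Action>
                <Action>certificate</Action>
            </Actions>
            <Class>com.example.PlaceholderUploadExecutor</Class>
        </Mapping>
        <Mapping>
            <Actions>
                <Action>*</Action>
            </Actions>
            <Class>com.example.PlaceholderUploadExecutor</Class>
        </Mapping>
    </FileUploadConfig>
</Server>
"""


def _local(tag):
    """Strip a namespace prefix in Clark notation ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def _upload_config_elements(root):
    """All <FileUploadConfig> elements anywhere in the document."""
    return [e for e in root.iter() if _local(e.tag) == "FileUploadConfig"]


def find_upload_mappings(xml_text):
    """Return [(actions, executor_class), ...] for each <Mapping> under <FileUploadConfig>."""
    root = ET.fromstring(xml_text)
    found = []
    for cfg in _upload_config_elements(root):
        for mapping in cfg:
            if _local(mapping.tag) != "Mapping":
                continue
            actions = [a.text.strip() for a in mapping.iter()
                       if _local(a.tag) == "Action" and a.text]
            cls = next((c.text.strip() for c in mapping
                        if _local(c.tag) == "Class" and c.text), None)
            found.append((actions, cls))
    return found


def remove_upload_mappings(xml_text):
    """Return (cleaned_xml, removed_count) with every upload <Mapping> removed.

    Children are collected before removal so the tree is not mutated while
    it is being iterated.
    """
    root = ET.fromstring(xml_text)
    removed = 0
    for cfg in _upload_config_elements(root):
        for mapping in [m for m in cfg if _local(m.tag) == "Mapping"]:
            cfg.remove(mapping)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def audit_report(xml_text):
    """Summarise which upload mappings are still enabled for review."""
    mappings = find_upload_mappings(xml_text)
    return {
        "mapping_count": len(mappings),
        "actions": sorted({a for actions, _ in mappings for a in actions}),
        # A "*" action accepts any upload action name, so it deserves attention first.
        "wildcard_mapping": any("*" in actions for actions, _ in mappings),
    }


if __name__ == "__main__":
    print("before:", audit_report(SAMPLE_CARBON_XML))
    cleaned, n = remove_upload_mappings(SAMPLE_CARBON_XML)
    print(f"removed {n} mapping(s); after:", audit_report(cleaned))
```

Run the audit against the live carbon.xml before and after the change and keep the "before" report with the change record; a non-zero mapping count after the edit means a mapping lives outside the expected element and was missed. As the answer notes, this only closes the upload entry points and does not replace the kernel-level patch.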

Clustered HTTP sessions using Hazelcast in jhipster generator

Which options do I need to pick during application generation to be able to select the option:
Clustered HTTP sessions using Hazelcast
This option is mentioned in the documentation https://www.jhipster.tech/creating-an-app/#2
But somehow I am not able to pick it. Is it automatically selected when I choose Hazelcast as cache provider?
Is there an equivalent yo-rc.json setting?
It has been removed with this PR, following a public vote on our mailing list. So obviously the documentation has not been updated.

Hazelcast mancenter partition groups monitoring

How can I monitor partition groups using Hazelcast Management Center to validate my configuration?
Is there a way to understand how my custom partition grouping works?
Hazelcast mancenter seems to be missing that feature, and it is also not possible to see it in the logs.
It is possible to see the partition group config of a member in the Member details page under the "Member Configuration" box. There you can see the effective configuration of a member, including the partition group config.
I'm not sure what you mean by "how my custom partition grouping works". If there's a feature you want to be included, you can create an issue in the Hazelcast GitHub repository. Please make sure to explain what you want in more precise terms if you decide to do so.

How to provide cache level security in Apache Ignite?

I need to restrict one of my Ignite caches with user-level access permissions, but couldn't find a reference for this. Any assistance on this would be very helpful.
Apache Ignite provides only the possibility of authentication with a password out of the box. It is described here:
https://apacheignite.readme.io/docs/advanced-security
In case you require specific security that could grant some access permissions, you can implement the GridSecurityProcessor interface as part of a custom plugin or choose to use a 3rd-party implementation (e.g. GridGain).
Apache Ignite does not provide these kinds of security capabilities with its open-source version. As mentioned by @Andrei, you can either implement it on your own or use the commercial GridGain distribution.
Here, you can find steps to implement a custom plugin.
You would need to implement GridSecurityProcessor, which would be used to authenticate the joining node using authenticate(), and cache-level access permissions can be managed using the authorize() API.
This blog has more details and custom security plugin source code.
https://www.bugdbug.com/post/how-to-secure-apache-ignite-cluster

What is better to use (CqlConnection and CqlCommand) or (Cluster and Session)

Is there an advantage to using one or the other of these classes to execute statements in a .NET application? As a .NET developer, using CqlConnection and CqlCommand is very similar to what is done for other DBs (like SQL Server). I read on some websites that Cluster and Session is the better way to go.
The DataStax documentation does not describe the differences or give any suggestions on which to use under what circumstances.
Thanks
Use the cluster and session objects in the DataStax driver
DataStax drivers provide critical functionality for enterprise Cassandra apps, including configurable load balancing policies, automatic failover, retry policies, and tunability. These features are exposed via the Cluster and Session objects.
Notice that CqlConnection and CqlCommand are not even mentioned in the DataStax documentation. This is because they are used under the hood by the driver.
You can certainly use these to connect and read/write to Cassandra, but you will be missing out on the features I mentioned.
Pro Tip: Check the code comments here to see the functionality of the Cluster object. DataStax drivers are Open Source so feel free to go code diving!