/hazelcast-documentation/src/main/docbook/manual/content/security/ClientSecurity.xml

Source repository: https://bitbucket.org/gabral6_gmailcom/hazelcast
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright (c) 2008-2013, Hazelcast, Inc. All Rights Reserved.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<sect1 xml:id="ClientSecurity" version="5.0"
       xmlns="http://docbook.org/ns/docbook"
       xmlns:xi="http://www.w3.org/2001/XInclude"
       xmlns:xlink="http://www.w3.org/1999/xlink"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://docbook.org/ns/docbook http://www.docbook.org/xml/5.0/xsd/docbook.xsd
       http://www.w3.org/1999/xlink http://www.w3.org/1999/xlink.xsd">
<title>Native Client Security</title>
<para>Hazelcast client security covers both authentication (establishing who the connecting client is) and
authorization (deciding what that client may do).</para>
<sect2>
<title>Authentication</title>
<para>The client authentication mechanism works the same way as cluster member authentication: it requires a
<literal>Credentials</literal>
object and one or more
<literal>LoginModule</literal>s. Unlike a member, the client side has no factory object such as
<literal>ICredentialsFactory</literal>
for creating
<literal>Credentials</literal>; the
<literal>Credentials</literal>
object is created on the client and sent to the node it connects to during the connection
handshake. Because the credentials travel over the client connection itself, protect that connection with
transport-level encryption whenever the network between clients and members is not trusted.
<programlisting language="xml"><![CDATA[
<security enabled="true">
    <client-login-modules>
        <login-module class-name="com.hazelcast.examples.MyRequiredClientLoginModule" usage="required">
            <properties>
                <property name="property3">value3</property>
            </properties>
        </login-module>
        <login-module class-name="com.hazelcast.examples.MySufficientClientLoginModule" usage="sufficient">
            <properties>
                <property name="property4">value4</property>
            </properties>
        </login-module>
        <login-module class-name="com.hazelcast.examples.MyOptionalClientLoginModule" usage="optional">
            <properties>
                <property name="property5">value5</property>
            </properties>
        </login-module>
    </client-login-modules>
    ...
</security>
]]></programlisting>
</para>
<para>You can define as many
<literal>LoginModule</literal>s as you want in the configuration; they are executed in the given order. The
<literal>usage</literal>
attribute takes one of four values, 'required', 'requisite', 'sufficient' and 'optional', with the semantics
defined in
<code>javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag</code>: a 'required' module must
succeed but the remaining modules still run, a 'requisite' module stops the chain as soon as it fails, a
'sufficient' module that succeeds ends the chain immediately without consulting the modules after it, and an
'optional' module's result does not affect the overall outcome on its own. Order therefore matters: placing a
'sufficient' module before a 'required' one lets a client in without the required check ever running.
</para>
<para>On the client side the
<literal>Credentials</literal>
object is passed directly when the client instance is created:
<programlisting language="java"><![CDATA[
final Credentials credentials = new UsernamePasswordCredentials("dev", "dev-pass");
HazelcastInstance client = HazelcastClient.newHazelcastClient(credentials, "localhost");
]]></programlisting>
</para>
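<para>As an added illustration (not code from this manual or from the Hazelcast project), the following shows
what a client
<literal>LoginModule</literal>
such as the
<literal>MyRequiredClientLoginModule</literal>
configured above might look like. It implements the standard
<code>javax.security.auth.spi.LoginModule</code>
interface, obtains the client-supplied
<literal>UsernamePasswordCredentials</literal>
through a
<code>CredentialsCallback</code>, and verifies the password against a constructed in-memory table of SHA-256
hashes using a constant-time comparison. The Hazelcast types it relies on beyond what this page shows
(<code>CredentialsCallback</code>, <code>ClusterPrincipal</code>, the <code>getUsername()</code> and
<code>getPassword()</code> accessors) and the sample user table are assumptions; a real deployment keeps the
hashes in a secured store and uses per-user salts with a slow key-derivation function.</para>
<programlisting language="java"><![CDATA[
```java
package com.hazelcast.examples;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.hazelcast.security.ClusterPrincipal;
import com.hazelcast.security.Credentials;
import com.hazelcast.security.CredentialsCallback;
import com.hazelcast.security.UsernamePasswordCredentials;

/**
 * Example client LoginModule (not Hazelcast code): checks UsernamePasswordCredentials
 * against a table of password hashes and, on success, adds a ClusterPrincipal to the Subject.
 */
public class MyRequiredClientLoginModule implements LoginModule {
    // Constructed sample user store: username -> hex(SHA-256(salt + password)).
    // Assumption: production uses per-user salts, a slow KDF and an external store.
    private static final String SALT = "example-salt";
    private static final Map<String, String> USER_HASHES = new HashMap<String, String>();
    // Compared for unknown users so the work done does not reveal whether the user exists.
    private static final String DUMMY_HASH = sha256Hex(SALT + "no-such-user");
    static {
        USER_HASHES.put("dev", sha256Hex(SALT + "dev-pass"));
        USER_HASHES.put("admin", sha256Hex(SALT + "admin-pass"));
    }

    private Subject subject;
    private CallbackHandler callbackHandler;
    private UsernamePasswordCredentials credentials;
    private ClusterPrincipal principal;

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        // 'options' carries the <property> values of the login-module element.
    }

    public boolean login() throws LoginException {
        // Assumption: Hazelcast hands the client's Credentials to the module via CredentialsCallback.
        CredentialsCallback cb = new CredentialsCallback();
        try {
            callbackHandler.handle(new Callback[]{cb});
        } catch (Exception e) {
            throw new LoginException("Could not obtain credentials: " + e.getMessage());
        }
        Credentials c = cb.getCredentials();
        if (!(c instanceof UsernamePasswordCredentials)) {
            throw new FailedLoginException("Unsupported credentials type"); // fail closed
        }
        UsernamePasswordCredentials upc = (UsernamePasswordCredentials) c;
        String stored = USER_HASHES.get(upc.getUsername());
        boolean known = stored != null;
        byte[] expected = (known ? stored : DUMMY_HASH).getBytes(StandardCharsets.UTF_8);
        byte[] actual = sha256Hex(SALT + upc.getPassword()).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison, always evaluated (non-short-circuit '&'); one message for both failures.
        if (!(MessageDigest.isEqual(expected, actual) & known)) {
            throw new FailedLoginException("Invalid username or password");
        }
        credentials = upc;
        return true;
    }

    public boolean commit() throws LoginException {
        if (credentials == null) {
            return false;
        }
        // The default permission policy takes principal name and endpoint from a ClusterPrincipal
        // (assumption: it is constructed from the Credentials).
        principal = new ClusterPrincipal(credentials);
        subject.getPrincipals().add(principal);
        return true;
    }

    public boolean abort() throws LoginException {
        credentials = null;
        principal = null;
        return true;
    }

    public boolean logout() throws LoginException {
        if (principal != null) {
            subject.getPrincipals().remove(principal);
        }
        return abort();
    }

    private static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```
]]></programlisting>
<para>The module adds a
<code>ClusterPrincipal</code>
to the
<literal>Subject</literal>
in
<code>commit()</code>
so that the default permission policy can match the
<literal>principal</literal>
attribute of the client permissions against the authenticated username. It rejects any credential type it does
not understand rather than falling through, and it returns the same error for an unknown user and a wrong
password so that a failed login reveals nothing about which usernames exist. Register it with the
<literal>login-module</literal>
element shown above.</para>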
</sect2>
<sect2>
<title>Authorization</title>
<para>Hazelcast client authorization is configured by a client permission policy. Hazelcast ships a default
permission policy implementation that uses the permission configurations defined in the Hazelcast security
configuration. The default policy checks each request against the instance type (map, queue, ...), the instance
name (the map, queue, etc. name), the instance action (put, get, remove, add, ...), the client endpoint address
and the client principal, the last two of which are taken from the
<literal>Credentials</literal>
object the client authenticated with. A request that no configured permission covers is denied.
<emphasis role="italic">Instance and principal names and endpoint addresses
can be defined as wildcards (*). Take a look at the
<link xlink:href="#WildcardConfiguration">Wildcard Name Configuration</link>
and
<link xlink:href="#ConfigSpecifyInterfaces">Network Configuration</link>
pages.
</emphasis>
Keep in mind that the endpoint is the client's source IP address as the member sees it: it cannot tell apart
clients that share an address behind a NAT or proxy, so endpoint restrictions should narrow a principal-based
rule rather than stand in for one. Likewise, an entry without a
<literal>principal</literal>
attribute or without an
<literal>endpoints</literal>
element matches every principal or every address respectively, as the last entry of the example below shows.
</para>
<para>
<programlisting language="xml"><![CDATA[
<security enabled="true">
    <client-permissions>
        <!-- Principal 'admin' from endpoint '127.0.0.1' has all permissions. -->
        <all-permissions principal="admin">
            <endpoints>
                <endpoint>127.0.0.1</endpoint>
            </endpoints>
        </all-permissions>
        <!-- Principals named 'dev' from all endpoints have 'create', 'destroy',
             'put', 'get' permissions for map named 'default'. -->
        <map-permission name="default" principal="dev">
            <actions>
                <action>create</action>
                <action>destroy</action>
                <action>put</action>
                <action>get</action>
            </actions>
        </map-permission>
        <!-- All principals from endpoints '127.0.0.1' or matching to '10.10.*.*'
             have 'put', 'get', 'remove' permissions for map
             whose name matches to 'com.foo.entity.*'. -->
        <map-permission name="com.foo.entity.*">
            <endpoints>
                <endpoint>10.10.*.*</endpoint>
                <endpoint>127.0.0.1</endpoint>
            </endpoints>
            <actions>
                <action>put</action>
                <action>get</action>
                <action>remove</action>
            </actions>
        </map-permission>
        <!-- Principals named 'dev' from endpoints matching to either
             '192.168.1.1-100' or '192.168.2.*'
             have 'create', 'offer', 'poll' permissions for all queues. -->
        <queue-permission name="*" principal="dev">
            <endpoints>
                <endpoint>192.168.1.1-100</endpoint>
                <endpoint>192.168.2.*</endpoint>
            </endpoints>
            <actions>
                <action>create</action>
                <action>offer</action>
                <action>poll</action>
            </actions>
        </queue-permission>
        <!-- All principals from all endpoints have transaction permission.-->
        <transaction-permission />
    </client-permissions>
</security>
]]></programlisting>
</para>
<para>Users can also define their own policy by implementing
<literal>com.hazelcast.security.IPermissionPolicy</literal>.
<programlisting language="java"><![CDATA[
package com.hazelcast.security;
/**
 * IPermissionPolicy is used to determine any Subject's
 * permissions to perform a security sensitive Hazelcast operation.
 *
 */
public interface IPermissionPolicy {
    void configure(SecurityConfig securityConfig, Properties properties);
    PermissionCollection getPermissions(Subject subject, Class<? extends Permission> type);
    void destroy();
}]]></programlisting>
</para>
<para>Hazelcast calls
<code>configure(SecurityConfig securityConfig, Properties properties)</code>
once when the policy is set up; a permission policy implementation can read the
<code>client-permissions</code>
from the configuration there using
<code>SecurityConfig.getClientPermissionConfigs()</code>.
<code>IPermissionPolicy.getPermissions(Subject subject,
Class&lt;? extends Permission&gt; type)
</code>
is called to decide whether a client request is permitted to perform a security-sensitive operation. The
policy should return a
<literal>PermissionCollection</literal>
containing the permissions of the given type for the given
<literal>Subject</literal>. The Hazelcast access controller calls
<code>PermissionCollection.implies(Permission)</code>
on the returned collection and grants or denies the current
<literal>Subject</literal>
access to the requested resource accordingly; a collection that implies nothing denies everything, which
makes deny-by-default the natural shape for a custom policy. Since
<code>getPermissions</code>
sits on the request path and is invoked concurrently, implementations should be thread-safe and should
cache the collection built for a subject rather than rebuilding it on every call.
</para>
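<para>As an added example (not part of this manual or of Hazelcast itself), the policy below is a deny-by-default
<literal>IPermissionPolicy</literal>: each authenticated principal may use only the maps under its own
namespace, read a shared set of maps and run transactions, and nothing else. It is registered through the
<literal>permission-policy</literal>
element of the security configuration, which is assumed here together with the hypothetical
<literal>shared-prefix</literal>
property, the Hazelcast permission classes
<code>MapPermission</code>
and
<code>TransactionPermission</code>, and the convention that the authenticating
<literal>LoginModule</literal>
added a
<code>Principal</code>
whose name is the principal name to the
<literal>Subject</literal>.</para>
<programlisting language="java"><![CDATA[
```java
package com.hazelcast.examples;

import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Principal;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.security.auth.Subject;
import com.hazelcast.config.SecurityConfig;
import com.hazelcast.security.IPermissionPolicy;
import com.hazelcast.security.permission.MapPermission;
import com.hazelcast.security.permission.TransactionPermission;

/**
 * Example deny-by-default permission policy (not Hazelcast code). A principal named
 * "dev" gets create/put/get/remove/listen on maps "dev.*", read access on the shared
 * maps and transactions; any other request is denied because nothing implies it.
 */
public class NamespacePermissionPolicy implements IPermissionPolicy {
    // Collection that implies nothing: returned whenever the caller cannot be trusted.
    private static final PermissionCollection EMPTY = readOnly(new Permissions());
    // One immutable collection per principal; built once and reused on every request.
    private final ConcurrentMap<String, PermissionCollection> cache =
            new ConcurrentHashMap<String, PermissionCollection>();
    private volatile String sharedPrefix = "reference.";

    public void configure(SecurityConfig securityConfig, Properties properties) {
        // Hypothetical property from <permission-policy><properties>; the configured
        // <client-permissions> are also reachable via securityConfig.getClientPermissionConfigs().
        String p = properties.getProperty("shared-prefix");
        if (p != null && p.length() > 0) {
            sharedPrefix = p;
        }
    }

    public PermissionCollection getPermissions(Subject subject, Class<? extends Permission> type) {
        String name = principalName(subject);
        // No authenticated principal, or a name that would widen the wildcard ("*.*"): deny.
        if (name == null || name.indexOf('*') >= 0) {
            return EMPTY;
        }
        PermissionCollection pc = cache.get(name);
        if (pc == null) {
            PermissionCollection fresh = build(name);
            pc = cache.putIfAbsent(name, fresh);
            if (pc == null) {
                pc = fresh;
            }
        }
        return pc; // the access controller calls implies() on it for the requested permission
    }

    public void destroy() {
        cache.clear();
    }

    private PermissionCollection build(String principal) {
        Permissions pc = new Permissions();
        // Wildcard instance names are matched by the permission classes' own implies(),
        // the same classes the default policy uses for the XML configuration.
        pc.add(new MapPermission(principal + ".*", "create", "put", "get", "remove", "listen"));
        pc.add(new MapPermission(sharedPrefix + "*", "get", "listen"));
        pc.add(new TransactionPermission());
        return readOnly(pc);
    }

    private static PermissionCollection readOnly(PermissionCollection pc) {
        pc.setReadOnly(); // a cached collection must never be mutated by a later caller
        return pc;
    }

    // Assumption: the LoginModule that authenticated the client added a Principal
    // (for example Hazelcast's ClusterPrincipal) whose getName() is the principal name.
    private static String principalName(Subject subject) {
        for (Principal p : subject.getPrincipals()) {
            String n = p.getName();
            if (n != null && n.length() > 0) {
                return n;
            }
        }
        return null;
    }
}
```
]]></programlisting>
<para>The policy ignores the requested permission
<literal>type</literal>
and returns the whole collection for the subject, leaving the type check to
<code>implies()</code>; this keeps the rule set in one place. It performs no endpoint checks, so it is
narrower in one dimension than the default policy and should be combined with network-level restrictions
where the client address matters. The guard against a '*' in the principal name exists because the name is
concatenated into a wildcard pattern: without it, a principal called '*' would be granted every map whose name
contains a dot.</para>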
</sect2>
<sect2>
<title>Permissions</title>
<para>
<orderedlist>
<listitem>
<para>
<emphasis role="bold">All Permission</emphasis>
</para>
<para>
<programlisting language="xml"><![CDATA[
<all-permissions principal="principal">
    <endpoints>
        ...
    </endpoints>
</all-permissions>
]]></programlisting>
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">Map Permission</emphasis>
</para>
<para>
<programlisting language="xml"><![CDATA[
<map-permission name="name" principal="principal">
    <endpoints>
        ...
    </endpoints>
    <actions>
        ...
    </actions>
</map-permission>
]]></programlisting>
</para>
<para>
<emphasis role="bold">Actions:</emphasis>
<emphasis role="italic">all, create, destroy,
put, get, remove, listen, lock, stats
</emphasis>
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">Queue Permission</emphasis>
</para>
<para>
<programlisting language="xml"><![CDATA[
<queue-permission name="name" principal="principal">
    <endpoints>
        ...
    </endpoints>
    <actions>
        ...
    </actions>
</queue-permission>
]]></programlisting>
</para>
<para>
<emphasis role="bold">Actions:</emphasis>
<emphasis role="italic">all, create, destroy,
offer, poll, get, remove, listen, stats
</emphasis>
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">Multimap Permission</emphasis>
</para>
<para>
<programlisting language="xml"><![CDATA[
<multimap-permission name="name" principal="principal">
    <endpoints>
        ...
    </endpoints>
    <actions>
        ...
    </actions>
</multimap-permission>
]]></programlisting>
</para>
<para>
<emphasis role="bold">Actions:</emphasis>
<emphasis role="italic">all, create, destroy,
put, get, remove, listen, lock, stats
</emphasis>
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">Topic Permission</emphasis>
</para>
<para>
<programlisting language="xml"><![CDATA[
<topic-permission name="name" principal="principal">
    <endpoints>
        ...
    </endpoints>
    <actions>
        ...
    </actions>
</topic-permission>
]]></programlisting>
</para>
<para>
<emphasis role="bold">Actions:</emphasis>
<emphasis role="italic">create, destroy,
publish, listen, stats
</emphasis>
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">List Permission</emphasis>
</para>
<para>
<programlisting language="xml"><![CDATA[
<list-permission name="name" principal="principal">
    <endpoints>
        ...
    </endpoints>
    <actions>
        ...
    </actions>
</list-permission>
]]></programlisting>
</para>
<para>
<emphasis role="bold">Actions:</emphasis>
<emphasis role="italic">all, create, destroy,
add, set, get, remove, listen
</emphasis>
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">Set Permission</emphasis>
</para>
<para>
<programlisting language="xml"><![CDATA[
<set-permission name="name" principal="principal">
    <endpoints>
        ...
    </endpoints>
    <actions>
        ...
    </actions>
</set-permission>
]]></programlisting>
</para>
<para>
<emphasis role="bold">Actions:</emphasis>
<emphasis role="italic">all, create, destroy,
add, get, remove, listen
</emphasis>
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">Lock Permission</emphasis>
</para>
<para>
<programlisting language="xml"><![CDATA[
<lock-permission name="name" principal="principal">
    <endpoints>
        ...
    </endpoints>
    <actions>
        ...
    </actions>
</lock-permission>
]]></programlisting>
</para>
<para>
<emphasis role="bold">Actions:</emphasis>
<emphasis role="italic">all, create, destroy,
lock, stats
</emphasis>
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">AtomicNumber Permission</emphasis>
</para>
<para>
<programlisting language="xml"><![CDATA[
<atomic-number-permission name="name" principal="principal">
    <endpoints>
        ...
    </endpoints>
    <actions>
        ...
    </actions>
</atomic-number-permission>
]]></programlisting>
</para>
<para>
<emphasis role="bold">Actions:</emphasis>
<emphasis role="italic">all, create, destroy,
increment, decrement, get, set, add, stats
</emphasis>
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">CountDownLatch Permission</emphasis>
</para>
<para>
<programlisting language="xml"><![CDATA[
<countdown-latch-permission name="name" principal="principal">
    <endpoints>
        ...
    </endpoints>
    <actions>
        ...
    </actions>
</countdown-latch-permission>
]]></programlisting>
</para>
<para>
<emphasis role="bold">Actions:</emphasis>
<emphasis role="italic">all, create, destroy,
countdown, set, stats
</emphasis>
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">Semaphore Permission</emphasis>
</para>
<para>
<programlisting language="xml"><![CDATA[
<semaphore-permission name="name" principal="principal">
    <endpoints>
        ...
    </endpoints>
    <actions>
        ...
    </actions>
</semaphore-permission>
]]></programlisting>
</para>
<para>
<emphasis role="bold">Actions:</emphasis>
<emphasis role="italic">all, create, destroy,
acquire, release, drain, stats
</emphasis>
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">Executor Service Permission</emphasis>
</para>
<para>
<programlisting language="xml"><![CDATA[
<executor-service-permission name="name" principal="principal">
    <endpoints>
        ...
    </endpoints>
    <actions>
        ...
    </actions>
</executor-service-permission>
]]></programlisting>
</para>
<para>
<emphasis role="bold">Actions:</emphasis>
<emphasis role="italic">all, create, destroy,
execute
</emphasis>
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">Listener Permission</emphasis>
</para>
<para>
<programlisting language="xml"><![CDATA[
<listener-permission name="name" principal="principal">
    <endpoints>
        ...
    </endpoints>
</listener-permission>
]]></programlisting>
</para>
<para>
<emphasis role="bold">Names:</emphasis>
<emphasis role="italic">all, instance,
member
</emphasis>
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">Transaction Permission</emphasis>
</para>
<para>
<programlisting language="xml"><![CDATA[
<transaction-permission principal="principal">
    <endpoints>
        ...
    </endpoints>
</transaction-permission>
]]></programlisting>
</para>
</listitem>
</orderedlist>
</para>
</sect2>
</sect1>