This is a prerelease version.

View latest

Simple Authentication

Simple authentication enables you to define users and their roles directly in the Hazelcast member configuration.

Compared to advanced authentication methods, with simple authentication you don’t need additional infrastructure for Hazelcast’s enterprise-level authentication (LDAP server, Kerberos, etc.). You also don’t need to provide custom login module implementations as described in JAAS-based authentication.

Simple authentication closes the gap between default authentication and advanced authentication methods.

An example security configuration with simple authentication used for client protocol is shown below, with configuration done on the member side.

  • XML

  • YAML

<hazelcast>
    <security enabled="true">
        <realms>
            <realm name="simpleRealm">
                <authentication>
                    <simple>
                        <user username="test" password="a1234">
                            <role>monitor</role>
                            <role>hazelcast</role>
                        </user>
                        <user username="root" password="secret">
                            <role>admin</role>
                        </user>
                    </simple>
                </authentication>
            </realm>
        </realms>
        <client-authentication realm="simpleRealm" />
        <client-permissions>
            <all-permissions principal="admin" />
        </client-permissions>
    </security>
</hazelcast>
hazelcast:
  security:
    enabled: true
    realms:
      - name: simpleRealm
      authentication:
        simple:
          users:
            - username: test
              password: 'a1234'
              roles:
                - monitor
                - hazelcast
            - username: root
              password: 'secret'
              roles:
                - admin
    client-authentication:
      realm: simpleRealm
    client-permissions:
      all:
        principal: admin

You can also provide multiple roles within a single role configuration element using comma separated values, as shown below:

  • XML

  • YAML

<hazelcast>
    <security enabled="true">
        <realms>
            <realm name="simpleRealm">
                <authentication>
                    <simple>
                        <user username="test" password="a1234">
                            <role>monitor,hazelcast</role>
                        </user>
                        ...
hazelcast:
  security:
    enabled: true
    realms:
      - name: simpleRealm
      authentication:
        simple:
          users:
            - username: test
              password: 'a1234'
              roles:
                - monitor,hazelcast
                ...

You should not use the comma character in role names because it’s the default role separator. However, if you need to use a comma character in a role name, you can specify a different role separator character using the role-separator element. The following example sets the separator character to &:

  • XML

  • YAML

<hazelcast>
    <security enabled="true">
        <realms>
            <realm name="simpleRealm">
                <authentication>
                    <simple>
                        <role-separator>&</role-separator>
                        <user username="test" password="a1234">
                            <role>monitor&hazelcast</role>
                        </user>
                        ...
hazelcast:
  security:
    enabled: true
    realms:
      - name: simpleRealm
      authentication:
        simple:
          role-separator: &
          users:
            - username: test
              password: 'a1234'
              roles:
                - monitor&hazelcast
                ...