Security Overview
This section provides an introduction to the security features of Hazelcast. These features allow you to perform security activities, such as encrypting network communication using TLS, controlling access permissions of clients, or logging auditable events. The security features explained in this chapter are features of Hazelcast Enterprise Edition.
While Hazelcast supports non-secured cluster members and clients, it is recommended to secure your deployments. A cluster without security may face:
- unauthorized cluster members joining or accessing it
- unwanted or malicious clients accessing it
- unauthorized use (access or creation) of cluster resources and data tampering by malicious cluster members and clients.
Below are brief descriptions of Hazelcast’s security features. You can evaluate them and decide which ones you want to use based on your security concerns and requirements.
For data privacy:
- TLS communication for members and clients for all socket-level communication; uses key stores and trust stores to encrypt communications across a Hazelcast cluster, as well as between the clusters replicated over WAN.
For authentication:
- authentication between the cluster members, and for clients accessing the cluster. Security Realms are used for authentication and identity configurations;
- TLS Mutual Authentication to ensure each TLS-communicating side proves its identity to the other.
For authorization:
- authorization using permission policies for role-based security.
Hazelcast has a pluggable security component architecture that allows you to use your own code to control security:
- pluggable authentication and identity;
- Socket Interceptor to intercept socket connections before a new member or client comes to the cluster; you can perform identity checking using custom authentication protocols;
- Security Interceptor that provides a callback point for client operations executed against the cluster.
See also the Security Hardening Recommendations section to learn more about security best practices.
Security-related areas that are covered in other sections of the documentation include:
- Network and Advanced Network configuration allow specifying bind interfaces;
- Advanced Network configuration allows separating socket addresses for different protocols;
- Management operations can be limited to specific IP addresses where Management Center is allowed to run;
- Untrusted deserialization protection allows control of which types are allowed in Java native deserialization.
Hazelcast distributions contain security-hardened example configuration files that help users to review configuration sections related to deployment security.
Hazelcast Jet considerations
When using Hazelcast’s Jet streaming engine, note the following security considerations:
- Hazelcast jobs allow you to use your custom code and this code must be available on cluster classpath or deployed to the cluster; this means any client is able to deploy custom code to the cluster, so make sure each client is authorized to access the cluster.
- The Jet engine bypasses the access control layer when accessing the data structures in the same cluster.
- The connectors of the Jet engine include third-party code which may increase the attack surface.
- SQL, which is used by the Jet engine, includes file connectors and it can read files on the cluster filesystem.
Due to the above considerations, access to Hazelcast’s streaming engine is disabled by default for our users who mostly use Hazelcast’s storage engine (formerly known as Hazelcast IMDG) with the JAR distribution (See the Security Defaults section for information about the security considerations for different Hazelcast distributions). Enabling the Jet Engine section shows how you can start using the Jet engine; relatedly, see the Security Hardening Recommendations section to learn the best practices to secure your cluster.