Changing Cluster Client Filtering

The Filter tab is only available with a Hazelcast license that includes the Cluster Client Filtering feature.

The Filter tab includes Cluster Client Filtering status, Cluster Client Filter Settings and Client Filtering Lists sections, as shown below.

Client Filtering View

The Cluster Client Filtering status section shows whether there is a deployed client filtering list available to all cluster members (Enabled status), or whether the feature is disabled for the cluster and the members allow any clients (Disabled status).

The Cluster Client Filter Settings section lets you specify the filtering type and deploy any modifications made in client filtering lists to the deployed list available to all cluster members.

  • If the status is Disabled, then the SAVE CONFIGURATION button appears; click on it to clear all the client filtering lists from the cluster members. With this, the members will start allowing any client to connect.

Save Configuration Button

  • If the status is Enabled, then the DEPLOY CONFIGURATION button appears; click on it to apply all the entries of matching lists from the Filtering Lists section to all cluster members. Matching lists are selected by their status (List Status must be Active) and type (List Type must match the value of the Client Filter Type selection).

Deploy Configuration Button

Once a cluster member receives the deployed client filtering list from the Management Center, it immediately applies the list to all currently connected clients and then uses it for newly connecting clients. Deny-listed clients may connect to another cluster if they are configured to support blue-green deployment. If they are not, they shut down when denied access to the cluster. Please see the Blue-Green Deployment and Disaster Recovery section in the Hazelcast documentation for more information.

If some of the cluster members are not reachable from the Management Center, those members keep using the last client list applied to them.

The Filter Lists section allows creation, editing and deletion of the client filtering lists. To create a new client filtering list, click the NEW LIST button, which opens the Create List form, as shown below. Once you enter all fields and entries for the new list, click the SAVE or SAVE AND DEPLOY button to save your modifications.

If the modified list is active and matches the deployed type (Allow-list or Deny-list), the SAVE AND DEPLOY button appears and the saved modifications are deployed to the cluster members immediately. Otherwise, the SAVE button appears and the modifications are only saved to the Management Center configuration; they are not sent to the cluster members.

Add Client Filtering List

The following formats of list entry values are supported:

  • For the IP Address entry type you can specify an IP address (IPv4 or IPv6) with optional range characters (* and -) instead of any byte group. For instance, 10.3.10.* refers to IPs between 10.3.10.0 and 10.3.10.255, and 10.3.10.4-18 refers to IPs between 10.3.10.4 and 10.3.10.18 (4 and 18 included).

  • For the Label entry type you can specify any string with optional wildcard characters (*). For instance, green* refers to any label values that start with the green string.

  • For the Instance Name entry type you can specify any string with optional wildcard characters (*). For instance, *-client refers to any instance name values that end with the -client string.

To modify an existing client filtering list, click the Edit button, which opens the Edit List form, as shown below.

Edit Client Filtering List

To delete an existing client filtering list, click the Delete button and confirm your action in the dialog that opens.

Deploying an empty allow list disconnects all clients.
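The entry formats and the empty allow-list behaviour described above can be checked offline before a list is deployed. The following Python sketch is an added example, not Hazelcast or Management Center code: the function names and client records are hypothetical, it covers IPv4 only, and it assumes that a client matches a list when any single entry matches and that wildcard comparison is case-sensitive.

```python
import re

_NUM = re.compile(r"[0-9]{1,3}").fullmatch  # one decimal byte group

def ip_matches(pattern, ip):
    """IPv4 only: each byte group of the pattern is a number, '*' or 'lo-hi'."""
    p_groups, ip_groups = pattern.split("."), ip.split(".")
    if len(p_groups) != 4 or len(ip_groups) != 4:
        return False
    for p, g in zip(p_groups, ip_groups):
        if not _NUM(g) or int(g) > 255:
            return False
        if p == "*":
            continue
        lo, sep, hi = p.partition("-")  # "4-18" -> 4..18, "10" -> 10..10
        hi = hi if sep else lo
        if not (_NUM(lo) and _NUM(hi) and int(lo) <= int(g) <= int(hi)):
            return False
    return True

def wildcard_matches(pattern, value):
    """'*' matches any run of characters; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None

def entry_matches(entry, client):
    kind, pattern = entry
    if kind == "IP Address":
        return ip_matches(pattern, client["ip"])
    if kind == "Label":
        return any(wildcard_matches(pattern, label) for label in client["labels"])
    if kind == "Instance Name":
        return wildcard_matches(pattern, client["name"])
    return False

def is_allowed(list_type, entries, client):
    # Assumption: one matching entry is enough to put the client on the list.
    matched = any(entry_matches(e, client) for e in entries)
    return matched if list_type == "Allow-list" else not matched

# Entries of 'Example_allow_list' from this page; the clients are constructed samples.
ALLOW = [("IP Address", "1.2.3.4"), ("IP Address", "2.3.4.5"), ("Label", "blue*")]
CLIENTS = [
    {"name": "orders-client", "ip": "1.2.3.4", "labels": []},
    {"name": "batch-client", "ip": "10.0.0.7", "labels": ["blue-eu"]},
    {"name": "legacy-client", "ip": "10.0.0.8", "labels": ["green"]},
]

if __name__ == "__main__":
    for c in CLIENTS:
        print(c["name"], is_allowed("Allow-list", ALLOW, c), is_allowed("Allow-list", [], c))
```

Running it prints, for each sample client, the verdict under the example allow-list and under an empty allow-list; the second column is always False, which is the "disconnects all clients" case.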

Example Client Filtering

This section walks through deploying a filtering list as an example. In the beginning, the client filtering feature is disabled and there are no filter lists.

Example Step 1

Let’s create a new filter list:

  • We click the New List button and a screen with two forms appears.

  • We fill the first form as follows:

    • Filter Name: 'Example_allow_list'

    • Filter Status: 'Active'

    • Filter Type: 'Allow-list'

  • Next we want to add two IP addresses and one label to our soon-to-be allow-list. To achieve this we need to fill the second form three times:

    • First entry:

      • Type: 'IP Address'

      • Value: '1.2.3.4'

  • We hit the Add Entry button.

    • Second entry:

      • Type: 'IP Address'

      • Value: '2.3.4.5'

  • We hit the Add Entry button.

    • Third entry:

      • Type: 'Label'

      • Value: 'blue*'

  • Again, we hit the Add Entry button.

Example Step 2

To save our brand new allow-list we hit the SAVE button. The allow-list is saved and we are back to the client filtering overview, as shown in the image below.

Example Step 3

When we change the Filter Status value to 'Enabled' and select Filter Type as 'Allow-list', we are able to deploy our new allow-list; the DEPLOY CONFIGURATION button is enabled and our allow-list has a little orange status indicator next to the list name. The orange status indicator means that the list will be deployed if we hit the DEPLOY CONFIGURATION button.

Example Step 4

Finally, let’s deploy our changes by clicking the DEPLOY CONFIGURATION button. After a brief moment, we have our allow-list deployed. The DEPLOY CONFIGURATION button becomes hidden again and our list has a green status indicator next to the name, which means the list is currently deployed.

Example Step 5

Now we can see the currently deployed rules (from all lists) by hitting the REPORT button:

Example Step 6

Wildcard rules like blue* are shown first.