You can define filter lists to allow or disallow client connections to clusters, using the REST API in Management Center.
Before you begin
-
Configure your Hazelcast clients with one or more failover clusters to make sure that disconnected clients can connect to another cluster. For a tutorial, see 5.7@hazelcast:getting-started:blue-green.adoc.
-
Enable clustered REST, using the
hazelcast.mc.rest.enabledproperty. -
If you are not using Management Center in dev mode, generate an authentication token to use in HTTP requests.
You can deploy either an allow list or a deny list to a cluster, not both. If you deploy an allow list, the cluster disallows connections from any clients that aren’t in the allow list. If you deploy a deny list, the cluster allows connections from any client that isn’t in the deny list.
Create a filter list
Use the /clientfiltering/lists endpoint to create a new filter list.
This example creates a deny list that blocks all client connections on the cluster.
curl --location --request POST "$MANAGEMENT_CENTER_IP:$MANAGEMENT_CENTER_PORT/rest/clusters/$CLUSTER_NAME/clientfiltering/lists" \
--header 'Content-Type: application/json' \
--data-raw '{ "name": "block all clients", "status": "ACTIVE",
"type": "DENYLIST",
"entries": [
{
"type": "INSTANCE_NAME",
"value": "*"
}
]}'Deploy a filter list to a connected cluster
To deploy an active filter list to a connected cluster, use the /clientfiltering/deploy endpoint.
This example deploys all active deny lists.
curl --location --request POST "$MANAGEMENT_CENTER_IP:$MANAGEMENT_CENTER_PORT/rest/clusters/$CLUSTER_NAME/clientfiltering/deploy" \
--header 'Content-Type: application/json' \
--data-raw '{
"status": "ENABLED",
"type": "DENYLIST"
}'Example scripts
To automate the process of managing filter lists, you can use bash scripts. These examples are for enabling and disabling a deny list that blocks all client connections from a cluster.
| These examples assume that Management Center is in dev mode. If you use another security provider, make sure to provide an authentication token in these scripts. |
#!/bin/bash
# Parameters: port cluster
defPort=8081
defCluster="hazelcast-b"
defIP="localhost"
argC=$#
help="False"
if [[ "$argC" -gt "3" ]]
then
help="True"
fi
if [[ "$argC" == "1" ]] && [[ "$1" == "--help" ]]
then
help="True"
fi
if [[ "$help" == "True" ]]
then
echo Creates a Client Filtering rule to block all clients on the chosen cluster via Management Center
echo ""
echo usage: $0
echo usage: $0 [port]
echo usage: $0 [port] [MC IP]
echo usage: $0 [port] [MC IP] [clustername]
echo ""
echo "Defaults to MC running on $defIP:$defPort and cluster: $defCluster"
exit
fi
if [[ "$argC" -eq "3" ]]
then
port=$1
ip=$2
cluster=$3
fi
if [[ "$argC" -eq "2" ]]
then
port=$1
ip=$2
cluster=$defCluster
fi
if [[ "$argC" -eq "1" ]]
then
port=$1
ip=$defIP
cluster=$defCluster
fi
if [[ "$argC" -eq "0" ]]
then
port=$defPort
ip=$defIP
cluster=$defCluster
fi
echo "Creating Client Filtering rule to block all clients on MC running on $ip:$port for cluster $cluster"
echo ""
set -x
curl --location --request POST "${ip}:${port}/rest/clusters/${cluster}/clientfiltering/lists" \
--header 'Content-Type: application/json' \
--data-raw '{ "name": "block all clients", "status": "ACTIVE",
"type": "DENYLIST",
"entries": [
{
"type": "INSTANCE_NAME",
"value": "*"
}
]}'#!/bin/bash
# Parameters: port cluster
defPort=8081
defCluster="hazelcast-b"
defIP="localhost"
argC=$#
help="False"
if [[ "$argC" -gt "3" ]]
then
help="True"
fi
if [[ "$argC" == "1" ]] && [[ "$1" == "--help" ]]
then
help="True"
fi
if [[ "$help" == "True" ]]
then
echo Enables Client Filtering on the chosen cluster via Management Center
echo ""
echo usage: enable-client-filtering.sh
echo usage: enable-client-filtering.sh [port]
echo usage: enable-client-filtering.sh [port] [MC IP]
echo usage: enable-client-filtering.sh [port] [MC IP] [clustername]
echo ""
echo "Defaults to MC running on $defIP:$defPort and cluster: $defCluster"
exit
fi
if [[ "$argC" -eq "3" ]]
then
port=$1
ip=$2
cluster=$3
fi
if [[ "$argC" -eq "2" ]]
then
port=$1
ip=$2
cluster=$defCluster
fi
if [[ "$argC" -eq "1" ]]
then
port=$1
ip=$defIP
cluster=$defCluster
fi
if [[ "$argC" -eq "0" ]]
then
port=$defPort
ip=$defIP
cluster=$defCluster
fi
echo "Enabling Client Filtering on MC running on $ip:$port for cluster $cluster"
echo ""
set -x
curl --location --request POST "${ip}:${port}/rest/clusters/${cluster}/clientfiltering/deploy" \
--header 'Content-Type: application/json' \
--data-raw '{
"status": "ENABLED",
"type": "DENYLIST"
}'#!/bin/bash
# Parameters: port cluster
defPort=8081
defCluster="hazelcast-b"
defIP="localhost"
argC=$#
help="False"
if [[ "$argC" -gt "3" ]]
then
help="True"
fi
if [[ "$argC" == "1" ]] && [[ "$1" == "--help" ]]
then
help="True"
fi
if [[ "$help" == "True" ]]
then
echo Disables Client Filtering on the chosen cluster via Management Center
echo ""
echo usage: disable-client-filtering.sh
echo usage: disable-client-filtering.sh [port]
echo usage: disable-client-filtering.sh [port] [MC IP]
echo usage: disable-client-filtering.sh [port] [MC IP] [clustername]
echo ""
echo "Defaults to MC running on $defIP:$defPort and cluster: $defCluster"
exit
fi
if [[ "$argC" -eq "3" ]]
then
port=$1
ip=$2
cluster=$3
fi
if [[ "$argC" -eq "2" ]]
then
port=$1
ip=$2
cluster=$defCluster
fi
if [[ "$argC" -eq "1" ]]
then
port=$1
ip=$defIP
cluster=$defCluster
fi
if [[ "$argC" -eq "0" ]]
then
port=$defPort
ip=$defIP
cluster=$defCluster
fi
echo "Disabling Client Filtering on MC running on $ip:$port for cluster $cluster"
echo ""
set -x
curl --location --request POST "${ip}:${port}/rest/clusters/${cluster}/clientfiltering/deploy" \
--header 'Content-Type: application/json' \
--data-raw '{
"status": "DISABLED",
"type": "DENYLIST"
}'