Client authentication and authorization

You can use Operator to configure client authentication and client authorization.

Simple authentication

You can enable Hazelcast simple authentication with minimal changes to the original configuration.

To enable simple authentication:

  • Remove security.enabled.

  • Convert kebab case to camel case:

    • client-authentication → clientAuthentication

    • client-permissions → clientPermissions

  • Add a permissions node under clientPermissions and move every permission entry other than all into it.

For example:

apiVersion: hazelcast.com/v1alpha1
kind: Hazelcast
metadata:
  name: hazelcast
spec:
  security:
    operatorClientSecretName: user1-secret
    realms:
      - name: simpleRealm-clients
        authentication:
          simple:
            users:
              - secretName: user1-secret
                roles:
                  - admin
              - secretName: user2-secret
                roles:
                  - monitor
                  - application
    clientAuthentication:
      realm: simpleRealm-clients
    clientPermissions:
      all:
        principal: admin
        endpoints:
          - 127.0.0.1
      permissions:
        map:
          - name: playground
            actions:
              - all
          - name: accounts
            principal: monitor
            actions:
              - read
          - name: accounts
            principal: application
            endpoints:
              - 192.168.1.*
              - 192.168.2.*
            actions:
              - create
              - destroy
              - put
              - read
              - remove
              - lock

operatorClientSecretName is a mandatory field: Operator uses the credentials in that secret to establish its own connection to the Hazelcast cluster. The user referenced by operatorClientSecretName must have a role that is granted all client permissions. Otherwise, Operator will fail with a validation error.
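The three conversion steps above and the operatorClientSecretName check, as an added example that is not part of the Hazelcast Operator docs or its code. It works on a security section already loaded from YAML into a dict; the sample input is constructed, the camel-casing is applied to all top-level keys (a generalization of the two keys listed), and the check assumes "a role that has all the client permissions" means one of the user's roles is the principal named under all.

```python
import copy

# Constructed sample: a Hazelcast `security` section in the original (kebab-case) shape.
HAZELCAST_SECURITY = {
    "enabled": True,
    "realms": [{"name": "simpleRealm-clients", "authentication": {"simple": {"users": [
        {"secretName": "user1-secret", "roles": ["admin"]},
        {"secretName": "user2-secret", "roles": ["monitor", "application"]},
    ]}}}],
    "client-authentication": {"realm": "simpleRealm-clients"},
    "client-permissions": {
        "all": {"principal": "admin", "endpoints": ["127.0.0.1"]},
        "map": [{"name": "playground", "actions": ["all"]},
                {"name": "accounts", "principal": "monitor", "actions": ["read"]}],
    },
}

def kebab_to_camel(key):
    """client-permissions -> clientPermissions (keys without '-' are unchanged)."""
    head, *rest = key.split("-")
    return head + "".join(part.capitalize() for part in rest)

def convert_security(security, operator_secret):
    """Apply the three steps: drop `enabled`, camelCase the top-level keys, and
    wrap every clientPermissions entry other than `all` under `permissions`."""
    out = {"operatorClientSecretName": operator_secret}
    for key, value in security.items():
        if key == "enabled":            # step 1: security.enabled is removed
            continue
        out[kebab_to_camel(key)] = copy.deepcopy(value)   # step 2
    perms = out.get("clientPermissions")
    if perms:                           # step 3: keep `all`, wrap the rest
        rest = {k: v for k, v in perms.items() if k != "all"}
        out["clientPermissions"] = {k: v for k, v in perms.items() if k == "all"}
        if rest:
            out["clientPermissions"]["permissions"] = rest
    return out

def operator_user_has_all(security):
    """Assumed reading of the validation rule: the user behind
    operatorClientSecretName must hold the role named as the `all` principal."""
    secret = security["operatorClientSecretName"]
    principal = security.get("clientPermissions", {}).get("all", {}).get("principal")
    for realm in security.get("realms", []):
        for user in realm.get("authentication", {}).get("simple", {}).get("users", []):
            if user.get("secretName") == secret:
                return principal is not None and principal in user.get("roles", [])
    return False                        # operator user is not defined in any realm

CONVERTED = convert_security(HAZELCAST_SECURITY, "user1-secret")
```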

Configure Management Center

Because Management Center serves as a client of the Hazelcast cluster, it must be properly configured to connect to the cluster. The security.clientSecretName field in the hazelcastClusters section is used for this configuration.

Management Center simple authentication example:

apiVersion: hazelcast.com/v1alpha1
kind: ManagementCenter
metadata:
  name: managementcenter-sample
spec:
  repository: 'hazelcast/management-center'
  version: '5.9.0'
  hazelcastClusters:
    - address: hazelcast-sample
      name: dev
      security:
        clientSecretName: user1-secret

The user referenced by clientSecretName must have a role that is granted all client permissions. Otherwise, Operator will fail with a validation error.