Client Authentication and Authorization
Use the Hazelcast Platform Operator to configure Client Authentication and Client Authorization.
Simple Authentication
You can use Hazelcast Simple Authentication with minimal changes to the original Hazelcast configuration.
For example:
security:
  enabled: true
  realms:
    - name: simpleRealm-clients
      authentication:
        simple:
          users:
            - secretName: user1-secret
              roles:
                - admin
            - secretName: user2-secret
              roles:
                - monitor
                - application
  client-authentication:
    realm: simpleRealm-clients
  client-permissions:
    all:
      principal: admin
      endpoints:
        - 127.0.0.1
    map:
      - name: playground
        actions:
          - all
      - name: accounts
        principal: monitor
        actions:
          - read
      - name: accounts
        principal: application
        endpoints:
          - 192.168.1.*
          - 192.168.2.*
        actions:
          - create
          - destroy
          - put
          - read
          - remove
          - lock
This converts to the following Hazelcast custom resource:
apiVersion: hazelcast.com/v1alpha1
kind: Hazelcast
metadata:
  name: hazelcast
spec:
  security:
    operatorClientSecretName: user1-secret
    realms:
      - name: simpleRealm-clients
        authentication:
          simple:
            users:
              - secretName: user1-secret
                roles:
                  - admin
              - secretName: user2-secret
                roles:
                  - monitor
                  - application
    clientAuthentication:
      realm: simpleRealm-clients
    clientPermissions:
      all:
        principal: admin
        endpoints:
          - 127.0.0.1
      permissions:
        map:
          - name: playground
            actions:
              - all
          - name: accounts
            principal: monitor
            actions:
              - read
          - name: accounts
            principal: application
            endpoints:
              - 192.168.1.*
              - 192.168.2.*
            actions:
              - create
              - destroy
              - put
              - read
              - remove
              - lock
Required changes:
- Remove security.enabled.
- Convert kebab-case keys to camelCase:
  - client-authentication → clientAuthentication
  - client-permissions → clientPermissions
- Add a permissions node under clientPermissions to wrap every permission type other than all.
The operatorClientSecretName is a mandatory field required for the Operator to establish a connection with the Hazelcast cluster. The given user in the operatorClientSecretName field must have a role that has all the client permissions. Otherwise, the Operator will fail with a validation error.
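The conversion and the validation rule above, carried out in code as an added example (not part of the Operator or of this page): the input is the plain security section above, constructed here as Python dicts, and the validity check assumes that the principal of the all permission is matched against the user's role names, as in the example where admin is both a role and the principal.

```python
import re
# Constructed input: the plain Hazelcast 'security' section above, parsed to dicts.
HZ_SECURITY = {
    "enabled": True,
    "realms": [{"name": "simpleRealm-clients", "authentication": {"simple": {"users": [
        {"secretName": "user1-secret", "roles": ["admin"]},
        {"secretName": "user2-secret", "roles": ["monitor", "application"]}]}}}],
    "client-authentication": {"realm": "simpleRealm-clients"},
    "client-permissions": {
        "all": {"principal": "admin", "endpoints": ["127.0.0.1"]},
        "map": [{"name": "playground", "actions": ["all"]},
                {"name": "accounts", "principal": "monitor", "actions": ["read"]},
                {"name": "accounts", "principal": "application",
                 "endpoints": ["192.168.1.*", "192.168.2.*"],
                 "actions": ["create", "destroy", "put", "read", "remove", "lock"]}]}}

def camel(key):
    """Kebab case to camel case: client-permissions -> clientPermissions."""
    return re.sub(r"-([a-z])", lambda m: m.group(1).upper(), key)

def convert_security(security, operator_secret):
    """Build spec.security for the Hazelcast CR from a plain security block."""
    out = {"operatorClientSecretName": operator_secret}
    for key, value in security.items():
        if key == "enabled":              # the CR has no security.enabled
            continue
        key = camel(key)
        if key == "clientPermissions":    # 'all' stays on top, the rest is wrapped
            rest = {k: v for k, v in value.items() if k != "all"}
            value = {k: v for k, v in value.items() if k == "all"}
            if rest:
                value["permissions"] = rest
        out[key] = value
    return out

def operator_user_is_valid(spec_security):
    """Mirror the Operator's validation: the user behind operatorClientSecretName
    must hold the role named as principal of 'all' (assumption: roles are matched)."""
    all_perm = spec_security.get("clientPermissions", {}).get("all")
    if all_perm is None:
        return False                      # nobody holds all client permissions
    if "principal" not in all_perm:
        return True                       # 'all' is granted to every principal
    wanted = spec_security["operatorClientSecretName"]
    roles = set()
    for realm in spec_security.get("realms", []):
        users = realm.get("authentication", {}).get("simple", {}).get("users", [])
        roles.update(r for u in users if u.get("secretName") == wanted
                     for r in u.get("roles", []))
    return all_perm["principal"] in roles
```

Running the check with user2-secret as the operator secret returns False, which is the case the Operator rejects with a validation error.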
Management Center Configuration
As the Management Center serves as a client of the Hazelcast cluster, it must be properly configured to connect to the cluster. The security.clientSecretName field in the hazelcastClusters section is used for this configuration.
apiVersion: hazelcast.com/v1alpha1
kind: ManagementCenter
metadata:
  name: managementcenter-sample
spec:
  repository: 'hazelcast/management-center'
  version: '5.6.0'
  hazelcastClusters:
    - address: hazelcast-sample
      name: dev
      security:
        clientSecretName: user1-secret
The user given in the clientSecretName field must have a role that has all the client permissions.