Advanced Security
Securing an Ignite cluster.
This is legacy Apache Ignite documentation.
The new documentation is hosted here: https://ignite.apache.org/docs/latest/
Authentication
You can secure your Ignite cluster by enabling authentication on the server and providing user credentials on clients. Currently, authentication is supported only when Ignite persistence is enabled. This requirement may be relaxed in future releases.
This authentication mechanism only applies to thin clients/JDBC/ODBC connections.
Enable Authentication
To enable authentication on the server, set the authenticationEnabled property of IgniteConfiguration to true in your Spring XML config file, or via code, like so:
<bean id="ignite.cfg" class="org.apache.ignite.configuration.IgniteConfiguration">
    <!-- Enabling Apache Ignite Persistent Store. -->
    <property name="dataStorageConfiguration">
        <bean class="org.apache.ignite.configuration.DataStorageConfiguration">
            <property name="defaultDataRegionConfiguration">
                <bean class="org.apache.ignite.configuration.DataRegionConfiguration">
                    <property name="persistenceEnabled" value="true"/>
                </bean>
            </property>
        </bean>
    </property>

    <!-- Enabling authentication. -->
    <property name="authenticationEnabled" value="true"/>

    <!-- Other Ignite configurations ... -->
</bean>

import org.apache.ignite.configuration.DataStorageConfiguration;
import org.apache.ignite.configuration.IgniteConfiguration;

// Apache Ignite node configuration.
IgniteConfiguration cfg = new IgniteConfiguration();

// Ignite persistence configuration.
DataStorageConfiguration storageCfg = new DataStorageConfiguration();

// Enabling the persistence (required for authentication).
storageCfg.getDefaultDataRegionConfiguration().setPersistenceEnabled(true);

// Applying settings.
cfg.setDataStorageConfiguration(storageCfg);

// Enable authentication.
cfg.setAuthenticationEnabled(true);

// Other configurations ...
Provide User Credentials
When authentication is enabled, Ignite creates the superuser account with the name ignite and the password ignite on the first cluster startup. Presently, you cannot rename the superuser account or grant its privileges to any other account. However, you can CREATE, ALTER, and DROP a user using the DDL commands supported by Ignite. Note that a new user can only be created using the superuser account.
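As an added example (not taken from the Ignite documentation), the Java thin client below replaces the default ignite/ignite password, creates a second user, and checks that the default credentials are rejected afterwards. The node address, the environment variable names and the app_reader user name are assumptions, and the cluster is assumed to be active.

```java
import org.apache.ignite.Ignition;
import org.apache.ignite.cache.query.SqlFieldsQuery;
import org.apache.ignite.client.ClientAuthenticationException;
import org.apache.ignite.client.IgniteClient;
import org.apache.ignite.configuration.ClientConfiguration;

public class RotateDefaultSuperuser {
    // Assumed endpoint: a local node listening on the default thin client port.
    private static final String ADDR = "127.0.0.1:10800";

    static IgniteClient connect(String user, String pwd) throws Exception {
        return Ignition.startClient(new ClientConfiguration()
            .setAddresses(ADDR).setUserName(user).setUserPassword(pwd));
    }

    // The password is embedded in the DDL text as a literal, so refuse quote characters outright.
    static String literal(String pwd) {
        if (pwd == null || pwd.isEmpty() || pwd.indexOf('\'') >= 0)
            throw new IllegalArgumentException("password must be non-empty and contain no single quote");
        return "'" + pwd + "'";
    }

    public static void main(String[] args) throws Exception {
        // Secrets come from the environment (hypothetical variable names), not from source code.
        String adminPwd = System.getenv("IGNITE_ADMIN_PWD");
        String appPwd = System.getenv("IGNITE_APP_PWD");

        // First login uses the account created on the first cluster startup.
        try (IgniteClient admin = connect("ignite", "ignite")) {
            // The quoted name keeps the lower-case spelling of the superuser account.
            admin.query(new SqlFieldsQuery(
                "ALTER USER \"ignite\" WITH PASSWORD " + literal(adminPwd))).getAll();
            // Only the superuser can create accounts; "app_reader" is a hypothetical name.
            admin.query(new SqlFieldsQuery(
                "CREATE USER \"app_reader\" WITH PASSWORD " + literal(appPwd))).getAll();
        }

        // Check 1: the default password must now be rejected.
        try (IgniteClient stale = connect("ignite", "ignite")) {
            throw new IllegalStateException("default superuser password still accepted");
        } catch (ClientAuthenticationException expected) {
            System.out.println("default credentials rejected");
        }

        // Check 2: the new account can authenticate with its own password.
        try (IgniteClient app = connect("app_reader", appPwd)) {
            System.out.println("app_reader authenticated");
        }
    }
}
```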
Authorization
Apache Ignite does not provide authorization features out-of-the-box. However, for advanced security features of this kind, you can implement the GridSecurityProcessor interface as part of a custom plugin or choose to use a third-party implementation such as this one.