Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CN-1421]: introduce client simple authentication doc #260

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 7 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions docs/modules/ROOT/examples/management-center-simple-auth.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: hazelcast.com/v1alpha1
kind: ManagementCenter
metadata:
name: managementcenter-sample
spec:
repository: 'hazelcast/management-center'
version: '{page-latest-supported-mc}'
hazelcastClusters:
- address: hazelcast-sample
name: dev
security:
clientSecretName: user1-secret
2 changes: 2 additions & 0 deletions docs/modules/ROOT/nav.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,8 @@
* Security
** xref:tls.adoc[Configure TLS]
** xref:authorization.adoc[Authorization Methods to Access Cloud Storage]
** Configuring Client Authentication
*** xref:client-auth.adoc[Simple Authentication]

* Compute
** xref:user-code-deployment.adoc[User Code Deployment]
Expand Down
129 changes: 129 additions & 0 deletions docs/modules/ROOT/pages/client-simple-auth.adoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
= Client Authentication and Authorization

Use the Hazelcast Platform Operator to configure xref:hazelcast:security:authentication-overview.adoc[Client Authentication] and xref:hazelcast:security:client-authorization.adoc[Client Authorization].

== Simple Authentication

You can easily use xref:hazelcast:security:simple-authentication.adoc[Hazelcast Simple Authentication] by making minimal changes in the original configuration.

For example:

[source,yaml]
----
security:
enabled: true
realms:
- name: simpleRealm-clients
authentication:
simple:
users:
- secretName: user1-secret
roles:
- admin
- secretName: user2-secret
roles:
- monitor
- application
client-authentication:
realm: simpleRealm-clients
client-permissions:
all:
principal: admin
endpoints:
- 127.0.0.1
map:
- name: playground
actions:
- all
- name: accounts
principal: monitor
actions:
- read
- name: accounts
principal: application
endpoints:
- 192.168.1.*
- 192.168.2.*
actions:
- create
- destroy
- put
- read
- remove
- lock
----

This can be converted as:

[source,yaml]
----
kutluhanmetin marked this conversation as resolved.
Show resolved Hide resolved
apiVersion: hazelcast.com/v1alpha1
kind: Hazelcast
metadata:
name: hazelcast
spec:
security:
operatorClientSecretName: user1-secret
realms:
- name: simpleRealm-clients
authentication:
simple:
users:
- secretName: user1-secret
roles:
- admin
- secretName: user2-secret
roles:
- monitor
- application
clientAuthentication:
realm: simpleRealm-clients
clientPermissions:
all:
principal: admin
endpoints:
- 127.0.0.1
permissions:
map:
- name: playground
actions:
- all
- name: accounts
principal: monitor
actions:
- read
- name: accounts
principal: application
endpoints:
- 192.168.1.*
- 192.168.2.*
actions:
- create
- destroy
- put
- read
- remove
- lock
----

Required Changes:

* `security.enabled` should be removed.
* convert kebab cases to camel cases:
** `client-authentication` -> `clientAuthentication`
** `client-permissions` -> `clientPermissions`
* add `permissions` node to `clientPermissions` to wrap permissions other than `all`.

NOTE: The `operatorClientSecretName` is a mandatory field required for the Operator to establish a connection with the Hazelcast cluster. The given user in the `operatorClientSecretName` field must have a role that has all the client permissions. Otherwise, the Operator will fail with a validation error.

=== Management Center Configuration

As the Management Center serves as a client of the Hazelcast cluster, it must be properly configured to connect to the cluster. The `security.clientSecretName` field in the `hazelcastClusters` section is utilized for this configuration.

.Management Center Simple Authentication Example
[source,yaml,subs="attributes+"]
----
include::ROOT:example$/management-center-simple-auth.yaml[]
----

NOTE: The given user in the `clientSecretName` field have a role that has all the client permissions.
82 changes: 7 additions & 75 deletions docs/modules/ROOT/pages/custom-config.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -13,31 +13,10 @@ To use the Custom Config as a method of configuring the Hazelcast cluster, you n
ConfigMap::
+
--
[source,yaml]
```
apiVersion: v1
kind: ConfigMap
metadata:
name: custom-config-cm
data:
hazelcast: |-
security:
enabled: true
realms:
- name: simpleRealm
authentication:
simple:
users:
- username: operator
password: 'op-pass'
roles:
- root
client-authentication:
realm: simpleRealm
client-permissions:
all:
principal: root
```
[source,shell]
----
kubectl create configmap custom-config-cm --from-file=<path-to-file>
----

The name of the `ConfigMap` should be set to the Hazelcast CR's `customConfigCmName` field.

Expand All @@ -56,15 +35,9 @@ spec:
Secret::
+
--
[source,yaml]
[source,shell]
```
apiVersion: v1
kind: Secret
metadata:
name: custom-config-secret
data:
hazelcast: c2VjdXJpdHk6CiAgZW5hYmxlZDogdHJ1ZQogIHJlYWxtczoKICAtIG5hbWU6IHNpbXBsZVJlYWxtCiAgICBhdXRoZW50aWNhdGlvbjoKICAgICAgc2ltcGxlOgogICAgICAgIHVzZXJzOgogICAgICAgIC0gdXNlcm5hbWU6IG9wZXJhdG9yCiAgICAgICAgICBwYXNzd29yZDogJ29wLXBhc3MnCiAgICAgICAgICByb2xlczoKICAgICAgICAgIC0gcm9vdAogIGNsaWVudC1hdXRoZW50aWNhdGlvbjoKICAgIHJlYWxtOiBzaW1wbGVSZWFsbQogIGNsaWVudC1wZXJtaXNzaW9uczoKICAgIGFsbDoKICAgICAgcHJpbmNpcGFsOiByb290Cgo=

kubectl create secret generic custom-config-secret --from-file=<path-to-file>
```

The name of the `Secret` should be set to the Hazelcast CR's `customConfigSecretName` field.
Expand All @@ -86,47 +59,6 @@ spec:

The Custom Config is not designed as an alternative to the Hazelcast CR configuration, and it is not recommended to use it as the main source of the configuration. That said, Custom Config can and should be used together with the Hazelcast CR configuration.

[source,yaml]
```
apiVersion: v1
kind: ConfigMap
metadata:
name: custom-config-cm
data:
hazelcast: |-
security:
enabled: false
realms:
- name: simpleRealm
authentication:
simple:
users:
- username: dev
password: 'secret'
roles:
- root
```

[source,yaml]
hasancelik marked this conversation as resolved.
Show resolved Hide resolved
```
apiVersion: hazelcast.com/v1alpha1
kind: Hazelcast
metadata:
name: hazelcast
spec:
customConfigCmName: custom-config-cm
userCodeDeployment:
bucketConfig:
secretName: br-secret-gcp
bucketURI: "gs://operator-custom-class/executorService"
executorServices:
- name: service1
durableExecutorServices:
- name: service2
scheduledExecutorServices:
- name: service3
```

The configuration from the Hazelcast CR and the Custom Config will be merged into one structure that will be used as the Hazelcast member configuration.
If the same feature is configured with Custom Config `ConfigMap` and in the Hazelcast CR, the configuration from the Hazelcast CR will take precedence and will override the one from the Custom Config.

Expand Down Expand Up @@ -154,4 +86,4 @@ The Hazelcast Platform Operator communicates with the Hazelcast cluster, requiri

=== Security configuration

When configuring `security` with enabled `client-authentication`, you must provide a user with `all` permissions and a simple authentication method. The client and the operator will use this user to connect to and manage the cluster.
The security configuration is not accessible through custom configuration. To configure security use `Security` section of the Hazelcast CR.
kutluhanmetin marked this conversation as resolved.
Show resolved Hide resolved
Loading