Improve TLS authn snippets; Describe skip-* login options in authenti…

…cation-overview
hazelcast · Aug 26, 2024 · e85bc40 · e85bc40
1 parent c2b3eb9
commit e85bc40
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 8 deletions.
diff --git a/docs/modules/security/pages/authentication-overview.adoc b/docs/modules/security/pages/authentication-overview.adoc
@@ -9,10 +9,12 @@ Hazelcast supports several authentication types which can be configured for memb
 * xref:ldap-authentication.adoc[LDAP] - LDAP server is used to verify credentials and load roles,
 * xref:kerberos-authentication.adoc[Kerberos] - service tickets are used for authentication,
 * xref:tls-authentication.adoc[TLS] - information from client-side TLS certificates (when TLS mutual authentication is enabled) are used for role assignment,
-* xref:simple-authentication.adoc[custom JAAS login module] implementations can be also used if the Hazelcast provided authentication mechanisms don't fully cover users needs.
+* xref:jaas-authentication.adoc[custom JAAS login modules] can be also used if other Hazelcast provided authentication mechanisms don't fully cover users needs.
 
 During the authentication roles can be also assigned to the connecting clients and they are later used for the <<Authorization>>.
 
+== Security Realms
+
 Named security configurations called Security Realms are used to map an authentication mechanism to a Hazelcast protocol (client or member).
 Security realms allow defining security configuration independently on the module which consumes it.
 
@@ -80,6 +82,35 @@ include::ROOT:example$/security/EnablingSecurity.java[tag=authn]
 ----
 ====
 
+Besides authentication, Security Realms can contain also xref:identity-configuration.adoc[Identity] and a access-control-service configurations.
+
+
+== Common Authentication Options
+
+All Hazelcast provided authentication types support beside the specific ones also the following configuration parameters.
+
+[cols="1,1,3"]
+.Common Configuration Options
+|===
+| Option Name
+| Default Value
+| Description
+
+| `skip-role`
+| `false`
+| When set to `true`, the authentication mechanism won't assign roles during the authentication. It'll only verify the credentials.
+
+| `skip-identity`
+| `false`
+| When set to `true`, the authentication mechanism won't use the remote party name after the authentication.
+
+| `skip-endpoint`
+| `false`
+| When set to `true`, the authentication mechanism won't use the remote party IP address name after the authentication.
+
+|===
+
+These are advanced configuration options and usually you don't need to touch them.
 
 == Identity
 

diff --git a/docs/modules/security/pages/tls-authentication.adoc b/docs/modules/security/pages/tls-authentication.adoc
@@ -21,19 +21,55 @@ XML::
 
 [source,xml]
 ----
-include::ROOT:example$/hazelcast-authentication-types.xml[tag=tls]
+<hazelcast>
+    <network>
+        <ssl enabled="true">
+            <properties>
+                <property name="mutualAuthentication">REQUIRED</property>
+                <property name="keyStore">/opt/hazelcast-keystore.p12</property>
+                <property name="keyStorePassword">secret.123</property>
+                <property name="trustStore">/opt/hazelcast-truststore.p12</property>
+                <property name="trustStorePassword">changeit</property>
+            </properties>
+        </ssl>
+    </network>
+    <security enabled="true">
+        <realms>
+            <realm name="tlsRealm">
+                <authentication>
+                    <tls roleAttribute="cn" />
+                </authentication>
+            </realm>
+        </realms>
+        <client-authentication realm="tlsRealm"/>
+    </security>
+</hazelcast>
 ----
 --
 
 YAML::
 +
 [source,yaml]
 ----
-realms:
-  name: tlsRealm
-    authentication:
-      tls:
-        roleAttribute: cn
+hazelcast:
+  network:
+    ssl:
+      enabled: true
+      properties:
+        mutualAuthentication: REQUIRED
+        keyStore: /opt/hazelcast-keystore.p12
+        keyStorePassword: secret.123
+        trustStore: /opt/hazelcast-truststore.p12
+        trustStorePassword: changeit
+  security:
+    enabled: true
+    realms:
+      - name: tlsRealm
+        authentication:
+          tls:
+            roleAttribute: cn
+    client-authentication:
+      realm: tlsRealm
 ----
 ====
 
@@ -53,4 +89,3 @@ then the `"admin"` role name is assigned to the client.
 | Name of an attribute in client certificate's distinguished name (DN), where the attribute value is used as a Role name.
 
 |===
-