Add RBAC support for MC executed actions #18264
LGTM in general, left only a few minors. Also, the Spring config needs to be updated/tested as well.
.../java/com/hazelcast/client/impl/protocol/task/management/CheckWanConsistencyMessageTask.java
...rc/main/java/com/hazelcast/client/impl/protocol/task/management/GetCPMembersMessageTask.java
.../java/com/hazelcast/client/impl/protocol/task/management/GetTimedMemberStateMessageTask.java
...ain/java/com/hazelcast/client/impl/protocol/task/management/ResetCPSubsystemMessageTask.java
ReadMetricsMessageTask is also used by MC and needs a permission.
AFAICT this PR doesn't change the default behavior, i.e. Management Center will be able to execute all operations on a target cluster with default configuration. Can you please confirm this is the case?
Since we didn't have these permissions before, we had added scripting enabled to Management Center config before. Do you think it's still needed? If not, maybe we can mark it as deprecated and remove it in 5.0. WDYT?
...c/main/java/com/hazelcast/client/impl/protocol/task/management/ApplyMCConfigMessageTask.java
...rc/main/java/com/hazelcast/client/impl/protocol/task/management/GetCPMembersMessageTask.java
.../java/com/hazelcast/client/impl/protocol/task/management/GetTimedMemberStateMessageTask.java
...c/main/java/com/hazelcast/client/impl/protocol/task/management/MatchMCConfigMessageTask.java
Will you send a PR to the docs as well? I think we should link to that section from the Management Center docs.
@blazember & @emre-aydin Thank you for your reviews and valuable comments. I'll go through them and fix (or comment back).
The Spring configuration was added too (I somehow missed it completely in the first iteration - someone is getting old here :) )
Required permission was added to the
The behavior is only changed for cases where the security is enabled (i.e. Hazelcast Enterprise only) and the client used by the MC doesn't have the
I don't think we can simply remove the protection as the real implementation is on the member protocol level (
I'll sync with @Serdaro to decide how to cover it in the 4.2 documentation.
Thanks for addressing all the comments!
Sorry for missing this in the first review, but is the new config reported via the ConfigXmlGenerator or do you also need to add it there as well?
(I think there should be some checklist or so for checking all the places that need to be updated for a new config - too easy to miss something).
The config checklist lives in the GH wiki: https://github.com/hazelcast/hazelcast/wiki/Checklist-for-Hazelcast-config-changes
@AyberkSorgun can you please create an MC Jira task for how MC behaves when it does not have sufficient permissions on the IMDG side. We should show a helpful message which explains what configuration options should be added to the members.
This PR adds a new permission type for management MessageTasks.
Newly the client used in Management Center will need to have either the all-permission granted or the new permission type management-permission. E.g.
This change can affect Hazelcast Enterprise users with security enabled but without the management client having the all-permission granted. In such a case ManagementCenter operations on the cluster will fail with the AccessControlException thrown.
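The access rule from the PR description above, modelled with the JDK's `java.security` permission classes as an added example; it is not code from this PR or from Hazelcast. `ManagementPermission`, `MapPermission`, `checkPermission`, `grants`, `attempt` and the task name are hypothetical stand-ins chosen for illustration.

```java
import java.security.AccessControlException; // deprecated for removal since Java 17, still present
import java.security.AllPermission;
import java.security.BasicPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

public class ManagementPermissionDemo {
    // Hypothetical stand-ins for the permission types; not Hazelcast's own classes.
    static final class ManagementPermission extends BasicPermission {
        ManagementPermission(String name) { super(name); }
    }
    static final class MapPermission extends BasicPermission {
        MapPermission(String name) { super(name); }
    }

    // Check run before a management task executes (assumed shape of the check).
    static void checkPermission(boolean securityEnabled, PermissionCollection granted, Permission required) {
        if (!securityEnabled) {
            return; // security disabled: behaviour is unchanged, nothing is checked
        }
        if (!granted.implies(required)) {
            throw new AccessControlException("Permission " + required + " denied", required);
        }
    }

    static PermissionCollection grants(Permission... perms) {
        Permissions pc = new Permissions();
        for (Permission p : perms) pc.add(p);
        return pc;
    }

    static String attempt(String label, boolean securityEnabled, PermissionCollection granted) {
        Permission required = new ManagementPermission("getTimedMemberState"); // constructed task name
        try {
            checkPermission(securityEnabled, granted, required);
            return label + ": allowed";
        } catch (AccessControlException e) {
            return label + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(attempt("security disabled", false, grants()));
        System.out.println(attempt("all-permission", true, grants(new AllPermission())));
        System.out.println(attempt("management-permission", true, grants(new ManagementPermission("*"))));
        System.out.println(attempt("map-permission only", true, grants(new MapPermission("*"))));
    }
}
```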