After enabling authentication, I am able to log in to SQLLine by passing the superuser (i.e. ignite) credentials. After logging in I can see schemas like IGNITE, PUBLIC etc. Now, how do I connect to any of the schemas existing in the Ignite cluster? Can I grant a particular user access to a particular schema, and does the ignite superuser have full access to all schemas?
Ignite does not have ACLs right now. Successful authentication means you are allowed to see and change everything.
GridGain, which is built on top of Ignite, has some advanced security, though.
Authentication can be enabled on a Cassandra cluster using database roles. Recently, I landed into a situation where multiple roles were created for a Cassandra cluster running 3.11.x version, and I didn't have any easy way to figure out which role is actively used or not. Is there a way to get usage statistics of database roles in Cassandra 3.11.x versions?
Thanks.
No, that information is not stored locally.
The closest you can get to something like it is if you have audit logging enabled but it's a feature that was added in Apache Cassandra 4.0 (CASSANDRA-12151) so it's not available in 3.11. Cheers!
I have WebLogic 12c clusters set up in 10 different destinations. They are of the same setup and act as a failover in some cases.
I would like to make a tuning config change on the admin console, such as a change of the datasource connection pool or of the thread pool size for performance.
Is there a way that I can automate one config change and apply it to all the different destination clusters' admin consoles, rather than manually accessing each admin console to make the config change?
Much appreciated
Thanks
I have a running Kubernetes cluster on Google Cloud Platform.
I want to deploy a postgres image to my cluster.
When selecting the image and my cluster, I get the error:
insufficient OAuth scope
I have been reading about it for a few hours now and couldn't get it to work.
I managed to set the scope of the vm to allow APIs:
Cloud API access scopes
Allow full access to all Cloud APIs
But from the GKE cluster details, I see that everything is disabled except Stackdriver.
Why is it so difficult to deploy an image or to change the scope?
How can I modify the cluster permissions without deleting and recreating it?
The easiest way is to delete and recreate the cluster because there is no direct way to modify the scopes of a cluster. However, there is a workaround. Create a new node pool with the correct scopes and make sure to delete any of the old node pools. The cluster scopes will change to reflect the new node pool.
More details can be found in this post
Summary
The main question is how does one secure the setting of ACLs on Kafka. ACLs can be used to restrict who can consume / produce to topics, but how is the setting of ACLs restricted? E.g. some user on another network machine using kafka-acls.sh
Details
I am quite new to Kafka and I've just set up my first Kafka 1.0.0 cluster and I am using the Kafka admin CLI (kafka-acls.sh) to grant ACLs for principals.
Here is the problem I found: I can use this kafka-acls.sh on any other machine to manipulate my Kafka cluster, without any permission required?! Is this an existing security issue?
My requirement is, as an admin, for my kafka topics I would grant read permission to the consumers. But if the consumer owners can use the kafka-acls.sh, they could add that permission by themselves.
I've tried these:
kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --cluster --operation Create --deny-principal User:*
kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --cluster --operation Alter --deny-principal User:*
Current ACLs for resource Cluster:kafka-cluster:
User:* has Deny permission for operations: Create from hosts: *
User:* has Deny permission for operations: Alter from hosts: *
I was hoping this could stop anyone from changing ACLs on any topics, but I can still grant permission to any principal. I am expecting some settings in the Kafka properties file that can do the work. My properties settings regarding ACLs are:
# Switch to enable topic deletion or not, default value is false
#delete.topic.enable=true
###To enable ZooKeeper authentication on brokers
zookeeper.set.acl=true
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:Admin
Any ideas to restrict the admin CLI, guys?
Any advice would be appreciated.
ACLs are stored in Zookeeper so you need to run Zookeeper in secure mode with authenticated access (requires Apache Kafka 0.9 or higher).
https://cwiki.apache.org/confluence/display/KAFKA/KIP-38%3A+ZooKeeper+Authentication
This will allow you to restrict the ACL admin tools from working anywhere and by anyone since they include a zookeeper client which will have to be configured with valid admin credentials in order to connect and change Kafka ACLs stored in Zookeeper.
There is an example secure Kafka broker and Zookeeper setup explained in this blog post
https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
In more recent versions of Apache Kafka there is also an API called AdminClient which allows apps to be written without direct Zookeeper dependency or connections. In 1.0.0 the AdminClient includes methods to create ACLs.
https://kafka.apache.org/10/javadoc/index.html?org/apache/kafka/clients/admin/AdminClient.html
However at the moment the CLI commands in /bin have not been rewritten to use this new API which is why they still connect directly to Zookeeper.
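An added example (not part of the original answer or of the Kafka project's own docs) of the ZooKeeper-side hardening the answer describes: ZooKeeper is switched to SASL (DIGEST-MD5) authentication, the brokers log in to it and put ACLs on the znodes they create, and the kafka-acls.sh tool can then only write those znodes when it is started with a JAAS file holding the same credentials. Usernames, passwords, hostnames and file paths are placeholders chosen for this example.

```properties
# --- zookeeper.properties (ZooKeeper server): enable the SASL auth provider ---
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000

# --- zookeeper_jaas.conf (ZooKeeper server): the identities it will accept ---
# Server {
#     org.apache.zookeeper.server.auth.DigestLoginModule required
#     user_super="CHANGE-ME-super-password"
#     user_kafka="CHANGE-ME-broker-password";
# };
# Start with: KAFKA_OPTS="-Djava.security.auth.login.config=/etc/kafka/zookeeper_jaas.conf" \
#             zookeeper-server-start.sh zookeeper.properties

# --- server.properties (each broker) ---
# znodes the broker creates get an ACL bound to its SASL identity:
# world-readable, but writable only by that identity (sasl:kafka).
zookeeper.set.acl=true
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:Admin
# default is already false; stated here so topics without an ACL are denied, not open
allow.everyone.if.no.acl.found=false

# --- kafka_server_jaas.conf (each broker): how it authenticates to ZooKeeper ---
# Client {
#     org.apache.zookeeper.server.auth.DigestLoginModule required
#     username="kafka"
#     password="CHANGE-ME-broker-password";
# };
# Start with: KAFKA_OPTS="-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf" \
#             kafka-server-start.sh server.properties
# For a cluster that already has data in ZooKeeper, apply the ACLs to existing znodes once:
#   zookeeper-security-migration.sh --zookeeper.acl=secure --zookeeper.connect=zk1:2181

# --- Running the ACL tool ---
# Without a JAAS file the tool's ZooKeeper client connects unauthenticated; it can
# still read /kafka-acl (world:anyone:r) but the write is refused by ZooKeeper:
#   kafka-acls.sh --authorizer-properties zookeeper.connect=zk1:2181 --add ...   (fails)
# Only a caller holding the broker credentials can change ACLs:
#   KAFKA_OPTS="-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf" \
#   kafka-acls.sh --authorizer-properties zookeeper.connect=zk1:2181 \
#       --add --allow-principal User:consumer1 --operation Read --topic reports
```

The cluster-level Deny rules from the question never apply here because the tool writes straight to ZooKeeper and bypasses the broker's authorizer; the ZooKeeper ACL is what gates the change.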
For some performance issue, I need to process one kind of request on a dedicated node. For example, I need to process all requests like http://hostname/report* on node1. So, I added a rule in the load balancer to redirect http://hostname/report* to http://node1name/report*. But node1 asks me to log in again, and I was logged in to http://hostname/ already. How can I directly access it without logging in again?
As #JoseK mentioned, it looks like you don't have session replication and failover configured between the servers. You will need all of your application servers to be inside the same WebLogic cluster and you will also have to pick their secondary session replication node to be the destination for in-memory replication. You can dictate this by assigning the dedicated node to a specific machine, which is then selected as the secondary replication target for all cluster members.
Also, for session replication to work, all objects within your session have to be/implement Serializable.