ignite-user mailing list archives

From Ognen Duzlevski <ognen.duzlev...@gmail.com>
Subject Re: Securing Ignite
Date Thu, 30 Jul 2015 16:17:43 GMT
Aleksei, VPC is by default private, no? You can always have a separate
subnet within the VPC that you deploy all your on-demand Ignite nodes into,
together with your "always on" node - combined with some simple iptables
rules, this should be sufficient. You can expose the functionality of your
cluster via REST API where you can control access to the whole thing
(submitting jobs, asking for data etc.) via passwords, shared secrets,
public/private keys etc. The exposed REST point can be a separate machine
or set of machines running something like Scalatra (with/without Akka) that
is not in the same subnet but is allowed to connect to the Ignite subnet as
a client - you can make this node have a static IP (or you can have a
different subnet where this node is that is only allowed to connect to the
Ignite subnet) and only allow it to connect to your cluster...

On Thu, Jul 30, 2015 at 9:37 AM, Aleksei Valikov <aleksei.valikov@gmail.com>
wrote:

> Hi,
>
> I'm considering Apache Ignite for a distributed computing application. I
> have a question about security.
>
> We'll have a central node which will run all the time (the application
> server) and a number of nodes which will join/leave the cluster in the
> runtime (we'll use AWS to add new computing resources on demand). I guess
> we'll need to use the static IP-based discovery for this scenario.
>
> As I read the configuration right now, any server in my VPC which knows
> the IP address of the central node will be able to connect to the Ignite
> cluster and accept tasks/jobs. This feels quite insecure - basically anyone
> in VPC would be able to get the data from the tasks/jobs.
>
> How could I make it secure?
>
> I've found the following post:
>
> http://smartkey.co.uk/development/securing-an-apache-ignite-cluster/
>
> This is a step in the right direction. However, whitelisting IPs is not
> an option in case of dynamic IP addresses (which we probably have in AWS).
>
> So I'd like to ask for advice on how to secure the Ignite cluster, for
> instance with some pre-shared secret. Is there any support for this OOTB?
>
> Many thanks and best wishes,
> Alexey
>

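The layout suggested in the reply above (a dedicated Ignite subnet, plus one gateway host with a static IP that is allowed in as a client), written out as host firewall rules for an Ignite server node. This is an added example, not part of the original messages; the sample addresses, the SSH admin range and the 100-port width of each range are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: print an iptables-restore ruleset for one
# Ignite server node. Base ports 47500 (discovery) and 47100 (communication) are
# Ignite's defaults; the 100-port width of each range is an assumption, so match
# it to the localPortRange settings of your discovery and communication SPIs.
PORTS="47500:47599,47100:47199"

# Accept only a.b.c.d or a.b.c.d/len so nothing else reaches the ruleset.
valid_cidr() {
  case $1 in *[!0-9./]*) return 1 ;; esac
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
  _addr=${1%/*}
  _ifs=$IFS; IFS=.
  set -- $_addr
  IFS=$_ifs
  for _octet in "$@"; do
    [ "$_octet" -le 255 ] || return 1
  done
}

# Arguments (all hypothetical sample values when used below):
#   $1 Ignite subnet CIDR, $2 gateway static IP, $3 admin CIDR allowed to use SSH
ignite_node_rules() {
  ignite_subnet=$1 gateway_ip=$2 admin_cidr=$3
  for _a in "$ignite_subnet" "$gateway_ip" "$admin_cidr"; do
    valid_cidr "$_a" || { echo "invalid address: $_a" >&2; return 1; }
  done
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $ignite_subnet -m multiport --dports $PORTS -j ACCEPT
-A INPUT -p tcp -s $gateway_ip -m multiport --dports $PORTS -j ACCEPT
-A INPUT -p tcp -s $admin_cidr --dport 22 -j ACCEPT
COMMIT
EOF
}

# Run as: ./ignite-rules.sh 10.0.1.0/24 10.0.2.10 10.0.9.0/28
if [ "$#" -eq 3 ]; then ignite_node_rules "$@"; fi
```

Check the output with `iptables-restore --test` before loading it. The rules filter on source address only, so any host placed in the Ignite subnet is still accepted as a node.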