This is an automated email from the ASF dual-hosted git repository.
ptupitsyn pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/ignite-3.git
The following commit(s) were added to refs/heads/main by this push:
new d0300ee9f0d IGNITE-24655 Add cluster security recommendations (#5309)
d0300ee9f0d is described below
commit d0300ee9f0d67bb1c4994f2e1b30a51d92a2d636
Author: IgGusev <[email protected]>
AuthorDate: Fri Feb 28 18:22:45 2025 +0200
IGNITE-24655 Add cluster security recommendations (#5309)
---
docs/_data/toc.yaml | 14 ++++++++++
docs/_docs/administrators-guide/security.adoc | 37 +++++++++++++++++++++++++++
2 files changed, 51 insertions(+)
diff --git a/docs/_data/toc.yaml b/docs/_data/toc.yaml
index 9efe730a3ae..e30bc397e23 100644
--- a/docs/_data/toc.yaml
+++ b/docs/_data/toc.yaml
@@ -54,6 +54,8 @@
items:
- title: Introduction
url: developers-guide/sql/calcite-based-sql-engine
+ - title: SQL API
+ url: developers-guide/sql/sql-api
- title: JDBC Driver
url: developers-guide/sql/jdbc-driver
- title: System Views
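Review bot: the new `SQL API` entry (`developers-guide/sql/sql-api`) is unrelated to the commit subject "Add cluster security recommendations" and the page it points to is not part of this diff, so the TOC may link to a page that does not exist at this commit; either split the TOC additions into their own commit or confirm the target page is already present in `docs/_docs`.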
@@ -105,6 +107,18 @@
url: administrators-guide/config/storage/volatile
- title: Table Configuration
url: administrators-guide/config/storage/table-configuration
+ - title: Cluster Lifecycle
+ url: administrators-guide/lifecycle
+ - title: Distribution Zones
+ url: administrators-guide/distribution-zones
+ - title: Storage Profiles and Engines
+ url: administrators-guide/storage
+ - title: Data Partitioning
+ url: administrators-guide/data-partitions
+ - title: Data Colocation
+ url: administrators-guide/colocation
+ - title: Cluster Security
+ url: administrators-guide/security
- title: Security and Authentication
url: administrators-guide/security/ssl-tls
items:
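Review bot: five of the six new entries (`Cluster Lifecycle`, `Distribution Zones`, `Storage Profiles and Engines`, `Data Partitioning`, `Data Colocation`) have nothing to do with cluster security and are not mentioned in the commit message, and none of their target pages is added here, so this hunk should be checked for dead links and ideally moved to a separate commit. For the one entry that belongs, `Cluster Security` at `administrators-guide/security` lands immediately above the existing `Security and Authentication` section (`administrators-guide/security/ssl-tls`), and the two similar titles side by side will confuse readers; consider nesting the new page as the first item under `Security and Authentication`, or renaming it to make clear it is the overview/recommendations page for that section.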
diff --git a/docs/_docs/administrators-guide/security.adoc
b/docs/_docs/administrators-guide/security.adoc
new file mode 100644
index 00000000000..6adbd88c2b9
--- /dev/null
+++ b/docs/_docs/administrators-guide/security.adoc
@@ -0,0 +1,37 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+= Cluster Security
+
+== User Security
+
+By default, all users can perform any updates on the cluster, or
link:developers-guide/code-deployment/code-deployment[upload arbitrary code to
the cluster] and perform remote code execution with
link:developers-guide/compute/compute[distributed computing]. To improve
security, we recommend configuring
link:administrators-guide/security/permissions#user-permissions-and-roles[user
roles] and
link:administrators-guide/security/authentication#user-authorization[enabling
authorization] on th [...]
+
+== Communication
+
+By default, nodes use plain-text communication that is vulnerable to malicious
actions. Ignite 3 separates communications between cluster nodes and
communication with clients.
+
+== Node to Node Communication
+
+Communication between nodes usually happens within the same data center. We
recommend the following to improve the security of your cluster:
+
+- Enable SSL for cluster communication with the `ignite.network.ssl`
link:administrators-guide/config/node-config#network-configuration[node
configuration].
+- Run the cluster in a trusted and isolated network.
+
+== Node to Client Communication
+
+Client to server communication may be over internet or otherwise untrusted
network. Only the client port (10800 by default) is typically exposed outside
of the cluster. To securely interact with your clients:
+
+- Enable SSL for client communication with the `ignite.clientConnector.ssl`
link:[node configuration].
+- Enable link:administrators-guide/security/authentication[authentication] on
the cluster.
\ No newline at end of file
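Review bot: under "Node to Client Communication" the bullet `Enable SSL for client communication with the \`ignite.clientConnector.ssl\` link:[node configuration].` has an empty link target, so the rendered page will contain a dead link; the sibling bullet for node-to-node traffic links to `administrators-guide/config/node-config#network-configuration`, and this one should point at the client-connector section of the same node-config page. Three smaller points: "Node to Node Communication" and "Node to Client Communication" are introduced as the two kinds of traffic that the "Communication" section says Ignite 3 separates, yet all three use `==`, so they render as siblings rather than subsections (`===` for the two sub-headings would match the prose); the "User Security" paragraph recommends roles and authorization but only the client section recommends enabling authentication, so a reader who stops after the first section can miss the prerequisite and a cross-reference between the two would help; and the file is missing a trailing newline (`\ No newline at end of file`), which the other docs in the repository have.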