I'll be giving a talk at JUDCon 2010 (Oct 7 and 8, Berlin) on how to configure JBoss clusters to run optimally in a cloud (EC2).
It would be cool to see some of you; we can discuss JGroups and other topics over a beer!
The agenda is here.
Cheers,
Wednesday, September 22, 2010
Friday, September 17, 2010
Cluster authorization with pattern matching
I've added a new plugin to AUTH which allows for pattern matching to determine who can join a cluster.
The idea is very simple: if a new node wants to join a cluster, we only admit the node into the cluster if it matches a certain pattern. For example, we could only admit nodes whose IP address starts with 192.168.* or 10.5.*. Or we could only admit nodes whose logical name is "groucho" or "marx".
Currently, the 2 things I match against are IP address and logical name, but of course any attribute of a message could be used to match against.
Let's take a look at an example.
<AUTH auth_class="org.jgroups.auth.RegexMembership" match_string="groucho|marx" match_ip_address="false" match_logical_name="true" />
This example uses the new plugin RegexMembership (derived from FixedMembership). Its match string (which takes any regular expression as value) says that any node whose logical name is "marx" or "groucho" will be able to join. Note that we set match_logical_name to true here.
Note that AUTH has to be placed somewhere below GMS (Group MemberShip) in the configuration.
<AUTH auth_class="org.jgroups.auth.RegexMembership" match_string="192\.168\.[0-9]{1,3}\.[0-9]{1,3}(:[0-9]{1,5})?" match_ip_address="true" match_logical_name="false" />
This example is a bit more complex, but it essentially says that all nodes whose IP address starts with 192.168 are allowed to join the cluster. So 192.168.1.5 and 192.168.1.10:5546 would pass, while 10.1.4.5 would be rejected.
I have to admit, I'm not really an expert in regular expressions, so I guess the above expression could be simplified. For example, I gave up trying to define that hosts starting either with 192.168 or 10.5 could join.
If you know how to do that, please send me the regular expression!
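One pattern that admits both prefixes, checked against sample addresses; this is an added example, not code from the original post or from JGroups. It assumes the joiner's address is rendered as host or host:port (as in the examples above) and that the whole string must match the pattern; the class name JoinPatternCheck and the sample addresses are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class JoinPatternCheck {
    // One octet, 0-255, so 192.168.300.1 is rejected (it would pass [0-9]{1,3}).
    static final String OCTET = "(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])";
    // Optional ":port" suffix, as in 192.168.1.10:5546.
    static final String PORT = "(:[0-9]{1,5})?";
    // Alternation over the two allowed prefixes; every literal dot is escaped.
    // In the XML attribute the same pattern is written with single backslashes.
    static final String ALLOWED =
        "(192\\.168|10\\.5)\\." + OCTET + "\\." + OCTET + PORT;

    static boolean admits(String regex, String address) {
        // Full match (assumption): the whole address string has to fit the pattern.
        return Pattern.compile(regex).matcher(address).matches();
    }

    public static void main(String[] args) {
        // Constructed sample addresses and the decision expected for each.
        Map<String, Boolean> samples = new LinkedHashMap<>();
        samples.put("192.168.1.5", true);
        samples.put("192.168.1.10:5546", true);
        samples.put("10.5.20.7:7800", true);
        samples.put("10.1.4.5", false);
        samples.put("10.50.1.1", false);               // prefix 10.5 must end at a dot
        samples.put("110.5.1.1", false);               // no extra leading digit
        samples.put("192.168.1.5.example.net", false); // no trailing text
        samples.put("192.168.300.1", false);           // octet out of range

        for (Map.Entry<String, Boolean> e : samples.entrySet()) {
            boolean got = admits(ALLOWED, e.getKey());
            System.out.printf("%-26s admitted=%-5s %s%n", e.getKey(), got,
                got == e.getValue() ? "ok" : "UNEXPECTED");
        }
        // The value to paste into the match_string attribute.
        System.out.println("match_string=\"" + ALLOWED + "\"");
    }
}
```

The last line printed is the pattern with single backslashes, ready for the match_string attribute with match_ip_address="true".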