-
1. Re: origin of cache events in infinispan
nadirx Sep 15, 2014 3:56 AM (in response to mdhawan)
The node which originates the event creates the event object and populates the field using its local address [1]. This object is then "externalized" and sent to the other nodes. A receiving node will node validate the fact that an incoming ClusterEvent's origin field matches the source of the JGroups message. Why do you need to be certain this information has not been tampered with? If you need to trust the other nodes in your cluster, use the JGroups SASL and ENCRYPT protocols.
[1] infinispan/ClusterEvent.java at master · infinispan/infinispan · GitHub
-
2. Re: origin of cache events in infinispan
mdhawan Sep 15, 2014 4:33 AM (in response to nadirx)
Hi Tristan,
Thanks for the reply. Just wanted to confirm your observation --- "A receiving node will node validate ..." => "A receiving node will NOT validate ...". Is this right? I just wanted to understand if message authentication is done, as untrusted (or malicious) nodes may try to masquerade as other nodes in the cluster.
Also, if we use the SASL and ENCRYPT protocols, then will Infinispan export the true origin of the event to other nodes?
Regards,
mohan
-
3. Re: origin of cache events in infinispan
nadirx Sep 15, 2014 4:36 AM (in response to mdhawan)
Sorry, I did mean "NOT".
When using SASL and ENCRYPT, no additional validation is done at the Infinispan level, however you can be certain that no malicious/untrusted nodes can join your cluster and/or sniff the packets.
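
A JGroups stack with the two protocols recommended in this thread, as an added example that is not part of the original posts or the Infinispan project's own configuration. It assumes a JGroups 3.x-era UDP stack; the keystore name, passwords, alias, user name and the two `org.example` callback handler classes are hypothetical placeholders.

```xml
<!-- Added example: JGroups 3.x-style stack (assumed), placeholder values throughout -->
<config xmlns="urn:org:jgroups">
    <UDP/>
    <PING/>
    <MERGE2/>
    <FD_SOCK/>
    <FD_ALL/>
    <VERIFY_SUSPECT/>

    <!-- ENCRYPT in keystore mode: every node loads the same pre-shared
         secret key, so hosts without the keystore cannot read cluster traffic. -->
    <ENCRYPT key_store_name="cluster.keystore"
             store_password="CHANGE_ME"
             alias="clusterKey"/>

    <pbcast.NAKACK2/>
    <UNICAST3/>
    <pbcast.STABLE/>

    <!-- SASL sits directly below GMS so that join requests are
         authenticated before a node is admitted to the view. -->
    <SASL mech="DIGEST-MD5"
          client_name="node_user"
          client_password="CHANGE_ME"
          server_callback_handler_class="org.example.ClusterSaslServerHandler"
          client_callback_handler_class="org.example.ClusterSaslClientHandler"/>

    <pbcast.GMS/>
    <FRAG2/>
</config>
```

This controls which nodes may join and read traffic; as stated in the reply above, the origin field of a ClusterEvent is still not checked against the JGroups message source, so every admitted member remains trusted to report its own address.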