Akka Cluster security / membership control

akka-cluster

(Matt Howard) #1

Is there any way to programmatically control what nodes are able to join a cluster? For example if I have a cluster with nodes each representing a different company in some consortium… and we want to allow other companies to join the cluster relatively easily, but only if they have been pre-approved in some way (e.g. almost like adding a public key into authorized_keys to control ssh access).

I don’t think the cluster events allow for any kind of PreMemberJoined event where we could add some kind of a hook to allow or disallow the join to continue. Are there any extension points where we could build additional logic into the cluster joining protocol?

My assumption is we’d need to build that all in after a member event - so joining the cluster would only be like making it into a waiting room… but then we’ll just need to be a bit more careful about using things like distributed pubsub or distributed data, etc… But if there is a better option I’d love to know.


(Konrad `ktoso` Malawski) #2

The recommendation for making sure clusters are isolated from one another is to isolate them with networking tools. So that’d depend on what infra you’re running on. Pretty easy in any container-based setup. Harder on bare metal.

Technically nodes will only join a cluster where their system name is equal; but I would not rely on this for correctness.