Clarify that external connectors should use some other means to prote…

…ct access [HZ-2991] (#863) * Clarify that external connectors should use some other means to protect access * Clarify permissions for file * Update docs/modules/pipelines/pages/job-security.adoc Co-authored-by: Josef Cacek <[email protected]> * Update docs/modules/security/pages/native-client-security.adoc Co-authored-by: Josef Cacek <[email protected]> --------- Co-authored-by: Josef Cacek <[email protected]>
hazelcast · Oct 2, 2023 · bde6f5e · bde6f5e
1 parent 7f1fcd9
commit bde6f5e
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 53 deletions.
diff --git a/docs/modules/pipelines/pages/job-security.adoc b/docs/modules/pipelines/pages/job-security.adoc
@@ -231,7 +231,13 @@ securityConfig.addClientPermissionConfig(
 --
 ====
 
-NOTE: If you use the data structure connectors such as the map connector, you must also have certain permissions on those data structures. For example, to read from map sources, you must add the `create` and `read` permissions for those maps. If you use the map connector to write to map sinks, you must add the `create` and `put` permissions for those maps.
+NOTE: Only connectors that access information local to the member implement permissions - namely the file and socket connector.
+If you use the data structure connectors such as the map connector, you must also have certain permissions on those data structures.
+For example, to read from map sources, you must add the `create` and `read` permissions for those maps.
+If you use the map connector to write to map sinks, you must add the `create` and `put` permissions for those maps.
+
+WARNING: To protect external systems from being reached by external connectors (JDBC, Mongo, S3, ...), use other means than Hazelcast client permissions.
+Traditionally, this is done by enabling authentication on the external system and/or setting up firewall rules.
 
 == Related Resources
 

diff --git a/docs/modules/security/pages/native-client-security.adoc b/docs/modules/security/pages/native-client-security.adoc
@@ -1282,8 +1282,6 @@ You can give permissions to the following xref:integrate:connectors.adoc[connect
 
 - File
 - Socket
-- JMS
-- JDBC
 
 Actions:
 
@@ -1299,6 +1297,7 @@ XML::
 .File Connector
 
 ```xml
+<!-- It is currently only possible to give access to a whole directory, not to a single file. -->
 <connector-permission name="file:directory_name">
     <actions>
         <action>...</action>
@@ -1316,31 +1315,6 @@ XML::
 </connector-permission>
 ```
 
-.JMS Connector
-
-If the connector is not configured with an
-explicit connection url, it requires a
-permission with the name `jms:*`
-```xml
-<connector-permission name="jms:destination_name">
-    <actions>
-        <action>...</action>
-    </actions>
-</connector-permission>
-```
-
-.JDBC Connector
-
-If the connector is not configured with an
-explicit connection url, it requires a
-permission with the name `jdbc:*`
-```xml
-<connector-permission name="jdbc:connection_url">
-    <actions>
-        <action>...</action>
-    </actions>
-</connector-permission>
-```
 --
 
 YAML::
@@ -1366,34 +1340,11 @@ connector:
       - ..
 ----
 
-.JMS Connector
-
-If the connector is not configured with an
-explicit connection url, it requires a
-permission with the name `jms:*`
-[source,yaml]
-----
-connector:
-  - name: "jms:destination_name"
-    actions:
-      - ..
-----
-
-.JDBC Connector
-
-If the connector is not configured with an
-explicit connection url, it requires a
-permission with the name `jdbc:*`
-[source,yaml]
-----
-connector:
-  - name: "jdbc:connection_url"
-    actions:
-      - ..
-----
 --
 ====
 
+WARNING: To protect external systems from being reached by external connectors (JDBC, Mongo, S3, ...), use other means than Hazelcast client permissions.
+Traditionally, this is done by enabling authentication on the external system and/or setting up firewall rules.
 === SQL Permission
 
 You can give clients permission to use the following xref:sql:sql-statements.adoc[SQL statements]: