Chapter 2. Data Grid release information

Data Grid Server provides a flexible, durable, and highly scalable data store for the Java Virtual Machine (JVM).

Default authorization

Data Grid Server configuration now enables authorization to restrict user access based on a set of default roles and permissions.

For example, users need to be assigned the admin role for permission to perform administrative operations on Data Grid clusters. When users without sufficient permission attempt to manipulate server resources, the following message is logged:

The user is not allowed to access the server resource: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [myusername]' lacks 'ADMIN' permission

The user is not allowed to access the server resource: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [myusername]' lacks 'ADMIN' permission

The following shows the default Data Grid Server configuration with authorization enabled:

<cache-container name="default" statistics="true">
  <transport cluster="${infinispan.cluster.name:cluster}"
             stack="${infinispan.cluster.stack:tcp}"
             node-name="${infinispan.node.name:}"/>
  <security>
    <authorization/> 
  </security>
</cache-container>

<cache-container name="default" statistics="true">
  <transport cluster="${infinispan.cluster.name:cluster}"
             stack="${infinispan.cluster.stack:tcp}"
             node-name="${infinispan.node.name:}"/>
  <security>
    <authorization/> 

  </security>
</cache-container>

Credential stores for added security

To protect sensitive text strings, such as passwords, you can now add them to a credential keystore instead of directly in Data Grid Server configuration.

Use the credentials command with the Data Grid CLI to set things up.

Audit logging

Audit logs let you track changes to your Data Grid clusters so you know when changes occur and which users make them.

Use the org.infinispan.AUDIT logging category to enable audit logging and configure how configuration events and administrative operations are recorded.

Endpoint IP filtering

You can now configure IP address filtering rules for Data Grid Server endpoints to accept or reject connections, as in the following example:

<endpoints socket-binding="default" security-realm="default">
  <ip-filter>
    <accept from="192.168.0.0/16"/> 
    <accept from="10.0.0.0/8"/> 
    <reject from="/0"/> 
  </ip-filter>
  ...
</endpoints>

<endpoints socket-binding="default" security-realm="default">
  <ip-filter>
    <accept from="192.168.0.0/16"/> 

    <accept from="10.0.0.0/8"/> 

    <reject from="/0"/> 

  </ip-filter>
  ...
</endpoints>

Use the server connector ipfilter command with the Data Grid CLI to inspect and modify IP filter rules.

Truststore for client cert validation

Data Grid Server now lets you add client trust stores to the server-identities configuration if you want to enforce mutual SSL/TLS certificate validation between servers and clients.

<security-realm name="default">
   <server-identities>
      <ssl>
         <keystore path="server.pfx"
                   keystore-password="password" alias="server"/>
         <truststore path="trust.pfx" 
                     relative-to="infinispan.server.config.path"
                     password="secret"/>
      </ssl>
   </server-identities>
   <truststore-realm/> 
</security-realm>

<security-realm name="default">
   <server-identities>
      <ssl>
         <keystore path="server.pfx"
                   keystore-password="password" alias="server"/>
         <truststore path="trust.pfx" 

                     relative-to="infinispan.server.config.path"
                     password="secret"/>
      </ssl>
   </server-identities>
   <truststore-realm/> 

</security-realm>

Security realm identity caching

Data Grid Server now caches identities for security realms to improve performance.

You can configure the identity cache for security realms with the cache-max-size and cache-lifespan attributes, as in the following example that shows the default values:

<security-realm name=" cache-max-size="256" 
                       cache-lifespan="-1"> 
  ...
</security-realm>

<security-realm name=" cache-max-size="256" 

                       cache-lifespan="-1"> 

  ...
</security-realm>

Implicit connectors for single-port endpoints

You no longer need to define Hot Rod and REST connectors in Data Grid Server configuration when using a single port for endpoints.

For example, as of Data Grid 8.2, the following endpoints configuration implicitly uses default Hot Rod and REST connectors:

<endpoints socket-binding="default" security-realm="default"/>

<endpoints socket-binding="default" security-realm="default"/>

The following endpoints configuration, by contrast, explicitly includes Hot Rod and REST connectors:

<endpoints socket-binding="default" security-realm="default">
    <hotrod-connector name="hotrod"/>
    <rest-connector name="rest"/>
</endpoints>

<endpoints socket-binding="default" security-realm="default">
    <hotrod-connector name="hotrod"/>
    <rest-connector name="rest"/>
</endpoints>

Metrics endpoint aligned with previous versions

For compatibility between versions, Data Grid Server now exports all metrics that were available from Data Grid 7.3 and later.

Data Grid Console provides a graphical user interface for monitoring and maintaining remote Data Grid clusters.

User experience improvements

With Data Grid 8.2, the console offers several user experience and usability enhancements.

Role-based access control

Data Grid Console applies security authorization configuration and restricts user access based on their assigned roles and permissions.

Counter management

Data Grid Console improves management of counters in this release, letting you delete and filter counters.

The Data Grid Command Line Interface (CLI) lets you perform administrative operations on remote Data Grid clusters.

Backing up and restoring Data Grid clusters

The CLI provides a backup command that can create archives of Data Grid resources that include cached entries, cache configurations, Protobuf schemas, and server scripts. You can then restore Data Grid clusters from backup archives after a restart or migration.

Performance test tool

The benchmark command lets you run performance tests against caches with the CLI.

Assigning user roles and permissions

The CLI extends the user command with a roles subcommand that lets you view, grant, and deny user roles. You can now dynamically update user role assignments to control authorization settings and restrict access to Data Grid clusters and caches.

Cross-site replication operations

As of this release, the CLI lets you perform additional cross-site replication operations with the site command.

site name Returns the name of the local site.

site view Returns a list of names for all sites that can back up to each other.

site state-transfer-mode Configures cross-site state transfer to occur manually or automatically.

Credential keystore management

The CLI includes a credentials command that manages credential keystores for Data Grid Server.

Native CLI

Data Grid 8.2 adds a native CLI that you can run on Linux, macOS, or Windows and use as an oc client plugin.

Cross-site replication lets you back up Data Grid clusters across multiple geographic regions.

Automatic state transfer operations

When issues occur and backup locations go offline, you must manually perform cross-site state transfer operations with the CLI or via JMX or REST.

However, when using the asynchronous backup strategy, Data Grid can now automatically perform cross-site state transfer operations after resolving conflicts. When it detects that a backup location has come back online, and the network connection is stable, Data Grid initiates bi-directional state transfer between backup locations. For example, Data Grid simultaneously transfers state from LON to NYC and NYC to LON.

SPI for custom conflict resolution

Data Grid provides an SPI that lets you customize conflict resolution for asynchronous Active/Active backup configurations.

The XSiteMergePolicy enum provides the following options for conflict resolution:

You can specify the conflict resolution policy, including a custom implementation, with the merge-policy attribute, for example:

<distributed-cache name="eu-customers">
   <backups merge-policy="org.mycompany.MyCustomXSiteEntryMergePolicy">
      <backup site="LON" strategy="ASYNC"/>
   </backups>
</distributed-cache>

<distributed-cache name="eu-customers">
   <backups merge-policy="org.mycompany.MyCustomXSiteEntryMergePolicy">
      <backup site="LON" strategy="ASYNC"/>
   </backups>
</distributed-cache>

Ability to verify cross-site views from CLI and REST

You can now verify cross-site view through the CLI or REST API.

For the CLI, invoke the site view command to retrieve a list of names for all sites that backup to each other.

From the REST API, invoke the following GET request:

GET /rest/v2/cache-managers/{cacheManagerName}

GET /rest/v2/cache-managers/{cacheManagerName}

Data Grid responds with the list of backup locations in JSON format, as follows:

"sites_view": [
    "LON",
    "NYC"
]

"sites_view": [
    "LON",
    "NYC"
]

Hot Rod is a custom binary TCP protocol that provides high-performance data access to client applications in different programming languages.

Improved near cache performance

Data Grid Server now includes bloom filters that optimize performance for write operations by reducing the total number of invalidation messages.

Enable bloom filters for near caches with the nearCacheUseBloomFilter()` method.

New Hot Rod client configuration properties

As of Data Grid 8.2, the Hot Rod client configuration API provides the following configuration properties:

The Data Grid Query API lets you index caches and search values using relational or full-text queries with in the Ickle query language.

Data Grid 8.2 brings you a significantly improved query implementation that is now based on Hibernate Search 6, which brings support for Apache Lucene 8 indexing capabilities. This release offers the following query enhancements:

For complete documentation on indexing and querying, see Querying Values in Caches.

The Data Grid REST API lets you interact with remote clusters and caches over HTTP.

Streaming keys and entries

The Data Grid REST API now lets you retrieve all keys or entries in caches in JSON format. Invoke GET requests as follows:

GET /rest/v2/caches/{cacheName}?action=keys

GET /rest/v2/caches/{cacheName}?action=keys

GET /rest/v2/caches/{cacheName}?action=entries

GET /rest/v2/caches/{cacheName}?action=entries

Working with the access control list cache

Data Grid 8.2 includes an access control list (ACL) cache that stores user role mappings. You can interact with the ACL cache via the REST API.

GET /rest/v2/security/user/acl

GET /rest/v2/security/user/acl

POST /rest/v2/security/cache?action=flush

POST /rest/v2/security/cache?action=flush

Retrieving query and index statistics

Obtain information about queries and indexes in caches with GET requests.

GET /v2/caches/{cacheName}/search/stats

GET /v2/caches/{cacheName}/search/stats

Cache configuration

The Data Grid REST API now provides improved responses when retrieving cache configuration to make it easier to compare and validate cache configuration on remote clusters with cache configuration in your local project.

Data Grid includes a ProtoStream API in addition to other marshaller implementations that allow you to transmit custom Java objects across the network and to persistent storage.

ProtoStream

Data Grid 8.2 upgrades the ProtoStream API to 4.4.1.Final.

Deserialization allow list

In keeping with Red Hat’s commitment to using inclusive language the term "white list" has been changed to "allow list" for configuring serialization of your Java classes.

<cache-container>
   <serialization>
      <white-list>
         <class>org.infinispan.test.data.Person</class>
         <regex>org.infinispan.test.data.*</regex>
       </white-list>
   </serialization>
</cache-container>

<cache-container>
   <serialization>
      <white-list>
         <class>org.infinispan.test.data.Person</class>
         <regex>org.infinispan.test.data.*</regex>
       </white-list>
   </serialization>
</cache-container>

<cache-container>
   <serialization>
      <allow-list>
         <class>org.infinispan.test.data.Person</class>
         <regex>org.infinispan.test.data.*</regex>
       </allow-list>
   </serialization>
</cache-container>

<cache-container>
   <serialization>
      <allow-list>
         <class>org.infinispan.test.data.Person</class>
         <regex>org.infinispan.test.data.*</regex>
       </allow-list>
   </serialization>
</cache-container>

Creating SerializationContextInitializer implementations

Data Grid now provides an @AutoProtoSchemaBuilder annotation that generates an implementation of a class or interface that extends SerializationContextInitializer. This provides a more efficient and reliable mechanism to create Protobuf schema and marshallers when storing custom Java objects in Data Grid caches.

@ProtoAdaptor for marshalling of external classes

Data Grid adds support for the @ProtoAdaptor annotation that you can add to adaptor classes for any external, third-party Java object classes.

Use collections and arrays directly as values

As of Data Grid 8.2 you can use values of type ArrayList, LinkedList, HashSet, LinkedHashSet, TreeSet as well as simple type arrays such as String[] or int[] with the ProtoStream API.

In previous versions of Data Grid it is not possible to use collections and arrays directly as values without additional mappers. Any put(…​ <ArrayList>) calls result the following exception:

IllegalArgumentException: No marshaller registered for Java type java.util.ArrayList

IllegalArgumentException: No marshaller registered for Java type java.util.ArrayList

Kyro and Protostuff marshallers deprecated

The Kyro and Protostuf marshallers are now deprecated. See the Deprecations and removals article in the Red Hat Knowledgebase for more details.

Data Grid offers schema-based configuration options for caches as well as for customizing underlying mechanisms such as security and cluster transport.

Authorization: user roles and permissions

Data Grid 8.2 has improved role-based access control (RBAC) functionality that secures access to Data Grid installations as well as caches.

To enable authorization for Cache Manager access, add the authorization element to the cache-container as in the following example:

<cache-container name="default" statistics="true">
  <security>
    <authorization/>
  </security>
</cache-container>

<cache-container name="default" statistics="true">
  <security>
    <authorization/>
  </security>
</cache-container>

To enable authorization for caches, add the authorization element as follows:

<distributed-cache name="myCache" mode="SYNC">
  <security>
    <authorization/>
  </security>
</distributed-cache>

<distributed-cache name="myCache" mode="SYNC">
  <security>
    <authorization/>
  </security>
</distributed-cache>

This role mapper uses a persistent replicated cache to dynamically store principal-to-role mappings for the default roles and permissions.

The MONITOR permission allows access to JMX statistics and the metrics endpoint.

For more information about authorization, see the following in the Security Guide:

Data Grid cache configuration fragments

As of Data Grid 8.2, you no longer need to include infinispan and cache-container elements in your cache configuration.

To create caches you need to provide only the *-cache elements.

For example, to create a distributed cache that uses synchronous mode you can use the following configuration:

<distributed-cache name="myCache" mode="SYNC" />

<distributed-cache name="myCache" mode="SYNC" />

To create a replicated cache that uses Protobuf encoding for entries you can use the following configuration:

<replicated-cache name="books">
  <encoding media-type="application/x-protostream"/>
</replicated-cache>

<replicated-cache name="books">
  <encoding media-type="application/x-protostream"/>
</replicated-cache>

JGroups INSERT_BEFORE attribute

You can now use the INSERT_BEFORE value to customize JGroups cluster transport with the stack.combine inheritance attribute, for example:

<ASYM_ENCRYPT asym_keylength="2048"
              asym_algorithm="RSA"
              change_key_on_coord_leave = "false"
              change_key_on_leave = "false"
              use_external_key_exchange = "true"
              stack.combine="INSERT_BEFORE" 
              stack.position="pbcast.NAKACK2"/>

<ASYM_ENCRYPT asym_keylength="2048"
              asym_algorithm="RSA"
              change_key_on_coord_leave = "false"
              change_key_on_leave = "false"
              use_external_key_exchange = "true"
              stack.combine="INSERT_BEFORE" 

              stack.position="pbcast.NAKACK2"/>

JGroups default stacks

Data Grid 8.2 changes the configuration for re-transmission requests for the UNICAST3 and NAKACK2 protocols in the default JGroups stacks.

In some cases, such as when a long Garbage Collection (GC) pause takes place, nodes cannot process JGroups messages from other nodes in the cluster. When those nodes become available again, they request the sending nodes to re-transmit the JGroups messages using XMIT requests.

To improve performance and avoid issues with cluster transport issues from failed re-transmission requests, the following changes apply:

Cache health

Data Grid includes a new FAILED status. As of this version, available health status for caches is as follows:

JDBC string-based cache stores

JDBC string-based cache stores now creates a _META table in addition to the data table used to store cache entries. The _META table hold metadata that ensures any existing database content is compatible with the current Data Grid version and configuration.

Data Grid provides Spring Cache and Spring Session implementations.

As of Data Grid 8.2, your Spring applications can use the ProtoStream marshaller to encode and decode Java objects into Protocol Buffers (Protobuf) format.

For more information, see the Spring Boot Starter

This release includes several enhancements to Data Grid Server.

The background-validation and validate-on-acquisition attributes are included in the connection pool properties. The Data Grid Command Line Interface (CLI) includes a server datasource command that lets you list and test data source connections.

For more information, see:

You can configure the TLS versions that Data Grid Server uses if you want to allow TLS 1.3 only. For more information, see Configuring TLS versions and cipher suites.

Data Grid Console no longer displays the Entries tab for caches or lets you create entries for caches that do not configure any encoding.

Data Grid recommends configuring cache encoding with the application/x-protostream media type if you want to create or modify entries through the console. For more information, see Cache Encoding and Marshalling.

The Hot Rod Node.JS client now supports DIGEST-MD5 and SCRAM authentication mechanisms in addition to PLAIN.

Learn how to configure different SASL authentication mechanisms and get usage examples in the Hot Rod Node.JS Client Guide.

Notable documentation improvements and revisions in this release:

Data Grid 8.2.2 fixes CVE-2021-44228, which is a security vulnerability in the Apache Log4j logging library. Data Grid includes the affected log4j-core library as part of the Data Grid Server distribution as well as in the Data Grid Server image for Red Hat OpenShift deployments.

Red Hat recommends you upgrade to 8.2.2 as soon as possible. If you cannot upgrade, Red Hat recommends that you follow the steps to mitigate this vulnerability in the RHSB-2021-009 Log4Shell - Remote Code Execution security bulletin.

Red Hat also recommends that you:

For more information about how this vulnerability affects Data Grid, see Is Red Hat Data Grid 7.x/8.x impacted by CVE-2021-44228 or CVE-2021-4104? in the Red Hat Knowledgebase.

Data Grid sends touch commands that coordinate timeout values for maximum idle, max-idle, expiration across clusters. You can configure Data Grid to send touch commands synchronously or asynchronously using the touch attribute in your expiration configuration. See the Data Grid configuration schema reference for more information.

Data Grid 8.2.3 fixes the following Common Vulnerabilities and Exposures (CVEs) in the Apache Log4j logging library:

Data Grid includes the affected Log4j libraries as part of the Data Grid Server distribution as well as in the Data Grid Server image for Red Hat OpenShift deployments.

Red Hat recommends you upgrade to 8.2.3 as soon as possible. If you cannot upgrade, Red Hat recommends that you follow the mitigation steps that are included in the security advisory page for each of the Log4j vulnerabilities mentioned above.

Red Hat also recommends that you: