GridGain 8.8.9 Release Notes
New Features
Ability to Disable Client SSL/TLS Certificate Validation
Historically, Thick Clients were required to provide client certificates if SSL/TLS was enabled in the cluster. This made SSL/TLS configuration significantly harder.
Starting this version, the cluster can be configured to not require client certificates validation.
To do this, set the needClientAuth=false
property in the SslContextFactory
configuration.
This mode must be used together with forceClientToServerConnections=true
to make sure that thick clients never accept connections.
By default, thick clients are still required to provide SSL/TLS certifiicates. This behavior is kept for compatibility.
Note that Thin Clients already are not required to provide SSL/TLS certificates.
The following configuration can be used if thick client certificate validation is not needed:
Server:
<bean class="org.apache.ignite.configuration.IgniteConfiguration">
<property name="sslContextFactory">
<bean class="org.apache.ignite.ssl.SslContextFactory">
<property name="keyStoreFilePath" value="keystore.jks"/>
<property name="keyStorePassword" value="keystorepwd"/>
<property name="trustStoreFilePath" value="truststore.jks"/>
<property name="trustStorePassword" value="truststorepwd"/>
<!-- This property turns off client certificate validation -->
<property name="needClientAuth" value="false"/>
</bean>
</property>
</bean>
Client:
<bean class="org.apache.ignite.configuration.IgniteConfiguration">
<property name="sslContextFactory">
<!-- If client certificate validation is turned off on the server, server certificate is issued by a trusted CA,
and forceClientToServerConnections is enabled then no additional configuration is required. -->
<bean class="org.apache.ignite.ssl.SslContextFactory"/>
<!-- If server certificate is self-signed, you may still need to provide a trust store. -->
<!-- <bean class="org.apache.ignite.ssl.SslContextFactory">
<property name="trustStoreFilePath" value="truststore.jks"/>
<property name="trustStorePassword" value="truststorepwd"/>
</bean> -->
</property>
<property name="forceClientToServerConnections" value="true"/>
</bean>
Affinity Fields in Binary Objects are Supported in C++ Thin Clients
С++ thin clients now also support affinity fields for binary objects. Here is how you can use them:
IgniteClient client = IgniteClient::Start();
compute::ComputeClient compute = ignite.GetCompute();
std::string echoValue = "Task returns this value";
std::string res = compute.ExecuteJavaTask<std::string>("my.company.MyEchoTask", echoValue);
assert(res == echoValue);
Known Issues
GridGain May Crash when Using OpenJDK 11
In some rare environments, GridGain servers may crash with a SocketTimeoutException
exception when running on OpenJDK 11. Consider using OpenJDK 8 or a different JDK provider instead.
Here is an example of the exception that can occur:
Exception in thread "main" java.net.SocketTimeoutException: Accept timed out at java.base/java.net.PlainSocketImpl.socketAccept(Native Method) at java.base/java.net.AbstractPlainSocketImpl.accept(AbstractPlainSocketImpl.java:458) at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:565) at java.base/java.net.ServerSocket.accept(ServerSocket.java:533) at Example.main(Example.java:6)
You can track the status of this issue in openJDK issue tracker.
Improvements and Fixed Issues
Community Edition Changes
Issue ID | Category | Description |
---|---|---|
GG-33784 |
GridGain Integrations |
Upgraded Jackson from 2.11.0 to 2.11.4 version to fix a vulnerability. |
GG-33705 |
Cluster Storage Engine |
Index page metrics are now calculated correctly. |
GG-33400 |
Platforms & Thin Clients |
CPP: Added support for Affinity Fields. Define the void BinaryType<T>::GetAffinityFieldName(std::string&) static method to provide it. |
GG-33349 |
Cluster Storage Engine |
Fixed OutOfBoundsException during write-behind flusher lookup. |
Enterprise Edition Changes
Issue ID | Category | Description |
---|---|---|
GG-33858 |
Cluster Communication |
It is now possible to disable client SSL certificate validation for thick clients and management tools. |
GG-33616 |
Cluster Security |
Added a property (IGNITE_CHECK_SENDER_NODE_SUBJECT), which enables an additional security check for subject id on client nodes. |
GG-33615 |
Cluster Security |
System cache operations are forbidden for client nodes by default when the IGNITE_SECURITY_FOR_SYS_CACHE_ENABLED property is enabled. |
GG-33534 |
Cluster Security |
Client nodes cannot authorize another local client anymore. |
Ultimate Edition Changes
Issue ID | Category | Description |
---|---|---|
GG-33827 |
Cluster Data Snapshots and Recovery |
Fixed potential snapshot corruption for the statically configured caches. |
GG-33417 |
Cluster Snapshot Utility |
Added a new --excluded_caches parameter for create, check, and restore operations. This parameter and the --caches parameter for these operations now support cache groups. |
Installation and Upgrade Information
See the Rolling Upgrades page for information about how to perform automated upgrades and for details about version compatibility.
Below is a list of versions that are compatible with the current version. You can rolling-upgrade from any of those. Compatibility with other versions is not guaranteed. If you are on a version that is not listed, contact GridGain for information on upgrade options.
8.7.2-p15
, 8.7.3
, 8.7.4
, 8.7.5
, 8.7.5-p1
, 8.7.6
, 8.7.6-p1
, 8.7.7
, 8.7.8
, 8.7.9
, 8.7.10
, 8.7.11
, 8.7.12
, 8.7.13
, 8.7.14
, 8.7.15
, 8.7.16
, 8.7.17
, 8.7.18
, 8.7.19
, 8.7.19-p1
, 8.7.20
, 8.7.21
, 8.7.22
, 8.7.23
, 8.7.24
, 8.7.25
, 8.7.26
, 8.7.26-p1
, 8.7.27
, 8.7.27-p1
, 8.7.28
, 8.7.29
, 8.7.29-p1
, 8.7.30
, 8.7.31
, 8.7.32
, 8.7.33
, 8.7.33-p2
, 8.7.34
, 8.7.35
, 8.7.36
, 8.7.37
, 8.7.38
, 8.8.1
, 8.8.2
, 8.8.3
, 8.8.4
, 8.8.5
, 8.8.6
, 8.8.7
Known Limitations
Jetty Configuration Incompatibility in GridGain 8.7.21 and Later
If you are upgrading from version 8.7.20 or earlier, consider an incompatibility issue related to Jetty configuration introduced in GridGain 8.7.21.
Your setup may be affected if:
-
You use the
ignite-rest-http
module (e.g. to connect to GridGain Web Console) -
You have a custom Jetty configuration that enables SSL for REST
-
Your Jetty configuration uses the
org.eclipse.jetty.util.ssl.SslContextFactory
class -
The keystore specified in the Jetty configuration contains both the CA certificate and the private certificate
In this case, after starting a new version, an exception is thrown with an error message similar to the following:
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class
org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server
or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
To workaround this issue, alter the Jetty configuration to use org.eclipse.jetty.util.ssl.SslContextFactory$Server
or org.eclipse.jetty.util.ssl.SslContextFactory$Client
.
See the configuration example at the Client Certificate Authentication page.
Default rebalanceThreadPoolSize
in GridGain 8.7.26 and Later
In GridGain 8.7.26, the default value of the property IgniteConfiguration.rebalanceThreadPoolSize
changed from 1
to min(4, number of CPU / 4)
.
It may cause a compatibility issue under the following conditions:
-
When a Rolling Upgrade is performed
-
The upgrade is performed from 8.5.7 version (or earlier) to 8.5.x or from 8.7.3 (or earlier) to 8.7.x
-
The server nodes have at least 8 CPU cores
-
The nodes configuration does not have the property
IgniteConfiguration.rebalanceThreadPoolSize
, so the default value is used
In this case, an exception is thrown with an error message similar to the following:
сlass org.apache.ignite.IgniteException: Rebalance configuration mismatch (fix configuration or set -DIGNITE_SKIP_CONFIGURATION_CONSISTENCY_CHECK=true system property).
Different values of such parameter may lead to rebalance process instability and hanging. [rmtNodeId=5fc58fb7-209d-489a-8034-0127a81abed6, locRebalanceThreadPoolSize = 4, rmtRebalanceThreadPoolSize = 1]
To workaround this issue, change the configuration of the server nodes to rebalanceThreadPoolSize=1
so that it matches
the previous default configuration. For example:
<bean class="org.apache.ignite.configuration.IgniteConfiguration">
<property name="rebalanceThreadPoolSize" value="1"/>
<!-- The rest of the configuration goes here -->
</bean>
Jetty Doesn’t Accept Incorrect Configuration in GridGain 8.7.31 and Later
In GridGain 8.7.31 Jetty was upgraded to 9.4.33. Starting that version, Jetty has more strict validation of the provided configuration files. Before that version, an incorrectly spelled property in the configuration file had no effect. Starting this version, errors in the configuration will lead to an error on start.
Your setup may be affected if:
-
You use the
ignite-rest-http
module (e.g. to connect to GridGain Web Console) -
You have a custom Jetty configuration for REST
-
The custom configuration has errors in it
You will need to fix the custom Jetty configuration before upgrading.
ignite.sh
No Longer Enables Remote JMX by Default in GridGain 8.7.31 and Later
Starting from 8.7.31 version, GridGain no longer attempts to automatically enable the remote JMX. Default settings are known to cause issues if customized (for example, secure the connection). Also, in most cases, remote JMX is not required since many tools use local JMX connections (not using TCP).
Your setup may be affected if:
-
You start GridGain nodes via
ignite.sh
script -
You connect to GridGain nodes' JMX interface remotely over TCP using the default configuration
To continue using remote JMX, you need to manually specify the required JMX settings. Please see the example below. Note that you don’t need remote JMX if you use a local connection, such as connecting JConsole to a GridGain process on the same host.
export JVM_OPTS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=33333 \
-Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
bin/ignite.sh
We Value Your Feedback
Your comments and suggestions are always welcome. You can reach us here: https://gridgain.freshdesk.com/support/login or docs@gridgain.com
Please visit the documentation for more information.
© 2024 GridGain Systems, Inc. All Rights Reserved. Privacy Policy | Legal Notices. GridGain® is a registered trademark of GridGain Systems, Inc.
Apache, Apache Ignite, the Apache feather and the Apache Ignite logo are either registered trademarks or trademarks of The Apache Software Foundation.