This is an automated email from the ASF dual-hosted git repository.
ptupitsyn pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/ignite-3.git
The following commit(s) were added to refs/heads/main by this push:
new 4b2a44e5ecb IGNITE-28104 Document security model (#7826)
4b2a44e5ecb is described below
commit 4b2a44e5ecb58a884e783dc82031ec3ce688415c
Author: IgGusev <[email protected]>
AuthorDate: Fri Mar 20 13:36:36 2026 +0200
IGNITE-28104 Document security model (#7826)
---
docs/docs/understand/architecture/security.md | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/docs/docs/understand/architecture/security.md
b/docs/docs/understand/architecture/security.md
index ee2e17fd22a..a98ad204f63 100644
--- a/docs/docs/understand/architecture/security.md
+++ b/docs/docs/understand/architecture/security.md
@@ -8,6 +8,12 @@ sidebar_position: 4
Apache Ignite 3 provides authentication and transport encryption to secure
cluster access. Security is disabled by default and must be explicitly enabled
in cluster configuration.
+## Security Model
+
+When it comes to Apache Ignite 3 security, it is very important to note that
by having access to any cluster node it is possible to perform malicious
actions on the cluster. There are no mechanisms that could provide protection
for the cluster in such scenarios.
+
+Therefore, all network ports for Ignite 3 server nodes should only be
available inside a protected subnetwork (the so-called demilitarized zone or
DMZ). Should those ports be exposed outside of DMZ, it is advised to control
access to them by using SSL certificates issued by a trusted Certification
Authority (please see the [SSL/TLS
configuration](/3.1.0/configure-and-operate/configuration/config-ssl-tls)
documentation for more information).
+
## Security Components
```mermaid
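Review bot: In the second added paragraph, "the so-called demilitarized zone or DMZ" is used for a protected internal subnetwork, but a DMZ conventionally names the perimeter segment that faces untrusted networks, so the advice can be read as the opposite of what is meant; consider wording such as "a private, trusted network segment". The same paragraph's "SSL certificates issued by a trusted Certification Authority" does not say whether client certificates are required: a server certificate alone encrypts the connection but does not restrict who may connect, so the sentence should state that client authentication is expected if access control is the intent. In the first added paragraph, "having access to any cluster node" should say whether it means network reachability of the node's ports or access to the host itself, because the unchanged intro just above says Ignite 3 provides authentication and the new text says there are no protective mechanisms. The link target "/3.1.0/configure-and-operate/configuration/config-ssl-tls" pins a version in a file on main; a relative or version-neutral link would not go stale with the next release.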