Currently, as long as a node has access to Galera Cluster's TCP ports, it is allowed to make SST/IST requests. In general, no authentication is performed.
Currently, there are basically two ways to prevent an unauthorized node from making SST/IST requests:
1.) Use firewall rules to prevent unauthorized hosts from accessing the Galera Cluster ports.
2.) Configure your nodes to require TLS with certificate validation. This would have to be done separately for SSTs and ISTs.
For mariabackup SSTs, there is some information about how to configure TLS here:
For rsync SSTs, there is some information about how to configure TLS here:
For ISTs, there is some information about how to configure TLS here:
Some users do not think that any of the current methods are sufficient. They would like MariaDB to implement some method that can be used to allowlist the addresses that are allowed to make SST/IST requests.
How could this be implemented?
Introduced a new variable called wsrep_allowlist to store Galera node IPs in the cluster. If the joiner node IP is not in the wsrep_allowlist, the Galera cluster will not allow the joiner node to join the cluster. This will help prevent unauthorized access to the cluster
The most intuitive method would probably be to treat wsrep_cluster_address as a allowlist of the addresses that can make SST/IST requests., This system variable is already used to configure the addresses of the nodes in the cluster, so it would work out-of-the-box for most users.