This is an automated email from the ASF dual-hosted git repository.
namelchev pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ignite.git
The following commit(s) were added to refs/heads/master by this push:
new d5af66c5658 IGNITE-18819 Added cluster state change permission (#10558)
d5af66c5658 is described below
commit d5af66c565833ab232db2584f8c9b19793939792
Author: Vladimir Steshin <[email protected]>
AuthorDate: Sun Mar 5 16:38:00 2023 +0300
IGNITE-18819 Added cluster state change permission (#10558)
---
.../apache/ignite/jdbc/JdbcAuthorizationTest.java | 3 +-
.../cluster/GridClusterStateProcessor.java | 3 +
.../processors/rest/GridRestProcessor.java | 10 +-
.../ignite/plugin/security/SecurityPermission.java | 8 +
.../security/client/CommonSecurityCheckTest.java | 3 +-
.../cluster/ClusterStatePermissionTest.java | 339 +++++++++++++++++++++
.../security/impl/TestSecurityContext.java | 1 +
.../snapshot/SnapshotPermissionCheckTest.java | 4 +-
.../ignite/testsuites/SecurityTestSuite.java | 2 +
.../http/jetty/RestProcessorAuthorizationTest.java | 3 +-
10 files changed, 367 insertions(+), 9 deletions(-)
diff --git
a/modules/clients/src/test/java/org/apache/ignite/jdbc/JdbcAuthorizationTest.java
b/modules/clients/src/test/java/org/apache/ignite/jdbc/JdbcAuthorizationTest.java
index 4dfabf392bd..e986dd74d7e 100644
---
a/modules/clients/src/test/java/org/apache/ignite/jdbc/JdbcAuthorizationTest.java
+++
b/modules/clients/src/test/java/org/apache/ignite/jdbc/JdbcAuthorizationTest.java
@@ -38,6 +38,7 @@ import static java.sql.DriverManager.getConnection;
import static org.apache.ignite.cache.CacheMode.REPLICATED;
import static org.apache.ignite.cluster.ClusterState.ACTIVE;
import static org.apache.ignite.internal.util.IgniteUtils.resolveIgnitePath;
+import static
org.apache.ignite.plugin.security.SecurityPermission.ADMIN_CLUSTER_STATE;
import static
org.apache.ignite.plugin.security.SecurityPermission.CACHE_CREATE;
import static
org.apache.ignite.plugin.security.SecurityPermission.CACHE_DESTROY;
import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_PUT;
@@ -377,7 +378,7 @@ public class JdbcAuthorizationTest extends
AbstractSecurityTest {
private SecurityPermissionSet serverPermissions() {
return create()
.defaultAllowAll(false)
- .appendSystemPermissions(CACHE_CREATE, JOIN_AS_SERVER)
+ .appendSystemPermissions(CACHE_CREATE, JOIN_AS_SERVER,
ADMIN_CLUSTER_STATE)
.build();
}
diff --git
a/modules/core/src/main/java/org/apache/ignite/internal/processors/cluster/GridClusterStateProcessor.java
b/modules/core/src/main/java/org/apache/ignite/internal/processors/cluster/GridClusterStateProcessor.java
index 436be972272..14ac86ef782 100644
---
a/modules/core/src/main/java/org/apache/ignite/internal/processors/cluster/GridClusterStateProcessor.java
+++
b/modules/core/src/main/java/org/apache/ignite/internal/processors/cluster/GridClusterStateProcessor.java
@@ -94,6 +94,7 @@ import org.apache.ignite.lang.IgniteInClosure;
import org.apache.ignite.lang.IgniteProductVersion;
import org.apache.ignite.lang.IgniteUuid;
import org.apache.ignite.marshaller.jdk.JdkMarshaller;
+import org.apache.ignite.plugin.security.SecurityPermission;
import org.apache.ignite.spi.IgniteNodeValidationResult;
import org.apache.ignite.spi.discovery.DiscoveryDataBag;
import org.apache.ignite.spi.systemview.view.BaselineNodeAttributeView;
@@ -1106,6 +1107,8 @@ public class GridClusterStateProcessor extends
GridProcessorAdapter implements I
boolean forceChangeBaselineTopology,
boolean isAutoAdjust
) {
+ ctx.security().authorize(SecurityPermission.ADMIN_CLUSTER_STATE);
+
if (ctx.maintenanceRegistry().isMaintenanceMode()) {
return new GridFinishedFuture<>(
new IgniteCheckedException("Failed to " + prettyStr(state) + "
(node is in maintenance mode).")
diff --git
a/modules/core/src/main/java/org/apache/ignite/internal/processors/rest/GridRestProcessor.java
b/modules/core/src/main/java/org/apache/ignite/internal/processors/rest/GridRestProcessor.java
index ab960fd47d1..94c4eae1a4b 100644
---
a/modules/core/src/main/java/org/apache/ignite/internal/processors/rest/GridRestProcessor.java
+++
b/modules/core/src/main/java/org/apache/ignite/internal/processors/rest/GridRestProcessor.java
@@ -916,14 +916,9 @@ public class GridRestProcessor extends
GridProcessorAdapter implements IgniteRes
break;
- case CLUSTER_ACTIVE:
- case CLUSTER_INACTIVE:
- case CLUSTER_ACTIVATE:
- case CLUSTER_DEACTIVATE:
case BASELINE_SET:
case BASELINE_ADD:
case BASELINE_REMOVE:
- case CLUSTER_SET_STATE:
perm = SecurityPermission.ADMIN_OPS;
break;
@@ -943,6 +938,11 @@ public class GridRestProcessor extends
GridProcessorAdapter implements IgniteRes
case NAME:
case LOG:
case CLUSTER_CURRENT_STATE:
+ case CLUSTER_ACTIVE:
+ case CLUSTER_INACTIVE:
+ case CLUSTER_ACTIVATE:
+ case CLUSTER_DEACTIVATE:
+ case CLUSTER_SET_STATE:
case CLUSTER_NAME:
case BASELINE_CURRENT_STATE:
case CLUSTER_STATE:
diff --git
a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java
b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java
index cbf896ff314..376dc81ec8a 100644
---
a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java
+++
b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java
@@ -17,6 +17,7 @@
package org.apache.ignite.plugin.security;
+import org.apache.ignite.cluster.ClusterState;
import org.jetbrains.annotations.Nullable;
/**
@@ -90,6 +91,13 @@ public enum SecurityPermission {
/** Administration operation with cluster snapshots (create, cancel,
check). */
ADMIN_SNAPSHOT,
+ /**
+ * Administration operation: changing cluster state.
+ *
+ * @see ClusterState
+ */
+ ADMIN_CLUSTER_STATE,
+
/** Permission to execute REFRESH STATISTICS command. */
REFRESH_STATISTICS,
diff --git
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/CommonSecurityCheckTest.java
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/CommonSecurityCheckTest.java
index bce1075fadb..f6356b832a0 100644
---
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/CommonSecurityCheckTest.java
+++
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/CommonSecurityCheckTest.java
@@ -44,6 +44,7 @@ import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;
import static
org.apache.ignite.internal.processors.security.impl.TestAdditionalSecurityProcessor.CLIENT;
+import static
org.apache.ignite.plugin.security.SecurityPermission.ADMIN_CLUSTER_STATE;
import static org.apache.ignite.plugin.security.SecurityPermission.ADMIN_OPS;
import static
org.apache.ignite.plugin.security.SecurityPermission.CACHE_CREATE;
import static
org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALL_PERMISSIONS;
@@ -72,7 +73,7 @@ public abstract class CommonSecurityCheckTest extends
AbstractSecurityTest {
protected TestSecurityData[] clientData() {
return new TestSecurityData[]{new TestSecurityData(CLIENT,
SecurityPermissionSetBuilder.create().defaultAllowAll(false)
- .appendSystemPermissions(ADMIN_OPS, CACHE_CREATE)
+ .appendSystemPermissions(ADMIN_OPS, CACHE_CREATE,
ADMIN_CLUSTER_STATE)
.build()
)};
}
diff --git
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/ClusterStatePermissionTest.java
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/ClusterStatePermissionTest.java
new file mode 100644
index 00000000000..a5a9c2eef7e
--- /dev/null
+++
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/ClusterStatePermissionTest.java
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.security.cluster;
+
+import java.security.Permissions;
+import java.util.Collection;
+import java.util.function.Consumer;
+import org.apache.ignite.Ignite;
+import org.apache.ignite.IgniteCluster;
+import org.apache.ignite.IgniteException;
+import org.apache.ignite.client.ClientAuthorizationException;
+import org.apache.ignite.client.ClientCluster;
+import org.apache.ignite.client.Config;
+import org.apache.ignite.client.IgniteClient;
+import org.apache.ignite.cluster.ClusterState;
+import org.apache.ignite.configuration.ClientConfiguration;
+import org.apache.ignite.configuration.ConnectorConfiguration;
+import org.apache.ignite.configuration.DataRegionConfiguration;
+import org.apache.ignite.configuration.DataStorageConfiguration;
+import org.apache.ignite.configuration.IgniteConfiguration;
+import org.apache.ignite.internal.client.GridClient;
+import org.apache.ignite.internal.client.GridClientConfiguration;
+import org.apache.ignite.internal.client.GridClientException;
+import org.apache.ignite.internal.client.GridClientFactory;
+import org.apache.ignite.internal.processors.rest.GridRestCommand;
+import org.apache.ignite.internal.processors.security.AbstractSecurityTest;
+import org.apache.ignite.internal.processors.security.impl.TestSecurityData;
+import
org.apache.ignite.internal.processors.security.impl.TestSecurityPluginProvider;
+import org.apache.ignite.internal.util.typedef.F;
+import org.apache.ignite.internal.util.typedef.G;
+import org.apache.ignite.plugin.security.SecurityCredentials;
+import org.apache.ignite.plugin.security.SecurityCredentialsBasicProvider;
+import org.apache.ignite.plugin.security.SecurityException;
+import org.apache.ignite.plugin.security.SecurityPermission;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+import static org.apache.ignite.cluster.ClusterState.ACTIVE;
+import static org.apache.ignite.cluster.ClusterState.ACTIVE_READ_ONLY;
+import static org.apache.ignite.cluster.ClusterState.INACTIVE;
+import static org.apache.ignite.internal.util.lang.GridFunc.asList;
+import static
org.apache.ignite.plugin.security.SecurityPermission.ADMIN_CLUSTER_STATE;
+import static
org.apache.ignite.plugin.security.SecurityPermission.JOIN_AS_SERVER;
+import static
org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.create;
+import static
org.apache.ignite.testframework.GridTestUtils.assertThrowsAnyCause;
+import static org.apache.ignite.testframework.GridTestUtils.cartesianProduct;
+
+/**
+ * Tests permissions of cluster state change.
+ */
+@RunWith(Parameterized.class)
+public class ClusterStatePermissionTest extends AbstractSecurityTest {
+ /** */
+ private static final SecurityPermission[] EMPTY_PERMS = new
SecurityPermission[0];
+
+ /** */
+ private SecurityPermission[] permissions = EMPTY_PERMS;
+
+ /** The initiator parameter. */
+ @Parameterized.Parameter
+ public Initiator initiator;
+
+ /** Persistence flag parameter. */
+ @Parameterized.Parameter(1)
+ public boolean persistence;
+
+ /** @return Test parameters. */
+ @Parameterized.Parameters(name = "initiator={0}, persistence={1}")
+ public static Collection<?> parameters() {
+ return cartesianProduct(asList(Initiator.values()), asList(false,
true));
+ }
+
+ /** {@inheritDoc} */
+ @Override protected void afterTest() throws Exception {
+ super.afterTest();
+
+ stopAllGrids();
+ }
+
+ /** {@inheritDoc} */
+ @Override protected IgniteConfiguration getConfiguration(String
instanceName) throws Exception {
+ SecurityPermission[] srvPerms = initiator == Initiator.SERVER ||
initiator == Initiator.CLIENT ? permissions :
+ EMPTY_PERMS;
+
+ // Apply the permissions on client side if they are not for server
side.
+ SecurityPermission[] clientPerms = F.isEmpty(srvPerms) ? permissions :
EMPTY_PERMS;
+
+ return getConfiguration(instanceName, srvPerms, clientPerms);
+ }
+
+ /**
+ * @return Ignite configuration with given server and client permissions.
+ */
+ private IgniteConfiguration getConfiguration(
+ String instanceName,
+ SecurityPermission[] srvPerms,
+ SecurityPermission[] cliPerms
+ ) throws Exception {
+ IgniteConfiguration cfg = super.getConfiguration(instanceName);
+
+ TestSecurityPluginProvider secPlugin = new TestSecurityPluginProvider(
+ instanceName,
+ "",
+
create().defaultAllowAll(false).appendSystemPermissions(F.concat(srvPerms,
JOIN_AS_SERVER)).build(),
+ false,
+ new TestSecurityData(
+ "client",
+ "",
+
create().defaultAllowAll(false).appendSystemPermissions(cliPerms).build(),
+ new Permissions()
+ )
+ );
+
+ cfg.setPluginProviders(secPlugin);
+
+ cfg.setClusterStateOnStart(INACTIVE);
+
+ cfg.setConnectorConfiguration(new ConnectorConfiguration());
+
+ if (!cfg.isClientMode()) {
+ cfg.setDataStorageConfiguration(new DataStorageConfiguration()
+ .setDefaultDataRegionConfiguration(new
DataRegionConfiguration().setPersistenceEnabled(persistence)));
+ }
+
+ return cfg;
+ }
+
+ /**
+ * Tests that all state changes are allowed with the permission.
+ */
+ @Test
+ public void testActivationDeactivationAllowed() throws Exception {
+ permissions = F.asArray(ADMIN_CLUSTER_STATE);
+
+ doTestChangeState(
+ F.asArray(ACTIVE_READ_ONLY, INACTIVE, ACTIVE_READ_ONLY, ACTIVE,
INACTIVE, ACTIVE, ACTIVE_READ_ONLY),
+ true
+ );
+ }
+
+ /**
+ * Tests that the activation is not allowed without the permission.
+ */
+ @Test
+ public void testActivationNotAllowed() throws Exception {
+ doTestChangeState(F.asArray(ACTIVE), false);
+ }
+
+ /**
+ * Tests that the deactivation is not allowed without the permission.
+ */
+ @Test
+ public void testDeactivationNotAllowed() throws Exception {
+ startAllAllowedNode();
+
+ doTestChangeState(F.asArray(INACTIVE), false);
+ }
+
+ /**
+ * Tests that same-state change is not allowed without the permission.
+ */
+ @Test
+ public void testSameStateNotAllowedWithoutPermission() throws Exception {
+ startAllAllowedNode();
+
+ doTestChangeState(F.asArray(ACTIVE), false);
+ }
+
+ /**
+ * Starts single server node, activates the cluster.
+ */
+ private void startAllAllowedNode() throws Exception {
+ Ignite ig = startGrid(getConfiguration(getTestIgniteInstanceName(0),
F.asArray(ADMIN_CLUSTER_STATE),
+ EMPTY_PERMS));
+
+ ig.cluster().state(ACTIVE);
+ }
+
+ /**
+ * Tries to change state and ensures that a proper error raises if
required.
+ *
+ * @param states Cluster states to try to set to one by one.
+ * @param allowed {@code True}, if the state changes must be allowed.
{@code False} otherwise.
+ */
+ private void doTestChangeState(ClusterState[] states, boolean allowed)
throws Exception {
+ assert states != null && states.length > 0;
+
+ Ignite ig = startGrid(G.allGrids().size());
+
+ startGrid(G.allGrids().size());
+
+ Consumer<ClusterState> action = initiatorAction(ig);
+
+ for (int i = 0; i < states.length; ++i) {
+ ClusterState stateTo = states[i];
+
+ if (allowed) {
+ action.accept(stateTo);
+
+ assertEquals(stateTo, ig.cluster().state());
+ }
+ else
+ ensureThrows(action, stateTo);
+ }
+ }
+
+ /**
+ * Ensures that a proper error occurs on cluster change state action.
+ */
+ private void ensureThrows(Consumer<ClusterState> action, ClusterState
stateTo) {
+ Class<? extends Throwable> cause = SecurityException.class;
+ String errMsg = "Authorization failed [perm=" + ADMIN_CLUSTER_STATE;
+
+ if (Initiator.THIN_CLIENT == initiator) {
+ cause = ClientAuthorizationException.class;
+ errMsg = "User is not authorized to perform this operation";
+ }
+ else if (Initiator.REMOTE_CONTROL == initiator)
+ cause = GridClientException.class;
+
+ assertThrowsAnyCause(
+ null,
+ () -> {
+ action.accept(stateTo);
+
+ return null;
+ },
+ cause,
+ errMsg
+ );
+ }
+
+ /**
+ * @return Change state operation depending on {@link #initiator}.
+ */
+ private Consumer<ClusterState> initiatorAction(Ignite srv) throws
Exception {
+ switch (initiator) {
+ case SERVER:
+ return (state) -> srv.cluster().state(state);
+
+ case CLIENT:
+ return (state) -> {
+ try {
+
startClientGrid(G.allGrids().size()).cluster().state(state);
+ }
+ catch (Exception e) {
+ throw new IgniteException("Unable to start client
grid.", e);
+ }
+ };
+
+ case THIN_CLIENT: {
+ return new Consumer<ClusterState>() {
+ @Override public void accept(ClusterState state) {
+ try (IgniteClient client = G.startClient(new
ClientConfiguration().setAddresses(Config.SERVER)
+ .setUserName("client").setUserPassword(""))) {
+ client.cluster().state(state);
+ }
+ }
+ };
+ }
+
+ case REMOTE_CONTROL: {
+ GridClientConfiguration cfg = new GridClientConfiguration();
+
+ cfg.setServers(asList("127.0.0.1:11211"));
+
+ cfg.setSecurityCredentialsProvider(
+ new SecurityCredentialsBasicProvider(new
SecurityCredentials("client", "")));
+
+ return new Consumer<ClusterState>() {
+ @Override public void accept(ClusterState state) {
+ try (GridClient gridClient =
GridClientFactory.start(cfg)) {
+ assert gridClient.connected();
+
+ gridClient.state().state(state, true);
+ }
+ catch (GridClientException e) {
+ throw new IgniteException(e.getMessage(), e);
+ }
+ }
+ };
+ }
+
+ default:
+ throw new IllegalArgumentException("Unsupported operation
initiator: " + initiator);
+ }
+ }
+
+ /**
+ * Initiator type of the cluster state change.
+ */
+ private enum Initiator {
+ /**
+ * Server node for Java API call the or the JMX call.
+ *
+ * @see IgniteCluster#state(ClusterState)
+ */
+ SERVER,
+
+ /**
+ * Client node for Java API call the or the JMX call.
+ *
+ * @see IgniteCluster#state(ClusterState)
+ * @see IgniteConfiguration#isClientMode()
+ */
+ CLIENT,
+
+ /**
+ * Call from the thin client.
+ *
+ * @see ClientCluster#state(ClusterState)
+ */
+ THIN_CLIENT,
+
+ /**
+ * Call from a remote control like control.sh of the REST API.
+ *
+ * @see GridClient
+ * @see GridRestCommand#CLUSTER_SET_STATE
+ */
+ REMOTE_CONTROL
+ }
+}
diff --git
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java
index b17a5972b84..8c6e1af81d4 100644
---
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java
+++
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java
@@ -69,6 +69,7 @@ public class TestSecurityContext implements SecurityContext,
Serializable {
case ADMIN_QUERY:
case ADMIN_OPS:
case ADMIN_SNAPSHOT:
+ case ADMIN_CLUSTER_STATE:
case JOIN_AS_SERVER:
case ADMIN_KILL:
return systemOperationAllowed(perm);
diff --git
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/snapshot/SnapshotPermissionCheckTest.java
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/snapshot/SnapshotPermissionCheckTest.java
index 8c1e3feaff2..dec4f8b281f 100644
---
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/snapshot/SnapshotPermissionCheckTest.java
+++
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/snapshot/SnapshotPermissionCheckTest.java
@@ -35,6 +35,7 @@ import
org.apache.ignite.configuration.DataStorageConfiguration;
import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.internal.processors.security.AbstractSecurityTest;
import
org.apache.ignite.internal.processors.security.AbstractTestSecurityPluginProvider;
+import org.apache.ignite.internal.util.typedef.F;
import org.apache.ignite.plugin.security.SecurityException;
import org.apache.ignite.plugin.security.SecurityPermission;
import org.apache.ignite.plugin.security.SecurityPermissionSet;
@@ -44,6 +45,7 @@ import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;
import static java.lang.String.format;
+import static
org.apache.ignite.plugin.security.SecurityPermission.ADMIN_CLUSTER_STATE;
import static
org.apache.ignite.plugin.security.SecurityPermission.ADMIN_SNAPSHOT;
import static
org.apache.ignite.plugin.security.SecurityPermission.CACHE_CREATE;
import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_PUT;
@@ -131,7 +133,7 @@ public class SnapshotPermissionCheckTest extends
AbstractSecurityTest {
return SecurityPermissionSetBuilder.create()
.defaultAllowAll(false)
.appendCachePermissions(DEFAULT_CACHE_NAME, CACHE_CREATE,
CACHE_PUT)
- .appendSystemPermissions(perms)
+ .appendSystemPermissions(F.concat(perms, ADMIN_CLUSTER_STATE))
.build();
}
diff --git
a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
index d52018d9302..32e62d67ce9 100644
---
a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
+++
b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
@@ -38,6 +38,7 @@ import
org.apache.ignite.internal.processors.security.client.ThinClientPermissio
import
org.apache.ignite.internal.processors.security.client.ThinClientPermissionCheckTest;
import
org.apache.ignite.internal.processors.security.client.ThinClientSecurityContextOnRemoteNodeTest;
import
org.apache.ignite.internal.processors.security.client.ThinClientSslPermissionCheckTest;
+import
org.apache.ignite.internal.processors.security.cluster.ClusterStatePermissionTest;
import
org.apache.ignite.internal.processors.security.compute.ComputePermissionCheckTest;
import
org.apache.ignite.internal.processors.security.compute.closure.ComputeTaskCancelRemoteSecurityContextCheckTest;
import
org.apache.ignite.internal.processors.security.compute.closure.ComputeTaskRemoteSecurityContextCheckTest;
@@ -89,6 +90,7 @@ import org.junit.runners.Suite;
IgniteClientContainSubjectAddressTest.class,
ClientReconnectTest.class,
SnapshotPermissionCheckTest.class,
+ ClusterStatePermissionTest.class,
DistributedClosureRemoteSecurityContextCheckTest.class,
ComputeTaskRemoteSecurityContextCheckTest.class,
diff --git
a/modules/rest-http/src/test/java/org/apache/ignite/internal/processors/rest/protocols/http/jetty/RestProcessorAuthorizationTest.java
b/modules/rest-http/src/test/java/org/apache/ignite/internal/processors/rest/protocols/http/jetty/RestProcessorAuthorizationTest.java
index cd2300b9eef..a7f5ac47b82 100644
---
a/modules/rest-http/src/test/java/org/apache/ignite/internal/processors/rest/protocols/http/jetty/RestProcessorAuthorizationTest.java
+++
b/modules/rest-http/src/test/java/org/apache/ignite/internal/processors/rest/protocols/http/jetty/RestProcessorAuthorizationTest.java
@@ -81,7 +81,8 @@ public class RestProcessorAuthorizationTest extends
CommonSecurityCheckTest {
SecurityPermission perm,
SecurityContext securityCtx
) throws SecurityException {
- authorizationCtxList.add(F.t(name, perm, securityCtx));
+ if (perm.name().startsWith("CACHE_"))
+ authorizationCtxList.add(F.t(name, perm,
securityCtx));
super.authorize(name, perm, securityCtx);
}
