This is an automated email from the ASF dual-hosted git repository.
mpetrov pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ignite.git
The following commit(s) were added to refs/heads/master by this push:
new 226b0ab8181 IGNITE-15322 Stop internal compute task public access
permissions to be checked if executed via Private API. (#10607)
226b0ab8181 is described below
commit 226b0ab81810411eb093178a4bf63f5f07cfbd6a
Author: Mikhail Petrov <[email protected]>
AuthorDate: Mon Mar 27 17:58:35 2023 +0300
IGNITE-15322 Stop internal compute task public access permissions to be
checked if executed via Private API. (#10607)
---
.../org/apache/ignite/common/ComputeTaskPermissionsTest.java | 7 +++++++
.../ignite/internal/processors/task/GridTaskWorker.java | 12 +++++++-----
2 files changed, 14 insertions(+), 5 deletions(-)
diff --git
a/modules/clients/src/test/java/org/apache/ignite/common/ComputeTaskPermissionsTest.java
b/modules/clients/src/test/java/org/apache/ignite/common/ComputeTaskPermissionsTest.java
index f130913f2d7..817536347d0 100644
---
a/modules/clients/src/test/java/org/apache/ignite/common/ComputeTaskPermissionsTest.java
+++
b/modules/clients/src/test/java/org/apache/ignite/common/ComputeTaskPermissionsTest.java
@@ -271,6 +271,13 @@ public class ComputeTaskPermissionsTest extends
AbstractSecurityTest {
try (IgniteClient cli = startClient("no-permissions-login-0")) {
assertFailed(() ->
cli.compute().executeAsync2(PublicAccessSystemTask.class.getName(),
null).get());
}
+
+ // Internal tasks with public access permissions explicitly specified
still can be executed via Private API
+ // without permission checks.
+ assertCompleted(
+ () ->
grid(0).context().task().execute(PublicAccessSystemTask.class,
null).get(getTestTimeout()),
+ SRV_NODES_CNT
+ );
}
/** */
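Review bot: The added assertion only exercises the private API as the server node itself (`grid(0).context().task().execute(PublicAccessSystemTask.class, null)`), so it does not pin what happens when a restricted subject's security context is current on the calling thread. The comment promises execution "without permission checks", so a second case running the same call on behalf of a subject with no permissions would show whether that bypass is intended for every private caller or only for node-initiated work. The test method begins outside the hunk, so such a case may already exist earlier in it.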
diff --git
a/modules/core/src/main/java/org/apache/ignite/internal/processors/task/GridTaskWorker.java
b/modules/core/src/main/java/org/apache/ignite/internal/processors/task/GridTaskWorker.java
index 94805dcbcbf..dcabdc34e66 100644
---
a/modules/core/src/main/java/org/apache/ignite/internal/processors/task/GridTaskWorker.java
+++
b/modules/core/src/main/java/org/apache/ignite/internal/processors/task/GridTaskWorker.java
@@ -1777,12 +1777,14 @@ public class GridTaskWorker<T, R> extends GridWorker
implements GridTimeoutObjec
}
else if (executable instanceof PlatformSecurityAwareJob)
ctx.security().authorize(((PlatformSecurityAwareJob)executable).name(),
TASK_EXECUTE);
- else if (executable instanceof PublicAccessJob)
- authorizeAll(ctx.security(),
((PublicAccessJob)executable).requiredPermissions());
else if (opts.isPublicRequest()) {
- // We do not allow to execute internal tasks via public API for
security reasons.
- throw new SecurityException("Access to Ignite Internal tasks is
restricted" +
- " [task=" + task.getClass().getName() + ", job=" +
job.getClass() + "]");
+ if (executable instanceof PublicAccessJob)
+ authorizeAll(ctx.security(),
((PublicAccessJob)executable).requiredPermissions());
+ else {
+ // We do not allow to execute internal tasks via public API
for security reasons.
+ throw new SecurityException("Access to Ignite Internal tasks
is restricted" +
+ " [task=" + task.getClass().getName() + ", job=" +
job.getClass() + "]");
+ }
}
}
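Review bot: With the `PublicAccessJob` check nested under `else if (opts.isPublicRequest())`, that flag is now the only thing that decides whether `requiredPermissions()` is enforced for these jobs, and the branch has no comment stating that invariant. Nothing in the hunk shows where the flag is set, so it is worth confirming that every entry point carrying user-originated requests (thin client, REST and similar) marks the request as public, because a path that forgets to do so would now skip authorization silently instead of hitting the old unconditional check. I would add above the branch something like `// Private API callers are trusted: permissions are enforced only for requests marked public, so every user-facing entry point must set that flag.` The enclosing if/else chain starts outside the hunk.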