This is an automated email from the ASF dual-hosted git repository.
ivandasch pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ignite.git
The following commit(s) were added to refs/heads/master by this push:
new 9f4f7384dfa IGNITE-23563 Fix node fails while checking security
permission for activation during join (#11631)
9f4f7384dfa is described below
commit 9f4f7384dfa2e5db706116b6f7f3bf336c2cf7b3
Author: Ivan Daschinskiy <[email protected]>
AuthorDate: Thu Oct 31 10:32:09 2024 +0300
IGNITE-23563 Fix node fails while checking security permission for
activation during join (#11631)
---
.../cluster/GridClusterStateProcessor.java | 7 +-
...nJoinWithoutPermissionsWithPersistenceTest.java | 105 +++++++++++++++++++++
.../ignite/testsuites/SecurityTestSuite.java | 4 +-
.../zk/ZookeeperDiscoverySpiTestSuite4.java | 4 +-
4 files changed, 117 insertions(+), 3 deletions(-)
diff --git
a/modules/core/src/main/java/org/apache/ignite/internal/processors/cluster/GridClusterStateProcessor.java
b/modules/core/src/main/java/org/apache/ignite/internal/processors/cluster/GridClusterStateProcessor.java
index 1b55eedebd9..bf723d400fa 100644
---
a/modules/core/src/main/java/org/apache/ignite/internal/processors/cluster/GridClusterStateProcessor.java
+++
b/modules/core/src/main/java/org/apache/ignite/internal/processors/cluster/GridClusterStateProcessor.java
@@ -1109,7 +1109,12 @@ public class GridClusterStateProcessor extends
GridProcessorAdapter implements I
boolean forceChangeBaselineTopology,
boolean isAutoAdjust
) {
- ctx.security().authorize(SecurityPermission.ADMIN_CLUSTER_STATE);
+ try {
+ ctx.security().authorize(SecurityPermission.ADMIN_CLUSTER_STATE);
+ }
+ catch (org.apache.ignite.plugin.security.SecurityException secEx) {
+ return new GridFinishedFuture<>(secEx);
+ }
if (ctx.maintenanceRegistry().isMaintenanceMode()) {
return new GridFinishedFuture<>(
diff --git
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/ActivationOnJoinWithoutPermissionsWithPersistenceTest.java
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/ActivationOnJoinWithoutPermissionsWithPersistenceTest.java
new file mode 100644
index 00000000000..c6dc2b41a62
--- /dev/null
+++
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/ActivationOnJoinWithoutPermissionsWithPersistenceTest.java
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.security.cluster;
+
+import org.apache.ignite.configuration.DataRegionConfiguration;
+import org.apache.ignite.configuration.DataStorageConfiguration;
+import org.apache.ignite.configuration.IgniteConfiguration;
+import org.apache.ignite.failure.StopNodeFailureHandler;
+import org.apache.ignite.internal.processors.security.AbstractSecurityTest;
+import
org.apache.ignite.internal.processors.security.impl.TestSecurityPluginProvider;
+import org.apache.ignite.internal.util.typedef.F;
+import org.apache.ignite.internal.util.typedef.G;
+import org.apache.ignite.plugin.security.SecurityPermission;
+import org.junit.Test;
+
+import static org.apache.ignite.cluster.ClusterState.ACTIVE;
+import static org.apache.ignite.cluster.ClusterState.INACTIVE;
+import static
org.apache.ignite.plugin.security.SecurityPermission.ADMIN_CLUSTER_STATE;
+import static
org.apache.ignite.plugin.security.SecurityPermission.JOIN_AS_SERVER;
+import static
org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.create;
+
+/**
+ * Tests joining baseline node without permissions. It should join
successfully, but
+ * cluster must be left in INACTIVE state. {@link
org.apache.ignite.internal.processors.cluster.GridClusterStateProcessor#onLocalJoin}
+ * must not complete exceptionally.
+ */
+public class ActivationOnJoinWithoutPermissionsWithPersistenceTest extends
AbstractSecurityTest {
+ /** */
+ private static final int NUM_NODES = 3;
+
+ /** {@inheritDoc} */
+ @Override protected IgniteConfiguration getConfiguration(String
instanceName) throws Exception {
+ SecurityPermission[] srvPerms = F.asArray(ADMIN_CLUSTER_STATE);
+
+ return getConfiguration(instanceName, srvPerms);
+ }
+
+ /**
+ * @return Ignite configuration with given server and client permissions.
+ */
+ private IgniteConfiguration getConfiguration(
+ String instanceName,
+ SecurityPermission[] srvPerms
+ ) throws Exception {
+ IgniteConfiguration cfg = super.getConfiguration(instanceName);
+
+ cfg.setConsistentId(instanceName);
+
+ TestSecurityPluginProvider secPlugin = new TestSecurityPluginProvider(
+ instanceName,
+ "",
+
create().defaultAllowAll(false).appendSystemPermissions(F.concat(srvPerms,
JOIN_AS_SERVER)).build(),
+ false,
+ EMPTY_SECURITY_DATA
+ );
+
+ cfg.setPluginProviders(secPlugin);
+
+ cfg.setFailureHandler(new StopNodeFailureHandler());
+
+ cfg.setDataStorageConfiguration(new DataStorageConfiguration()
+ .setDefaultDataRegionConfiguration(new
DataRegionConfiguration().setPersistenceEnabled(true)));
+
+ return cfg;
+ }
+
+ /** */
+ @Test
+ public void testNodeJoinWithoutPermissions() throws Exception {
+ // Start grids and activate them.
+ startGrids(NUM_NODES);
+
+ grid(0).cluster().state(ACTIVE);
+ assertEquals(ACTIVE, grid(0).cluster().state());
+
+ // Stop all of them and restart just the firsts.
+ G.stopAll(true);
+
+ startGrids(NUM_NODES - 1);
+
+ // Start the last one with empty permissions.
+ startGrid(getConfiguration(getTestIgniteInstanceName(NUM_NODES - 1),
EMPTY_PERMS));
+
+ // Check for state and topology.
+ waitForTopology(NUM_NODES);
+
+ assertEquals(INACTIVE, grid(0).cluster().state());
+ assertEquals(NUM_NODES, grid(0).cluster().forServers().nodes().size());
+ }
+}
diff --git
a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
index 64dc1d9e3a9..d7cf6a08796 100644
---
a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
+++
b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
@@ -39,6 +39,7 @@ import
org.apache.ignite.internal.processors.security.client.ThinClientPermissio
import
org.apache.ignite.internal.processors.security.client.ThinClientPermissionCheckTest;
import
org.apache.ignite.internal.processors.security.client.ThinClientSecurityContextOnRemoteNodeTest;
import
org.apache.ignite.internal.processors.security.client.ThinClientSslPermissionCheckTest;
+import
org.apache.ignite.internal.processors.security.cluster.ActivationOnJoinWithoutPermissionsWithPersistenceTest;
import
org.apache.ignite.internal.processors.security.cluster.ClusterNodeOperationPermissionTest;
import
org.apache.ignite.internal.processors.security.cluster.ClusterStatePermissionTest;
import
org.apache.ignite.internal.processors.security.cluster.NodeJoinPermissionsTest;
@@ -140,7 +141,8 @@ import org.junit.runners.Suite;
ServiceStaticConfigTest.class,
ClusterNodeOperationPermissionTest.class,
NodeSecurityContextPropagationTest.class,
- NodeJoinPermissionsTest.class
+ NodeJoinPermissionsTest.class,
+ ActivationOnJoinWithoutPermissionsWithPersistenceTest.class,
})
public class SecurityTestSuite {
/** */
diff --git
a/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/ZookeeperDiscoverySpiTestSuite4.java
b/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/ZookeeperDiscoverySpiTestSuite4.java
index 6a6d1f9a701..e364bc12182 100644
---
a/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/ZookeeperDiscoverySpiTestSuite4.java
+++
b/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/ZookeeperDiscoverySpiTestSuite4.java
@@ -27,6 +27,7 @@ import
org.apache.ignite.internal.processors.cache.distributed.replicated.GridCa
import
org.apache.ignite.internal.processors.cache.distributed.replicated.IgniteCacheReplicatedQuerySelfTest;
import
org.apache.ignite.internal.processors.metastorage.DistributedMetaStoragePersistentTest;
import
org.apache.ignite.internal.processors.metastorage.DistributedMetaStorageTest;
+import
org.apache.ignite.internal.processors.security.cluster.ActivationOnJoinWithoutPermissionsWithPersistenceTest;
import
org.apache.ignite.internal.processors.security.cluster.NodeJoinPermissionsTest;
import org.apache.ignite.spi.discovery.DiscoverySpiDataExchangeTest;
import org.junit.BeforeClass;
@@ -50,7 +51,8 @@ import org.junit.runners.Suite;
IgniteNodeValidationFailedEventTest.class,
DiscoverySpiDataExchangeTest.class,
CacheCreateDestroyEventSecurityContextTest.class,
- NodeJoinPermissionsTest.class
+ NodeJoinPermissionsTest.class,
+ ActivationOnJoinWithoutPermissionsWithPersistenceTest.class,
})
public class ZookeeperDiscoverySpiTestSuite4 {
/** */
