[jira] [Updated] (IGNITE-13112) The current security context should be obtained using the IgniteSecurity interface only.

Thu, 15 Apr 2021 01:34:03 -0700 


     [ 
https://issues.apache.org/jira/browse/IGNITE-13112?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stepachev Maksim updated IGNITE-13112:
--------------------------------------
    Reviewer: Stepachev Maksim

> The current security context should be obtained using the IgniteSecurity 
> interface only.
> ----------------------------------------------------------------------------------------
>
>                 Key: IGNITE-13112
>                 URL: https://issues.apache.org/jira/browse/IGNITE-13112
>             Project: Ignite
>          Issue Type: Bug
>          Components: cache, security
>    Affects Versions: 2.8.1
>            Reporter: Denis Garus
>            Assignee: Denis Garus
>            Priority: Major
>              Labels: iep-41
>          Time Spent: 4h 50m
>  Remaining Estimate: 0h
>
> For getting the current security context, we have to use the IgniteSecurity 
> interface only. 
>  We need to get rid of all other ways to transfer a security subject id.
> h4. Suggested implementation
> If Ignite Security (IS) is enabled, then executors, accessed through the 
> {{PoolProcessor}}, are wrapped to a security-aware implementation. 
> Security-aware implementation sets proper security context for tasks that the 
> executor performs.
> The field subject id was deleted from communication requests for cache and 
> compute operations; a remote node gets the subject id that initiates the 
> ignite operation from {{GridIoSecurityAwareMessage}}. {{IgniteSecurity}} uses 
> this id to set a proper security context during the execution of the request.
> Remove {{GridTaskThreadContextKey#TC_SUBJ_ID}}, 
> {{GridCacheContext#subjectIdPerCall}}; a consumer has to obtain a current 
> security subject id through {{IgniteSecurity}} or the set of 
> {{SecurityUtils}} methods.
> For all events that include the subject id field, are set the following rule. 
> If IS is enabled, this field must contain a subject id that initiates an 
> ignite operation, otherwise null.
> Implement {{SecurityAwareCustomMessageWrapper}} for discovery requests that 
> act as {{GridIoSecurityAwareMessage}} for communication requests. It allows 
> setting proper context during the discovery message execution.
> Implement {{SecurityAwareGridRestCommandHandler}} to allow 
> {{GridRestProcessor}} to execute all client requests with the proper security 
> context.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to