[ 
https://issues.apache.org/jira/browse/IGNITE-15966?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mikhail Petrov updated IGNITE-15966:
------------------------------------
    Description: 
Reproducer: 

{code:java}
/** */
public class UserDropTest extends GridCommonAbstractTest {
    /** {@inheritDoc} */
    @Override protected IgniteConfiguration getConfiguration(String 
igniteInstanceName) throws Exception {
        IgniteConfiguration cfg = super.getConfiguration(igniteInstanceName);

        cfg.setAuthenticationEnabled(true);

        cfg.setDataStorageConfiguration(new DataStorageConfiguration()
            .setDefaultDataRegionConfiguration(new DataRegionConfiguration()
                .setPersistenceEnabled(true)));

        return cfg;
    }

    /** */
    @Test
    public void test() throws Exception {
        startGrid(0);
        startGrid(1);

        grid(0).cluster().state(ClusterState.ACTIVE);

        grid(0).createCache(DEFAULT_CACHE_NAME);

        try (AutoCloseable ignored = 
withSecurityContextOnAllNodes(authenticate(grid(0), "ignite", "ignite"))) {
            grid(0).context().security().createUser("cli", "pwd".toCharArray());
        }

        IgniteClient client = Ignition.startClient(new 
ClientConfiguration().setAddresses("127.0.0.1:10800").setUserName("cli").setUserPassword("pwd"));

        ClientCache<Object, Object> cache = client.cache(DEFAULT_CACHE_NAME);

        try (AutoCloseable ignored = 
withSecurityContextOnAllNodes(authenticate(grid(0), "ignite", "ignite"))) {
            grid(0).context().security().dropUser("cli");
        }

        Map<Integer, Integer> entries = new HashMap<>();

        for (int i = 0; i < 10000; i++)
            entries.put(i, i);

        cache.putAll(entries);
    }

    /** {@inheritDoc} */
    @Override protected void beforeTest() throws Exception {
        super.beforeTest();

        cleanPersistenceDir();
    }
}

{code}

Exception:

{code:java}
[2021-11-22 
11:04:32,390][ERROR][sys-stripe-3-#92%ignite.UserDropTest1%][IgniteTestResources]
 Critical system error detected. Will be handled accordingly to configured 
handler [hnd=NoOpFailureHandler [super=AbstractFailureHandler 
[ignoredFailureTypes=UnmodifiableSet [SYSTEM_WORKER_BLOCKED, 
SYSTEM_CRITICAL_OPERATION_TIMEOUT]]], failureCtx=FailureContext 
[type=SYSTEM_WORKER_TERMINATION, err=java.lang.IllegalStateException: Failed to 
find security context for subject with given ID : 
0898b227-30d5-3afc-9394-d8e4889ece4a]]
java.lang.IllegalStateException: Failed to find security context for subject 
with given ID : 0898b227-30d5-3afc-9394-d8e4889ece4a
        at 
org.apache.ignite.internal.processors.security.IgniteSecurityProcessor.withContext(IgniteSecurityProcessor.java:167)
        at 
org.apache.ignite.internal.managers.communication.GridIoManager.invokeListener(GridIoManager.java:1906)
        at 
org.apache.ignite.internal.managers.communication.GridIoManager.processRegularMessage0(GridIoManager.java:1528)
        at 
org.apache.ignite.internal.managers.communication.GridIoManager.access$5300(GridIoManager.java:242)
        at 
org.apache.ignite.internal.managers.communication.GridIoManager$9.execute(GridIoManager.java:1421)
        at 
org.apache.ignite.internal.managers.communication.TraceRunnable.run(TraceRunnable.java:55)
        at 
org.apache.ignite.internal.util.StripedExecutor$Stripe.body(StripedExecutor.java:569)
        at 
org.apache.ignite.internal.util.worker.GridWorker.run(GridWorker.java:125)
        at java.lang.Thread.run(Thread.java:748)
{code}

The main problem is:

Implementation of authentication plugin ties security user with the subject ID 
that is propagated through cluster nodes.

If some node receives operation initiated by the deleted user, it fails to 
obtain its security context via subject id and hangs with mentioned above 
exception.


  was:
Reproducer: 

{code:java}
/** */
public class UserDropTest extends GridCommonAbstractTest {
    /** {@inheritDoc} */
    @Override protected IgniteConfiguration getConfiguration(String 
igniteInstanceName) throws Exception {
        IgniteConfiguration cfg = super.getConfiguration(igniteInstanceName);

        cfg.setAuthenticationEnabled(true);

        cfg.setDataStorageConfiguration(new DataStorageConfiguration()
            .setDefaultDataRegionConfiguration(new DataRegionConfiguration()
                .setPersistenceEnabled(true)));

        return cfg;
    }

    /** */
    @Test
    public void test() throws Exception {
        startGrid(0);
        startGrid(1);

        grid(0).cluster().state(ClusterState.ACTIVE);

        grid(0).createCache(DEFAULT_CACHE_NAME);

        try (AutoCloseable ignored = 
withSecurityContextOnAllNodes(authenticate(grid(0), "ignite", "ignite"))) {
            grid(0).context().security().createUser("cli", "pwd".toCharArray());
        }

        IgniteClient client = Ignition.startClient(new 
ClientConfiguration().setAddresses("127.0.0.1:10800").setUserName("cli").setUserPassword("pwd"));

        ClientCache<Object, Object> cache = client.cache(DEFAULT_CACHE_NAME);

        try (AutoCloseable ignored = 
withSecurityContextOnAllNodes(authenticate(grid(0), "ignite", "ignite"))) {
            grid(0).context().security().dropUser("cli");
        }

        Map<Integer, Integer> entries = new HashMap<>();

        for (int i = 0; i < 10000; i++)
            entries.put(i, i);

        cache.putAll(entries);
    }

    /** {@inheritDoc} */
    @Override protected void beforeTest() throws Exception {
        super.beforeTest();

        cleanPersistenceDir();
    }
}

{code}

Exception:

{code:java}
[2021-11-22 
11:04:32,390][ERROR][sys-stripe-3-#92%ignite.UserDropTest1%][IgniteTestResources]
 Critical system error detected. Will be handled accordingly to configured 
handler [hnd=NoOpFailureHandler [super=AbstractFailureHandler 
[ignoredFailureTypes=UnmodifiableSet [SYSTEM_WORKER_BLOCKED, 
SYSTEM_CRITICAL_OPERATION_TIMEOUT]]], failureCtx=FailureContext 
[type=SYSTEM_WORKER_TERMINATION, err=java.lang.IllegalStateException: Failed to 
find security context for subject with given ID : 
0898b227-30d5-3afc-9394-d8e4889ece4a]]
java.lang.IllegalStateException: Failed to find security context for subject 
with given ID : 0898b227-30d5-3afc-9394-d8e4889ece4a
        at 
org.apache.ignite.internal.processors.security.IgniteSecurityProcessor.withContext(IgniteSecurityProcessor.java:167)
        at 
org.apache.ignite.internal.managers.communication.GridIoManager.invokeListener(GridIoManager.java:1906)
        at 
org.apache.ignite.internal.managers.communication.GridIoManager.processRegularMessage0(GridIoManager.java:1528)
        at 
org.apache.ignite.internal.managers.communication.GridIoManager.access$5300(GridIoManager.java:242)
        at 
org.apache.ignite.internal.managers.communication.GridIoManager$9.execute(GridIoManager.java:1421)
        at 
org.apache.ignite.internal.managers.communication.TraceRunnable.run(TraceRunnable.java:55)
        at 
org.apache.ignite.internal.util.StripedExecutor$Stripe.body(StripedExecutor.java:569)
        at 
org.apache.ignite.internal.util.worker.GridWorker.run(GridWorker.java:125)
        at java.lang.Thread.run(Thread.java:748)
{code}

The main problem is:

Implementation of authentication plugin ties security user with the subject ID 
that is propagated through cluster nodes.

If some node receives operation initiated by the deleted user, it fails to 
obtain its security context via subject id and hangs with mentioned above 
exception.

Here we are faced with a security implementation problem - we have no mechanism 
to determine that a security subject is no longer needed and can be safely 
removed and at the same time we  throw unrecoverable exception in case security 
subject is not found that kills system worker and hangs node.



> [Security] Operation can hang with authentication enabled after user drop 
> operation
> -----------------------------------------------------------------------------------
>
>                 Key: IGNITE-15966
>                 URL: https://issues.apache.org/jira/browse/IGNITE-15966
>             Project: Ignite
>          Issue Type: Bug
>            Reporter: Mikhail Petrov
>            Priority: Blocker
>              Labels: ise
>             Fix For: 2.12
>
>
> Reproducer: 
> {code:java}
> /** */
> public class UserDropTest extends GridCommonAbstractTest {
>     /** {@inheritDoc} */
>     @Override protected IgniteConfiguration getConfiguration(String 
> igniteInstanceName) throws Exception {
>         IgniteConfiguration cfg = super.getConfiguration(igniteInstanceName);
>         cfg.setAuthenticationEnabled(true);
>         cfg.setDataStorageConfiguration(new DataStorageConfiguration()
>             .setDefaultDataRegionConfiguration(new DataRegionConfiguration()
>                 .setPersistenceEnabled(true)));
>         return cfg;
>     }
>     /** */
>     @Test
>     public void test() throws Exception {
>         startGrid(0);
>         startGrid(1);
>         grid(0).cluster().state(ClusterState.ACTIVE);
>         grid(0).createCache(DEFAULT_CACHE_NAME);
>         try (AutoCloseable ignored = 
> withSecurityContextOnAllNodes(authenticate(grid(0), "ignite", "ignite"))) {
>             grid(0).context().security().createUser("cli", 
> "pwd".toCharArray());
>         }
>         IgniteClient client = Ignition.startClient(new 
> ClientConfiguration().setAddresses("127.0.0.1:10800").setUserName("cli").setUserPassword("pwd"));
>         ClientCache<Object, Object> cache = client.cache(DEFAULT_CACHE_NAME);
>         try (AutoCloseable ignored = 
> withSecurityContextOnAllNodes(authenticate(grid(0), "ignite", "ignite"))) {
>             grid(0).context().security().dropUser("cli");
>         }
>         Map<Integer, Integer> entries = new HashMap<>();
>         for (int i = 0; i < 10000; i++)
>             entries.put(i, i);
>         cache.putAll(entries);
>     }
>     /** {@inheritDoc} */
>     @Override protected void beforeTest() throws Exception {
>         super.beforeTest();
>         cleanPersistenceDir();
>     }
> }
> {code}
> Exception:
> {code:java}
> [2021-11-22 
> 11:04:32,390][ERROR][sys-stripe-3-#92%ignite.UserDropTest1%][IgniteTestResources]
>  Critical system error detected. Will be handled accordingly to configured 
> handler [hnd=NoOpFailureHandler [super=AbstractFailureHandler 
> [ignoredFailureTypes=UnmodifiableSet [SYSTEM_WORKER_BLOCKED, 
> SYSTEM_CRITICAL_OPERATION_TIMEOUT]]], failureCtx=FailureContext 
> [type=SYSTEM_WORKER_TERMINATION, err=java.lang.IllegalStateException: Failed 
> to find security context for subject with given ID : 
> 0898b227-30d5-3afc-9394-d8e4889ece4a]]
> java.lang.IllegalStateException: Failed to find security context for subject 
> with given ID : 0898b227-30d5-3afc-9394-d8e4889ece4a
>       at 
> org.apache.ignite.internal.processors.security.IgniteSecurityProcessor.withContext(IgniteSecurityProcessor.java:167)
>       at 
> org.apache.ignite.internal.managers.communication.GridIoManager.invokeListener(GridIoManager.java:1906)
>       at 
> org.apache.ignite.internal.managers.communication.GridIoManager.processRegularMessage0(GridIoManager.java:1528)
>       at 
> org.apache.ignite.internal.managers.communication.GridIoManager.access$5300(GridIoManager.java:242)
>       at 
> org.apache.ignite.internal.managers.communication.GridIoManager$9.execute(GridIoManager.java:1421)
>       at 
> org.apache.ignite.internal.managers.communication.TraceRunnable.run(TraceRunnable.java:55)
>       at 
> org.apache.ignite.internal.util.StripedExecutor$Stripe.body(StripedExecutor.java:569)
>       at 
> org.apache.ignite.internal.util.worker.GridWorker.run(GridWorker.java:125)
>       at java.lang.Thread.run(Thread.java:748)
> {code}
> The main problem is:
> Implementation of authentication plugin ties security user with the subject 
> ID that is propagated through cluster nodes.
> If some node receives operation initiated by the deleted user, it fails to 
> obtain its security context via subject id and hangs with mentioned above 
> exception.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to