[jira] [Commented] (IGNITE-22844) control.sh --consistency repair permissions fixes

Fri, 09 Aug 2024 04:53:06 -0700 


    [ 
https://issues.apache.org/jira/browse/IGNITE-22844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17872325#comment-17872325
 ] 

Ignite TC Bot commented on IGNITE-22844:
----------------------------------------

{panel:title=Branch: [pull/11456/head] Base: [master] : No blockers 
found!|borderStyle=dashed|borderColor=#ccc|titleBGColor=#D6F7C1}{panel}
{panel:title=Branch: [pull/11456/head] Base: [master] : New Tests 
(540)|borderStyle=dashed|borderColor=#ccc|titleBGColor=#D6F7C1}
{color:#00008b}Control Utility 2{color} [[tests 
540|https://ci2.ignite.apache.org/viewLog.html?buildId=8021107]]
* {color:#013220}IgniteControlUtilityTestSuite2: 
GridCommandHandlerConsistencyTest.testRepairNonExistentCache[cmdHnd=jmx, 
strategy=LWW, explicitGrp=false, callByGrp=false, withSecurityEnabled=false] - 
PASSED{color}
* {color:#013220}IgniteControlUtilityTestSuite2: 
GridCommandHandlerConsistencyTest.testAtomicAndTxValueAndVersion[cmdHnd=jmx, 
strategy=LWW, explicitGrp=false, callByGrp=false, withSecurityEnabled=false] - 
PASSED{color}
* {color:#013220}IgniteControlUtilityTestSuite2: 
GridCommandHandlerConsistencyTest.testAtomicAndTxVersionOnly[cmdHnd=cli, 
strategy=CHECK_ONLY, explicitGrp=true, callByGrp=true, 
withSecurityEnabled=true] - PASSED{color}
* {color:#013220}IgniteControlUtilityTestSuite2: 
GridCommandHandlerConsistencyTest.testCacheFilter[cmdHnd=cli, 
strategy=CHECK_ONLY, explicitGrp=true, callByGrp=true, 
withSecurityEnabled=true] - PASSED{color}
* {color:#013220}IgniteControlUtilityTestSuite2: 
GridCommandHandlerConsistencyTest.testRepairNonExistentCache[cmdHnd=jmx, 
strategy=LWW, explicitGrp=true, callByGrp=false, withSecurityEnabled=false] - 
PASSED{color}
* {color:#013220}IgniteControlUtilityTestSuite2: 
GridCommandHandlerConsistencyTest.testAtomicAndTxValueAndVersion[cmdHnd=jmx, 
strategy=LWW, explicitGrp=true, callByGrp=false, withSecurityEnabled=false] - 
PASSED{color}
* {color:#013220}IgniteControlUtilityTestSuite2: 
GridCommandHandlerConsistencyTest.testAtomicAndTxVersionOnly[cmdHnd=jmx, 
strategy=LWW, explicitGrp=false, callByGrp=false, withSecurityEnabled=false] - 
PASSED{color}
* {color:#013220}IgniteControlUtilityTestSuite2: 
GridCommandHandlerConsistencyTest.testCacheFilter[cmdHnd=jmx, strategy=LWW, 
explicitGrp=false, callByGrp=false, withSecurityEnabled=false] - PASSED{color}
* {color:#013220}IgniteControlUtilityTestSuite2: 
GridCommandHandlerConsistencyTest.testRepairNonExistentCache[cmdHnd=jmx, 
strategy=LWW, explicitGrp=true, callByGrp=true, withSecurityEnabled=false] - 
PASSED{color}
* {color:#013220}IgniteControlUtilityTestSuite2: 
GridCommandHandlerConsistencyTest.testAtomicAndTxValueAndVersion[cmdHnd=jmx, 
strategy=LWW, explicitGrp=true, callByGrp=true, withSecurityEnabled=false] - 
PASSED{color}
* {color:#013220}IgniteControlUtilityTestSuite2: 
GridCommandHandlerConsistencyTest.testAtomicAndTxVersionOnly[cmdHnd=jmx, 
strategy=LWW, explicitGrp=true, callByGrp=false, withSecurityEnabled=false] - 
PASSED{color}
... and 529 new tests

{panel}
[TeamCity *--> Run :: All* 
Results|https://ci2.ignite.apache.org/viewLog.html?buildId=8021113&buildTypeId=IgniteTests24Java8_RunAll]

> control.sh --consistency repair permissions fixes
> -------------------------------------------------
>
>                 Key: IGNITE-22844
>                 URL: https://issues.apache.org/jira/browse/IGNITE-22844
>             Project: Ignite
>          Issue Type: Improvement
>            Reporter: Maksim Davydov
>            Assignee: Maksim Davydov
>            Priority: Minor
>              Labels: ise
>             Fix For: 2.17
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Currently 'Read Repair' task performed for the chosen partitions by 
> control.sh requires CACHE_READ and CACHE PUT permissions in addition to 
> ADMIN_OPS. Thus, to perform the comand `control.sh --consistency repair` the 
> one needs all 3 permissions.
> There is no point  to have additional CACHE_READ and CACHE_PUT permissions to 
> perform the operation, as they are useless for the task itself, and 
> introduces security risk, by allowing the user to manipulate the cache in 
> parallel.
> The solution would be to substitute user's security context with the context 
> of the cluster node that performs the command. The former is used for the 
> ADMIN_OPS permission check and the latter is used for cache. This will ease 
> the requirement for the users to perform `control.sh --consistency repair` 
> without introducing any additional security risk.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to