ololo3000 commented on a change in pull request #8892:
URL: https://github.com/apache/ignite/pull/8892#discussion_r615022831
##########
File path:
modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java
##########
@@ -836,14 +792,11 @@ private void
onAuthenticateResponseMessage(UserAuthenticateResponseMessage msg)
* Local node joined to topology. Discovery cache is available but no
discovery custom message are received.
* Initial user set and initial user operation (received on join) are
processed here.
*/
- public void onLocalJoin() {
- if (coordinator() == null)
+ private void onLocalJoin() {
+ if (ctx.isDaemon() || ctx.clientDisconnected() || coordinator() ==
null)
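Review bot: the Javadoc above onLocalJoin() still describes only the processing of the initial user set, and says nothing about the guard that now also tests ctx.isDaemon() and ctx.clientDisconnected(). Add a comment on the condition stating why each of the three cases is excluded. Since the method changes from public to private in the same hunk, also confirm that no caller outside this class remains.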
Review comment:
Please see the changes related to GridDiscoveryManager#start. My motivation
for adding this check:
It was called by GridDiscoveryManager previously, and to keep
IgniteAuthenticationProcessor behavior intact I duplicated it.
It might be weird, but it makes review easier. And it works exactly as before.
##########
File path:
modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java
##########
@@ -1335,4 +1332,99 @@ private RefreshUsersStorageWorker(ArrayList<User> usrs) {
}
}
}
+
+ /** Represents {@link SecuritySubject} implementation. */
+ private static class SecuritySubjectImpl implements SecuritySubject {
+ /** */
+ private static final long serialVersionUID = 0L;
+
+ /** Security subject identifier. */
+ private final UUID id;
+
+ /** Security subject login. */
+ private final Object login;
+
+ /** Security subject type. */
+ private final SecuritySubjectType type;
+
+ /** Security subject address. */
+ private final InetSocketAddress addr;
+
+ /** */
+ public SecuritySubjectImpl(UUID id, Object login, SecuritySubjectType
type, InetSocketAddress addr) {
+ this.id = id;
+ this.login = login;
+ this.type = type;
+ this.addr = addr;
+ }
+
+ /** {@inheritDoc} */
+ @Override public UUID id() {
+ return id;
+ }
+
+ /** {@inheritDoc} */
+ @Override public Object login() {
+ return login;
+ }
+
+ /** {@inheritDoc} */
+ @Override public SecuritySubjectType type() {
+ return type;
+ }
+
+ /** {@inheritDoc} */
+ @Override public InetSocketAddress address() {
+ return addr;
+ }
+
+ /** {@inheritDoc} */
+ @Override public SecurityPermissionSet permissions() {
+ return null;
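Review bot: permissions() at the end of this hunk returns null, and its Javadoc is only {@inheritDoc}, so nothing tells a caller that the result must be null-checked before use. Document on the method that this subject carries no permission set and why, or return an empty set if the SecuritySubject contract permits it. The constructor's empty /** */ Javadoc and the Object-typed login field would also benefit from a line describing the expected values.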
Review comment:
Permissions and permission checks provided by the SecurityContext are
orphaned (except one, the check on node join, but
IgniteAuthenticationProcessor does not support node authentication).
All permission checks are performed through IgniteSecurity#authorize. Also,
the current Ignite Authentication Processor implementation does not implement
any kind of Ignite cache/task/etc. operation authorization.
##########
File path:
modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java
##########
@@ -314,15 +314,14 @@ public AuthorizationContext authenticate(String login,
String passwd) throws Ign
}
fut.get();
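Review bot: fut.get() in authenticate(String login, String passwd) waits with no timeout, so the calling thread blocks for as long as the future stays incomplete. Use a bounded wait or make sure every failure path completes the future with an error, and leave a comment at this line if the fix is deferred.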
Review comment:
You are right. I have filed a ticket with the problem that shows that we
can hang forever - https://issues.apache.org/jira/browse/IGNITE-14301
But I think this problem is not related to the current ticket, so let's leave
it as is.
##########
File path:
modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java
##########
@@ -136,8 +160,8 @@
/** Node activate future. */
private final GridFutureAdapter<Void> activateFut = new
GridFutureAdapter<>();
- /** Validate error. */
- private String validateErr;
+ /** User management operations. */
+ EnumSet<SecurityPermission> userOps = EnumSet.of(CREATE_USER, DROP_USER,
ALTER_USER);
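Review bot: userOps is declared without an access modifier and without final, unlike activateFut directly above it, and it holds a mutable EnumSet, so any class in the package can reassign the field or add permissions to the set documented as the user management operations. Declare it private static final and wrap it in an unmodifiable set, e.g. `private static final Set<SecurityPermission> USER_OPS = Collections.unmodifiableSet(EnumSet.of(CREATE_USER, DROP_USER, ALTER_USER));`.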
Review comment:
Thanks. Done.
--
This is an automated message from the Apache Git Service.