timoninmaxim commented on a change in pull request #8892:
URL: https://github.com/apache/ignite/pull/8892#discussion_r615562747



##########
File path: 
modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java
##########
@@ -971,6 +893,81 @@ private static boolean isNodeHoldsUsers(ClusterNode n) {
         return !n.isClient() && !n.isDaemon();
     }
 
+    /** {@inheritDoc} */
+    @Override public SecurityContext authenticateNode(ClusterNode node, 
SecurityCredentials cred) throws IgniteCheckedException {
+        return new SecurityContextImpl(
+            node.id(),
+            node.attribute(ATTR_IGNITE_INSTANCE_NAME),
+            REMOTE_NODE,
+            new InetSocketAddress(F.first(node.addresses()), 0));
+    }
+
+    /** {@inheritDoc} */
+    @Override public SecuritySubject authenticatedSubject(UUID subjId) throws 
IgniteCheckedException {
+        throw new UnsupportedOperationException();
+    }
+
+    /** {@inheritDoc} */
+    @Override public Collection<SecuritySubject> authenticatedSubjects() 
throws IgniteCheckedException {
+        throw new UnsupportedOperationException();
+    }
+
+    /** {@inheritDoc} */
+    @Override public boolean isGlobalNodeAuthentication() {
+        return false;
+    }
+
+    /** {@inheritDoc} */
+    @Override public void authorize(String name, SecurityPermission perm, 
SecurityContext securityCtx) throws SecurityException {
+        if (!userOps.contains(perm))
+            return;
+
+        SecuritySubject subj = ctx.security().securityContext().subject();
+
+        Object login = subj.login();
+
+        if (subj.type() == REMOTE_NODE) {
+            throw new SecurityException("User management operations initiated 
on behalf of the Ignite node" +
+                " are not supported [igniteInstanceName=" + login + ']');
+        }
+
+        if (!DEFAULT_USER_NAME.equals(login) && !(ALTER_USER == perm && 
Objects.equals(login, name)))
+            throw new SecurityException("User management operations are not 
allowed for user [curUser=" + login + ']');
+
+        if (DROP_USER == perm && DEFAULT_USER_NAME.equals(name))
+            throw new SecurityException("Default user cannot be removed.");
+    }
+
+    /** {@inheritDoc} */
+    @Override public void onSessionExpired(UUID subjId) {
+        // No-op.
+    }
+
+    /** {@inheritDoc} */
+    @Override public SecurityContext securityContext(UUID subjId) {
+        User user = users.get(subjId);
+
+        return user == null ? null : new SecurityContextImpl(subjId, 
user.name(), REMOTE_CLIENT, null);
+    }
+
+    /**
+     * Gets the user with the specified ID and login. It is necessary to check 
the login to make sure that there was
+     * no collision when calculating the user ID.
+     */
+    private User findUser(UUID subjId, String login) {
+        User user = users.get(subjId);
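
Review bot: In `authorize`, the `securityCtx` parameter is never read; the subject is taken from `ctx.security().securityContext().subject()` instead, so a caller that passes a different context gets a decision based on the thread-bound one. Either use `securityCtx.subject()` here or add a comment explaining why the current context is authoritative for user management operations. Similarly, `authenticateNode` ignores `cred` and returns a `SecurityContextImpl` for any node, so the javadoc should say more than `{@inheritDoc}` and state that node credentials are intentionally not checked by this processor. The two `UnsupportedOperationException` throws would also be easier to diagnose with a message naming the unsupported method.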

Review comment:
       I'm OK with that there is the ticket 14301 for discovering that.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]