ololo3000 commented on a change in pull request #8892:
URL: https://github.com/apache/ignite/pull/8892#discussion_r615737904
##########
File path:
modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java
##########
@@ -971,6 +893,81 @@ private static boolean isNodeHoldsUsers(ClusterNode n) {
return !n.isClient() && !n.isDaemon();
}
+ /** {@inheritDoc} */
+ @Override public SecurityContext authenticateNode(ClusterNode node,
SecurityCredentials cred) throws IgniteCheckedException {
+ return new SecurityContextImpl(
+ node.id(),
+ node.attribute(ATTR_IGNITE_INSTANCE_NAME),
+ REMOTE_NODE,
+ new InetSocketAddress(F.first(node.addresses()), 0));
+ }
+
+ /** {@inheritDoc} */
+ @Override public SecuritySubject authenticatedSubject(UUID subjId) throws
IgniteCheckedException {
+ throw new UnsupportedOperationException();
+ }
+
+ /** {@inheritDoc} */
+ @Override public Collection<SecuritySubject> authenticatedSubjects()
throws IgniteCheckedException {
+ throw new UnsupportedOperationException();
+ }
+
+ /** {@inheritDoc} */
+ @Override public boolean isGlobalNodeAuthentication() {
+ return false;
+ }
+
+ /** {@inheritDoc} */
+ @Override public void authorize(String name, SecurityPermission perm,
SecurityContext securityCtx) throws SecurityException {
+ if (!userOps.contains(perm))
+ return;
+
+ SecuritySubject subj = ctx.security().securityContext().subject();
+
+ Object login = subj.login();
+
+ if (subj.type() == REMOTE_NODE) {
+ throw new SecurityException("User management operations initiated
on behalf of the Ignite node" +
+ " are not supported [igniteInstanceName=" + login + ']');
+ }
+
+ if (!DEFAULT_USER_NAME.equals(login) && !(ALTER_USER == perm &&
Objects.equals(login, name)))
+ throw new SecurityException("User management operations are not
allowed for user [curUser=" + login + ']');
+
+ if (DROP_USER == perm && DEFAULT_USER_NAME.equals(name))
+ throw new SecurityException("Default user cannot be removed.");
+ }
+
+ /** {@inheritDoc} */
+ @Override public void onSessionExpired(UUID subjId) {
+ // No-op.
+ }
+
+ /** {@inheritDoc} */
+ @Override public SecurityContext securityContext(UUID subjId) {
+ User user = users.get(subjId);
+
+ return user == null ? null : new SecurityContextImpl(subjId,
user.name(), REMOTE_CLIENT, null);
Review comment:
Fixed.
##########
File path:
modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java
##########
@@ -677,8 +635,6 @@ private ClusterNode coordinator() {
U.warn(log, "Cannot find the server coordinator node. "
+ "Possible a client is started with
forceServerMode=true. " +
"Security warning: user authentication will be
disabled on the client.");
-
- isEnabled = false;
Review comment:
1. I have fixed comment.
2.
Mentioned by you problem is related only to client node with no server nodes
are alive.
So onAuthenticateRequestMessage or onNodeLeft can't be called - they are
require at leas one server node to be alive.
The problem appears during authentication method execution:
previously if no server node is found security was tuned off on client node
and all authentication or user operations were skipped but this client node
can't join the cluster with authentication enabled.
Now we can't turn off security so I propose to explicitly throw exception
during authentication if no server nodes are alive.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
