ololo3000 commented on a change in pull request #9616:
URL: https://github.com/apache/ignite/pull/9616#discussion_r758667565
##########
File path:
modules/core/src/main/java/org/apache/ignite/internal/processors/service/IgniteServiceProcessor.java
##########
@@ -1911,4 +1935,37 @@ private boolean enterBusy() {
private void leaveBusy() {
opsLock.readLock().unlock();
}
+
+ /**
+ * Checks {@link SecurityPermission#SERVICE_DEPLOY} for each service.
+ * This method must use {@link SecurityContext} from node attributes
because join not finished in time of validation.
+ * This mean SecurityProcessor doesn't know about joining node and can't
return it security context based on node id.
+ *
+ * @param node Node to check.
+ * @param svcs Statically configured services.
+ * @return {@code SecurityException} in case node permissions not enough.
+ * @see ValidationOnNodeJoinUtils
+ */
+ private SecurityException checkDeployPermissionDuringJoin(ClusterNode
node, ArrayList<ServiceInfo> svcs) {
+ SecurityContext secCtx;
+
+ try {
+ secCtx = nodeSecurityContext(marsh,
U.resolveClassLoader(ctx.config()), node);
+
+ assert secCtx != null;
+ }
+ catch (SecurityException err) {
+ return err;
+ }
+
+ try (OperationSecurityContext ignored =
ctx.security().withContext(secCtx)) {
+ for (ServiceInfo desc : svcs) {
+ SecurityException err = checkPermissions(desc.name(),
SERVICE_DEPLOY);
+
+ if (err != null)
+ return err;
+ }
+ }
Review comment:
New line is missed.
##########
File path:
modules/core/src/test/java/org/apache/ignite/internal/processors/security/service/ServiceStaticConfigTest.java
##########
@@ -0,0 +1,98 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.security.service;
+
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicInteger;
+import org.apache.ignite.configuration.DataRegionConfiguration;
+import org.apache.ignite.configuration.DataStorageConfiguration;
+import org.apache.ignite.configuration.IgniteConfiguration;
+import org.apache.ignite.internal.processors.security.AbstractSecurityTest;
+import org.apache.ignite.internal.util.typedef.G;
+import org.apache.ignite.services.Service;
+import org.apache.ignite.services.ServiceConfiguration;
+import org.junit.Test;
+
+/** */
+public class ServiceStaticConfigTest extends AbstractSecurityTest {
+ /** {@inheritDoc} */
+ @Override protected IgniteConfiguration getConfiguration(String
igniteInstanceName) throws Exception {
+ IgniteConfiguration cfg = super.getConfiguration(igniteInstanceName);
+
+ cfg.setAuthenticationEnabled(true);
+
+ cfg.setDataStorageConfiguration(new DataStorageConfiguration()
+ .setDefaultDataRegionConfiguration(new DataRegionConfiguration()
+ .setPersistenceEnabled(true)));
+
+ ServiceConfiguration srvcCfg = new ServiceConfiguration();
+
+ srvcCfg.setName("CounterService");
+ srvcCfg.setMaxPerNodeCount(1);
+ srvcCfg.setTotalCount(1);
+ srvcCfg.setService(new CounterServiceImpl());
+
+ cfg.setServiceConfiguration(srvcCfg);
+
+ return cfg;
+ }
+
+ /** */
+ @Test
+ public void testNodeStarted() throws Exception {
+ startGrid(0);
+ startGrid(1);
+
+ assertEquals(2, G.allGrids().size());
+ }
+
+ /** {@inheritDoc} */
+ @Override protected void beforeTest() throws Exception {
+ super.beforeTest();
+
+ cleanPersistenceDir();
+ }
+
+ /** */
+ public static class CounterServiceImpl implements Service {
+ /** Cntr. */
+ private final AtomicInteger cntr = new AtomicInteger();
+
+ /** Is started. */
+ volatile boolean isStarted;
+
+ /** {@inheritDoc} */
+ @Override public void init() throws Exception {
+ isStarted = true;
+ }
+
+ /** {@inheritDoc} */
+ @Override public void execute() throws Exception {
+ while (isStarted) {
Review comment:
Do we actually need this loop? It seems that it will be enough just to
change some flag and check it in the `testNodeStarted` test.
##########
File path:
modules/core/src/main/java/org/apache/ignite/internal/processors/service/IgniteServiceProcessor.java
##########
@@ -1604,6 +1616,13 @@ public void onLocalJoin(DiscoveryEvent evt, DiscoCache
discoCache) {
// First node start, method
onGridDataReceived(DiscoveryDataBag.GridDiscoveryData) has not been called.
ArrayList<ServiceInfo> staticServicesInfo =
staticallyConfiguredServices(false);
+ if (ctx.security().enabled()) {
Review comment:
Security enabled check can be placed in the
`checkDeployPermissionDuringJoin` method.
##########
File path:
modules/core/src/main/java/org/apache/ignite/internal/processors/service/IgniteServiceProcessor.java
##########
@@ -367,6 +371,27 @@ private void cancelDeployedServices() {
dataBag.addJoiningNodeData(SERVICE_PROC.ordinal(), new
ServiceProcessorJoinNodeDiscoveryData(staticServicesInfo));
}
+ /** {@inheritDoc} */
+ @Override public @Nullable IgniteNodeValidationResult validateNode(
+ ClusterNode node,
+ DiscoveryDataBag.JoiningNodeDiscoveryData data
+ ) {
+ if (data.joiningNodeData() == null)
+ return null;
+
+ if (!ctx.security().enabled())
+ return null;
+
+ ArrayList<ServiceInfo> svcs =
((ServiceProcessorJoinNodeDiscoveryData)data.joiningNodeData()).services();
Review comment:
`List` can be used here.
##########
File path:
modules/core/src/main/java/org/apache/ignite/internal/processors/service/IgniteServiceProcessor.java
##########
@@ -367,6 +371,27 @@ private void cancelDeployedServices() {
dataBag.addJoiningNodeData(SERVICE_PROC.ordinal(), new
ServiceProcessorJoinNodeDiscoveryData(staticServicesInfo));
}
+ /** {@inheritDoc} */
+ @Override public @Nullable IgniteNodeValidationResult validateNode(
+ ClusterNode node,
+ DiscoveryDataBag.JoiningNodeDiscoveryData data
+ ) {
+ if (data.joiningNodeData() == null)
Review comment:
This and the next if statement can be merged into one.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
