ololo3000 commented on a change in pull request #9616:
URL: https://github.com/apache/ignite/pull/9616#discussion_r758969562
##########
File path:
modules/core/src/main/java/org/apache/ignite/internal/processors/service/IgniteServiceProcessor.java
##########
@@ -1911,4 +1932,37 @@ private boolean enterBusy() {
private void leaveBusy() {
opsLock.readLock().unlock();
}
+
+ /**
+ * Checks {@link SecurityPermission#SERVICE_DEPLOY} for each service.
+ * This method must use {@link SecurityContext} from node attributes
because join not finished in time of validation.
+ * This mean SecurityProcessor doesn't know about joining node and can't
return it security context based on node id.
+ *
+ * @param node Node to check.
+ * @param svcs Statically configured services.
+ * @return {@code SecurityException} in case node permissions not enough.
+ * @see ValidationOnNodeJoinUtils
+ */
+ private SecurityException checkDeployPermissionDuringJoin(ClusterNode
node, List<ServiceInfo> svcs) {
+ SecurityContext secCtx;
+
+ try {
+ secCtx = nodeSecurityContext(marsh,
U.resolveClassLoader(ctx.config()), node);
+
+ assert secCtx != null;
+ }
+ catch (SecurityException err) {
+ return err;
+ }
+
+ try (OperationSecurityContext ignored =
ctx.security().withContext(secCtx)) {
+ for (ServiceInfo desc : svcs) {
+ SecurityException err = checkPermissions(desc.name(),
SERVICE_DEPLOY);
+
+ if (err != null)
+ return err;
+ }
+ }
+ return null;
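Review bot: In the first try block the only guard on the resolved context is `assert secCtx != null;`, and Java assertions are off unless the JVM is started with -ea, so on a node running without assertions a null result from nodeSecurityContext(...) would be passed straight to ctx.security().withContext(secCtx). Because this method is the SERVICE_DEPLOY check for a joining node, an explicit null check that returns a SecurityException would make the failure path deterministic rather than dependent on JVM flags. The Javadoc @return line should also say that null is returned when all permissions are granted, since the current text only describes the error case.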
Review comment:
New line is missing.