PakhomovAlexander commented on code in PR #2962:
URL: https://github.com/apache/ignite-3/pull/2962#discussion_r1431445328
##########
modules/client-handler/src/main/java/org/apache/ignite/client/handler/ClientInboundMessageHandler.java:
##########
@@ -849,4 +857,60 @@ private NotificationSender notificationSender(long
requestId) {
// This is fine, because the client registers a listener before
sending the request.
return (writer, err) -> sendNotification(requestId, writer, err);
}
+
+ @Override
+ public CompletableFuture<Boolean> notify(AuthenticationEventParameters
parameters, @Nullable Throwable exception) {
+ if (shouldCloseConnection(parameters)) {
+ LOG.warn("Closing connection due to authentication event
[connectionId=" + connectionId + ", remoteAddress="
+ + channelHandlerContext.channel().remoteAddress() + ",
event=" + parameters.type() + ']');
+ closeConnection();
+ }
+ return falseCompletedFuture();
+ }
+
+ private boolean shouldCloseConnection(AuthenticationEventParameters
parameters) {
+ readWriteLock.readLock().lock();
Review Comment:
I think it is better to get the lock in `currentUserAffected` method then
`AUTHENTICATION_ENABELED` and `default` won't hold the lock they are not needed
in.
##########
modules/runner/src/integrationTest/java/org/apache/ignite/internal/runner/app/client/ItThinClientAuthenticationTest.java:
##########
@@ -0,0 +1,174 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.runner.app.client;
+
+import static
org.apache.ignite.internal.configuration.hocon.HoconConverter.hoconSource;
+import static
org.apache.ignite.internal.testframework.matchers.CompletableFutureExceptionMatcher.willThrowWithCauseOrSuppressed;
+import static
org.apache.ignite.internal.testframework.matchers.CompletableFutureMatcher.willCompleteSuccessfully;
+import static org.awaitility.Awaitility.await;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+import com.typesafe.config.ConfigFactory;
+import java.util.concurrent.CompletableFuture;
+import org.apache.ignite.client.BasicAuthenticator;
+import org.apache.ignite.client.IgniteClient;
+import org.apache.ignite.internal.app.IgniteImpl;
+import org.apache.ignite.internal.configuration.ConfigurationRegistry;
+import
org.apache.ignite.internal.security.authentication.basic.BasicAuthenticationProviderChange;
+import org.apache.ignite.internal.security.configuration.SecurityConfiguration;
+import org.apache.ignite.internal.util.IgniteUtils;
+import org.apache.ignite.security.exception.InvalidCredentialsException;
+import org.apache.ignite.sql.Session;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+/**
+ * Thin client authentication test.
+ */
+public class ItThinClientAuthenticationTest extends ItAbstractThinClientTest {
+ private static final String USERNAME = "admin";
+
+ private static final String PASSWORD = "password";
+
+ /** Client. */
+ private IgniteClient clientWithAuth;
+
+ private SecurityConfiguration securityConfiguration;
+
+ private final BasicAuthenticator basicAuthenticator =
BasicAuthenticator.builder()
+ .username(USERNAME)
+ .password(PASSWORD)
+ .build();
+
+ @BeforeEach
+ void setUp() {
+ securityConfiguration =
clusterConfigurationRegistry().getConfiguration(SecurityConfiguration.KEY);
+
+ CompletableFuture<Void> enableAuthentication =
securityConfiguration.change(change -> {
+ change.changeEnabled(true);
+ change.changeAuthentication()
+ .changeProviders()
+ .update("default", provider -> {
+
provider.convert(BasicAuthenticationProviderChange.class)
+ .changeUsers()
+ .createOrUpdate(USERNAME, user ->
user.changePassword(PASSWORD));
+ });
+ });
+
+ assertThat(enableAuthentication, willCompleteSuccessfully());
+
+ clientWithAuth = IgniteClient.builder()
+ .authenticator(basicAuthenticator)
+ .reconnectThrottlingRetries(0)
+ .addresses(getClientAddresses().toArray(new String[0]))
+ .build();
+
+ await().untilAsserted(() -> checkConnection(clientWithAuth));
+ }
+
+ @AfterEach
+ void tearDown() throws Exception {
+ IgniteUtils.closeAll(clientWithAuth);
+ }
+
+ @Test
+ void connectionIsClosedIfAuthenticationEnabled() {
+ await().until(() -> checkConnection(client()),
willThrowWithCauseOrSuppressed(InvalidCredentialsException.class));
Review Comment:
Can you add a case when you change the configuration (add one more provider
or user) and the connection is still be opened.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
