[jira] [Commented] (IGNITE-12049) Allow custom authenticators to use SSL certificates

2019-12-17 Thread Ryabov Dmitrii (Jira)


[ 
https://issues.apache.org/jira/browse/IGNITE-12049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16998179#comment-16998179
 ] 

Ryabov Dmitrii commented on IGNITE-12049:

[~ascherbakov], I made the changes:

GridClient - {{GridClientConfiguration}} received parameter {{Map userAttrs}}. Attributes are passed in the {{GridClientMessage}}.
IgniteClient - {{ClientConfiguration}} received parameter {{Map userAttrs}}. Attributes are passed through {{TcpClientChannel}}.
JDBC - {{ConnectionProperties}} received parameter {{userAttributes}}, which should be filled with {{factory>}} name. Attributes are passed through {{BinaryWriter}} as other message.
ODBC - TODO. I'd like to make it in a separate ticket.

Can you take a look?

> Allow custom authenticators to use SSL certificates
> ---
>
> Key: IGNITE-12049
> URL: https://issues.apache.org/jira/browse/IGNITE-12049
> Project: Ignite
> Issue Type: Improvement
> Reporter: Ryabov Dmitrii
> Assignee: Ryabov Dmitrii
> Priority: Minor
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> Add SSL certificates to AuthenticationContext, so, authenticators can make 
> additional checks based on SSL certificates.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
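
As an illustration of the "additional checks based on SSL certificates" that the issue describes, the following added example (not code from the ticket, the pull request or Ignite) shows checks that go beyond certificate existence. `PeerCertificatePolicy` is a hypothetical class built only on JDK APIs; it assumes the authenticator is handed the peer chain as a `Certificate[]`, as `SSLSession.getPeerCertificates()` returns it.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.naming.NamingException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical helper (not an Ignite class): policy checks on a TLS peer certificate chain. */
public final class PeerCertificatePolicy {
    private final Set<String> allowedCommonNames; // subject CNs allowed to authenticate
    private final Set<String> pinnedSha256;       // optional leaf pins, lower-case hex; empty disables pinning
    public PeerCertificatePolicy(Set<String> allowedCommonNames, Set<String> pinnedSha256) {
        this.allowedCommonNames = allowedCommonNames;
        this.pinnedSha256 = pinnedSha256;
    }

    /** Returns the accepted subject CN, or throws SecurityException when a check fails. */
    public String check(Certificate[] chain) {
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate))
            throw new SecurityException("No X.509 peer certificate presented");
        X509Certificate leaf = (X509Certificate) chain[0]; // the peer's own certificate comes first
        try {
            leaf.checkValidity(); // throws if expired or not yet valid
            String cn = commonName(leaf);
            if (cn == null || !allowedCommonNames.contains(cn))
                throw new SecurityException("Subject CN not allowed: " + cn);
            if (!pinnedSha256.isEmpty() && !pinnedSha256.contains(sha256Hex(leaf.getEncoded())))
                throw new SecurityException("Certificate fingerprint is not pinned");
            return cn;
        } catch (GeneralSecurityException | NamingException e) {
            throw new SecurityException("Certificate check failed", e);
        }
    }
    private static String commonName(X509Certificate cert) throws NamingException {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName()); // RFC 2253 string
        for (Rdn rdn : dn.getRdns())
            if ("CN".equalsIgnoreCase(rdn.getType()))
                return String.valueOf(rdn.getValue());
        return null;
    }
    private static String sha256Hex(byte[] der) throws GeneralSecurityException {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(der))
            hex.append(String.format("%02x", b));
        return hex.toString();
    }
}
```

These checks sit on top of the trust-chain validation done during the TLS handshake and do not replace it. They are only meaningful when the chain comes from the established session rather than from values the connecting side supplies itself.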


[jira] [Commented] (IGNITE-12049) Allow custom authenticators to use SSL certificates

2019-12-02 Thread Alexei Scherbakov (Jira)


[ 
https://issues.apache.org/jira/browse/IGNITE-12049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16986102#comment-16986102
 ] 

Alexei Scherbakov commented on IGNITE-12049:


[~SomeFire]

Sounds good.

Attributes for JDBC/ODBC can be passed as base64-encoded strings to the driver; the 
factory is also fine.



[jira] [Commented] (IGNITE-12049) Allow custom authenticators to use SSL certificates

2019-12-02 Thread Ryabov Dmitrii (Jira)


[ 
https://issues.apache.org/jira/browse/IGNITE-12049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16986090#comment-16986090
 ] 

Ryabov Dmitrii commented on IGNITE-12049:

[~ascherbakov], I thought about this task and agree that passing certificates 
to node attributes is enough.

For a common client, attributes can be configured in `ClientConfiguration`.
For JDBC/ODBC, attributes can't be passed directly to the driver, so I 
propose to pass a factory class name and create attributes inside the factory.

Is it ok for you?



[jira] [Commented] (IGNITE-12049) Allow custom authenticators to use SSL certificates

2019-11-19 Thread Ryabov Dmitrii (Jira)


[ 
https://issues.apache.org/jira/browse/IGNITE-12049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16977552#comment-16977552
 ] 

Ryabov Dmitrii commented on IGNITE-12049:

> User can put any value to node attributes

Yes, a user can put any certificate, but we can't get the SSL certificate outside of 
`ServerImpl`. A user can get it inside a custom SSL factory, but I don't see a 
way to correlate the certificate with the connecting node when several nodes are 
connecting simultaneously.



3. Agree, I'll do it.



[jira] [Commented] (IGNITE-12049) Allow custom authenticators to use SSL certificates

2019-11-18 Thread Alexei Scherbakov (Jira)


[ 
https://issues.apache.org/jira/browse/IGNITE-12049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976630#comment-16976630
 ] 

Alexei Scherbakov commented on IGNITE-12049:


[~SomeFire]

1. User can put any value to node attributes, any number of certificates, etc. 
I still do not see the importance of proposed change, because this can be done 
right now for normal clients by passing certificate(s) to node attributes. 
Besides, thin clients do not have node attributes at all, and putting only a 
certificate to the map looks hacky.

3. TestSslSecurityProcessor does nothing besides checking certificate 
existence. I think providing a more realistic example with description should 
be useful for anyone who might wish to use the feature and make it more 
valuable for community.



[jira] [Commented] (IGNITE-12049) Allow custom authenticators to use SSL certificates

2019-11-18 Thread Ryabov Dmitrii (Jira)


[ 
https://issues.apache.org/jira/browse/IGNITE-12049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976604#comment-16976604
 ] 

Ryabov Dmitrii commented on IGNITE-12049:

[~ascherbakov], thank you for review.

> 1. For "normal" cluster nodes attributes are already available using 
> ClusterNode.attributes and user can just set any attribute and use it in custom 
> authenticator without any changes in core by implementing [1].
>
> Do I understand correctly the fix is only relevant for thin clients 
> authenticated using [2] and not having associated local attributes? 
> Shouldn't we instead provide the ability for thin clients to have attributes 
> and avoid changing IgniteConfiguration?

The problem is that user can use different certificates for node-to-node 
connection and put inside attributes. For "normal" cluster nodes we put 
certificates from SSL connection into attributes. For thin clients we do the 
same.
For local authentication we don't need certificates because there is no 
node-to-node connection.

> 2. Why the new attribute is not available during authentication for 
> jdbc/odbc client types?

I missed it. Work in progress.

> 3. Can you create an example of using custom authenticator with 
> certificates?

I made tests in SslCertificatesCheckTest. Tests use TestSslSecurityProcessor, 
which checks certificates during authentication.



[jira] [Commented] (IGNITE-12049) Allow custom authenticators to use SSL certificates

2019-11-05 Thread Alexei Scherbakov (Jira)


[ 
https://issues.apache.org/jira/browse/IGNITE-12049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16967400#comment-16967400
 ] 

Alexei Scherbakov commented on IGNITE-12049:


[~SomeFire]

I left comments on PR, please address them.

Some general questions:

1. For "normal" cluster nodes attributes are already available using 
ClusterNode.attributes and user can just set any attribute and use it in custom 
authenticator without any changes in core by implementing [1].

Do I understand correctly the fix is only relevant for thin clients 
authenticated using [2] and not having associated local attributes ? 
Shouldn't we instead provide the ability for thin clients to have attributes 
and avoid changing IgniteConfiguration ?

2. Why the new attribute is not available during authentication for jdbc/odbc 
client types ?

3. Can you create an example of using custom authenticator with certificates ?

[1] 
org.apache.ignite.internal.processors.security.GridSecurityProcessor#authenticateNode
[2] 
org.apache.ignite.internal.processors.security.GridSecurityProcessor#authenticate












[jira] [Commented] (IGNITE-12049) Allow custom authenticators to use SSL certificates

2019-11-01 Thread Ivan Rakov (Jira)


[ 
https://issues.apache.org/jira/browse/IGNITE-12049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16964748#comment-16964748
 ] 

Ivan Rakov commented on IGNITE-12049:

[~ascherbakov], can you please review?



[jira] [Commented] (IGNITE-12049) Allow custom authenticators to use SSL certificates

2019-10-29 Thread Ignite TC Bot (Jira)


[ 
https://issues.apache.org/jira/browse/IGNITE-12049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16961906#comment-16961906
 ] 

Ignite TC Bot commented on IGNITE-12049:


Branch: [pull/6796/head] Base: [master] : No blockers found!
TeamCity --> Run :: All Results: https://ci.ignite.apache.org/viewLog.html?buildId=4729735&buildTypeId=IgniteTests24Java8_RunAll
