RE: Authentication

2019-09-18 Thread Kurt Semba
Hi Andrei,

thank you for the details.
Kurt

From: Andrei Aleksandrov 
Sent: Tuesday, September 17, 2019 10:50 AM
To: user@ignite.apache.org
Subject: Re: Authentication

Hi Kurt,

Yes, you can create new users via SQL as was mentioned here:

https://apacheignite-sql.readme.io/docs/create-user
https://apacheignite-sql.readme.io/docs/alter-user
https://apacheignite-sql.readme.io/docs/drop-user

By default user "ignite" will be created. Password will be "ignite" too. 
Current SQL could be executed in Java via 
https://ignite.apache.org/releases/latest/javadoc/org/apache/ignite/cache/query/SqlFieldsQuery.html

To provide auth for:

1) JDBC: just add "user" and "password" parameters to jdbc connection string:

https://apacheignite-sql.readme.io/docs/jdbc-driver#section-parameters

2) Thick java nodes: Implement your own plugin for security

I see the answer from Evgenii here about it:

https://stackoverflow.com/questions/46150920/custom-security-plugin-for-apache-ignite

BR,
Andrei
9/16/2019 1:26 PM, Kurt Semba wrote:
Hi Andrei,

good to know – thank you.

So we need to distinguish between auth for

  1.  thin clients like JDBC clients and
  2.  thick clients (Java client that wants to join the cluster (as server or 
client))


I will look at GridSecurityProcessor for item 2 but in the meantime: I saw the 
CREATE command to create new SQL users on a freshly started cluster. How would 
you execute that using Java code? Would the app need to start the cluster, then 
use the Ignite JDBC driver to connect to the (PUBLIC) schema of that cluster, 
then run the CREATE SQL command and then exit?

Kurt

From: Andrei Aleksandrov
Sent: Monday, September 16, 2019 12:13 PM
To: user@ignite.apache.org
Subject: Re: Authentication

Hi,

I guess that here Ignite has some documentation gap. Advanced security out of 
the box will work only with thin connections like webconsole, ODBC/JDBC, etc.

To get cluster node authentication you should add GridSecurityProcessor 
implementation:

https://apacheignite.readme.io/docs/advanced-security#section-enable-authentication

I created ticket on documentation:

https://issues.apache.org/jira/browse/IGNITE-12170

Re: Authentication

2019-09-17 Thread Andrei Aleksandrov

Hi Kurt,

Yes, you can create new users via SQL as was mentioned here:

https://apacheignite-sql.readme.io/docs/create-user
https://apacheignite-sql.readme.io/docs/alter-user
https://apacheignite-sql.readme.io/docs/drop-user

By default user "ignite" will be created. Password will be "ignite" too. 
Current SQL could be executed in Java via 
https://ignite.apache.org/releases/latest/javadoc/org/apache/ignite/cache/query/SqlFieldsQuery.html


To provide auth for:

1) JDBC: just add "user" and "password" parameters to jdbc connection 
string:


https://apacheignite-sql.readme.io/docs/jdbc-driver#section-parameters

2) Thick java nodes: Implement your own plugin for security

I see the answer from Evgenii here about it:

https://stackoverflow.com/questions/46150920/custom-security-plugin-for-apache-ignite

BR,
Andrei

9/16/2019 1:26 PM, Kurt Semba wrote:


Hi Andrei,

good to know – thank you.

So we need to distinguish between auth for

 1. thin clients like JDBC clients and
 2. thick clients (Java client that wants to join the cluster (as
server or client))

I will look at GridSecurityProcessor for item 2 but in the meantime: I 
saw the CREATE command to create new SQL users on a freshly started 
cluster. How would you execute that using Java code? Would the app 
need to start the cluster, then use the Ignite JDBC driver to connect 
to the (PUBLIC) schema of that cluster, then run the CREATE SQL 
command and then exit?


Kurt

*From:* Andrei Aleksandrov
*Sent:* Monday, September 16, 2019 12:13 PM
*To:* user@ignite.apache.org
*Subject:* Re: Authentication

Hi,

I guess that here Ignite has some documentation gap. Advanced security 
out of the box will work only with thin connections like webconsole, 
ODBC/JDBC, etc.


To get cluster node authentication you should add 
GridSecurityProcessor implementation:


https://apacheignite.readme.io/docs/advanced-security#section-enable-authentication 


I created ticket on documentation:

https://issues.apache.org/jira/browse/IGNITE-12170 


BR,
Andrei

9/16/2019 10:43 AM, Kurt Semba wrote:

Hi all,

I used the web-console to auto-generate some code and then
extended the ServerNodeCodeStartup.java class according to the
documentation to enable authentication (which requires to enable
persistence) like this:

public static void main(String[] args) throws Exception {
    IgniteConfiguration cfg = ServerConfigurationFactory.createConfiguration();

    // Ignite persistence configuration.
    DataStorageConfiguration storageCfg = new DataStorageConfiguration();

    // Enabling the persistence.
    storageCfg.getDefaultDataRegionConfiguration().setPersistenceEnabled(true);

    // Applying settings.
    cfg.setDataStorageConfiguration(storageCfg);

    // Enable authentication
    cfg.setAuthenticationEnabled(true);

    Ignite ignite = Ignition.start(cfg);

    // Activate the cluster.
    // This is required only if the cluster is still inactive.
    ignite.cluster().active(true);

    // Get all server nodes that are already up and running.
    Collection nodes = ignite.cluster().forServers().nodes();

    // Set the baseline topology that is represented by these nodes.
    ignite.cluster().setBaselineTopology(nodes);
}

But when I run this, the output shows “authentication=off” and I
can also connect a client without providing any user+pass…

[…]
[08:57:13] Security status [authentication=off, tls/ssl=off]
[…]
[08:57:16] Ignite node started OK (id=1f668071, instance name=ImportedCluster6)
[08:57:16] Topology snapshot [ver=1, locNode=1f668071, servers=1, clients=0, state=INACTIVE, CPUs=4, offheap=2.3GB, heap=2.6GB]
[08:57:16]   ^-- Baseline [id=0, size=1, online=1, offline=0]
[08:57:16]   ^-- All baseline nodes are online, will start auto-activation
[08:57:16] Ignite node stopped in the middle of checkpoint. Will restore memory state and finish checkpoint on node start.
[08:57:16] Both Ignite native persistence and CacheStore are configured for cache 'NsdevicesCache'. This configuration does not guarantee strict consistency between CacheStore and Ignite data storage upon restarts. Co
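
Added example (not part of the thread and not Ignite project code): one way to run the CREATE USER and ALTER USER statements from the reply above in Java through the JDBC thin driver, passing "user" and "password" as connection parameters, then checking that the default ignite/ignite login no longer works. The host, the `app_user` name and the two environment variable names are assumptions made for this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class BootstrapIgniteUsers {
    // Assumption: a node started with authentication enabled accepts thin
    // clients on localhost at the default port.
    private static final String URL = "jdbc:ignite:thin://127.0.0.1/";

    public static void main(String[] args) throws Exception {
        Class.forName("org.apache.ignite.IgniteJdbcThinDriver");

        // Hypothetical environment variable names; keeps passwords out of source.
        String adminPwd = requireSafe("IGNITE_NEW_ADMIN_PASSWORD");
        String appPwd = requireSafe("IGNITE_APP_PASSWORD");

        // First login uses the built-in account from the thread: ignite / ignite.
        try (Connection conn = connect("ignite", "ignite");
             Statement stmt = conn.createStatement()) {
            // Quoted user names keep their case ("app_user" is a made-up name).
            stmt.execute("CREATE USER \"app_user\" WITH PASSWORD '" + appPwd + "'");
            // Replace the well-known default password straight away.
            stmt.execute("ALTER USER \"ignite\" WITH PASSWORD '" + adminPwd + "'");
        }

        // The new account must be able to log in and run a query.
        try (Connection conn = connect("app_user", appPwd);
             Statement stmt = conn.createStatement()) {
            stmt.execute("SELECT 1");
        }

        // The old default password must now be rejected at connect time.
        try (Connection conn = connect("ignite", "ignite")) {
            throw new IllegalStateException("default ignite/ignite login still works");
        } catch (SQLException expected) {
            System.out.println("Default credentials rejected: " + expected.getMessage());
        }
    }

    /** Opens a thin-driver connection with the "user" and "password" parameters. */
    private static Connection connect(String user, String password) throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        return DriverManager.getConnection(URL, props);
    }

    /** Reads a password from the environment; it is spliced into DDL text, so refuse quotes. */
    private static String requireSafe(String envName) {
        String value = System.getenv(envName);
        if (value == null || value.isEmpty() || value.indexOf('\'') >= 0) {
            throw new IllegalArgumentException(envName + " must be set and contain no single quote");
        }
        return value;
    }
}
```

Run it once against a freshly activated cluster with ignite-core on the classpath; a second run fails at the first login because the default password has already been changed.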

RE: Authentication

2019-09-16 Thread Kurt Semba
Hi Andrei,

good to know – thank you.

So we need to distinguish between auth for

  1.  thin clients like JDBC clients and
  2.  thick clients (Java client that wants to join the cluster (as server or 
client))


I will look at GridSecurityProcessor for item 2 but in the meantime: I saw the 
CREATE command to create new SQL users on a freshly started cluster. How would 
you execute that using Java code? Would the app need to start the cluster, then 
use the Ignite JDBC driver to connect to the (PUBLIC) schema of that cluster, 
then run the CREATE SQL command and then exit?

Kurt

From: Andrei Aleksandrov 
Sent: Monday, September 16, 2019 12:13 PM
To: user@ignite.apache.org
Subject: Re: Authentication

Hi,

I guess that here Ignite has some documentation gap. Advanced security out of 
the box will work only with thin connections like webconsole, ODBC/JDBC, etc.

To get cluster node authentication you should add GridSecurityProcessor 
implementation:

https://apacheignite.readme.io/docs/advanced-security#section-enable-authentication

I created ticket on documentation:

https://issues.apache.org/jira/browse/IGNITE-12170

BR,
Andrei
9/16/2019 10:43 AM, Kurt Semba wrote:
Hi all,

I used the web-console to auto-generate some code and then extended the 
ServerNodeCodeStartup.java class according to the documentation to enable 
authentication (which requires to enable persistence) like this:

public static void main(String[] args) throws Exception {
    IgniteConfiguration cfg = ServerConfigurationFactory.createConfiguration();

    // Ignite persistence configuration.
    DataStorageConfiguration storageCfg = new DataStorageConfiguration();

    // Enabling the persistence.
    storageCfg.getDefaultDataRegionConfiguration().setPersistenceEnabled(true);

    // Applying settings.
    cfg.setDataStorageConfiguration(storageCfg);

    // Enable authentication
    cfg.setAuthenticationEnabled(true);

    Ignite ignite = Ignition.start(cfg);

    // Activate the cluster.
    // This is required only if the cluster is still inactive.
    ignite.cluster().active(true);

    // Get all server nodes that are already up and running.
    Collection nodes = ignite.cluster().forServers().nodes();

    // Set the baseline topology that is represented by these nodes.
    ignite.cluster().setBaselineTopology(nodes);
}


But when I run this, the output shows “authentication=off” and I can also 
connect a client without providing any user+pass…

[…]
[08:57:13] Security status [authentication=off, tls/ssl=off]
[…]
[08:57:16] Ignite node started OK (id=1f668071, instance name=ImportedCluster6)
[08:57:16] Topology snapshot [ver=1, locNode=1f668071, servers=1, clients=0, 
state=INACTIVE, CPUs=4, offheap=2.3GB, heap=2.6GB]
[08:57:16]   ^-- Baseline [id=0, size=1, online=1, offline=0]
[08:57:16]   ^-- All baseline nodes are online, will start auto-activation
[08:57:16] Ignite node stopped in the middle of checkpoint. Will restore memory 
state and finish checkpoint on node start.
[08:57:16] Both Ignite native persistence and CacheStore are configured for 
cache 'NsdevicesCache'. This configuration does not guarantee strict 
consistency between CacheStore and Ignite data storage upon restarts. Consult 
documentation for more details.

Any idea what I’m doing wrong?

I will also look into enabling TLS but wanted to start with user+pass auth.

Thanks
Kurt


Re: Authentication

2019-09-16 Thread Andrei Aleksandrov

Hi,

I guess that here Ignite has some documentation gap. Advanced security 
out of the box will work only with thin connections like webconsole, 
ODBC/JDBC, etc.


To get cluster node authentication you should add GridSecurityProcessor 
implementation:


https://apacheignite.readme.io/docs/advanced-security#section-enable-authentication

I created ticket on documentation:

https://issues.apache.org/jira/browse/IGNITE-12170

BR,
Andrei

9/16/2019 10:43 AM, Kurt Semba wrote:


Hi all,

I used the web-console to auto-generate some code and then extended 
the ServerNodeCodeStartup.java class according to the documentation to 
enable authentication (which requires to enable persistence) like this:


public static void main(String[] args) throws Exception {
    IgniteConfiguration cfg = ServerConfigurationFactory.createConfiguration();

    // Ignite persistence configuration.
    DataStorageConfiguration storageCfg = new DataStorageConfiguration();

    // Enabling the persistence.
    storageCfg.getDefaultDataRegionConfiguration().setPersistenceEnabled(true);

    // Applying settings.
    cfg.setDataStorageConfiguration(storageCfg);

    // Enable authentication
    cfg.setAuthenticationEnabled(true);

    Ignite ignite = Ignition.start(cfg);

    // Activate the cluster.
    // This is required only if the cluster is still inactive.
    ignite.cluster().active(true);

    // Get all server nodes that are already up and running.
    Collection nodes = ignite.cluster().forServers().nodes();

    // Set the baseline topology that is represented by these nodes.
    ignite.cluster().setBaselineTopology(nodes);
}

But when I run this, the output shows “authentication=off” and I can 
also connect a client without providing any user+pass…


[…]
[08:57:13] Security status [authentication=off, tls/ssl=off]
[…]
[08:57:16] Ignite node started OK (id=1f668071, instance name=ImportedCluster6)
[08:57:16] Topology snapshot [ver=1, locNode=1f668071, servers=1, clients=0, state=INACTIVE, CPUs=4, offheap=2.3GB, heap=2.6GB]
[08:57:16]   ^-- Baseline [id=0, size=1, online=1, offline=0]
[08:57:16]   ^-- All baseline nodes are online, will start auto-activation
[08:57:16] Ignite node stopped in the middle of checkpoint. Will restore memory state and finish checkpoint on node start.
[08:57:16] Both Ignite native persistence and CacheStore are configured for cache 'NsdevicesCache'. This configuration does not guarantee strict consistency between CacheStore and Ignite data storage upon restarts. Consult documentation for more details.


Any idea what I’m doing wrong?

I will also look into enabling TLS but wanted to start with user+pass 
auth.


Thanks

Kurt



Re: Authentication for Apache Ignite 2.5

2018-07-10 Thread aealexsandrov
Hi,

1) According to advanced security that provided by default:

https://apacheignite.readme.io/docs/advanced-security

It will provide the possibility to create/drop/alter the users. Also, it
provides the only simple authentication with the password.

Note that it required the persistence and .

Could you please provide step by step case when you enable the security,
enable persistence and create the user using
https://apacheignite-sql.readme.io/docs/create-user and it doesn't work?

2) According to GridSecurityProcessor interface

You can take a look at the next thread. There you can see some problems that
you can face.

http://apache-ignite-users.70518.x6.nabble.com/Custom-GridSecurityProcessor-plugin-question-td4942.html

About hooking and the SecurityCredentialsProvider and SecurityCredentials.
In your example you see how it could be done:

There is no simple way to do it but you can try to extend
IgniteConfiguration like next:


public class SecurityIgniteConfiguration extends IgniteConfiguration {
    private SecurityCredentialsProvider securityCredentialsProvider;

    public SecurityCredentialsProvider getSecurityCredentialsProvider() {
        return securityCredentialsProvider;
    }

    public void setSecurityCredentialsProvider(
            SecurityCredentialsProvider securityCredentialsProvider) {
        this.securityCredentialsProvider = securityCredentialsProvider;
    }
}

After that in your security processor do next:

securityCred = ((SecurityIgniteConfiguration) ctx.config()).getSecurityCredentialsProvider();

BR,
Andrei







--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/


Re: Authentication

2017-09-06 Thread franck102
Hi all,

I am reviving this thread because as far as I can tell the initial question
was not answered, and I am hitting the same problem:
"* when a node starts up it needs to fetch the local password and store it
in it's own configuration "

... and I can't figure out how to do that?? The only place where the TCP SPI
reads credentials from when creating its join request is from the
org.apache.ignite.security.cred, which as mentioned cannot be set because
the key name is reserved??

Franck





Re: Authentication

2017-03-08 Thread Andrey Mashenkov
Hi,

It looks like you need to implement *DiscoverySpiNodeAuthenticator*.
You can use *ClusterNode* attribute to authenticate node inside
'*DiscoverySpiNodeAuthenticator.authenticateNode()*' method.

You can find in source code how *IgniteNodeAttributes.ATTR_SECURITY_CREDENTIALS*
attribute passed to *DiscoverySpiNodeAuthenticator.authenticateNode()* as
*SecurityCredentials*.

On Mon, Mar 6, 2017 at 3:25 PM, conor  wrote:

> Hi, I'm trying to implement authentication for an ignite cluster.  I've
> read
> the blog post mentioned in other posts here but it's incomplete and also
> quite old so I was hoping for some guidance. (blog post:
> http://smartkey.co.uk/development/securing-an-apache-ignite-cluster/)
>
> The authentication mechanism I'm intending to use is to check for a common
> password shared by nodes.  So when a node starts up by itself, it obtains
> the shared password from the local system using a library call.  So I need
> to do two things.
>  * when a node starts up it needs to fetch the local password and store it
> in it's own configuration
>  * when a node joins the cluster other nodes need to compare the provided
> password with the one they have locally
>
> So I tried setting the credentials locally as follows:
>
> TcpDiscoverySpi spi = new TcpDiscoverySpi();
> SecurityCredentials securityCredentials = new
> SecurityCredentials(getModuleName(), passwordService.getPassword());
> Map nodeAttributes = new HashMap<>();
> nodeAttributes.put("org.apache.ignite.security.cred",
> securityCredentials);
> IgniteProductVersion igniteProductVersion = new
> IgniteProductVersion();
> spi.setNodeAttributes(nodeAttributes, igniteProductVersion);
>
> However I run into an issue here because when setNodeAttributes is called
> on
> TcpDiscoverySpi I get a NullPointerException.  The exception is thrown in
> line 963 which is shown below.
>
> 959 @Override public void setNodeAttributes(Map attrs, IgniteProductVersion ver) {
> 960     assert locNodeAttrs == null;
> 961     assert locNodeVer == null;
> 962
> 963     if (log.isDebugEnabled()) {
> 964         log.debug("Node attributes to set: " + attrs);
> 965         log.debug("Node version to set: " + ver);
> 966     }
> 967
> 968     locNodeAttrs = attrs;
> 969     locNodeVer = ver;
> 970 }
>
> The instance of IgniteLogger named 'log' is null when this method is
> called.
> This seems like a bug to me but if it's not, am I doing something wrong?
> Is
> there another way I should be fetching and setting this property on my
> local
> node?
>
>
>
>
> --
> View this message in context: http://apache-ignite-users.70518.x6.nabble.com/Authentication-tp11037.html
> Sent from the Apache Ignite Users mailing list archive at Nabble.com.
>



-- 
Best regards,
Andrey V. Mashenkov