IGNITE-8221: Security for thin clients.
Project: http://git-wip-us.apache.org/repos/asf/ignite/repo Commit: http://git-wip-us.apache.org/repos/asf/ignite/commit/5a292763 Tree: http://git-wip-us.apache.org/repos/asf/ignite/tree/5a292763 Diff: http://git-wip-us.apache.org/repos/asf/ignite/diff/5a292763 Branch: refs/heads/ignite-7708 Commit: 5a29276355c4eb8966e5825883e1232ee2a80509 Parents: 747e6c5 Author: Alexey Kukushkin <alexeykukush...@yahoo.com> Authored: Wed Apr 11 16:29:07 2018 +0300 Committer: devozerov <voze...@gridgain.com> Committed: Wed Apr 11 16:38:12 2018 +0300 ---------------------------------------------------------------------- .../apache/ignite/IgniteSystemProperties.java | 6 +++ .../client/ClientAuthenticationException.java | 2 +- .../client/ClientAuthorizationException.java | 46 ++++++++++++++++++++ .../internal/client/thin/ClientChannel.java | 3 +- .../internal/client/thin/TcpClientChannel.java | 39 ++++++++--------- .../IgniteAuthenticationProcessor.java | 5 ++- .../processors/cache/GridCacheProcessor.java | 32 ++++++++++++++ .../processors/cache/GridCacheUtils.java | 5 +++ .../client/ClientConnectionContext.java | 45 ++++++++++++++++++- .../platform/client/ClientRequest.java | 29 ++++++++++++ .../platform/client/ClientStatus.java | 3 ++ .../cache/ClientCacheClearKeyRequest.java | 3 ++ .../cache/ClientCacheClearKeysRequest.java | 3 ++ .../client/cache/ClientCacheClearRequest.java | 3 ++ .../cache/ClientCacheContainsKeyRequest.java | 3 ++ .../cache/ClientCacheContainsKeysRequest.java | 3 ++ ...ientCacheCreateWithConfigurationRequest.java | 6 ++- .../cache/ClientCacheCreateWithNameRequest.java | 3 ++ .../client/cache/ClientCacheDestroyRequest.java | 3 ++ .../client/cache/ClientCacheGetAllRequest.java | 3 ++ .../ClientCacheGetAndPutIfAbsentRequest.java | 3 ++ .../cache/ClientCacheGetAndPutRequest.java | 3 ++ .../cache/ClientCacheGetAndRemoveRequest.java | 3 ++ .../cache/ClientCacheGetAndReplaceRequest.java | 3 ++ ...acheGetOrCreateWithConfigurationRequest.java | 6 ++- .../ClientCacheGetOrCreateWithNameRequest.java | 3 ++ .../client/cache/ClientCacheGetRequest.java | 3 ++ .../client/cache/ClientCacheGetSizeRequest.java | 3 ++ .../client/cache/ClientCachePutAllRequest.java | 3 ++ .../cache/ClientCachePutIfAbsentRequest.java | 3 ++ .../client/cache/ClientCachePutRequest.java | 3 ++ .../cache/ClientCacheRemoveAllRequest.java | 3 ++ .../cache/ClientCacheRemoveIfEqualsRequest.java | 3 ++ .../cache/ClientCacheRemoveKeyRequest.java | 3 ++ .../cache/ClientCacheRemoveKeysRequest.java | 3 ++ .../ClientCacheReplaceIfEqualsRequest.java | 3 ++ .../client/cache/ClientCacheReplaceRequest.java | 3 ++ .../client/cache/ClientCacheRequest.java | 32 ++++++++++++++ .../cache/ClientCacheScanQueryRequest.java | 3 ++ .../cache/ClientCacheSqlFieldsQueryRequest.java | 1 + .../cache/ClientCacheSqlQueryRequest.java | 1 + .../plugin/security/AuthenticationContext.java | 40 +++++++++++++++++ .../plugin/security/SecurityPermission.java | 11 ++++- .../ignite/spi/discovery/tcp/ServerImpl.java | 12 ++++- 44 files changed, 371 insertions(+), 28 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/IgniteSystemProperties.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/IgniteSystemProperties.java b/modules/core/src/main/java/org/apache/ignite/IgniteSystemProperties.java index 04eb425..662338c 100644 --- a/modules/core/src/main/java/org/apache/ignite/IgniteSystemProperties.java +++ b/modules/core/src/main/java/org/apache/ignite/IgniteSystemProperties.java @@ -835,6 +835,12 @@ public final class IgniteSystemProperties { public static final String IGNITE_WAL_FSYNC_WITH_DEDICATED_WORKER = "IGNITE_WAL_FSYNC_WITH_DEDICATED_WORKER"; /** + * When set to {@code true}, on-heap cache cannot be enabled - see + * {@link CacheConfiguration#setOnheapCacheEnabled(boolean)}. + * Default is {@code false}. + */ + public static final String IGNITE_DISABLE_ONHEAP_CACHE = "IGNITE_DISABLE_ONHEAP_CACHE"; + /** * When set to {@code false}, loaded pages implementation is switched to previous version of implementation, * FullPageIdTable. {@code True} value enables 'Robin Hood hashing: backward shift deletion'. * Default is {@code true}. http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/client/ClientAuthenticationException.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/client/ClientAuthenticationException.java b/modules/core/src/main/java/org/apache/ignite/client/ClientAuthenticationException.java index dc39c7a..0c24db8 100644 --- a/modules/core/src/main/java/org/apache/ignite/client/ClientAuthenticationException.java +++ b/modules/core/src/main/java/org/apache/ignite/client/ClientAuthenticationException.java @@ -18,7 +18,7 @@ package org.apache.ignite.client; /** - * Indicates Ignite server the client is connected to closed the connection and no longer available. + * Indicates user name or password is invalid. */ public class ClientAuthenticationException extends ClientException { /** Serial version uid. */ http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/client/ClientAuthorizationException.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/client/ClientAuthorizationException.java b/modules/core/src/main/java/org/apache/ignite/client/ClientAuthorizationException.java new file mode 100644 index 0000000..cacede6 --- /dev/null +++ b/modules/core/src/main/java/org/apache/ignite/client/ClientAuthorizationException.java @@ -0,0 +1,46 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.ignite.client; + +/** + * Indicates user has no permission to perform operation. + */ +public class ClientAuthorizationException extends ClientException { + /** Serial version uid. */ + private static final long serialVersionUID = 0L; + + /** Message. */ + private static final String MSG = "User is not authorized to perform this operation"; + + /** + * Default constructor. + */ + public ClientAuthorizationException() { + super(MSG); + } + + /** + * Constructs a new exception with the specified cause and a detail + * message of <tt>(cause==null ? null : cause.toString())</tt>. + * + * @param cause the cause. + */ + public ClientAuthorizationException(Throwable cause) { + super(MSG, cause); + } +} http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/client/thin/ClientChannel.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/client/thin/ClientChannel.java b/modules/core/src/main/java/org/apache/ignite/internal/client/thin/ClientChannel.java index 71502a4..eb62c80 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/client/thin/ClientChannel.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/client/thin/ClientChannel.java @@ -22,6 +22,7 @@ import java.util.function.Function; import org.apache.ignite.internal.binary.streams.BinaryInputStream; import org.apache.ignite.internal.binary.streams.BinaryOutputStream; import org.apache.ignite.client.ClientConnectionException; +import org.apache.ignite.client.ClientAuthorizationException; /** * Processing thin client requests and responses. @@ -41,5 +42,5 @@ interface ClientChannel extends AutoCloseable { * @return Received operation payload or {@code null} if response has no payload. */ public <T> T receive(ClientOperation op, long reqId, Function<BinaryInputStream, T> payloadReader) - throws ClientConnectionException; + throws ClientConnectionException, ClientAuthorizationException; } http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/client/thin/TcpClientChannel.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/client/thin/TcpClientChannel.java b/modules/core/src/main/java/org/apache/ignite/internal/client/thin/TcpClientChannel.java index 404793a..8e8294f 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/client/thin/TcpClientChannel.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/client/thin/TcpClientChannel.java @@ -50,6 +50,7 @@ import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; import org.apache.ignite.client.ClientAuthenticationException; +import org.apache.ignite.client.ClientAuthorizationException; import org.apache.ignite.client.ClientConnectionException; import org.apache.ignite.client.SslMode; import org.apache.ignite.client.SslProtocol; @@ -62,6 +63,7 @@ import org.apache.ignite.internal.binary.streams.BinaryHeapOutputStream; import org.apache.ignite.internal.binary.streams.BinaryInputStream; import org.apache.ignite.internal.binary.streams.BinaryOffheapOutputStream; import org.apache.ignite.internal.binary.streams.BinaryOutputStream; +import org.apache.ignite.internal.processors.platform.client.ClientStatus; /** * Implements {@link ClientChannel} over TCP. @@ -138,7 +140,8 @@ class TcpClientChannel implements ClientChannel { /** {@inheritDoc} */ public <T> T receive(ClientOperation op, long reqId, Function<BinaryInputStream, T> payloadReader) - throws ClientConnectionException { + throws ClientConnectionException, ClientAuthorizationException { + final int MIN_RES_SIZE = 8 + 4; // minimal response size: long (8 bytes) ID + int (4 bytes) status int resSize = new BinaryHeapInputStream(read(4)).readInt(); @@ -163,7 +166,12 @@ class TcpClientChannel implements ClientChannel { String err = new BinaryReaderExImpl(null, resIn, null, true).readString(); - throw new ClientServerError(err, status, reqId); + switch (status) { + case ClientStatus.SECURITY_VIOLATION: + throw new ClientAuthorizationException(); + default: + throw new ClientServerError(err, status, reqId); + } } if (resSize <= MIN_RES_SIZE || payloadReader == null) @@ -539,16 +547,10 @@ class TcpClientChannel implements ClientChannel { /** */ private static KeyStore loadKeyStore(String lb, String path, String type, char[] pwd) { - InputStream in = null; + KeyStore store; try { - KeyStore store = KeyStore.getInstance(type); - - in = new FileInputStream(new File(path)); - - store.load(in, pwd); - - return store; + store = KeyStore.getInstance(type); } catch (KeyStoreException e) { throw new ClientError( @@ -556,6 +558,13 @@ class TcpClientChannel implements ClientChannel { e ); } + + try (InputStream in = new FileInputStream(new File(path))) { + + store.load(in, pwd); + + return store; + } catch (FileNotFoundException e) { throw new ClientError(String.format("%s key store file [%s] does not exist", lb, path), e); } @@ -571,16 +580,6 @@ class TcpClientChannel implements ClientChannel { catch (IOException e) { throw new ClientError(String.format("Could not read %s key store", lb), e); } - finally { - if (in != null) { - try { - in.close(); - } - catch (IOException ignored) { - // Fail silently - } - } - } } } } http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java index c025e8c..93b3a5b 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java @@ -897,7 +897,10 @@ public class IgniteAuthenticationProcessor extends GridProcessorAdapter implemen // Can be empty on initial start of PDS cluster (default user will be created and stored after activate) if (!F.isEmpty(initUsrs.usrs)) { - users.clear(); + if (users == null) + users = new ConcurrentHashMap<>(); + else + users.clear(); for (User u : initUsrs.usrs) users.put(u.name(), u); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/cache/GridCacheProcessor.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/cache/GridCacheProcessor.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/cache/GridCacheProcessor.java index 7edac73..3aa6603 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/cache/GridCacheProcessor.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/cache/GridCacheProcessor.java @@ -149,6 +149,8 @@ import org.apache.ignite.marshaller.MarshallerUtils; import org.apache.ignite.marshaller.jdk.JdkMarshaller; import org.apache.ignite.mxbean.CacheGroupMetricsMXBean; import org.apache.ignite.mxbean.IgniteMBeanAware; +import org.apache.ignite.plugin.security.SecurityException; +import org.apache.ignite.plugin.security.SecurityPermission; import org.apache.ignite.spi.IgniteNodeValidationResult; import org.apache.ignite.spi.discovery.DiscoveryDataBag; import org.apache.ignite.spi.discovery.DiscoveryDataBag.GridDiscoveryData; @@ -1126,6 +1128,9 @@ public class GridCacheProcessor extends GridProcessorAdapter { CacheConfiguration cfg = cacheCtx.config(); + if (cacheCtx.userCache()) + authorizeCacheCreate(cacheCtx.name(), cfg); + // Intentionally compare Boolean references using '!=' below to check if the flag has been explicitly set. if (cfg.isStoreKeepBinary() && cfg.isStoreKeepBinary() != CacheConfiguration.DFLT_STORE_KEEP_BINARY && !(ctx.config().getMarshaller() instanceof BinaryMarshaller)) @@ -3151,6 +3156,8 @@ public class GridCacheProcessor extends GridProcessorAdapter { Collection<DynamicCacheChangeRequest> sndReqs = new ArrayList<>(reqs.size()); for (DynamicCacheChangeRequest req : reqs) { + authorizeCacheChange(req); + DynamicCacheStartFuture fut = new DynamicCacheStartFuture(req.requestId()); try { @@ -3216,6 +3223,31 @@ public class GridCacheProcessor extends GridProcessorAdapter { } /** + * Authorize dynamic cache management. + */ + private void authorizeCacheChange(DynamicCacheChangeRequest req) { + if (req.cacheType() == null || req.cacheType() == CacheType.USER) { + if (req.stop()) + ctx.security().authorize(req.cacheName(), SecurityPermission.CACHE_DESTROY, null); + else + authorizeCacheCreate(req.cacheName(), req.startCacheConfiguration()); + } + } + + /** + * Authorize start/create cache operation. + */ + private void authorizeCacheCreate(String cacheName, CacheConfiguration cacheCfg) { + ctx.security().authorize(cacheName, SecurityPermission.CACHE_CREATE, null); + + if (cacheCfg != null && cacheCfg.isOnheapCacheEnabled() && + System.getProperty(IgniteSystemProperties.IGNITE_DISABLE_ONHEAP_CACHE, "false") + .toUpperCase().equals("TRUE") + ) + throw new SecurityException("Authorization failed for enabling on-heap cache."); + } + + /** * @return Non null exception if node is stopping or disconnected. */ @Nullable private IgniteCheckedException checkNodeState() { http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/cache/GridCacheUtils.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/cache/GridCacheUtils.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/cache/GridCacheUtils.java index d672420..e244c75 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/cache/GridCacheUtils.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/cache/GridCacheUtils.java @@ -98,6 +98,8 @@ import org.apache.ignite.lang.IgnitePredicate; import org.apache.ignite.lang.IgniteReducer; import org.apache.ignite.lifecycle.LifecycleAware; import org.apache.ignite.plugin.CachePluginConfiguration; +import org.apache.ignite.plugin.security.SecurityException; +import org.apache.ignite.spi.discovery.tcp.internal.TcpDiscoveryNode; import org.apache.ignite.transactions.Transaction; import org.apache.ignite.transactions.TransactionConcurrency; import org.apache.ignite.transactions.TransactionIsolation; @@ -1290,6 +1292,9 @@ public class GridCacheUtils { if (e.getCause() instanceof NullPointerException) return (NullPointerException)e.getCause(); + if (e.getCause() instanceof SecurityException) + return (SecurityException)e.getCause(); + C1<IgniteCheckedException, IgniteException> converter = U.getExceptionConverter(e.getClass()); return converter != null ? new CacheException(converter.apply(e)) : new CacheException(e); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java index 7ab2d33..061aab3 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java @@ -20,16 +20,24 @@ package org.apache.ignite.internal.processors.platform.client; import java.io.IOException; import java.util.Arrays; import java.util.Collection; +import java.util.Collections; +import java.util.UUID; import org.apache.ignite.IgniteCheckedException; import org.apache.ignite.internal.GridKernalContext; import org.apache.ignite.internal.binary.BinaryReaderExImpl; import org.apache.ignite.internal.processors.authentication.AuthorizationContext; +import org.apache.ignite.internal.processors.authentication.IgniteAccessControlException; import org.apache.ignite.internal.processors.odbc.ClientListenerConnectionContext; import org.apache.ignite.internal.processors.odbc.ClientListenerMessageParser; import org.apache.ignite.internal.processors.odbc.ClientListenerProtocolVersion; import org.apache.ignite.internal.processors.odbc.ClientListenerRequestHandler; import java.util.concurrent.atomic.AtomicLong; +import org.apache.ignite.internal.processors.security.SecurityContext; +import org.apache.ignite.plugin.security.AuthenticationContext; +import org.apache.ignite.plugin.security.SecurityCredentials; + +import static org.apache.ignite.plugin.security.SecuritySubjectType.REMOTE_CLIENT; /** * Thin Client connection context. @@ -62,6 +70,9 @@ public class ClientConnectionContext implements ClientListenerConnectionContext /** Cursor counter. */ private final AtomicLong curCnt = new AtomicLong(); + /** Security context or {@code null} if security is disabled. */ + private SecurityContext secCtx = null; + /** * Ctor. * @@ -129,7 +140,9 @@ public class ClientConnectionContext implements ClientListenerConnectionContext } } - if (kernalCtx.authentication().enabled()) { + if (kernalCtx.security().enabled()) + authCtx = thirdPartyAuthentication(user, pwd).authorizationContext(); + else if (kernalCtx.authentication().enabled()) { if (user == null || user.length() == 0) throw new IgniteCheckedException("Unauthenticated sessions are prohibited."); @@ -179,4 +192,34 @@ public class ClientConnectionContext implements ClientListenerConnectionContext public void decrementCursors() { curCnt.decrementAndGet(); } + + /** + * @return Security context or {@code null} if security is disabled. + */ + public SecurityContext securityContext() { + return secCtx; + } + + /** + * Do 3-rd party authentication. + */ + private AuthenticationContext thirdPartyAuthentication(String user, String pwd) throws IgniteCheckedException { + SecurityCredentials cred = new SecurityCredentials(user, pwd); + + AuthenticationContext authCtx = new AuthenticationContext(); + + authCtx.subjectType(REMOTE_CLIENT); + authCtx.subjectId(UUID.randomUUID()); + authCtx.nodeAttributes(Collections.emptyMap()); + authCtx.credentials(cred); + + secCtx = kernalCtx.security().authenticate(authCtx); + + if (secCtx == null) + throw new IgniteAccessControlException( + String.format("The user name or password is incorrect [userName=%s]", user) + ); + + return authCtx; + } } http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientRequest.java index 76823b5..799b3e7 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientRequest.java @@ -19,6 +19,9 @@ package org.apache.ignite.internal.processors.platform.client; import org.apache.ignite.binary.BinaryRawReader; import org.apache.ignite.internal.processors.odbc.ClientListenerRequest; +import org.apache.ignite.internal.processors.security.SecurityContext; +import org.apache.ignite.plugin.security.SecurityException; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Thin client request. @@ -58,4 +61,30 @@ public class ClientRequest implements ClientListenerRequest { public ClientResponse process(ClientConnectionContext ctx) { return new ClientResponse(reqId); } + + /** + * Run the code with converting {@link SecurityException} to {@link IgniteClientException}. + */ + protected static void runWithSecurityExceptionHandler(Runnable runnable) { + try { + runnable.run(); + } + catch (SecurityException ex) { + throw new IgniteClientException( + ClientStatus.SECURITY_VIOLATION, + "Client is not authorized to perform this operation", + ex + ); + } + } + + /** + * Authorize for specified permission. + */ + protected void authorize(ClientConnectionContext ctx, SecurityPermission perm) { + SecurityContext secCtx = ctx.securityContext(); + + if (secCtx != null) + runWithSecurityExceptionHandler(() -> ctx.kernalContext().security().authorize(null, perm, secCtx)); + } } http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientStatus.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientStatus.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientStatus.java index e0049b4..b8dfb1f 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientStatus.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientStatus.java @@ -48,4 +48,7 @@ public final class ClientStatus { /** Resource does not exist. */ public static final int RESOURCE_DOES_NOT_EXIST = 1011; + + /** Resource does not exist. */ + public static final int SECURITY_VIOLATION = 1012; } http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheClearKeyRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheClearKeyRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheClearKeyRequest.java index 6bcbbe8..5f8e952 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheClearKeyRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheClearKeyRequest.java @@ -20,6 +20,7 @@ package org.apache.ignite.internal.processors.platform.client.cache; import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Clear key request. @@ -37,6 +38,8 @@ public class ClientCacheClearKeyRequest extends ClientCacheKeyRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_REMOVE); + cache(ctx).clear(key()); return super.process(ctx); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheClearKeysRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheClearKeysRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheClearKeysRequest.java index 04eb7f6..d803f69 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheClearKeysRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheClearKeysRequest.java @@ -20,6 +20,7 @@ package org.apache.ignite.internal.processors.platform.client.cache; import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Clear keys request. @@ -37,6 +38,8 @@ public class ClientCacheClearKeysRequest extends ClientCacheKeysRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_REMOVE); + cache(ctx).clearAll(keys()); return super.process(ctx); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheClearRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheClearRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheClearRequest.java index 0e5f20d..7b84522 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheClearRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheClearRequest.java @@ -20,6 +20,7 @@ package org.apache.ignite.internal.processors.platform.client.cache; import org.apache.ignite.binary.BinaryRawReader; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache clear request. @@ -37,6 +38,8 @@ public class ClientCacheClearRequest extends ClientCacheRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_REMOVE); + cache(ctx).clear(); return super.process(ctx); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheContainsKeyRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheContainsKeyRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheContainsKeyRequest.java index 8470828..386f448 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheContainsKeyRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheContainsKeyRequest.java @@ -21,6 +21,7 @@ import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientBooleanResponse; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * ContainsKey request. @@ -38,6 +39,8 @@ public class ClientCacheContainsKeyRequest extends ClientCacheKeyRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_READ); + boolean val = cache(ctx).containsKey(key()); return new ClientBooleanResponse(requestId(), val); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheContainsKeysRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheContainsKeysRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheContainsKeysRequest.java index 41e1306..b5184bf 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheContainsKeysRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheContainsKeysRequest.java @@ -21,6 +21,7 @@ import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientBooleanResponse; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * ContainsKeys request. @@ -38,6 +39,8 @@ public class ClientCacheContainsKeysRequest extends ClientCacheKeysRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_READ); + boolean val = cache(ctx).containsKeys(keys()); return new ClientBooleanResponse(requestId(), val); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheCreateWithConfigurationRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheCreateWithConfigurationRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheCreateWithConfigurationRequest.java index 4b4dcec..65f9784 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheCreateWithConfigurationRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheCreateWithConfigurationRequest.java @@ -25,6 +25,7 @@ import org.apache.ignite.internal.processors.platform.client.ClientRequest; import org.apache.ignite.internal.processors.platform.client.ClientResponse; import org.apache.ignite.internal.processors.platform.client.ClientStatus; import org.apache.ignite.internal.processors.platform.client.IgniteClientException; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache create with configuration request. @@ -47,8 +48,11 @@ public class ClientCacheCreateWithConfigurationRequest extends ClientRequest { /** {@inheritDoc} */ @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_CREATE); + try { - ctx.kernalContext().grid().createCache(cacheCfg); + // Use security exception handler since the code authorizes "enable on-heap cache" permission + runWithSecurityExceptionHandler(() -> ctx.kernalContext().grid().createCache(cacheCfg)); } catch (CacheExistsException e) { throw new IgniteClientException(ClientStatus.CACHE_EXISTS, e.getMessage()); } http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheCreateWithNameRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheCreateWithNameRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheCreateWithNameRequest.java index 9155d76..cacf099 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheCreateWithNameRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheCreateWithNameRequest.java @@ -24,6 +24,7 @@ import org.apache.ignite.internal.processors.platform.client.ClientRequest; import org.apache.ignite.internal.processors.platform.client.ClientResponse; import org.apache.ignite.internal.processors.platform.client.ClientStatus; import org.apache.ignite.internal.processors.platform.client.IgniteClientException; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache create with name request. @@ -45,6 +46,8 @@ public class ClientCacheCreateWithNameRequest extends ClientRequest { /** {@inheritDoc} */ @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_CREATE); + try { ctx.kernalContext().grid().createCache(cacheName); } catch (CacheExistsException e) { http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheDestroyRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheDestroyRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheDestroyRequest.java index 6645a03..b6f85ee 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheDestroyRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheDestroyRequest.java @@ -21,6 +21,7 @@ import org.apache.ignite.binary.BinaryRawReader; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientRequest; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache destroy request. @@ -42,6 +43,8 @@ public class ClientCacheDestroyRequest extends ClientRequest { /** {@inheritDoc} */ @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_DESTROY); + String cacheName = ClientCacheRequest.cacheDescriptor(ctx, cacheId).cacheName(); ctx.kernalContext().grid().destroyCache(cacheName); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAllRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAllRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAllRequest.java index 2b33af1..a07305c 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAllRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAllRequest.java @@ -22,6 +22,7 @@ import org.apache.ignite.internal.processors.platform.client.ClientConnectionCon import org.apache.ignite.internal.processors.platform.client.ClientResponse; import java.util.Map; +import org.apache.ignite.plugin.security.SecurityPermission; /** * GetAll request. @@ -39,6 +40,8 @@ public class ClientCacheGetAllRequest extends ClientCacheKeysRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_READ); + Map val = cache(ctx).getAll(keys()); return new ClientCacheGetAllResponse(requestId(), val); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndPutIfAbsentRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndPutIfAbsentRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndPutIfAbsentRequest.java index 8360213..8713a21 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndPutIfAbsentRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndPutIfAbsentRequest.java @@ -21,6 +21,7 @@ import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientObjectResponse; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache get and put if absent request. @@ -38,6 +39,8 @@ public class ClientCacheGetAndPutIfAbsentRequest extends ClientCacheKeyValueRequ /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_READ, SecurityPermission.CACHE_PUT); + Object res = cache(ctx).getAndPutIfAbsent(key(), val()); return new ClientObjectResponse(requestId(), res); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndPutRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndPutRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndPutRequest.java index 7a540e8..dde5181 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndPutRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndPutRequest.java @@ -21,6 +21,7 @@ import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientObjectResponse; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache get and put request. @@ -38,6 +39,8 @@ public class ClientCacheGetAndPutRequest extends ClientCacheKeyValueRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_READ, SecurityPermission.CACHE_PUT); + Object res = cache(ctx).getAndPut(key(), val()); return new ClientObjectResponse(requestId(), res); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndRemoveRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndRemoveRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndRemoveRequest.java index e4fd735..3b9dd4b 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndRemoveRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndRemoveRequest.java @@ -21,6 +21,7 @@ import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientObjectResponse; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache get and remove request. @@ -38,6 +39,8 @@ public class ClientCacheGetAndRemoveRequest extends ClientCacheKeyRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_READ, SecurityPermission.CACHE_REMOVE); + Object val = cache(ctx).getAndRemove(key()); return new ClientObjectResponse(requestId(), val); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndReplaceRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndReplaceRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndReplaceRequest.java index dba8639..8ba157a 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndReplaceRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetAndReplaceRequest.java @@ -21,6 +21,7 @@ import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientObjectResponse; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache get and replace request. @@ -38,6 +39,8 @@ public class ClientCacheGetAndReplaceRequest extends ClientCacheKeyValueRequest /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_READ, SecurityPermission.CACHE_PUT); + Object res = cache(ctx).getAndReplace(key(), val()); return new ClientObjectResponse(requestId(), res); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetOrCreateWithConfigurationRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetOrCreateWithConfigurationRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetOrCreateWithConfigurationRequest.java index 267318a..48569b4 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetOrCreateWithConfigurationRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetOrCreateWithConfigurationRequest.java @@ -25,6 +25,7 @@ import org.apache.ignite.internal.processors.platform.client.ClientRequest; import org.apache.ignite.internal.processors.platform.client.ClientResponse; import org.apache.ignite.internal.processors.platform.client.ClientStatus; import org.apache.ignite.internal.processors.platform.client.IgniteClientException; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache get or create with configuration request. @@ -47,8 +48,11 @@ public class ClientCacheGetOrCreateWithConfigurationRequest extends ClientReques /** {@inheritDoc} */ @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_CREATE); + try { - ctx.kernalContext().grid().getOrCreateCache(cacheCfg); + // Use security exception handler since the code authorizes "enable on-heap cache" permission + runWithSecurityExceptionHandler(() -> ctx.kernalContext().grid().getOrCreateCache(cacheCfg)); } catch (CacheExistsException e) { throw new IgniteClientException(ClientStatus.CACHE_EXISTS, e.getMessage()); } http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetOrCreateWithNameRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetOrCreateWithNameRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetOrCreateWithNameRequest.java index 94dd115..3c4ce7b 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetOrCreateWithNameRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetOrCreateWithNameRequest.java @@ -21,6 +21,7 @@ import org.apache.ignite.binary.BinaryRawReader; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientRequest; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache create with name request. @@ -42,6 +43,8 @@ public class ClientCacheGetOrCreateWithNameRequest extends ClientRequest { /** {@inheritDoc} */ @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_CREATE); + ctx.kernalContext().grid().getOrCreateCache(cacheName); return super.process(ctx); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetRequest.java index 41558c2..dc17cbf 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetRequest.java @@ -21,6 +21,7 @@ import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientObjectResponse; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache get request. @@ -38,6 +39,8 @@ public class ClientCacheGetRequest extends ClientCacheKeyRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_READ); + Object val = cache(ctx).get(key()); return new ClientObjectResponse(requestId(), val); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetSizeRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetSizeRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetSizeRequest.java index ba185bf..474c206 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetSizeRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheGetSizeRequest.java @@ -22,6 +22,7 @@ import org.apache.ignite.cache.CachePeekMode; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientLongResponse; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache size request. @@ -50,6 +51,8 @@ public class ClientCacheGetSizeRequest extends ClientCacheRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_READ); + long res = cache(ctx).sizeLong(modes); return new ClientLongResponse(requestId(), res); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCachePutAllRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCachePutAllRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCachePutAllRequest.java index 28a7fa5..57e3144 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCachePutAllRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCachePutAllRequest.java @@ -23,6 +23,7 @@ import org.apache.ignite.internal.processors.platform.client.ClientResponse; import java.util.LinkedHashMap; import java.util.Map; +import org.apache.ignite.plugin.security.SecurityPermission; /** * PutAll request. @@ -50,6 +51,8 @@ public class ClientCachePutAllRequest extends ClientCacheRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_PUT); + cache(ctx).putAll(map); return super.process(ctx); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCachePutIfAbsentRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCachePutIfAbsentRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCachePutIfAbsentRequest.java index 4dd2cde..ec81bc0 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCachePutIfAbsentRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCachePutIfAbsentRequest.java @@ -21,6 +21,7 @@ import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientBooleanResponse; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache put if absent request. @@ -38,6 +39,8 @@ public class ClientCachePutIfAbsentRequest extends ClientCacheKeyValueRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_READ, SecurityPermission.CACHE_PUT); + boolean res = cache(ctx).putIfAbsent(key(), val()); return new ClientBooleanResponse(requestId(), res); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCachePutRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCachePutRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCachePutRequest.java index 2c396b7..116460e 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCachePutRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCachePutRequest.java @@ -20,6 +20,7 @@ package org.apache.ignite.internal.processors.platform.client.cache; import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache put request. @@ -37,6 +38,8 @@ public class ClientCachePutRequest extends ClientCacheKeyValueRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_PUT); + cache(ctx).put(key(), val()); return super.process(ctx); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveAllRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveAllRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveAllRequest.java index f5adc63..d90d873 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveAllRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveAllRequest.java @@ -20,6 +20,7 @@ package org.apache.ignite.internal.processors.platform.client.cache; import org.apache.ignite.binary.BinaryRawReader; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache removeAll request. @@ -37,6 +38,8 @@ public class ClientCacheRemoveAllRequest extends ClientCacheRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_REMOVE); + cache(ctx).removeAll(); return super.process(ctx); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveIfEqualsRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveIfEqualsRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveIfEqualsRequest.java index b86f2f8..26c191f 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveIfEqualsRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveIfEqualsRequest.java @@ -21,6 +21,7 @@ import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientBooleanResponse; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache remove request with value. @@ -38,6 +39,8 @@ public class ClientCacheRemoveIfEqualsRequest extends ClientCacheKeyValueRequest /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_READ, SecurityPermission.CACHE_REMOVE); + boolean res = cache(ctx).remove(key(), val()); return new ClientBooleanResponse(requestId(), res); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveKeyRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveKeyRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveKeyRequest.java index a68c327..5af9743 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveKeyRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveKeyRequest.java @@ -21,6 +21,7 @@ import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientBooleanResponse; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Remove request. @@ -38,6 +39,8 @@ public class ClientCacheRemoveKeyRequest extends ClientCacheKeyRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_REMOVE); + boolean val = cache(ctx).remove(key()); return new ClientBooleanResponse(requestId(), val); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveKeysRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveKeysRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveKeysRequest.java index 043b568..62dea00 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveKeysRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRemoveKeysRequest.java @@ -20,6 +20,7 @@ package org.apache.ignite.internal.processors.platform.client.cache; import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Remove keys request. @@ -37,6 +38,8 @@ public class ClientCacheRemoveKeysRequest extends ClientCacheKeysRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_REMOVE); + cache(ctx).removeAll(keys()); return super.process(ctx); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheReplaceIfEqualsRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheReplaceIfEqualsRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheReplaceIfEqualsRequest.java index 8645fbb..056367d 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheReplaceIfEqualsRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheReplaceIfEqualsRequest.java @@ -21,6 +21,7 @@ import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientBooleanResponse; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache replace request. @@ -43,6 +44,8 @@ public class ClientCacheReplaceIfEqualsRequest extends ClientCacheKeyValueReques /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_READ, SecurityPermission.CACHE_PUT); + boolean res = cache(ctx).replace(key(), val(), newVal); return new ClientBooleanResponse(requestId(), res); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheReplaceRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheReplaceRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheReplaceRequest.java index bd7a642..ea04593 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheReplaceRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheReplaceRequest.java @@ -21,6 +21,7 @@ import org.apache.ignite.internal.binary.BinaryRawReaderEx; import org.apache.ignite.internal.processors.platform.client.ClientBooleanResponse; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientResponse; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache replace request. @@ -38,6 +39,8 @@ public class ClientCacheReplaceRequest extends ClientCacheKeyValueRequest { /** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_READ, SecurityPermission.CACHE_PUT); + boolean res = cache(ctx).replace(key(), val()); return new ClientBooleanResponse(requestId(), res); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRequest.java index 52b799f..9e2d1f1 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheRequest.java @@ -24,6 +24,8 @@ import org.apache.ignite.internal.processors.platform.client.ClientConnectionCon import org.apache.ignite.internal.processors.platform.client.ClientRequest; import org.apache.ignite.internal.processors.platform.client.ClientStatus; import org.apache.ignite.internal.processors.platform.client.IgniteClientException; +import org.apache.ignite.internal.processors.security.SecurityContext; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Cache get request. @@ -119,4 +121,34 @@ class ClientCacheRequest extends ClientRequest { protected int cacheId() { return cacheId; } + + /** {@inheritDoc} */ + protected void authorize(ClientConnectionContext ctx, SecurityPermission perm) { + SecurityContext secCtx = ctx.securityContext(); + + if (secCtx != null) { + DynamicCacheDescriptor cacheDesc = cacheDescriptor(ctx, cacheId); + + runWithSecurityExceptionHandler(() -> { + ctx.kernalContext().security().authorize(cacheDesc.cacheName(), perm, secCtx); + }); + } + } + + /** + * Authorize for multiple permissions. + */ + protected void authorize(ClientConnectionContext ctx, SecurityPermission... perm) + throws IgniteClientException { + SecurityContext secCtx = ctx.securityContext(); + + if (secCtx != null) { + DynamicCacheDescriptor cacheDesc = cacheDescriptor(ctx, cacheId); + + runWithSecurityExceptionHandler(() -> { + for (SecurityPermission p : perm) + ctx.kernalContext().security().authorize(cacheDesc.cacheName(), p, secCtx); + }); + } + } } http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheScanQueryRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheScanQueryRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheScanQueryRequest.java index 26ab236..70b6966 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheScanQueryRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheScanQueryRequest.java @@ -28,6 +28,7 @@ import org.apache.ignite.internal.processors.platform.client.ClientConnectionCon import org.apache.ignite.internal.processors.platform.client.ClientResponse; import org.apache.ignite.internal.processors.platform.utils.PlatformUtils; import org.apache.ignite.lang.IgniteBiPredicate; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Scan query request. @@ -80,6 +81,8 @@ public class ClientCacheScanQueryRequest extends ClientCacheRequest { /** {@inheritDoc} */ @Override public ClientResponse process(ClientConnectionContext ctx) { + authorize(ctx, SecurityPermission.CACHE_READ); + IgniteCache cache = filterPlatform == FILTER_PLATFORM_JAVA && !isKeepBinary() ? rawCache(ctx) : cache(ctx); ScanQuery qry = new ScanQuery() http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheSqlFieldsQueryRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheSqlFieldsQueryRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheSqlFieldsQueryRequest.java index cfd4498..3aa95bf 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheSqlFieldsQueryRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheSqlFieldsQueryRequest.java @@ -29,6 +29,7 @@ import org.apache.ignite.internal.processors.platform.cache.PlatformCache; import org.apache.ignite.internal.processors.platform.client.ClientConnectionContext; import org.apache.ignite.internal.processors.platform.client.ClientResponse; import org.apache.ignite.internal.processors.query.QueryUtils; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Sql query request. http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheSqlQueryRequest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheSqlQueryRequest.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheSqlQueryRequest.java index 8c21be1..40693e7 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheSqlQueryRequest.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/cache/ClientCacheSqlQueryRequest.java @@ -26,6 +26,7 @@ import org.apache.ignite.internal.processors.platform.client.ClientConnectionCon import org.apache.ignite.internal.processors.platform.client.ClientResponse; import java.util.concurrent.TimeUnit; +import org.apache.ignite.plugin.security.SecurityPermission; /** * Sql query request. http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/plugin/security/AuthenticationContext.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/AuthenticationContext.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/AuthenticationContext.java index 91f3379..9f2cfe2 100644 --- a/modules/core/src/main/java/org/apache/ignite/plugin/security/AuthenticationContext.java +++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/AuthenticationContext.java @@ -21,6 +21,7 @@ import java.net.InetSocketAddress; import java.util.Collections; import java.util.Map; import java.util.UUID; +import org.apache.ignite.internal.processors.authentication.AuthorizationContext; /** * Authentication context. @@ -41,6 +42,12 @@ public class AuthenticationContext { /** */ private Map<String, Object> nodeAttrs; + /** Authorization context. */ + private AuthorizationContext athrCtx; + + /** True if this is a client node context. */ + private boolean client; + /** * Gets subject type. * @@ -130,4 +137,37 @@ public class AuthenticationContext { public void nodeAttributes(Map<String, Object> nodeAttrs) { this.nodeAttrs = nodeAttrs; } + + /** + * @return Native Apache Ignite authorization context acquired after authentication or {@code null} if native + * Ignite authentication is not used. + */ + public AuthorizationContext authorizationContext(){ + return athrCtx; + } + + /** + * Set authorization context acquired after native Apache Ignite authentication. + */ + public AuthenticationContext authorizationContext(AuthorizationContext newVal) { + athrCtx = newVal; + + return this; + } + + /** + * @return {@code true} if this is a client node context. + */ + public boolean isClient() { + return client; + } + + /** + * Sets flag indicating if this is client node context. + */ + public AuthenticationContext setClient(boolean newVal) { + client = newVal; + + return this; + } } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java index 5436161..bca667d 100644 --- a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java +++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java @@ -64,7 +64,16 @@ public enum SecurityPermission { SERVICE_CANCEL, /** Service invoke permission. */ - SERVICE_INVOKE; + SERVICE_INVOKE, + + /** Cache create permission. */ + CACHE_CREATE, + + /** Cache create permission. */ + CACHE_DESTROY, + + /** Join as server node permission. */ + JOIN_AS_SERVER; /** Enumerated values. */ private static final SecurityPermission[] VALS = values(); http://git-wip-us.apache.org/repos/asf/ignite/blob/5a292763/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java b/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java index 7bf37e1..6d3864e 100644 --- a/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java +++ b/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java @@ -99,6 +99,7 @@ import org.apache.ignite.lang.IgniteInClosure; import org.apache.ignite.lang.IgniteProductVersion; import org.apache.ignite.lang.IgniteUuid; import org.apache.ignite.plugin.security.SecurityCredentials; +import org.apache.ignite.plugin.security.SecurityPermission; import org.apache.ignite.plugin.security.SecurityPermissionSet; import org.apache.ignite.spi.IgniteNodeValidationResult; import org.apache.ignite.spi.IgniteSpiContext; @@ -3559,6 +3560,8 @@ class ServerImpl extends TcpDiscoveryImpl { return; } else { + String authFailedMsg = null; + if (!(subj instanceof Serializable)) { // Node has not pass authentication. LT.warn(log, "Authentication subject is not Serializable [nodeId=" + node.id() + @@ -3567,9 +3570,16 @@ class ServerImpl extends TcpDiscoveryImpl { ", addrs=" + U.addressesAsString(node) + ']'); + authFailedMsg = "Authentication subject is not serializable"; + } + else if (!node.isClient() && + !subj.systemOperationAllowed(SecurityPermission.JOIN_AS_SERVER)) + authFailedMsg = "Node is not authorised to join as a server node"; + + if (authFailedMsg != null) { // Always output in debug. if (log.isDebugEnabled()) - log.debug("Authentication subject is not serializable [nodeId=" + node.id() + + log.debug(authFailedMsg + " [nodeId=" + node.id() + ", addrs=" + U.addressesAsString(node)); try {