Re: How can I get Ignite security plugin to work with JDBC thin client?

2017-11-16 Thread Andrew Mashenkov
I've created a ticket [1] for this issue.

[1] https://issues.apache.org/jira/browse/IGNITE-6941



-
Regards, 
Andrew.
--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/


Re: How can I get Ignite security plugin to work with JDBC thin client?

2017-11-16 Thread calebs
Yes, but can you please open another IGNITE ticket to be resolved hopefully
in 2.4? 





Re: How can I get Ignite security plugin to work with JDBC thin client?

2017-11-16 Thread Andrey Mashenkov
Hi Caleb,

JDBC Thin Client doesn't support authorization for now.

On Wed, Nov 15, 2017 at 6:54 PM, calebs  wrote:

> Hi Vladimir,
>
> There are at least two problems that I've found here. The first is the
> query
> execution engine as you have just pointed out. The second one is the JDBC
> thin driver itself.
>
> In JdbcThinTcpIo.handshake, it doesn't pass in user credentials (i.e., user
> & password) as shown below, so how can the server identify the user during
> the handshaking?
>
>     /**
>      * Used for versions: 2.1.5 and 2.3.0. The protocol version is changed but handshake format isn't changed.
>      *
>      * @param ver JDBC client version.
>      * @throws IOException On IO error.
>      * @throws SQLException On connection reject.
>      */
>     public void handshake(ClientListenerProtocolVersion ver) throws IOException, SQLException {
>         BinaryWriterExImpl writer = new BinaryWriterExImpl(null, new BinaryHeapOutputStream(HANDSHAKE_MSG_SIZE),
>             null, null);
>
>         writer.writeByte((byte) ClientListenerRequest.HANDSHAKE);
>
>         writer.writeShort(ver.major());
>         writer.writeShort(ver.minor());
>         writer.writeShort(ver.maintenance());
>
>         writer.writeByte(ClientListenerNioListener.JDBC_CLIENT);
>
>         writer.writeBoolean(distributedJoins);
>         writer.writeBoolean(enforceJoinOrder);
>         writer.writeBoolean(collocated);
>         writer.writeBoolean(replicatedOnly);
>         writer.writeBoolean(autoCloseServerCursor);
>         writer.writeBoolean(lazy);
>         writer.writeBoolean(skipReducerOnUpdate);
>
>         send(writer.array());
>
>         BinaryReaderExImpl reader = new BinaryReaderExImpl(null, new BinaryHeapInputStream(read()),
>             null, null, false);
>
>         boolean accepted = reader.readBoolean();
>
>         if (accepted) {
>             if (reader.available() > 0) {
>                 byte maj = reader.readByte();
>                 byte min = reader.readByte();
>                 byte maintenance = reader.readByte();
>
>                 String stage = reader.readString();
>
>                 long ts = reader.readLong();
>                 byte[] hash = reader.readByteArray();
>
>                 igniteVer = new IgniteProductVersion(maj, min, maintenance, stage, ts, hash);
>             }
>             else
>                 igniteVer = new IgniteProductVersion((byte)2, (byte)0, (byte)0, "Unknown", 0L, null);
>         }
>         else {
>             short maj = reader.readShort();
>             short min = reader.readShort();
>             short maintenance = reader.readShort();
>
>             String err = reader.readString();
>
>             ClientListenerProtocolVersion srvProtocolVer = ClientListenerProtocolVersion.create(maj, min, maintenance);
>
>             if (VER_2_1_5.equals(srvProtocolVer))
>                 handshake(VER_2_1_5);
>             else if (VER_2_1_0.equals(srvProtocolVer))
>                 handshake_2_1_0();
>             else {
>                 throw new SQLException("Handshake failed [driverProtocolVer=" + CURRENT_VER +
>                     ", remoteNodeProtocolVer=" + srvProtocolVer + ", err=" + err + ']',
>                     SqlStateCode.CONNECTION_REJECTED);
>             }
>         }
>     }
>
>
>
>
>



-- 
Best regards,
Andrey V. Mashenkov


Re: How can I get Ignite security plugin to work with JDBC thin client?

2017-11-15 Thread calebs
Hi Vladimir,

There are at least two problems that I've found here. The first is the query
execution engine as you have just pointed out. The second one is the JDBC
thin driver itself. 

In JdbcThinTcpIo.handshake, it doesn't pass in user credentials (i.e., user
& password) as shown below, so how can the server identify the user during
the handshaking?

    /**
     * Used for versions: 2.1.5 and 2.3.0. The protocol version is changed but handshake format isn't changed.
     *
     * @param ver JDBC client version.
     * @throws IOException On IO error.
     * @throws SQLException On connection reject.
     */
    public void handshake(ClientListenerProtocolVersion ver) throws IOException, SQLException {
        BinaryWriterExImpl writer = new BinaryWriterExImpl(null, new BinaryHeapOutputStream(HANDSHAKE_MSG_SIZE),
            null, null);

        // Handshake payload: request type, protocol version, client type and query flags.
        // No user or password field is written anywhere in this message.
        writer.writeByte((byte) ClientListenerRequest.HANDSHAKE);

        writer.writeShort(ver.major());
        writer.writeShort(ver.minor());
        writer.writeShort(ver.maintenance());

        writer.writeByte(ClientListenerNioListener.JDBC_CLIENT);

        writer.writeBoolean(distributedJoins);
        writer.writeBoolean(enforceJoinOrder);
        writer.writeBoolean(collocated);
        writer.writeBoolean(replicatedOnly);
        writer.writeBoolean(autoCloseServerCursor);
        writer.writeBoolean(lazy);
        writer.writeBoolean(skipReducerOnUpdate);

        send(writer.array());

        BinaryReaderExImpl reader = new BinaryReaderExImpl(null, new BinaryHeapInputStream(read()),
            null, null, false);

        boolean accepted = reader.readBoolean();

        if (accepted) {
            // Server accepted: read its product version if it sent one.
            if (reader.available() > 0) {
                byte maj = reader.readByte();
                byte min = reader.readByte();
                byte maintenance = reader.readByte();

                String stage = reader.readString();

                long ts = reader.readLong();
                byte[] hash = reader.readByteArray();

                igniteVer = new IgniteProductVersion(maj, min, maintenance, stage, ts, hash);
            }
            else
                igniteVer = new IgniteProductVersion((byte)2, (byte)0, (byte)0, "Unknown", 0L, null);
        }
        else {
            // Server rejected: retry with the protocol version it reports, or fail.
            short maj = reader.readShort();
            short min = reader.readShort();
            short maintenance = reader.readShort();

            String err = reader.readString();

            ClientListenerProtocolVersion srvProtocolVer = ClientListenerProtocolVersion.create(maj, min, maintenance);

            if (VER_2_1_5.equals(srvProtocolVer))
                handshake(VER_2_1_5);
            else if (VER_2_1_0.equals(srvProtocolVer))
                handshake_2_1_0();
            else {
                throw new SQLException("Handshake failed [driverProtocolVer=" + CURRENT_VER +
                    ", remoteNodeProtocolVer=" + srvProtocolVer + ", err=" + err + ']',
                    SqlStateCode.CONNECTION_REJECTED);
            }
        }
    }






Re: How can I get Ignite security plugin to work with JDBC thin client?

2017-11-09 Thread Vladimir Ozerov
Hi Caleb,

This appears to be a problem with our query execution engine, rather than
with thin JDBC driver. I created a ticket to fix it [1].

[1] https://issues.apache.org/jira/browse/IGNITE-6856

On Tue, Oct 31, 2017 at 4:49 PM, Andrey Mashenkov <
andrey.mashen...@gmail.com> wrote:

> Caleb,
>
> I've found that authorization should work only when you use a URL like
> "jdbc:ignite://" with the thick driver,
> and won't if "jdbc:ignite:cfg://" is used.
>
> On Tue, Oct 31, 2017 at 4:33 PM, calebs  wrote:
>
>> The javadoc for the JDBC thick client states that the property
>> "ignite.client.credentials" is available to pass "Client credentials used
>> in
>> authentication process."
>>
>> Is this not being used for authentication/authorization?
>>
>>
>>
>>
>
>
>
> --
> Best regards,
> Andrey V. Mashenkov
>


Re: How can I get Ignite security plugin to work with JDBC thin client?

2017-10-31 Thread Andrey Mashenkov
Caleb,

I've found that authorization should work only when you use a URL like
"jdbc:ignite://" with the thick driver,
and won't if "jdbc:ignite:cfg://" is used.

On Tue, Oct 31, 2017 at 4:33 PM, calebs  wrote:

> The javadoc for the JDBC thick client states that the property
> "ignite.client.credentials" is available to pass "Client credentials used
> in
> authentication process."
>
> Is this not being used for authentication/authorization?
>
>
>
>



-- 
Best regards,
Andrey V. Mashenkov


Re: How can I get Ignite security plugin to work with JDBC thin client?

2017-10-31 Thread calebs
The javadoc for the JDBC thick client states that the property
"ignite.client.credentials" is available to pass "Client credentials used in
authentication process."

Is this not being used for authentication/authorization?





Re: How can I get Ignite security plugin to work with JDBC thin client?

2017-10-30 Thread Andrey Mashenkov
Hi,

The IgniteCache.query() method requires the CACHE_READ permission,
but it looks like all JDBC clients bypass security checks.

On Mon, Oct 30, 2017 at 5:27 PM, calebs  wrote:

> Hi Andrew,
>
> Then, does the JDBC "thick" client support the security plugin? The
> security includes user authentication and authorization.
>
> In GridCacheContext, I see the following method
>
>     /**
>      * @param op Operation to check.
>      * @throws SecurityException If security check failed.
>      */
>     public void checkSecurity(SecurityPermission op) throws SecurityException {
>         if (CU.isSystemCache(name()))
>             return;
>
>         ctx.security().authorize(name(), op, null);
>     }
>
> where it calls the security plugin's authorize method without passing the user's
> SecurityContext. I wonder when and where the security context is used for
> any permission like CACHE_PUT & CACHE_READ.
>
>
>
>



-- 
Best regards,
Andrey V. Mashenkov


Re: How can I get Ignite security plugin to work with JDBC thin client?

2017-10-30 Thread calebs
Hi Andrew,

Then, does the JDBC "thick" client support the security plugin? The
security includes user authentication and authorization.

In GridCacheContext, I see the following method

    /**
     * @param op Operation to check.
     * @throws SecurityException If security check failed.
     */
    public void checkSecurity(SecurityPermission op) throws SecurityException {
        if (CU.isSystemCache(name()))
            return;

        // Third argument is the SecurityContext; null is passed here.
        ctx.security().authorize(name(), op, null);
    }

where it calls the security plugin's authorize method without passing the user's
SecurityContext. I wonder when and where the security context is used for
any permission like CACHE_PUT & CACHE_READ.





Re: How can I get Ignite security plugin to work with JDBC thin client?

2017-10-30 Thread Andrey Mashenkov
Hi Caleb,

The JDBC thin client has no security plugin support for now.

If you don't need full permissions support for SQL objects (I mean the "GRANT"
operation),
but just want to restrict unauthorized access to the grid, then you can wait for
IGNITE-6625 [1] and try JDBC via SSL.


[1] https://issues.apache.org/jira/browse/IGNITE-6625


On Thu, Oct 26, 2017 at 12:30 AM, calebs  wrote:

> Version: Ignite 2.3-SNAPSHOT from ignite-2.3 branch.
>
> A jar that contains our custom security plugin (ACSPluginProvider &
> ACSSecurityProcessor) is placed in the $IGNITE_HOME/libs
> folder.
>
> Run ignite.sh to start the single data node and see that the
> ACSSecurityProcessor.start method is called.
>
> 10-23 20:46:16.567 [main ] INFO  apache.ignite.internal.IgniteKernal%cdev_cluster - Configured caches [in 'sysMemPlc' memoryPolicy: ['ignite-sys-cache']]
> 10-23 20:46:16.601 [main ] INFO  apache.ignite.internal.IgniteKernal%cdev_cluster - 3-rd party licenses can be found at: /opt/ignite/libs/licenses
> 10-23 20:46:16.663 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor - Configured plugins:
> 10-23 20:46:16.664 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor -   ^-- ACSPluginProvider 1.0.0
> 10-23 20:46:16.664 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor -   ^-- MaxPoint
> 10-23 20:46:16.664 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor -
> 10-23 20:46:16.673 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - start
> 10-23 20:46:16.726 [main ] INFO  spi.communication.tcp.TcpCommunicationSpi - Successfully bound communication NIO server to TCP port [port=47100, locHost=0.0.0.0/0.0.0.0, selectorsCnt=4, selectorSpins=0, pairedConn=false]
>
> Use the Ignite JDBC thin driver to connect to the cluster with user & password
> properties. Then I see ACSSecurityProcessor.authenticate called, as shown below,
> but the login is null. Also, I can see ACSSecurityProcessor.authorize is
> called for CACHE_PUT when I execute INSERT or DELETE statements, but I do
> not see ACSSecurityProcessor.authorize called for CACHE_READ.
>
> /opt/ignite/log$ grep platform.auth.ignite ignite.log
> 10-25 14:56:35.182 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - start
> 10-25 14:56:35.779 [main ] INFO  platform.auth.ignite.ACSPluginProvider   - start
> 10-25 14:56:35.810 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - authenticateNode: id=cdb8bd19-d1b0-4d54-a982-01abdc83761a, hosts=[shei1], address=[0:0:0:0:0:0:0:1%lo, 127.0.0.1, 172.16.128.96]
> 10-25 14:56:35.858 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - onKernalStart(false)
> 10-25 14:56:35.891 [main ] INFO  platform.auth.ignite.ACSPluginProvider   - onIgniteStart
> 10-25 14:57:09.417 [rest-#44%cdev_cluster%] INFO  platform.auth.ignite.ACSSecurityProcessor - authenticate: id=b5052d01-5a1c-47ea-9bb1-0ee89519bde7, login=null
> 10-25 15:01:21.862 [client-connector-#79%cdev_cluster%] WARN  platform.auth.ignite.ACSSecurityProcessor - authorize: name=SQL_PUBLIC_TEST1, permission=CACHE_PUT
> 10-25 15:01:55.818 [client-connector-#80%cdev_cluster%] WARN  platform.auth.ignite.ACSSecurityProcessor - authorize: name=SQL_PUBLIC_TEST1, permission=CACHE_PUT
>
> The code for ACSSecurityProcessor.authenticate is
>
>     @Override
>     public SecurityContext authenticate(AuthenticationContext authCtx) throws IgniteCheckedException {
>         ACSSecuritySubject subject = (ACSSecuritySubject)userMap.get(authCtx.subjectId());
>
>         if (subject == null) {
>             subject = new ACSSecuritySubject(authCtx.subjectId(), authCtx.credentials(), authCtx.address());
>
>             if (logger.isInfoEnabled()) {
>                 logger.info("authenticate: id=" + subject.id() + ", login=" + subject.login());
>             }
>
>             userMap.put(authCtx.subjectId(), subject);
>         }
>
>         return new ACSSecurityContext(subject);
>     }
>
> where subject.login() will return null if authCtx.credentials() is null.
>
> So here, I have two questions:
> 1. How can I get authCtx.credentials() to return non-null credentials
> when I use the thin driver with user/password properties?
> 2. How can I get ACSSecurityProcessor.authorize invoked for CACHE_READ for
> any SELECT query?
>
>
>
>
>



-- 
Best regards,
Andrey V. Mashenkov


How can I get Ignite security plugin to work with JDBC thin client?

2017-10-25 Thread calebs
Version: Ignite 2.3-SNAPSHOT from ignite-2.3 branch. 

A jar that contains our custom security plugin (ACSPluginProvider &
ACSSecurityProcessor) is placed in the $IGNITE_HOME/libs
folder.

Run ignite.sh to start the single data node and see that the
ACSSecurityProcessor.start method is called.

10-23 20:46:16.567 [main ] INFO  apache.ignite.internal.IgniteKernal%cdev_cluster - Configured caches [in 'sysMemPlc' memoryPolicy: ['ignite-sys-cache']]
10-23 20:46:16.601 [main ] INFO  apache.ignite.internal.IgniteKernal%cdev_cluster - 3-rd party licenses can be found at: /opt/ignite/libs/licenses
10-23 20:46:16.663 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor - Configured plugins:
10-23 20:46:16.664 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor -   ^-- ACSPluginProvider 1.0.0
10-23 20:46:16.664 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor -   ^-- MaxPoint
10-23 20:46:16.664 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor -
10-23 20:46:16.673 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - start
10-23 20:46:16.726 [main ] INFO  spi.communication.tcp.TcpCommunicationSpi - Successfully bound communication NIO server to TCP port [port=47100, locHost=0.0.0.0/0.0.0.0, selectorsCnt=4, selectorSpins=0, pairedConn=false]

Use the Ignite JDBC thin driver to connect to the cluster with user & password
properties. Then I see ACSSecurityProcessor.authenticate called, as shown below,
but the login is null. Also, I can see ACSSecurityProcessor.authorize is
called for CACHE_PUT when I execute INSERT or DELETE statements, but I do
not see ACSSecurityProcessor.authorize called for CACHE_READ.

/opt/ignite/log$ grep platform.auth.ignite ignite.log
10-25 14:56:35.182 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - start
10-25 14:56:35.779 [main ] INFO  platform.auth.ignite.ACSPluginProvider   - start
10-25 14:56:35.810 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - authenticateNode: id=cdb8bd19-d1b0-4d54-a982-01abdc83761a, hosts=[shei1], address=[0:0:0:0:0:0:0:1%lo, 127.0.0.1, 172.16.128.96]
10-25 14:56:35.858 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - onKernalStart(false)
10-25 14:56:35.891 [main ] INFO  platform.auth.ignite.ACSPluginProvider   - onIgniteStart
10-25 14:57:09.417 [rest-#44%cdev_cluster%] INFO  platform.auth.ignite.ACSSecurityProcessor - authenticate: id=b5052d01-5a1c-47ea-9bb1-0ee89519bde7, login=null
10-25 15:01:21.862 [client-connector-#79%cdev_cluster%] WARN  platform.auth.ignite.ACSSecurityProcessor - authorize: name=SQL_PUBLIC_TEST1, permission=CACHE_PUT
10-25 15:01:55.818 [client-connector-#80%cdev_cluster%] WARN  platform.auth.ignite.ACSSecurityProcessor - authorize: name=SQL_PUBLIC_TEST1, permission=CACHE_PUT

The code for ACSSecurityProcessor.authenticate is

    @Override
    public SecurityContext authenticate(AuthenticationContext authCtx) throws IgniteCheckedException {
        // Subjects are cached by subject id; a new one is built on first sight.
        ACSSecuritySubject subject = (ACSSecuritySubject)userMap.get(authCtx.subjectId());

        if (subject == null) {
            subject = new ACSSecuritySubject(authCtx.subjectId(), authCtx.credentials(), authCtx.address());

            if (logger.isInfoEnabled()) {
                logger.info("authenticate: id=" + subject.id() + ", login=" + subject.login());
            }

            userMap.put(authCtx.subjectId(), subject);
        }

        return new ACSSecurityContext(subject);
    }

where subject.login() will return null if authCtx.credentials() is null. 

So here, I have two questions:
1. How can I get authCtx.credentials() to return non-null credentials
when I use the thin driver with user/password properties?
2. How can I get ACSSecurityProcessor.authorize invoked for CACHE_READ for
any SELECT query?




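A fail-closed variant of the authenticate() method in the message above, added here as an illustration (it is not the poster's code and not part of Ignite): it refuses REMOTE_CLIENT subjects that arrive without a login and password, which is the "login=null" case in the log, instead of caching a subject with a null login. It assumes the poster's ACSSecuritySubject and ACSSecurityContext classes with the constructor and id()/login() accessors used above; CredentialVerifier is a hypothetical hook for the plugin's own user store.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.ignite.IgniteLogger;
import org.apache.ignite.internal.processors.security.SecurityContext;
import org.apache.ignite.plugin.security.*;

/** Illustrative fail-closed authenticate(); not the poster's or Ignite's code. */
public class FailClosedAuthenticator {
    /** Hypothetical hook: checks a login/password pair against the plugin's user store. */
    public interface CredentialVerifier {
        boolean verify(String login, Object password);
    }

    private final IgniteLogger logger;
    private final CredentialVerifier verifier;
    private final Map<UUID, ACSSecuritySubject> userMap = new ConcurrentHashMap<>();

    public FailClosedAuthenticator(IgniteLogger logger, CredentialVerifier verifier) {
        this.logger = logger;
        this.verifier = verifier;
    }

    /** Returns null (the GridSecurityProcessor convention for "not authenticated") on rejection. */
    public SecurityContext authenticate(AuthenticationContext authCtx) {
        SecurityCredentials creds = authCtx.credentials();

        // Only REMOTE_CLIENT subjects carry user credentials; nodes go through authenticateNode().
        if (authCtx.subjectType() == SecuritySubjectType.REMOTE_CLIENT) {
            if (creds == null || creds.getLogin() == null || creds.getPassword() == null) {
                // The "login=null" case from the log: the thin driver's handshake sends no user/password.
                // Reject here rather than registering a subject whose login is null.
                logger.warning("authenticate rejected: id=" + authCtx.subjectId()
                    + ", address=" + authCtx.address() + ", reason=missing credentials");
                return null;
            }
            if (!verifier.verify(String.valueOf(creds.getLogin()), creds.getPassword())) {
                logger.warning("authenticate rejected: id=" + authCtx.subjectId()
                    + ", login=" + creds.getLogin() + ", reason=bad credentials");
                return null;
            }
        }

        // Only verified clients (and cluster nodes) reach the subject cache.
        ACSSecuritySubject subject = userMap.computeIfAbsent(authCtx.subjectId(),
            id -> new ACSSecuritySubject(id, creds, authCtx.address()));

        if (logger.isInfoEnabled())
            logger.info("authenticate: id=" + subject.id() + ", login=" + subject.login());

        return new ACSSecurityContext(subject);
    }
}
```

With this in place a thin-driver connection that reaches authenticate() without credentials is logged and denied rather than silently admitted, which makes the driver gap visible in the log instead of hiding it behind a null login.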