Re: How can I get Ignite security plugin to work with JDBC thin client?
I've created a ticket [1] for this issue.

[1] https://issues.apache.org/jira/browse/IGNITE-6941

Regards,
Andrew.

--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/
Re: How can I get Ignite security plugin to work with JDBC thin client?
Yes, but can you please open another IGNITE ticket, to be resolved hopefully in 2.4?
Re: How can I get Ignite security plugin to work with JDBC thin client?
Hi Caleb,

The JDBC thin client doesn't support authorization for now.

On Wed, Nov 15, 2017 at 6:54 PM, calebs wrote:
> Hi Vladimir,
>
> There are at least two problems that I've found here. The first is the
> query execution engine, as you have just pointed out. The second one is
> the JDBC thin driver itself.
>
> In JdbcThinTcpIo.handshake, it doesn't pass in user credentials (i.e.,
> user & password), as shown below, so how can the server identify the user
> during the handshake?
>
>     /**
>      * Used for versions: 2.1.5 and 2.3.0. The protocol version is changed
>      * but handshake format isn't changed.
>      *
>      * @param ver JDBC client version.
>      * @throws IOException On IO error.
>      * @throws SQLException On connection reject.
>      */
>     public void handshake(ClientListenerProtocolVersion ver) throws IOException, SQLException {
>         BinaryWriterExImpl writer = new BinaryWriterExImpl(null,
>             new BinaryHeapOutputStream(HANDSHAKE_MSG_SIZE), null, null);
>
>         writer.writeByte((byte) ClientListenerRequest.HANDSHAKE);
>
>         writer.writeShort(ver.major());
>         writer.writeShort(ver.minor());
>         writer.writeShort(ver.maintenance());
>
>         writer.writeByte(ClientListenerNioListener.JDBC_CLIENT);
>
>         writer.writeBoolean(distributedJoins);
>         writer.writeBoolean(enforceJoinOrder);
>         writer.writeBoolean(collocated);
>         writer.writeBoolean(replicatedOnly);
>         writer.writeBoolean(autoCloseServerCursor);
>         writer.writeBoolean(lazy);
>         writer.writeBoolean(skipReducerOnUpdate);
>
>         send(writer.array());
>
>         BinaryReaderExImpl reader = new BinaryReaderExImpl(null,
>             new BinaryHeapInputStream(read()), null, null, false);
>
>         boolean accepted = reader.readBoolean();
>
>         if (accepted) {
>             if (reader.available() > 0) {
>                 byte maj = reader.readByte();
>                 byte min = reader.readByte();
>                 byte maintenance = reader.readByte();
>
>                 String stage = reader.readString();
>
>                 long ts = reader.readLong();
>                 byte[] hash = reader.readByteArray();
>
>                 igniteVer = new IgniteProductVersion(maj, min, maintenance, stage, ts, hash);
>             }
>             else
>                 igniteVer = new IgniteProductVersion((byte)2, (byte)0, (byte)0, "Unknown", 0L, null);
>         }
>         else {
>             short maj = reader.readShort();
>             short min = reader.readShort();
>             short maintenance = reader.readShort();
>
>             String err = reader.readString();
>
>             ClientListenerProtocolVersion srvProtocolVer =
>                 ClientListenerProtocolVersion.create(maj, min, maintenance);
>
>             if (VER_2_1_5.equals(srvProtocolVer))
>                 handshake(VER_2_1_5);
>             else if (VER_2_1_0.equals(srvProtocolVer))
>                 handshake_2_1_0();
>             else {
>                 throw new SQLException("Handshake failed [driverProtocolVer=" + CURRENT_VER +
>                     ", remoteNodeProtocolVer=" + srvProtocolVer + ", err=" + err + ']',
>                     SqlStateCode.CONNECTION_REJECTED);
>             }
>         }
>     }

--
Best regards,
Andrey V. Mashenkov
Re: How can I get Ignite security plugin to work with JDBC thin client?
Hi Vladimir,

There are at least two problems that I've found here. The first is the query execution engine, as you have just pointed out. The second one is the JDBC thin driver itself.

In JdbcThinTcpIo.handshake, it doesn't pass in user credentials (i.e., user & password), as shown below, so how can the server identify the user during the handshake?

    /**
     * Used for versions: 2.1.5 and 2.3.0. The protocol version is changed
     * but handshake format isn't changed.
     *
     * @param ver JDBC client version.
     * @throws IOException On IO error.
     * @throws SQLException On connection reject.
     */
    public void handshake(ClientListenerProtocolVersion ver) throws IOException, SQLException {
        BinaryWriterExImpl writer = new BinaryWriterExImpl(null,
            new BinaryHeapOutputStream(HANDSHAKE_MSG_SIZE), null, null);

        writer.writeByte((byte) ClientListenerRequest.HANDSHAKE);

        // Protocol version requested by the driver.
        writer.writeShort(ver.major());
        writer.writeShort(ver.minor());
        writer.writeShort(ver.maintenance());

        writer.writeByte(ClientListenerNioListener.JDBC_CLIENT);

        // Query flags; nothing identifying the user is written after these.
        writer.writeBoolean(distributedJoins);
        writer.writeBoolean(enforceJoinOrder);
        writer.writeBoolean(collocated);
        writer.writeBoolean(replicatedOnly);
        writer.writeBoolean(autoCloseServerCursor);
        writer.writeBoolean(lazy);
        writer.writeBoolean(skipReducerOnUpdate);

        send(writer.array());

        BinaryReaderExImpl reader = new BinaryReaderExImpl(null,
            new BinaryHeapInputStream(read()), null, null, false);

        boolean accepted = reader.readBoolean();

        if (accepted) {
            if (reader.available() > 0) {
                byte maj = reader.readByte();
                byte min = reader.readByte();
                byte maintenance = reader.readByte();

                String stage = reader.readString();

                long ts = reader.readLong();
                byte[] hash = reader.readByteArray();

                igniteVer = new IgniteProductVersion(maj, min, maintenance, stage, ts, hash);
            }
            else
                igniteVer = new IgniteProductVersion((byte)2, (byte)0, (byte)0, "Unknown", 0L, null);
        }
        else {
            // Rejected: the server reports the protocol version it speaks; fall back if possible.
            short maj = reader.readShort();
            short min = reader.readShort();
            short maintenance = reader.readShort();

            String err = reader.readString();

            ClientListenerProtocolVersion srvProtocolVer =
                ClientListenerProtocolVersion.create(maj, min, maintenance);

            if (VER_2_1_5.equals(srvProtocolVer))
                handshake(VER_2_1_5);
            else if (VER_2_1_0.equals(srvProtocolVer))
                handshake_2_1_0();
            else {
                throw new SQLException("Handshake failed [driverProtocolVer=" + CURRENT_VER +
                    ", remoteNodeProtocolVer=" + srvProtocolVer + ", err=" + err + ']',
                    SqlStateCode.CONNECTION_REJECTED);
            }
        }
    }
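To make the point of the post concrete, here is an added example (not Ignite's code and not from the thread) that models the 2.1.5/2.3.0 handshake exactly as the handshake() method above serialises it, along with the server's accept/reject reply and the driver's fallback to 2.1.5. Parsing the request back on the "server" side shows there is no field a listener could hand to a security plugin's authenticate(). The little-endian byte order, the op/client codes, the string type code and the server function are assumptions about Ignite's binary protocol, so check them against your build before relying on them.

```python
"""Added example (not Ignite code): a Python model of the 2.1.5/2.3.0 JDBC thin
handshake as the posted JdbcThinTcpIo.handshake() serialises it, the server's
accept/reject reply, and the driver's version fallback.  Byte order, op/client
codes and the string encoding are assumptions about Ignite's binary protocol."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

OP_HANDSHAKE = 1        # assumed value of ClientListenerRequest.HANDSHAKE
JDBC_CLIENT = 1         # assumed value of ClientListenerNioListener.JDBC_CLIENT
STRING_TYPE = 9         # assumed Ignite binary type code for String
VER_2_1_5 = (2, 1, 5)
VER_2_3_0 = (2, 3, 0)

# The seven booleans, in the order the posted driver writes them.
FLAG_NAMES = ("distributedJoins", "enforceJoinOrder", "collocated", "replicatedOnly",
              "autoCloseServerCursor", "lazy", "skipReducerOnUpdate")
FIXED_LEN = 1 + 3 * 2 + 1 + len(FLAG_NAMES)   # op, version, client code, flags

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Handshake:
    ver: Version
    client: int
    flags: Dict[str, bool]


def encode_handshake(ver: Version, flags: Dict[str, bool]) -> bytes:
    """Client side: byte op, three little-endian shorts, byte client type, 7 booleans."""
    body = struct.pack("<BhhhB", OP_HANDSHAKE, *ver, JDBC_CLIENT)
    body += bytes(1 if flags.get(name, False) else 0 for name in FLAG_NAMES)
    return body


def decode_handshake(buf: bytes) -> Handshake:
    """Server side: walk the same layout back."""
    op, maj, minr, maint, client = struct.unpack_from("<BhhhB", buf, 0)
    if op != OP_HANDSHAKE:
        raise ValueError("not a handshake request")
    raw_flags = buf[8:8 + len(FLAG_NAMES)]
    return Handshake((maj, minr, maint), client, dict(zip(FLAG_NAMES, (b != 0 for b in raw_flags))))


def credential_bytes(buf: bytes) -> bytes:
    """Whatever follows the fixed layout is all a listener could pass to
    authenticate(); with this format the answer is always empty."""
    return buf[FIXED_LEN:]


def encode_accept() -> bytes:
    return struct.pack("<?", True)      # the driver tolerates a reply with no version info


def encode_reject(srv_ver: Version, err: str) -> bytes:
    data = err.encode("utf-8")
    return struct.pack("<?hhh", False, *srv_ver) + struct.pack("<Bi", STRING_TYPE, len(data)) + data


def decode_response(buf: bytes) -> dict:
    """Driver side: boolean accepted, then (on reject) server version and error string."""
    if buf[0] != 0:
        return {"accepted": True}
    maj, minr, maint = struct.unpack_from("<hhh", buf, 1)
    tcode, slen = struct.unpack_from("<Bi", buf, 7)
    err = buf[12:12 + slen].decode("utf-8") if tcode == STRING_TYPE else None
    return {"accepted": False, "srv_ver": (maj, minr, maint), "err": err}


def server_only_2_1_5(req: bytes) -> bytes:
    """Constructed server that speaks only protocol 2.1.5 (the fallback the posted code retries)."""
    hs = decode_handshake(req)
    return encode_accept() if hs.ver == VER_2_1_5 else encode_reject(VER_2_1_5, "Unsupported version")


def negotiate(server: Callable[[bytes], bytes], ver: Version = VER_2_3_0, flags=None):
    """Mirror the posted driver loop: retry with 2.1.5 when the server reports it,
    otherwise fail as the SQLException does.  Returns (agreed version, versions tried)."""
    flags = flags or {}
    tried = []
    while True:
        tried.append(ver)
        resp = decode_response(server(encode_handshake(ver, flags)))
        if resp["accepted"]:
            return ver, tried
        if resp["srv_ver"] == VER_2_1_5 and ver != VER_2_1_5:
            ver = VER_2_1_5
            continue
        raise ConnectionError("Handshake failed [driverProtocolVer=%s, remoteNodeProtocolVer=%s, err=%s]"
                              % (ver, resp["srv_ver"], resp["err"]))


if __name__ == "__main__":
    req = encode_handshake(VER_2_3_0, {"lazy": True})
    print(req.hex(), "credential bytes:", credential_bytes(req))
    print(negotiate(server_only_2_1_5))
```

The request is fifteen bytes whatever user/password properties the JDBC URL carried, which is why a plugin's authenticate() on the server has nothing but the subject id and the peer address to work with for this client type. The 2.1.0 fallback path (handshake_2_1_0) is not modelled.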
Re: How can I get Ignite security plugin to work with JDBC thin client?
Hi Caleb,

This appears to be a problem with our query execution engine, rather than with the thin JDBC driver. I created a ticket to fix it [1].

[1] https://issues.apache.org/jira/browse/IGNITE-6856

On Tue, Oct 31, 2017 at 4:49 PM, Andrey Mashenkov <andrey.mashen...@gmail.com> wrote:
> Caleb,
>
> I've found authorization should work only when you use a URL like
> "jdbc:ignite://" with the thick driver, and won't if "jdbc:ignite:cfg://"
> is used.
>
> On Tue, Oct 31, 2017 at 4:33 PM, calebs wrote:
>> The javadoc for the JDBC thick client states that the property
>> "ignite.client.credentials" is available to pass "Client credentials used
>> in authentication process."
>>
>> Is this not being used for authentication/authorization?
>
> --
> Best regards,
> Andrey V. Mashenkov
Re: How can I get Ignite security plugin to work with JDBC thin client?
Caleb,

I've found authorization should work only when you use a URL like "jdbc:ignite://" with the thick driver, and won't if "jdbc:ignite:cfg://" is used.

On Tue, Oct 31, 2017 at 4:33 PM, calebs wrote:
> The javadoc for the JDBC thick client states that the property
> "ignite.client.credentials" is available to pass "Client credentials used
> in authentication process."
>
> Is this not being used for authentication/authorization?

--
Best regards,
Andrey V. Mashenkov
Re: How can I get Ignite security plugin to work with JDBC thin client?
The javadoc for the JDBC thick client states that the property "ignite.client.credentials" is available to pass "Client credentials used in authentication process."

Is this not being used for authentication/authorization?
Re: How can I get Ignite security plugin to work with JDBC thin client?
Hi,

The IgniteCache.query() method requires the CACHE_READ permission, but it looks like all JDBC clients bypass security checks.

On Mon, Oct 30, 2017 at 5:27 PM, calebs wrote:
> Hi Andrew,
>
> Then, does the JDBC "thick" client support the security plugin? The
> security includes user authentication and authorization.
>
> In GridCacheContext, I see the following method
>
>     /**
>      * @param op Operation to check.
>      * @throws SecurityException If security check failed.
>      */
>     public void checkSecurity(SecurityPermission op) throws SecurityException {
>         if (CU.isSystemCache(name()))
>             return;
>
>         ctx.security().authorize(name(), op, null);
>     }
>
> where it calls the security plugin's authorize method without passing the
> user's SecurityContext. I wonder when and where the security context is
> used for any permission like CACHE_PUT & CACHE_READ.

--
Best regards,
Andrey V. Mashenkov
Re: How can I get Ignite security plugin to work with JDBC thin client?
Hi Andrew,

Then, does the JDBC "thick" client support the security plugin? The security includes user authentication and authorization.

In GridCacheContext, I see the following method

    /**
     * @param op Operation to check.
     * @throws SecurityException If security check failed.
     */
    public void checkSecurity(SecurityPermission op) throws SecurityException {
        if (CU.isSystemCache(name()))
            return;

        // Third argument is the SecurityContext; null is passed here.
        ctx.security().authorize(name(), op, null);
    }

where it calls the security plugin's authorize method without passing the user's SecurityContext. I wonder when and where the security context is used for any permission like CACHE_PUT & CACHE_READ.
Re: How can I get Ignite security plugin to work with JDBC thin client?
Hi Caleb,

The JDBC thin client has no security plugin support for now.
If you don't need full permissions support for SQL objects (I mean the "GRANT" operation), but just want to restrict unauthorized access to the grid, then you can wait for IGNITE-6625 [1] and try JDBC via SSL.

[1] https://issues.apache.org/jira/browse/IGNITE-6625

On Thu, Oct 26, 2017 at 12:30 AM, calebs wrote:
> Version: Ignite 2.3-SNAPSHOT from ignite-2.3 branch.
>
> A jar that contains our custom security plugin for the security, named
> ACSPluginProvider & ACSSecurityProcessor, is placed in the $IGNITE_HOME/libs
> folder.
>
> Run ignite.sh to start the single data node and see that the
> ACSSecurityProcessor.start method is called.
>
>     10-23 20:46:16.567 [main ] INFO  apache.ignite.internal.IgniteKernal%cdev_cluster - Configured caches [in 'sysMemPlc' memoryPolicy: ['ignite-sys-cache']]
>     10-23 20:46:16.601 [main ] INFO  apache.ignite.internal.IgniteKernal%cdev_cluster - 3-rd party licenses can be found at: /opt/ignite/libs/licenses
>     10-23 20:46:16.663 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor - Configured plugins:
>     10-23 20:46:16.664 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor - ^-- ACSPluginProvider 1.0.0
>     10-23 20:46:16.664 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor - ^-- MaxPoint
>     10-23 20:46:16.664 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor -
>     10-23 20:46:16.673 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - start
>     10-23 20:46:16.726 [main ] INFO  spi.communication.tcp.TcpCommunicationSpi - Successfully bound communication NIO server to TCP port [port=47100, locHost=0.0.0.0/0.0.0.0, selectorsCnt=4, selectorSpins=0, pairedConn=false]
>
> Use the Ignite JDBC thin driver to connect to the cluster with user & password
> properties. Then I see ACSSecurityProcessor - authenticate as shown below,
> but the login is null. Also, I can see ACSSecurityProcessor.authorize is
> called for CACHE_PUT when I execute INSERT or DELETE statements, but I do
> not see ACSSecurityProcessor.authorize called for CACHE_READ.
>
>     /opt/ignite/log$ grep platform.auth.ignite ignite.log
>     10-25 14:56:35.182 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - start
>     10-25 14:56:35.779 [main ] INFO  platform.auth.ignite.ACSPluginProvider - start
>     10-25 14:56:35.810 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - authenticateNode: id=cdb8bd19-d1b0-4d54-a982-01abdc83761a, hosts=[shei1], address=[0:0:0:0:0:0:0:1%lo, 127.0.0.1, 172.16.128.96]
>     10-25 14:56:35.858 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - onKernalStart(false)
>     10-25 14:56:35.891 [main ] INFO  platform.auth.ignite.ACSPluginProvider - onIgniteStart
>     10-25 14:57:09.417 [rest-#44%cdev_cluster%] INFO  platform.auth.ignite.ACSSecurityProcessor - authenticate: id=b5052d01-5a1c-47ea-9bb1-0ee89519bde7, login=null
>     10-25 15:01:21.862 [client-connector-#79%cdev_cluster%] WARN  platform.auth.ignite.ACSSecurityProcessor - authorize: name=SQL_PUBLIC_TEST1, permission=CACHE_PUT
>     10-25 15:01:55.818 [client-connector-#80%cdev_cluster%] WARN  platform.auth.ignite.ACSSecurityProcessor - authorize: name=SQL_PUBLIC_TEST1, permission=CACHE_PUT
>
> The code for ACSSecurityProcessor.authenticate is
>
>     @Override
>     public SecurityContext authenticate(AuthenticationContext authCtx) throws IgniteCheckedException {
>         ACSSecuritySubject subject = (ACSSecuritySubject)userMap.get(authCtx.subjectId());
>
>         if (subject == null) {
>             subject = new ACSSecuritySubject(authCtx.subjectId(), authCtx.credentials(), authCtx.address());
>
>             if (logger.isInfoEnabled()) {
>                 logger.info("authenticate: id=" + subject.id() + ", login=" + subject.login());
>             }
>
>             userMap.put(authCtx.subjectId(), subject);
>         }
>
>         return new ACSSecurityContext(subject);
>     }
>
> where subject.login() will return null if authCtx.credentials() is null.
>
> So here, I have two questions:
> 1. How can I get authCtx.credentials() to return non-null credentials when
>    I use the thin driver with user/password properties?
> 2. How can I get ACSSecurityProcessor.authorize invoked for CACHE_READ for
>    any SELECT query?

--
Best regards,
Andrey V. Mashenkov
How can I get Ignite security plugin to work with JDBC thin client?
Version: Ignite 2.3-SNAPSHOT from ignite-2.3 branch.

A jar that contains our custom security plugin for the security, named ACSPluginProvider & ACSSecurityProcessor, is placed in the $IGNITE_HOME/libs folder.

Run ignite.sh to start the single data node and see that the ACSSecurityProcessor.start method is called.

    10-23 20:46:16.567 [main ] INFO  apache.ignite.internal.IgniteKernal%cdev_cluster - Configured caches [in 'sysMemPlc' memoryPolicy: ['ignite-sys-cache']]
    10-23 20:46:16.601 [main ] INFO  apache.ignite.internal.IgniteKernal%cdev_cluster - 3-rd party licenses can be found at: /opt/ignite/libs/licenses
    10-23 20:46:16.663 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor - Configured plugins:
    10-23 20:46:16.664 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor - ^-- ACSPluginProvider 1.0.0
    10-23 20:46:16.664 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor - ^-- MaxPoint
    10-23 20:46:16.664 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor -
    10-23 20:46:16.673 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - start
    10-23 20:46:16.726 [main ] INFO  spi.communication.tcp.TcpCommunicationSpi - Successfully bound communication NIO server to TCP port [port=47100, locHost=0.0.0.0/0.0.0.0, selectorsCnt=4, selectorSpins=0, pairedConn=false]

Use the Ignite JDBC thin driver to connect to the cluster with user & password properties. Then I see ACSSecurityProcessor - authenticate as shown below, but the login is null. Also, I can see ACSSecurityProcessor.authorize is called for CACHE_PUT when I execute INSERT or DELETE statements, but I do not see ACSSecurityProcessor.authorize called for CACHE_READ.

    /opt/ignite/log$ grep platform.auth.ignite ignite.log
    10-25 14:56:35.182 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - start
    10-25 14:56:35.779 [main ] INFO  platform.auth.ignite.ACSPluginProvider - start
    10-25 14:56:35.810 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - authenticateNode: id=cdb8bd19-d1b0-4d54-a982-01abdc83761a, hosts=[shei1], address=[0:0:0:0:0:0:0:1%lo, 127.0.0.1, 172.16.128.96]
    10-25 14:56:35.858 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - onKernalStart(false)
    10-25 14:56:35.891 [main ] INFO  platform.auth.ignite.ACSPluginProvider - onIgniteStart
    10-25 14:57:09.417 [rest-#44%cdev_cluster%] INFO  platform.auth.ignite.ACSSecurityProcessor - authenticate: id=b5052d01-5a1c-47ea-9bb1-0ee89519bde7, login=null
    10-25 15:01:21.862 [client-connector-#79%cdev_cluster%] WARN  platform.auth.ignite.ACSSecurityProcessor - authorize: name=SQL_PUBLIC_TEST1, permission=CACHE_PUT
    10-25 15:01:55.818 [client-connector-#80%cdev_cluster%] WARN  platform.auth.ignite.ACSSecurityProcessor - authorize: name=SQL_PUBLIC_TEST1, permission=CACHE_PUT

The code for ACSSecurityProcessor.authenticate is

    @Override
    public SecurityContext authenticate(AuthenticationContext authCtx) throws IgniteCheckedException {
        // Subjects are cached by subject id; a new id always gets a fresh subject.
        ACSSecuritySubject subject = (ACSSecuritySubject)userMap.get(authCtx.subjectId());

        if (subject == null) {
            subject = new ACSSecuritySubject(authCtx.subjectId(), authCtx.credentials(), authCtx.address());

            if (logger.isInfoEnabled()) {
                logger.info("authenticate: id=" + subject.id() + ", login=" + subject.login());
            }

            userMap.put(authCtx.subjectId(), subject);
        }

        return new ACSSecurityContext(subject);
    }

where subject.login() will return null if authCtx.credentials() is null.

So here, I have two questions:
1. How can I get authCtx.credentials() to return non-null credentials when I use the thin driver with user/password properties?
2. How can I get ACSSecurityProcessor.authorize invoked for CACHE_READ for any SELECT query?
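One thing worth seeing side by side with the post above: as written, authenticate() has no rejection path, so a connection whose credentials() is null (the thin-driver case in the log, login=null) still gets a subject minted and cached. The following is an added example, not the poster's plugin and not Ignite code, that models that control flow in Python next to a fail-closed variant which denies when no credentials arrive and caches only verified subjects. The user store, the PBKDF2 scheme and every name in it are assumptions made for the illustration.

```python
"""Added example, not the poster's plugin and not Ignite code: a Python model of the
control flow in the posted ACSSecurityProcessor.authenticate() next to a fail-closed
variant.  The user store, the PBKDF2 scheme and all names are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Credentials = Optional[Tuple[str, str]]    # (login, password), or None as seen from the thin driver


@dataclass(frozen=True)
class AuthenticationContext:      # the three fields the posted code reads
    subject_id: str
    credentials: Credentials
    address: str


@dataclass(frozen=True)
class SecuritySubject:
    id: str
    login: Optional[str]
    address: str


class AuthenticationError(Exception):
    pass


class AsPosted:
    """Same shape as the post: look up by subject id, otherwise mint and cache a subject.
    There is no rejection path, so a context with credentials None still yields a
    subject (login=None), and it is cached."""

    def __init__(self):
        self.user_map: Dict[str, SecuritySubject] = {}

    def authenticate(self, ctx: AuthenticationContext) -> SecuritySubject:
        subject = self.user_map.get(ctx.subject_id)
        if subject is None:
            login = ctx.credentials[0] if ctx.credentials else None   # login() is None without credentials
            subject = SecuritySubject(ctx.subject_id, login, ctx.address)
            self.user_map[ctx.subject_id] = subject
        return subject


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user_store(plain: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """login -> (salt, pbkdf2 hash).  Constructed test data; a real plugin would load
    this from wherever it keeps credentials (assumption)."""
    store = {}
    for login, password in plain.items():
        salt = os.urandom(16)
        store[login] = (salt, hash_password(password, salt))
    return store


class FailClosed:
    """Deny unless credentials are present and verify; cache only verified subjects."""

    DUMMY = (b"\x00" * 16, b"\x00" * 32)   # used so unknown logins cost the same as known ones

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]]):
        self.users = users
        self.user_map: Dict[str, SecuritySubject] = {}

    def authenticate(self, ctx: AuthenticationContext) -> SecuritySubject:
        if not ctx.credentials or not ctx.credentials[0]:
            raise AuthenticationError("no credentials presented by %s" % ctx.address)
        login, password = ctx.credentials
        entry = self.users.get(login)
        salt, expected = entry if entry is not None else self.DUMMY
        ok = hmac.compare_digest(hash_password(password, salt), expected)
        if entry is None or not ok:
            raise AuthenticationError("bad credentials for %r" % login)
        subject = SecuritySubject(ctx.subject_id, login, ctx.address)
        self.user_map[ctx.subject_id] = subject      # cached only after verification
        return subject


if __name__ == "__main__":
    anon = AuthenticationContext("subj-1", None, "127.0.0.1")    # constructed, like a thin-driver connection
    print("as posted:", AsPosted().authenticate(anon))
    fc = FailClosed(make_user_store({"alice": "s3cret"}))
    try:
        fc.authenticate(anon)
    except AuthenticationError as e:
        print("fail-closed:", e)
```

Whichever way the driver question is resolved, the plugin side has to treat "no credentials" as a denial rather than as an anonymous subject; the cache keyed by subject id otherwise holds an unauthenticated entry for as long as that id is reused.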