Search in sources :

Example 1 with OperationSecurityContext

use of org.apache.ignite.internal.processors.security.OperationSecurityContext in project ignite by apache.

the class GridDiscoveryManager method start.

/**
 * {@inheritDoc}
 */
@Override
public void start() throws IgniteCheckedException {
    ctx.addNodeAttribute(ATTR_OFFHEAP_SIZE, requiredOffheap());
    ctx.addNodeAttribute(ATTR_DATA_REGIONS_OFFHEAP_SIZE, configuredOffheap());
    DiscoverySpi spi = getSpi();
    discoOrdered = discoOrdered();
    histSupported = historySupported();
    isLocDaemon = ctx.isDaemon();
    hasRslvrs = !ctx.config().isClientMode() && !F.isEmpty(ctx.config().getSegmentationResolvers());
    segChkFreq = ctx.config().getSegmentCheckFrequency();
    if (hasRslvrs) {
        if (segChkFreq < 0)
            throw new IgniteCheckedException("Segment check frequency cannot be negative: " + segChkFreq);
        if (segChkFreq > 0 && segChkFreq < 2000)
            U.warn(log, "Configuration parameter 'segmentCheckFrequency' is too low " + "(at least 2000 ms recommended): " + segChkFreq);
        int segResAttemp = ctx.config().getSegmentationResolveAttempts();
        if (segResAttemp < 1)
            throw new IgniteCheckedException("Segment resolve attempts cannot be negative or zero: " + segResAttemp);
        checkSegmentOnStart();
    }
    spi.setMetricsProvider(createMetricsProvider());
    if (ctx.security().enabled()) {
        if (isSecurityCompatibilityMode())
            ctx.addNodeAttribute(ATTR_SECURITY_COMPATIBILITY_MODE, true);
        spi.setAuthenticator(new DiscoverySpiNodeAuthenticator() {

            @Override
            public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) {
                try {
                    return ctx.security().authenticateNode(node, cred);
                } catch (IgniteCheckedException e) {
                    throw U.convertException(e);
                }
            }

            @Override
            public boolean isGlobalNodeAuthentication() {
                return ctx.security().isGlobalNodeAuthentication();
            }
        });
    }
    if (ctx.config().getCommunicationFailureResolver() != null)
        ctx.resource().injectGeneric(ctx.config().getCommunicationFailureResolver());
    // Shared reference between DiscoverySpiListener and DiscoverySpiDataExchange.
    AtomicReference<IgniteFuture<?>> lastStateChangeEvtLsnrFutRef = new AtomicReference<>();
    spi.setListener(new DiscoverySpiListener() {

        private long gridStartTime;

        private final Marshaller marshaller = MarshallerUtils.jdkMarshaller(ctx.igniteInstanceName());

        /**
         * {@inheritDoc}
         */
        @Override
        public void onLocalNodeInitialized(ClusterNode locNode) {
            for (IgniteInClosure<ClusterNode> lsnr : locNodeInitLsnrs) lsnr.apply(locNode);
            if (locNode instanceof IgniteClusterNode) {
                final IgniteClusterNode node = (IgniteClusterNode) locNode;
                if (consistentId != null)
                    node.setConsistentId(consistentId);
            }
        }

        /**
         * {@inheritDoc}
         */
        @Override
        public IgniteFuture<?> onDiscovery(DiscoveryNotification notification) {
            GridFutureAdapter<?> notificationFut = new GridFutureAdapter<>();
            discoNtfWrk.submit(notificationFut, ctx.security().enabled() ? new SecurityAwareNotificationTask(notification) : new NotificationTask(notification));
            IgniteFuture<?> fut = new IgniteFutureImpl<>(notificationFut);
            // TODO could be optimized with more specific conditions.
            switch(notification.type()) {
                case EVT_NODE_JOINED:
                case EVT_NODE_LEFT:
                case EVT_NODE_FAILED:
                    if (!CU.isPersistenceEnabled(ctx.config()))
                        lastStateChangeEvtLsnrFutRef.set(fut);
                    break;
                case EVT_DISCOVERY_CUSTOM_EVT:
                    lastStateChangeEvtLsnrFutRef.set(fut);
            }
            return fut;
        }

        /**
         * @param notification Notification.
         */
        private void onDiscovery0(DiscoveryNotification notification) {
            int type = notification.type();
            ClusterNode node = notification.getNode();
            long topVer = notification.getTopVer();
            DiscoveryCustomMessage customMsg = notification.getCustomMsgData() == null ? null : ((CustomMessageWrapper) notification.getCustomMsgData()).delegate();
            if (skipMessage(notification.type(), customMsg))
                return;
            final ClusterNode locNode = localNode();
            if (notification.getTopHist() != null)
                topHist = notification.getTopHist();
            boolean verChanged;
            if (type == EVT_NODE_METRICS_UPDATED)
                verChanged = false;
            else {
                if (type != EVT_NODE_SEGMENTED && type != EVT_CLIENT_NODE_DISCONNECTED && type != EVT_CLIENT_NODE_RECONNECTED && type != EVT_DISCOVERY_CUSTOM_EVT) {
                    minorTopVer = 0;
                    verChanged = true;
                } else
                    verChanged = false;
            }
            if (type == EVT_NODE_FAILED || type == EVT_NODE_LEFT) {
                for (DiscoCache c : discoCacheHist.values()) c.updateAlives(node);
                updateClientNodes(node.id());
            }
            boolean locJoinEvt = type == EVT_NODE_JOINED && node.id().equals(locNode.id());
            ChangeGlobalStateFinishMessage stateFinishMsg = null;
            if (type == EVT_NODE_FAILED || type == EVT_NODE_LEFT)
                stateFinishMsg = ctx.state().onNodeLeft(node);
            final AffinityTopologyVersion nextTopVer;
            if (type == EVT_DISCOVERY_CUSTOM_EVT) {
                assert customMsg != null;
                boolean incMinorTopVer;
                if (customMsg instanceof ChangeGlobalStateMessage) {
                    incMinorTopVer = ctx.state().onStateChangeMessage(new AffinityTopologyVersion(topVer, minorTopVer), (ChangeGlobalStateMessage) customMsg, discoCache());
                } else if (customMsg instanceof ChangeGlobalStateFinishMessage) {
                    ctx.state().onStateFinishMessage((ChangeGlobalStateFinishMessage) customMsg);
                    Snapshot snapshot = topSnap.get();
                    // Topology version does not change, but need create DiscoCache with new state.
                    DiscoCache discoCache = snapshot.discoCache.copy(snapshot.topVer, ctx.state().clusterState());
                    topSnap.set(new Snapshot(snapshot.topVer, discoCache));
                    incMinorTopVer = false;
                } else {
                    incMinorTopVer = ctx.cache().onCustomEvent(customMsg, new AffinityTopologyVersion(topVer, minorTopVer), node);
                }
                if (incMinorTopVer) {
                    minorTopVer++;
                    verChanged = true;
                }
                nextTopVer = new AffinityTopologyVersion(topVer, minorTopVer);
                if (incMinorTopVer)
                    ctx.cache().onDiscoveryEvent(type, customMsg, node, nextTopVer, ctx.state().clusterState());
            } else {
                nextTopVer = new AffinityTopologyVersion(topVer, minorTopVer);
                ctx.cache().onDiscoveryEvent(type, customMsg, node, nextTopVer, ctx.state().clusterState());
            }
            DiscoCache discoCache;
            // event notifications, since SPI notifies manager about all events from this listener.
            if (verChanged) {
                Snapshot snapshot = topSnap.get();
                if (customMsg == null) {
                    discoCache = createDiscoCache(nextTopVer, ctx.state().clusterState(), locNode, notification.getTopSnapshot());
                } else if (customMsg instanceof ChangeGlobalStateMessage) {
                    discoCache = createDiscoCache(nextTopVer, ctx.state().pendingState((ChangeGlobalStateMessage) customMsg), locNode, notification.getTopSnapshot());
                } else
                    discoCache = customMsg.createDiscoCache(GridDiscoveryManager.this, nextTopVer, snapshot.discoCache);
                discoCacheHist.put(nextTopVer, discoCache);
                assert snapshot.topVer.compareTo(nextTopVer) < 0 : "Topology version out of order [this.topVer=" + topSnap + ", topVer=" + topVer + ", node=" + node + ", nextTopVer=" + nextTopVer + ", evt=" + U.gridEventName(type) + ']';
                topSnap.set(new Snapshot(nextTopVer, discoCache));
            } else
                // Current version.
                discoCache = discoCache();
            if (locJoinEvt || !node.isClient() && !node.isDaemon()) {
                if (type == EVT_NODE_LEFT || type == EVT_NODE_FAILED || type == EVT_NODE_JOINED) {
                    boolean discoCacheRecalculationRequired = ctx.state().autoAdjustInMemoryClusterState(node.id(), notification.getTopSnapshot(), discoCache, topVer, minorTopVer);
                    if (discoCacheRecalculationRequired) {
                        discoCache = createDiscoCache(nextTopVer, ctx.state().clusterState(), locNode, notification.getTopSnapshot());
                        discoCacheHist.put(nextTopVer, discoCache);
                        topSnap.set(new Snapshot(nextTopVer, discoCache));
                    }
                }
            }
            if (type == EVT_DISCOVERY_CUSTOM_EVT) {
                for (Class cls = customMsg.getClass(); cls != null; cls = cls.getSuperclass()) {
                    List<CustomEventListener<DiscoveryCustomMessage>> list = customEvtLsnrs.get(cls);
                    if (list != null) {
                        for (CustomEventListener<DiscoveryCustomMessage> lsnr : list) {
                            try {
                                lsnr.onCustomEvent(nextTopVer, node, customMsg);
                            } catch (Exception e) {
                                U.error(log, "Failed to notify direct custom event listener: " + customMsg, e);
                            }
                        }
                    }
                }
            }
            SecurityContext secCtx = remoteSecurityContext(ctx);
            // If this is a local join event, just save it and do not notify listeners.
            if (locJoinEvt) {
                if (gridStartTime == 0)
                    gridStartTime = getSpi().getGridStartTime();
                topSnap.set(new Snapshot(nextTopVer, discoCache));
                startLatch.countDown();
                DiscoveryEvent discoEvt = new DiscoveryEvent();
                discoEvt.node(ctx.discovery().localNode());
                discoEvt.eventNode(node);
                discoEvt.type(EVT_NODE_JOINED);
                discoEvt.topologySnapshot(topVer, new ArrayList<>(F.view(notification.getTopSnapshot(), FILTER_NOT_DAEMON)));
                if (notification.getSpanContainer() != null)
                    discoEvt.span(notification.getSpanContainer().span());
                discoWrk.discoCache = discoCache;
                if (!ctx.clientDisconnected()) {
                    // The security processor must be notified first, since {@link IgniteSecurity#onLocalJoin}
                    // finishes local node security context initialization that can be demanded by other Ignite
                    // components.
                    ctx.security().onLocalJoin();
                    if (!isLocDaemon) {
                        ctx.cache().context().versions().onLocalJoin(topVer);
                        ctx.cache().context().coordinators().onLocalJoin(discoEvt, discoCache);
                        ctx.cache().context().exchange().onLocalJoin(discoEvt, discoCache);
                        ctx.service().onLocalJoin(discoEvt, discoCache);
                        ctx.encryption().onLocalJoin();
                        ctx.cluster().onLocalJoin();
                    }
                }
                IgniteInternalFuture<Boolean> transitionWaitFut = ctx.state().onLocalJoin(discoCache);
                locJoin.onDone(new DiscoveryLocalJoinData(discoEvt, discoCache, transitionWaitFut, ctx.state().clusterState().active()));
                return;
            } else if (type == EVT_CLIENT_NODE_DISCONNECTED) {
                assert locNode.isClient() : locNode;
                assert node.isClient() : node;
                ((IgniteKernal) ctx.grid()).onDisconnected();
                if (!locJoin.isDone())
                    locJoin.onDone(new IgniteCheckedException("Node disconnected"));
                locJoin = new GridFutureAdapter<>();
                registeredCaches.clear();
                registeredCacheGrps.clear();
                for (AffinityTopologyVersion histVer : discoCacheHist.keySet()) {
                    Object rmvd = discoCacheHist.remove(histVer);
                    assert rmvd != null : histVer;
                }
                topHist.clear();
                topSnap.set(new Snapshot(AffinityTopologyVersion.ZERO, createDiscoCache(AffinityTopologyVersion.ZERO, ctx.state().clusterState(), locNode, Collections.singleton(locNode))));
            } else if (type == EVT_CLIENT_NODE_RECONNECTED) {
                assert locNode.isClient() : locNode;
                assert node.isClient() : node;
                ctx.security().onLocalJoin();
                boolean clusterRestarted = gridStartTime != getSpi().getGridStartTime();
                gridStartTime = getSpi().getGridStartTime();
                ((IgniteKernal) ctx.grid()).onReconnected(clusterRestarted);
                ctx.cache().context().coordinators().onLocalJoin(localJoinEvent(), discoCache);
                ctx.cache().context().exchange().onLocalJoin(localJoinEvent(), discoCache);
                ctx.service().onLocalJoin(localJoinEvent(), discoCache);
                DiscoCache discoCache0 = discoCache;
                ctx.cluster().clientReconnectFuture().listen(new CI1<IgniteFuture<?>>() {

                    @Override
                    public void apply(IgniteFuture<?> fut) {
                        try {
                            fut.get();
                            discoWrk.addEvent(new NotificationEvent(EVT_CLIENT_NODE_RECONNECTED, nextTopVer, node, discoCache0, notification.getTopSnapshot(), null, notification.getSpanContainer(), secCtx));
                        } catch (IgniteException ignore) {
                        // No-op.
                        }
                    }
                });
                return;
            }
            if (type == EVT_CLIENT_NODE_DISCONNECTED || type == EVT_NODE_SEGMENTED || !ctx.clientDisconnected())
                discoWrk.addEvent(new NotificationEvent(type, nextTopVer, node, discoCache, notification.getTopSnapshot(), customMsg, notification.getSpanContainer(), secCtx));
            if (stateFinishMsg != null)
                discoWrk.addEvent(new NotificationEvent(EVT_DISCOVERY_CUSTOM_EVT, nextTopVer, node, discoCache, notification.getTopSnapshot(), stateFinishMsg, notification.getSpanContainer(), secCtx));
            if (type == EVT_CLIENT_NODE_DISCONNECTED)
                discoWrk.awaitDisconnectEvent();
        }

        /**
         * Extends {@link NotificationTask} to run in a security context owned by the initiator of the
         * discovery event.
         */
        class SecurityAwareNotificationTask extends NotificationTask {

            /**
             */
            public SecurityAwareNotificationTask(DiscoveryNotification notification) {
                super(notification);
            }

            /**
             */
            @Override
            public void run() {
                DiscoverySpiCustomMessage customMsg = notification.getCustomMsgData();
                if (customMsg instanceof SecurityAwareCustomMessageWrapper) {
                    UUID secSubjId = ((SecurityAwareCustomMessageWrapper) customMsg).securitySubjectId();
                    try (OperationSecurityContext ignored = ctx.security().withContext(secSubjId)) {
                        super.run();
                    }
                } else {
                    SecurityContext initiatorNodeSecCtx = nodeSecurityContext(marshaller, U.resolveClassLoader(ctx.config()), notification.getNode());
                    try (OperationSecurityContext ignored = ctx.security().withContext(initiatorNodeSecCtx)) {
                        super.run();
                    }
                }
            }
        }

        /**
         * Represents task to handle discovery notification asynchronously.
         */
        class NotificationTask implements Runnable {

            /**
             */
            protected final DiscoveryNotification notification;

            /**
             */
            public NotificationTask(DiscoveryNotification notification) {
                this.notification = notification;
            }

            /**
             * {@inheritDoc}
             */
            @Override
            public void run() {
                synchronized (discoEvtMux) {
                    onDiscovery0(notification);
                }
            }
        }
    });
    spi.setDataExchange(new DiscoverySpiDataExchange() {

        @Override
        public DiscoveryDataBag collect(DiscoveryDataBag dataBag) {
            assert dataBag != null;
            assert dataBag.joiningNodeId() != null;
            if (ctx.localNodeId().equals(dataBag.joiningNodeId())) {
                for (GridComponent c : ctx.components()) c.collectJoiningNodeData(dataBag);
            } else {
                waitForLastStateChangeEventFuture();
                for (GridComponent c : ctx.components()) c.collectGridNodeData(dataBag);
            }
            return dataBag;
        }

        @Override
        public void onExchange(DiscoveryDataBag dataBag) {
            assert dataBag != null;
            assert dataBag.joiningNodeId() != null;
            if (ctx.localNodeId().equals(dataBag.joiningNodeId())) {
                // NodeAdded msg reached joining node after round-trip over the ring.
                IGridClusterStateProcessor stateProc = ctx.state();
                stateProc.onGridDataReceived(dataBag.gridDiscoveryData(stateProc.discoveryDataType().ordinal()));
                for (GridComponent c : ctx.components()) {
                    if (c.discoveryDataType() != null && c != stateProc)
                        c.onGridDataReceived(dataBag.gridDiscoveryData(c.discoveryDataType().ordinal()));
                }
            } else {
                // Discovery data from newly joined node has to be applied to the current old node.
                IGridClusterStateProcessor stateProc = ctx.state();
                JoiningNodeDiscoveryData data0 = dataBag.newJoinerDiscoveryData(stateProc.discoveryDataType().ordinal());
                assert data0 != null;
                stateProc.onJoiningNodeDataReceived(data0);
                for (GridComponent c : ctx.components()) {
                    if (c.discoveryDataType() != null && c != stateProc) {
                        JoiningNodeDiscoveryData data = dataBag.newJoinerDiscoveryData(c.discoveryDataType().ordinal());
                        if (data != null)
                            c.onJoiningNodeDataReceived(data);
                    }
                }
            }
        }

        /**
         */
        private void waitForLastStateChangeEventFuture() {
            IgniteFuture<?> lastStateChangeEvtLsnrFut = lastStateChangeEvtLsnrFutRef.get();
            if (lastStateChangeEvtLsnrFut != null) {
                Thread currThread = Thread.currentThread();
                GridWorker worker = currThread instanceof IgniteDiscoveryThread ? ((IgniteDiscoveryThread) currThread).worker() : null;
                if (worker != null)
                    worker.blockingSectionBegin();
                try {
                    lastStateChangeEvtLsnrFut.get();
                } finally {
                    // Guaranteed to be invoked in the same thread as DiscoverySpiListener#onDiscovery.
                    // No additional synchronization for reference is required.
                    lastStateChangeEvtLsnrFutRef.set(null);
                    if (worker != null)
                        worker.blockingSectionEnd();
                }
            }
        }
    });
    new DiscoveryMessageNotifierThread(discoNtfWrk).start();
    startSpi();
    registeredDiscoSpi = true;
    try {
        U.await(startLatch);
    } catch (IgniteInterruptedException e) {
        throw new IgniteCheckedException("Failed to start discovery manager (thread has been interrupted).", e);
    }
    // Start segment check worker only if frequency is greater than 0.
    if (hasRslvrs && segChkFreq > 0) {
        segChkWrk = new SegmentCheckWorker();
        segChkThread = new IgniteThread(segChkWrk);
        segChkThread.setUncaughtExceptionHandler(new OomExceptionHandler(ctx));
        segChkThread.start();
    }
    locNode = spi.getLocalNode();
    checkAttributes(discoCache().remoteNodes());
    // Start discovery worker.
    new IgniteThread(discoWrk).start();
    if (log.isDebugEnabled())
        log.debug(startInfo());
}
Also used : CopyOnWriteArrayList(java.util.concurrent.CopyOnWriteArrayList) ArrayList(java.util.ArrayList) CI1(org.apache.ignite.internal.util.typedef.CI1) IgniteInternalFuture(org.apache.ignite.internal.IgniteInternalFuture) IgniteCheckedException(org.apache.ignite.IgniteCheckedException) IgniteException(org.apache.ignite.IgniteException) GridFutureAdapter(org.apache.ignite.internal.util.future.GridFutureAdapter) CopyOnWriteArrayList(java.util.concurrent.CopyOnWriteArrayList) ArrayList(java.util.ArrayList) List(java.util.List) UUID(java.util.UUID) OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext) ClusterNode(org.apache.ignite.cluster.ClusterNode) AffinityTopologyVersion(org.apache.ignite.internal.processors.affinity.AffinityTopologyVersion) DiscoverySpiNodeAuthenticator(org.apache.ignite.spi.discovery.DiscoverySpiNodeAuthenticator) IgniteInterruptedException(org.apache.ignite.IgniteInterruptedException) IgniteDiscoveryThread(org.apache.ignite.spi.discovery.IgniteDiscoveryThread) SecurityCredentials(org.apache.ignite.plugin.security.SecurityCredentials) DiscoverySpiDataExchange(org.apache.ignite.spi.discovery.DiscoverySpiDataExchange) IgniteThread(org.apache.ignite.thread.IgniteThread) OomExceptionHandler(org.apache.ignite.thread.OomExceptionHandler) GridComponent(org.apache.ignite.internal.GridComponent) IgniteFuture(org.apache.ignite.lang.IgniteFuture) DiscoveryEvent(org.apache.ignite.events.DiscoveryEvent) JoiningNodeDiscoveryData(org.apache.ignite.spi.discovery.DiscoveryDataBag.JoiningNodeDiscoveryData) DiscoveryDataBag(org.apache.ignite.spi.discovery.DiscoveryDataBag) IGridClusterStateProcessor(org.apache.ignite.internal.processors.cluster.IGridClusterStateProcessor) IgniteKernal(org.apache.ignite.internal.IgniteKernal) Marshaller(org.apache.ignite.marshaller.Marshaller) ChangeGlobalStateMessage(org.apache.ignite.internal.processors.cluster.ChangeGlobalStateMessage) AtomicReference(java.util.concurrent.atomic.AtomicReference) DiscoverySpiListener(org.apache.ignite.spi.discovery.DiscoverySpiListener) GridWorker(org.apache.ignite.internal.util.worker.GridWorker) IgniteClientDisconnectedException(org.apache.ignite.IgniteClientDisconnectedException) IgniteCheckedException(org.apache.ignite.IgniteCheckedException) IgniteSpiException(org.apache.ignite.spi.IgniteSpiException) IgniteInterruptedException(org.apache.ignite.IgniteInterruptedException) IgniteInterruptedCheckedException(org.apache.ignite.internal.IgniteInterruptedCheckedException) IgniteClientDisconnectedCheckedException(org.apache.ignite.internal.IgniteClientDisconnectedCheckedException) IgniteException(org.apache.ignite.IgniteException) NodeStoppingException(org.apache.ignite.internal.NodeStoppingException) IgniteThread(org.apache.ignite.thread.IgniteThread) IgniteDiscoveryThread(org.apache.ignite.spi.discovery.IgniteDiscoveryThread) DiscoverySpiCustomMessage(org.apache.ignite.spi.discovery.DiscoverySpiCustomMessage) DiscoverySpi(org.apache.ignite.spi.discovery.DiscoverySpi) TcpDiscoverySpi(org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi) SecurityContext(org.apache.ignite.internal.processors.security.SecurityContext) SecurityUtils.remoteSecurityContext(org.apache.ignite.internal.processors.security.SecurityUtils.remoteSecurityContext) SecurityUtils.withRemoteSecurityContext(org.apache.ignite.internal.processors.security.SecurityUtils.withRemoteSecurityContext) OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext) SecurityUtils.nodeSecurityContext(org.apache.ignite.internal.processors.security.SecurityUtils.nodeSecurityContext) IgniteInClosure(org.apache.ignite.lang.IgniteInClosure) DiscoveryNotification(org.apache.ignite.spi.discovery.DiscoveryNotification) ChangeGlobalStateFinishMessage(org.apache.ignite.internal.processors.cluster.ChangeGlobalStateFinishMessage)

Example 2 with OperationSecurityContext

use of org.apache.ignite.internal.processors.security.OperationSecurityContext in project ignite by apache.

the class ClientListenerNioListener method onMessage.

/**
 * {@inheritDoc}
 */
@Override
public void onMessage(GridNioSession ses, ClientMessage msg) {
    assert msg != null;
    ClientListenerConnectionContext connCtx = ses.meta(CONN_CTX_META_KEY);
    if (connCtx == null) {
        try {
            onHandshake(ses, msg);
        } catch (Exception e) {
            U.error(log, "Failed to handle handshake request " + "(probably, connection has already been closed).", e);
        }
        return;
    }
    ClientListenerMessageParser parser = connCtx.parser();
    ClientListenerRequestHandler handler = connCtx.handler();
    ClientListenerRequest req;
    try {
        req = parser.decode(msg);
    } catch (Exception e) {
        try {
            handler.unregisterRequest(parser.decodeRequestId(msg));
        } catch (Exception e1) {
            U.error(log, "Failed to unregister request.", e1);
        }
        U.error(log, "Failed to parse client request.", e);
        ses.close();
        return;
    }
    assert req != null;
    try {
        long startTime = 0;
        if (log.isDebugEnabled()) {
            startTime = System.nanoTime();
            log.debug("Client request received [reqId=" + req.requestId() + ", addr=" + ses.remoteAddress() + ", req=" + req + ']');
        }
        ClientListenerResponse resp;
        try (OperationSecurityContext s = ctx.security().withContext(connCtx.securityContext())) {
            resp = handler.handle(req);
        }
        if (resp != null) {
            if (log.isDebugEnabled()) {
                long dur = (System.nanoTime() - startTime) / 1000;
                log.debug("Client request processed [reqId=" + req.requestId() + ", dur(mcs)=" + dur + ", resp=" + resp.status() + ']');
            }
            GridNioFuture<?> fut = ses.send(parser.encode(resp));
            fut.listen(f -> {
                if (f.error() == null)
                    resp.onSent();
            });
        }
    } catch (Throwable e) {
        handler.unregisterRequest(req.requestId());
        if (e instanceof Error)
            U.error(log, "Failed to process client request [req=" + req + ", msg=" + e.getMessage() + "]", e);
        else
            U.warn(log, "Failed to process client request [req=" + req + ", msg=" + e.getMessage() + "]", e);
        ses.send(parser.encode(handler.handleException(e, req)));
        if (e instanceof Error)
            throw (Error) e;
    }
}
Also used : IgniteAccessControlException(org.apache.ignite.internal.processors.authentication.IgniteAccessControlException) IgniteCheckedException(org.apache.ignite.IgniteCheckedException) OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext)

Example 3 with OperationSecurityContext

use of org.apache.ignite.internal.processors.security.OperationSecurityContext in project ignite by apache.

the class AuthenticationProcessorSelfTest method testRemoteNodeSecurityContext.

/**
 * Test the ability to obtain the security context ot an authenticated user on the remote server node.
 */
@Test
public void testRemoteNodeSecurityContext() throws Exception {
    try (OperationSecurityContext ignored = grid(CLI_NODE).context().security().withContext(secCtxDflt)) {
        grid(CLI_NODE).context().security().createUser("test", "pwd".toCharArray());
    }
    SecuritySubject subj = authenticate(grid(0), "test", "pwd").subject();
    for (int i = 1; i < NODES_COUNT; i++) {
        IgniteSecurity security = ignite(i).context().security();
        try (OperationSecurityContext ignored = security.withContext(subj.id())) {
            SecuritySubject rmtSubj = security.securityContext().subject();
            assertEquals(subj.id(), rmtSubj.id());
            assertEquals(i != CLI_NODE ? subj.login() : null, rmtSubj.login());
            assertEquals(subj.type(), rmtSubj.type());
        }
    }
}
Also used : SecuritySubject(org.apache.ignite.plugin.security.SecuritySubject) IgniteSecurity(org.apache.ignite.internal.processors.security.IgniteSecurity) OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext) GridCommonAbstractTest(org.apache.ignite.testframework.junits.common.GridCommonAbstractTest) Test(org.junit.Test)

Example 4 with OperationSecurityContext

use of org.apache.ignite.internal.processors.security.OperationSecurityContext in project ignite by apache.

the class ValidationOnNodeJoinUtils method validateNode.

/**
 * Checks a joining node to configuration consistency.
 *
 * @param node Node.
 * @param discoData Disco data.
 * @param marsh Marsh.
 * @param ctx Context.
 * @param cacheDescProvider Cache descriptor provider.
 */
@Nullable
static IgniteNodeValidationResult validateNode(ClusterNode node, DiscoveryDataBag.JoiningNodeDiscoveryData discoData, Marshaller marsh, GridKernalContext ctx, Function<String, DynamicCacheDescriptor> cacheDescProvider) {
    if (discoData.hasJoiningNodeData() && discoData.joiningNodeData() instanceof CacheJoinNodeDiscoveryData) {
        CacheJoinNodeDiscoveryData nodeData = (CacheJoinNodeDiscoveryData) discoData.joiningNodeData();
        boolean isGridActive = ctx.state().clusterState().active();
        StringBuilder errorMsg = new StringBuilder();
        if (!node.isClient()) {
            validateRmtRegions(node, ctx).forEach(error -> {
                if (errorMsg.length() > 0)
                    errorMsg.append("\n");
                errorMsg.append(error);
            });
        }
        SecurityContext secCtx = null;
        if (ctx.security().enabled()) {
            try {
                secCtx = nodeSecurityContext(marsh, U.resolveClassLoader(ctx.config()), node);
            } catch (SecurityException se) {
                errorMsg.append(se.getMessage());
            }
        }
        for (CacheJoinNodeDiscoveryData.CacheInfo cacheInfo : nodeData.caches().values()) {
            if (secCtx != null && cacheInfo.cacheType() == CacheType.USER) {
                try (OperationSecurityContext s = ctx.security().withContext(secCtx)) {
                    GridCacheProcessor.authorizeCacheCreate(ctx.security(), cacheInfo.cacheData().config());
                } catch (SecurityException ex) {
                    if (errorMsg.length() > 0)
                        errorMsg.append("\n");
                    errorMsg.append(ex.getMessage());
                }
            }
            DynamicCacheDescriptor locDesc = cacheDescProvider.apply(cacheInfo.cacheData().config().getName());
            if (locDesc == null)
                continue;
            String joinedSchema = cacheInfo.cacheData().config().getSqlSchema();
            Collection<QueryEntity> joinedQryEntities = cacheInfo.cacheData().queryEntities();
            String locSchema = locDesc.cacheConfiguration().getSqlSchema();
            // QuerySchema is empty and schema name is null (when indexing enabled dynamically).
            if (!F.eq(joinedSchema, locSchema) && (locSchema != null || !locDesc.schema().isEmpty()) && (joinedSchema != null || !F.isEmpty(joinedQryEntities))) {
                errorMsg.append(String.format(SQL_SCHEMA_CONFLICTS_MESSAGE, locDesc.cacheName(), joinedSchema, locSchema));
            }
            QuerySchemaPatch schemaPatch = locDesc.makeSchemaPatch(joinedQryEntities);
            if (schemaPatch.hasConflicts() || (isGridActive && !schemaPatch.isEmpty())) {
                if (errorMsg.length() > 0)
                    errorMsg.append("\n");
                if (schemaPatch.hasConflicts()) {
                    errorMsg.append(String.format(MERGE_OF_CONFIG_CONFLICTS_MESSAGE, locDesc.cacheName(), schemaPatch.getConflictsMessage()));
                } else
                    errorMsg.append(String.format(MERGE_OF_CONFIG_REQUIRED_MESSAGE, locDesc.cacheName()));
            }
            // This check must be done on join, otherwise group encryption key will be
            // written to metastore regardless of validation check and could trigger WAL write failures.
            boolean locEnc = locDesc.cacheConfiguration().isEncryptionEnabled();
            boolean rmtEnc = cacheInfo.cacheData().config().isEncryptionEnabled();
            if (locEnc != rmtEnc) {
                if (errorMsg.length() > 0)
                    errorMsg.append("\n");
                // Message will be printed on remote node, so need to swap local and remote.
                errorMsg.append(String.format(ENCRYPT_MISMATCH_MESSAGE, locDesc.cacheName(), rmtEnc, locEnc));
            }
        }
        if (errorMsg.length() > 0) {
            String msg = errorMsg.toString();
            return new IgniteNodeValidationResult(node.id(), msg);
        }
    }
    return null;
}
Also used : IgniteNodeValidationResult(org.apache.ignite.spi.IgniteNodeValidationResult) SecurityException(org.apache.ignite.plugin.security.SecurityException) QueryEntity(org.apache.ignite.cache.QueryEntity) QuerySchemaPatch(org.apache.ignite.internal.processors.query.QuerySchemaPatch) OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext) SecurityUtils.nodeSecurityContext(org.apache.ignite.internal.processors.security.SecurityUtils.nodeSecurityContext) SecurityContext(org.apache.ignite.internal.processors.security.SecurityContext) OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext) Nullable(org.jetbrains.annotations.Nullable)

Example 5 with OperationSecurityContext

use of org.apache.ignite.internal.processors.security.OperationSecurityContext in project ignite by apache.

the class GridIoManager method invokeListener.

/**
 * Invoke message listener.
 *
 * @param plc Policy.
 * @param lsnr Listener.
 * @param nodeId Node ID.
 * @param msg Message.
 * @param secSubjId Security subject that will be used to open a security session.
 */
private void invokeListener(Byte plc, GridMessageListener lsnr, UUID nodeId, Object msg, UUID secSubjId) {
    MTC.span().addLog(() -> "Invoke listener");
    Byte oldPlc = CUR_PLC.get();
    boolean change = !F.eq(oldPlc, plc);
    if (change)
        CUR_PLC.set(plc);
    UUID newSecSubjId = secSubjId != null ? secSubjId : nodeId;
    try (OperationSecurityContext s = ctx.security().withContext(newSecSubjId)) {
        lsnr.onMessage(nodeId, msg, plc);
    } finally {
        if (change)
            CUR_PLC.set(oldPlc);
    }
}
Also used : UUID(java.util.UUID) OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext)

Aggregations

OperationSecurityContext (org.apache.ignite.internal.processors.security.OperationSecurityContext)8 IgniteCheckedException (org.apache.ignite.IgniteCheckedException)4 SecurityContext (org.apache.ignite.internal.processors.security.SecurityContext)3 UUID (java.util.UUID)2 IgniteException (org.apache.ignite.IgniteException)2 IgniteInterruptedCheckedException (org.apache.ignite.internal.IgniteInterruptedCheckedException)2 NodeStoppingException (org.apache.ignite.internal.NodeStoppingException)2 SecurityUtils.nodeSecurityContext (org.apache.ignite.internal.processors.security.SecurityUtils.nodeSecurityContext)2 SecurityException (org.apache.ignite.plugin.security.SecurityException)2 ArrayList (java.util.ArrayList)1 List (java.util.List)1 Callable (java.util.concurrent.Callable)1 CopyOnWriteArrayList (java.util.concurrent.CopyOnWriteArrayList)1 AtomicReference (java.util.concurrent.atomic.AtomicReference)1 IgniteAuthenticationException (org.apache.ignite.IgniteAuthenticationException)1 IgniteClientDisconnectedException (org.apache.ignite.IgniteClientDisconnectedException)1 IgniteInterruptedException (org.apache.ignite.IgniteInterruptedException)1 QueryEntity (org.apache.ignite.cache.QueryEntity)1 ClusterNode (org.apache.ignite.cluster.ClusterNode)1 ComputeExecutionRejectedException (org.apache.ignite.compute.ComputeExecutionRejectedException)1