Example 1 with OperationSecurityContext
use of org.apache.ignite.internal.processors.security.OperationSecurityContext in project ignite by apache.
the class GridDiscoveryManager method start.
/**
* {@inheritDoc}
*/
@Override
public void start() throws IgniteCheckedException {
ctx.addNodeAttribute(ATTR_OFFHEAP_SIZE, requiredOffheap());
ctx.addNodeAttribute(ATTR_DATA_REGIONS_OFFHEAP_SIZE, configuredOffheap());
DiscoverySpi spi = getSpi();
discoOrdered = discoOrdered();
histSupported = historySupported();
isLocDaemon = ctx.isDaemon();
hasRslvrs = !ctx.config().isClientMode() && !F.isEmpty(ctx.config().getSegmentationResolvers());
segChkFreq = ctx.config().getSegmentCheckFrequency();
if (hasRslvrs) {
if (segChkFreq < 0)
throw new IgniteCheckedException("Segment check frequency cannot be negative: " + segChkFreq);
if (segChkFreq > 0 && segChkFreq < 2000)
U.warn(log, "Configuration parameter 'segmentCheckFrequency' is too low " + "(at least 2000 ms recommended): " + segChkFreq);
int segResAttemp = ctx.config().getSegmentationResolveAttempts();
if (segResAttemp < 1)
throw new IgniteCheckedException("Segment resolve attempts cannot be negative or zero: " + segResAttemp);
checkSegmentOnStart();
}
spi.setMetricsProvider(createMetricsProvider());
if (ctx.security().enabled()) {
if (isSecurityCompatibilityMode())
ctx.addNodeAttribute(ATTR_SECURITY_COMPATIBILITY_MODE, true);
spi.setAuthenticator(new DiscoverySpiNodeAuthenticator() {
@Override
public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) {
try {
return ctx.security().authenticateNode(node, cred);
} catch (IgniteCheckedException e) {
throw U.convertException(e);
}
}
@Override
public boolean isGlobalNodeAuthentication() {
return ctx.security().isGlobalNodeAuthentication();
}
});
}
if (ctx.config().getCommunicationFailureResolver() != null)
ctx.resource().injectGeneric(ctx.config().getCommunicationFailureResolver());
// Shared reference between DiscoverySpiListener and DiscoverySpiDataExchange.
AtomicReference<IgniteFuture<?>> lastStateChangeEvtLsnrFutRef = new AtomicReference<>();
spi.setListener(new DiscoverySpiListener() {
private long gridStartTime;
private final Marshaller marshaller = MarshallerUtils.jdkMarshaller(ctx.igniteInstanceName());
/**
* {@inheritDoc}
*/
@Override
public void onLocalNodeInitialized(ClusterNode locNode) {
for (IgniteInClosure<ClusterNode> lsnr : locNodeInitLsnrs) lsnr.apply(locNode);
if (locNode instanceof IgniteClusterNode) {
final IgniteClusterNode node = (IgniteClusterNode) locNode;
if (consistentId != null)
node.setConsistentId(consistentId);
}
}
/**
* {@inheritDoc}
*/
@Override
public IgniteFuture<?> onDiscovery(DiscoveryNotification notification) {
GridFutureAdapter<?> notificationFut = new GridFutureAdapter<>();
discoNtfWrk.submit(notificationFut, ctx.security().enabled() ? new SecurityAwareNotificationTask(notification) : new NotificationTask(notification));
IgniteFuture<?> fut = new IgniteFutureImpl<>(notificationFut);
// TODO could be optimized with more specific conditions.
switch(notification.type()) {
case EVT_NODE_JOINED:
case EVT_NODE_LEFT:
case EVT_NODE_FAILED:
if (!CU.isPersistenceEnabled(ctx.config()))
lastStateChangeEvtLsnrFutRef.set(fut);
break;
case EVT_DISCOVERY_CUSTOM_EVT:
lastStateChangeEvtLsnrFutRef.set(fut);
}
return fut;
}
/**
* @param notification Notification.
*/
private void onDiscovery0(DiscoveryNotification notification) {
int type = notification.type();
ClusterNode node = notification.getNode();
long topVer = notification.getTopVer();
DiscoveryCustomMessage customMsg = notification.getCustomMsgData() == null ? null : ((CustomMessageWrapper) notification.getCustomMsgData()).delegate();
if (skipMessage(notification.type(), customMsg))
return;
final ClusterNode locNode = localNode();
if (notification.getTopHist() != null)
topHist = notification.getTopHist();
boolean verChanged;
if (type == EVT_NODE_METRICS_UPDATED)
verChanged = false;
else {
if (type != EVT_NODE_SEGMENTED && type != EVT_CLIENT_NODE_DISCONNECTED && type != EVT_CLIENT_NODE_RECONNECTED && type != EVT_DISCOVERY_CUSTOM_EVT) {
minorTopVer = 0;
verChanged = true;
} else
verChanged = false;
}
if (type == EVT_NODE_FAILED || type == EVT_NODE_LEFT) {
for (DiscoCache c : discoCacheHist.values()) c.updateAlives(node);
updateClientNodes(node.id());
}
boolean locJoinEvt = type == EVT_NODE_JOINED && node.id().equals(locNode.id());
ChangeGlobalStateFinishMessage stateFinishMsg = null;
if (type == EVT_NODE_FAILED || type == EVT_NODE_LEFT)
stateFinishMsg = ctx.state().onNodeLeft(node);
final AffinityTopologyVersion nextTopVer;
if (type == EVT_DISCOVERY_CUSTOM_EVT) {
assert customMsg != null;
boolean incMinorTopVer;
if (customMsg instanceof ChangeGlobalStateMessage) {
incMinorTopVer = ctx.state().onStateChangeMessage(new AffinityTopologyVersion(topVer, minorTopVer), (ChangeGlobalStateMessage) customMsg, discoCache());
} else if (customMsg instanceof ChangeGlobalStateFinishMessage) {
ctx.state().onStateFinishMessage((ChangeGlobalStateFinishMessage) customMsg);
Snapshot snapshot = topSnap.get();
// Topology version does not change, but need create DiscoCache with new state.
DiscoCache discoCache = snapshot.discoCache.copy(snapshot.topVer, ctx.state().clusterState());
topSnap.set(new Snapshot(snapshot.topVer, discoCache));
incMinorTopVer = false;
} else {
incMinorTopVer = ctx.cache().onCustomEvent(customMsg, new AffinityTopologyVersion(topVer, minorTopVer), node);
}
if (incMinorTopVer) {
minorTopVer++;
verChanged = true;
}
nextTopVer = new AffinityTopologyVersion(topVer, minorTopVer);
if (incMinorTopVer)
ctx.cache().onDiscoveryEvent(type, customMsg, node, nextTopVer, ctx.state().clusterState());
} else {
nextTopVer = new AffinityTopologyVersion(topVer, minorTopVer);
ctx.cache().onDiscoveryEvent(type, customMsg, node, nextTopVer, ctx.state().clusterState());
}
DiscoCache discoCache;
// event notifications, since SPI notifies manager about all events from this listener.
if (verChanged) {
Snapshot snapshot = topSnap.get();
if (customMsg == null) {
discoCache = createDiscoCache(nextTopVer, ctx.state().clusterState(), locNode, notification.getTopSnapshot());
} else if (customMsg instanceof ChangeGlobalStateMessage) {
discoCache = createDiscoCache(nextTopVer, ctx.state().pendingState((ChangeGlobalStateMessage) customMsg), locNode, notification.getTopSnapshot());
} else
discoCache = customMsg.createDiscoCache(GridDiscoveryManager.this, nextTopVer, snapshot.discoCache);
discoCacheHist.put(nextTopVer, discoCache);
assert snapshot.topVer.compareTo(nextTopVer) < 0 : "Topology version out of order [this.topVer=" + topSnap + ", topVer=" + topVer + ", node=" + node + ", nextTopVer=" + nextTopVer + ", evt=" + U.gridEventName(type) + ']';
topSnap.set(new Snapshot(nextTopVer, discoCache));
} else
// Current version.
discoCache = discoCache();
if (locJoinEvt || !node.isClient() && !node.isDaemon()) {
if (type == EVT_NODE_LEFT || type == EVT_NODE_FAILED || type == EVT_NODE_JOINED) {
boolean discoCacheRecalculationRequired = ctx.state().autoAdjustInMemoryClusterState(node.id(), notification.getTopSnapshot(), discoCache, topVer, minorTopVer);
if (discoCacheRecalculationRequired) {
discoCache = createDiscoCache(nextTopVer, ctx.state().clusterState(), locNode, notification.getTopSnapshot());
discoCacheHist.put(nextTopVer, discoCache);
topSnap.set(new Snapshot(nextTopVer, discoCache));
}
}
}
if (type == EVT_DISCOVERY_CUSTOM_EVT) {
for (Class cls = customMsg.getClass(); cls != null; cls = cls.getSuperclass()) {
List<CustomEventListener<DiscoveryCustomMessage>> list = customEvtLsnrs.get(cls);
if (list != null) {
for (CustomEventListener<DiscoveryCustomMessage> lsnr : list) {
try {
lsnr.onCustomEvent(nextTopVer, node, customMsg);
} catch (Exception e) {
U.error(log, "Failed to notify direct custom event listener: " + customMsg, e);
}
}
}
}
}
SecurityContext secCtx = remoteSecurityContext(ctx);
// If this is a local join event, just save it and do not notify listeners.
if (locJoinEvt) {
if (gridStartTime == 0)
gridStartTime = getSpi().getGridStartTime();
topSnap.set(new Snapshot(nextTopVer, discoCache));
startLatch.countDown();
DiscoveryEvent discoEvt = new DiscoveryEvent();
discoEvt.node(ctx.discovery().localNode());
discoEvt.eventNode(node);
discoEvt.type(EVT_NODE_JOINED);
discoEvt.topologySnapshot(topVer, new ArrayList<>(F.view(notification.getTopSnapshot(), FILTER_NOT_DAEMON)));
if (notification.getSpanContainer() != null)
discoEvt.span(notification.getSpanContainer().span());
discoWrk.discoCache = discoCache;
if (!ctx.clientDisconnected()) {
// The security processor must be notified first, since {@link IgniteSecurity#onLocalJoin}
// finishes local node security context initialization that can be demanded by other Ignite
// components.
ctx.security().onLocalJoin();
if (!isLocDaemon) {
ctx.cache().context().versions().onLocalJoin(topVer);
ctx.cache().context().coordinators().onLocalJoin(discoEvt, discoCache);
ctx.cache().context().exchange().onLocalJoin(discoEvt, discoCache);
ctx.service().onLocalJoin(discoEvt, discoCache);
ctx.encryption().onLocalJoin();
ctx.cluster().onLocalJoin();
}
}
IgniteInternalFuture<Boolean> transitionWaitFut = ctx.state().onLocalJoin(discoCache);
locJoin.onDone(new DiscoveryLocalJoinData(discoEvt, discoCache, transitionWaitFut, ctx.state().clusterState().active()));
return;
} else if (type == EVT_CLIENT_NODE_DISCONNECTED) {
assert locNode.isClient() : locNode;
assert node.isClient() : node;
((IgniteKernal) ctx.grid()).onDisconnected();
if (!locJoin.isDone())
locJoin.onDone(new IgniteCheckedException("Node disconnected"));
locJoin = new GridFutureAdapter<>();
registeredCaches.clear();
registeredCacheGrps.clear();
for (AffinityTopologyVersion histVer : discoCacheHist.keySet()) {
Object rmvd = discoCacheHist.remove(histVer);
assert rmvd != null : histVer;
}
topHist.clear();
topSnap.set(new Snapshot(AffinityTopologyVersion.ZERO, createDiscoCache(AffinityTopologyVersion.ZERO, ctx.state().clusterState(), locNode, Collections.singleton(locNode))));
} else if (type == EVT_CLIENT_NODE_RECONNECTED) {
assert locNode.isClient() : locNode;
assert node.isClient() : node;
ctx.security().onLocalJoin();
boolean clusterRestarted = gridStartTime != getSpi().getGridStartTime();
gridStartTime = getSpi().getGridStartTime();
((IgniteKernal) ctx.grid()).onReconnected(clusterRestarted);
ctx.cache().context().coordinators().onLocalJoin(localJoinEvent(), discoCache);
ctx.cache().context().exchange().onLocalJoin(localJoinEvent(), discoCache);
ctx.service().onLocalJoin(localJoinEvent(), discoCache);
DiscoCache discoCache0 = discoCache;
ctx.cluster().clientReconnectFuture().listen(new CI1<IgniteFuture<?>>() {
@Override
public void apply(IgniteFuture<?> fut) {
try {
fut.get();
discoWrk.addEvent(new NotificationEvent(EVT_CLIENT_NODE_RECONNECTED, nextTopVer, node, discoCache0, notification.getTopSnapshot(), null, notification.getSpanContainer(), secCtx));
} catch (IgniteException ignore) {
// No-op.
}
}
});
return;
}
if (type == EVT_CLIENT_NODE_DISCONNECTED || type == EVT_NODE_SEGMENTED || !ctx.clientDisconnected())
discoWrk.addEvent(new NotificationEvent(type, nextTopVer, node, discoCache, notification.getTopSnapshot(), customMsg, notification.getSpanContainer(), secCtx));
if (stateFinishMsg != null)
discoWrk.addEvent(new NotificationEvent(EVT_DISCOVERY_CUSTOM_EVT, nextTopVer, node, discoCache, notification.getTopSnapshot(), stateFinishMsg, notification.getSpanContainer(), secCtx));
if (type == EVT_CLIENT_NODE_DISCONNECTED)
discoWrk.awaitDisconnectEvent();
}
/**
* Extends {@link NotificationTask} to run in a security context owned by the initiator of the
* discovery event.
*/
class SecurityAwareNotificationTask extends NotificationTask {
/**
*/
public SecurityAwareNotificationTask(DiscoveryNotification notification) {
super(notification);
}
/**
*/
@Override
public void run() {
DiscoverySpiCustomMessage customMsg = notification.getCustomMsgData();
if (customMsg instanceof SecurityAwareCustomMessageWrapper) {
UUID secSubjId = ((SecurityAwareCustomMessageWrapper) customMsg).securitySubjectId();
try (OperationSecurityContext ignored = ctx.security().withContext(secSubjId)) {
super.run();
}
} else {
SecurityContext initiatorNodeSecCtx = nodeSecurityContext(marshaller, U.resolveClassLoader(ctx.config()), notification.getNode());
try (OperationSecurityContext ignored = ctx.security().withContext(initiatorNodeSecCtx)) {
super.run();
}
}
}
}
/**
* Represents task to handle discovery notification asynchronously.
*/
class NotificationTask implements Runnable {
/**
*/
protected final DiscoveryNotification notification;
/**
*/
public NotificationTask(DiscoveryNotification notification) {
this.notification = notification;
}
/**
* {@inheritDoc}
*/
@Override
public void run() {
synchronized (discoEvtMux) {
onDiscovery0(notification);
}
}
}
});
spi.setDataExchange(new DiscoverySpiDataExchange() {
@Override
public DiscoveryDataBag collect(DiscoveryDataBag dataBag) {
assert dataBag != null;
assert dataBag.joiningNodeId() != null;
if (ctx.localNodeId().equals(dataBag.joiningNodeId())) {
for (GridComponent c : ctx.components()) c.collectJoiningNodeData(dataBag);
} else {
waitForLastStateChangeEventFuture();
for (GridComponent c : ctx.components()) c.collectGridNodeData(dataBag);
}
return dataBag;
}
@Override
public void onExchange(DiscoveryDataBag dataBag) {
assert dataBag != null;
assert dataBag.joiningNodeId() != null;
if (ctx.localNodeId().equals(dataBag.joiningNodeId())) {
// NodeAdded msg reached joining node after round-trip over the ring.
IGridClusterStateProcessor stateProc = ctx.state();
stateProc.onGridDataReceived(dataBag.gridDiscoveryData(stateProc.discoveryDataType().ordinal()));
for (GridComponent c : ctx.components()) {
if (c.discoveryDataType() != null && c != stateProc)
c.onGridDataReceived(dataBag.gridDiscoveryData(c.discoveryDataType().ordinal()));
}
} else {
// Discovery data from newly joined node has to be applied to the current old node.
IGridClusterStateProcessor stateProc = ctx.state();
JoiningNodeDiscoveryData data0 = dataBag.newJoinerDiscoveryData(stateProc.discoveryDataType().ordinal());
assert data0 != null;
stateProc.onJoiningNodeDataReceived(data0);
for (GridComponent c : ctx.components()) {
if (c.discoveryDataType() != null && c != stateProc) {
JoiningNodeDiscoveryData data = dataBag.newJoinerDiscoveryData(c.discoveryDataType().ordinal());
if (data != null)
c.onJoiningNodeDataReceived(data);
}
}
}
}
/**
*/
private void waitForLastStateChangeEventFuture() {
IgniteFuture<?> lastStateChangeEvtLsnrFut = lastStateChangeEvtLsnrFutRef.get();
if (lastStateChangeEvtLsnrFut != null) {
Thread currThread = Thread.currentThread();
GridWorker worker = currThread instanceof IgniteDiscoveryThread ? ((IgniteDiscoveryThread) currThread).worker() : null;
if (worker != null)
worker.blockingSectionBegin();
try {
lastStateChangeEvtLsnrFut.get();
} finally {
// Guaranteed to be invoked in the same thread as DiscoverySpiListener#onDiscovery.
// No additional synchronization for reference is required.
lastStateChangeEvtLsnrFutRef.set(null);
if (worker != null)
worker.blockingSectionEnd();
}
}
}
});
new DiscoveryMessageNotifierThread(discoNtfWrk).start();
startSpi();
registeredDiscoSpi = true;
try {
U.await(startLatch);
} catch (IgniteInterruptedException e) {
throw new IgniteCheckedException("Failed to start discovery manager (thread has been interrupted).", e);
}
// Start segment check worker only if frequency is greater than 0.
if (hasRslvrs && segChkFreq > 0) {
segChkWrk = new SegmentCheckWorker();
segChkThread = new IgniteThread(segChkWrk);
segChkThread.setUncaughtExceptionHandler(new OomExceptionHandler(ctx));
segChkThread.start();
}
locNode = spi.getLocalNode();
checkAttributes(discoCache().remoteNodes());
// Start discovery worker.
new IgniteThread(discoWrk).start();
if (log.isDebugEnabled())
log.debug(startInfo());
}
Also used :
CopyOnWriteArrayList(java.util.concurrent.CopyOnWriteArrayList)
ArrayList(java.util.ArrayList)
CI1(org.apache.ignite.internal.util.typedef.CI1)
IgniteInternalFuture(org.apache.ignite.internal.IgniteInternalFuture)
IgniteCheckedException(org.apache.ignite.IgniteCheckedException)
IgniteException(org.apache.ignite.IgniteException)
GridFutureAdapter(org.apache.ignite.internal.util.future.GridFutureAdapter)
CopyOnWriteArrayList(java.util.concurrent.CopyOnWriteArrayList)
ArrayList(java.util.ArrayList)
List(java.util.List)
UUID(java.util.UUID)
OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext)
ClusterNode(org.apache.ignite.cluster.ClusterNode)
AffinityTopologyVersion(org.apache.ignite.internal.processors.affinity.AffinityTopologyVersion)
DiscoverySpiNodeAuthenticator(org.apache.ignite.spi.discovery.DiscoverySpiNodeAuthenticator)
IgniteInterruptedException(org.apache.ignite.IgniteInterruptedException)
IgniteDiscoveryThread(org.apache.ignite.spi.discovery.IgniteDiscoveryThread)
SecurityCredentials(org.apache.ignite.plugin.security.SecurityCredentials)
DiscoverySpiDataExchange(org.apache.ignite.spi.discovery.DiscoverySpiDataExchange)
IgniteThread(org.apache.ignite.thread.IgniteThread)
OomExceptionHandler(org.apache.ignite.thread.OomExceptionHandler)
GridComponent(org.apache.ignite.internal.GridComponent)
IgniteFuture(org.apache.ignite.lang.IgniteFuture)
DiscoveryEvent(org.apache.ignite.events.DiscoveryEvent)
JoiningNodeDiscoveryData(org.apache.ignite.spi.discovery.DiscoveryDataBag.JoiningNodeDiscoveryData)
DiscoveryDataBag(org.apache.ignite.spi.discovery.DiscoveryDataBag)
IGridClusterStateProcessor(org.apache.ignite.internal.processors.cluster.IGridClusterStateProcessor)
IgniteKernal(org.apache.ignite.internal.IgniteKernal)
Marshaller(org.apache.ignite.marshaller.Marshaller)
ChangeGlobalStateMessage(org.apache.ignite.internal.processors.cluster.ChangeGlobalStateMessage)
AtomicReference(java.util.concurrent.atomic.AtomicReference)
DiscoverySpiListener(org.apache.ignite.spi.discovery.DiscoverySpiListener)
GridWorker(org.apache.ignite.internal.util.worker.GridWorker)
IgniteClientDisconnectedException(org.apache.ignite.IgniteClientDisconnectedException)
IgniteCheckedException(org.apache.ignite.IgniteCheckedException)
IgniteSpiException(org.apache.ignite.spi.IgniteSpiException)
IgniteInterruptedException(org.apache.ignite.IgniteInterruptedException)
IgniteInterruptedCheckedException(org.apache.ignite.internal.IgniteInterruptedCheckedException)
IgniteClientDisconnectedCheckedException(org.apache.ignite.internal.IgniteClientDisconnectedCheckedException)
IgniteException(org.apache.ignite.IgniteException)
NodeStoppingException(org.apache.ignite.internal.NodeStoppingException)
IgniteThread(org.apache.ignite.thread.IgniteThread)
IgniteDiscoveryThread(org.apache.ignite.spi.discovery.IgniteDiscoveryThread)
DiscoverySpiCustomMessage(org.apache.ignite.spi.discovery.DiscoverySpiCustomMessage)
DiscoverySpi(org.apache.ignite.spi.discovery.DiscoverySpi)
TcpDiscoverySpi(org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi)
SecurityContext(org.apache.ignite.internal.processors.security.SecurityContext)
SecurityUtils.remoteSecurityContext(org.apache.ignite.internal.processors.security.SecurityUtils.remoteSecurityContext)
SecurityUtils.withRemoteSecurityContext(org.apache.ignite.internal.processors.security.SecurityUtils.withRemoteSecurityContext)
OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext)
SecurityUtils.nodeSecurityContext(org.apache.ignite.internal.processors.security.SecurityUtils.nodeSecurityContext)
IgniteInClosure(org.apache.ignite.lang.IgniteInClosure)
DiscoveryNotification(org.apache.ignite.spi.discovery.DiscoveryNotification)
ChangeGlobalStateFinishMessage(org.apache.ignite.internal.processors.cluster.ChangeGlobalStateFinishMessage)
Example 2 with OperationSecurityContext
use of org.apache.ignite.internal.processors.security.OperationSecurityContext in project ignite by apache.
the class ClientListenerNioListener method onMessage.
/**
* {@inheritDoc}
*/
@Override
public void onMessage(GridNioSession ses, ClientMessage msg) {
assert msg != null;
ClientListenerConnectionContext connCtx = ses.meta(CONN_CTX_META_KEY);
if (connCtx == null) {
try {
onHandshake(ses, msg);
} catch (Exception e) {
U.error(log, "Failed to handle handshake request " + "(probably, connection has already been closed).", e);
}
return;
}
ClientListenerMessageParser parser = connCtx.parser();
ClientListenerRequestHandler handler = connCtx.handler();
ClientListenerRequest req;
try {
req = parser.decode(msg);
} catch (Exception e) {
try {
handler.unregisterRequest(parser.decodeRequestId(msg));
} catch (Exception e1) {
U.error(log, "Failed to unregister request.", e1);
}
U.error(log, "Failed to parse client request.", e);
ses.close();
return;
}
assert req != null;
try {
long startTime = 0;
if (log.isDebugEnabled()) {
startTime = System.nanoTime();
log.debug("Client request received [reqId=" + req.requestId() + ", addr=" + ses.remoteAddress() + ", req=" + req + ']');
}
ClientListenerResponse resp;
try (OperationSecurityContext s = ctx.security().withContext(connCtx.securityContext())) {
resp = handler.handle(req);
}
if (resp != null) {
if (log.isDebugEnabled()) {
long dur = (System.nanoTime() - startTime) / 1000;
log.debug("Client request processed [reqId=" + req.requestId() + ", dur(mcs)=" + dur + ", resp=" + resp.status() + ']');
}
GridNioFuture<?> fut = ses.send(parser.encode(resp));
fut.listen(f -> {
if (f.error() == null)
resp.onSent();
});
}
} catch (Throwable e) {
handler.unregisterRequest(req.requestId());
if (e instanceof Error)
U.error(log, "Failed to process client request [req=" + req + ", msg=" + e.getMessage() + "]", e);
else
U.warn(log, "Failed to process client request [req=" + req + ", msg=" + e.getMessage() + "]", e);
ses.send(parser.encode(handler.handleException(e, req)));
if (e instanceof Error)
throw (Error) e;
}
}
Also used :
IgniteAccessControlException(org.apache.ignite.internal.processors.authentication.IgniteAccessControlException)
IgniteCheckedException(org.apache.ignite.IgniteCheckedException)
OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext)
Example 3 with OperationSecurityContext
use of org.apache.ignite.internal.processors.security.OperationSecurityContext in project ignite by apache.
the class AuthenticationProcessorSelfTest method testRemoteNodeSecurityContext.
/**
* Test the ability to obtain the security context ot an authenticated user on the remote server node.
*/
@Test
public void testRemoteNodeSecurityContext() throws Exception {
try (OperationSecurityContext ignored = grid(CLI_NODE).context().security().withContext(secCtxDflt)) {
grid(CLI_NODE).context().security().createUser("test", "pwd".toCharArray());
}
SecuritySubject subj = authenticate(grid(0), "test", "pwd").subject();
for (int i = 1; i < NODES_COUNT; i++) {
IgniteSecurity security = ignite(i).context().security();
try (OperationSecurityContext ignored = security.withContext(subj.id())) {
SecuritySubject rmtSubj = security.securityContext().subject();
assertEquals(subj.id(), rmtSubj.id());
assertEquals(i != CLI_NODE ? subj.login() : null, rmtSubj.login());
assertEquals(subj.type(), rmtSubj.type());
}
}
}
Also used :
SecuritySubject(org.apache.ignite.plugin.security.SecuritySubject)
IgniteSecurity(org.apache.ignite.internal.processors.security.IgniteSecurity)
OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext)
GridCommonAbstractTest(org.apache.ignite.testframework.junits.common.GridCommonAbstractTest)
Test(org.junit.Test)
Example 4 with OperationSecurityContext
use of org.apache.ignite.internal.processors.security.OperationSecurityContext in project ignite by apache.
the class ValidationOnNodeJoinUtils method validateNode.
/**
* Checks a joining node to configuration consistency.
*
* @param node Node.
* @param discoData Disco data.
* @param marsh Marsh.
* @param ctx Context.
* @param cacheDescProvider Cache descriptor provider.
*/
@Nullable
static IgniteNodeValidationResult validateNode(ClusterNode node, DiscoveryDataBag.JoiningNodeDiscoveryData discoData, Marshaller marsh, GridKernalContext ctx, Function<String, DynamicCacheDescriptor> cacheDescProvider) {
if (discoData.hasJoiningNodeData() && discoData.joiningNodeData() instanceof CacheJoinNodeDiscoveryData) {
CacheJoinNodeDiscoveryData nodeData = (CacheJoinNodeDiscoveryData) discoData.joiningNodeData();
boolean isGridActive = ctx.state().clusterState().active();
StringBuilder errorMsg = new StringBuilder();
if (!node.isClient()) {
validateRmtRegions(node, ctx).forEach(error -> {
if (errorMsg.length() > 0)
errorMsg.append("\n");
errorMsg.append(error);
});
}
SecurityContext secCtx = null;
if (ctx.security().enabled()) {
try {
secCtx = nodeSecurityContext(marsh, U.resolveClassLoader(ctx.config()), node);
} catch (SecurityException se) {
errorMsg.append(se.getMessage());
}
}
for (CacheJoinNodeDiscoveryData.CacheInfo cacheInfo : nodeData.caches().values()) {
if (secCtx != null && cacheInfo.cacheType() == CacheType.USER) {
try (OperationSecurityContext s = ctx.security().withContext(secCtx)) {
GridCacheProcessor.authorizeCacheCreate(ctx.security(), cacheInfo.cacheData().config());
} catch (SecurityException ex) {
if (errorMsg.length() > 0)
errorMsg.append("\n");
errorMsg.append(ex.getMessage());
}
}
DynamicCacheDescriptor locDesc = cacheDescProvider.apply(cacheInfo.cacheData().config().getName());
if (locDesc == null)
continue;
String joinedSchema = cacheInfo.cacheData().config().getSqlSchema();
Collection<QueryEntity> joinedQryEntities = cacheInfo.cacheData().queryEntities();
String locSchema = locDesc.cacheConfiguration().getSqlSchema();
// QuerySchema is empty and schema name is null (when indexing enabled dynamically).
if (!F.eq(joinedSchema, locSchema) && (locSchema != null || !locDesc.schema().isEmpty()) && (joinedSchema != null || !F.isEmpty(joinedQryEntities))) {
errorMsg.append(String.format(SQL_SCHEMA_CONFLICTS_MESSAGE, locDesc.cacheName(), joinedSchema, locSchema));
}
QuerySchemaPatch schemaPatch = locDesc.makeSchemaPatch(joinedQryEntities);
if (schemaPatch.hasConflicts() || (isGridActive && !schemaPatch.isEmpty())) {
if (errorMsg.length() > 0)
errorMsg.append("\n");
if (schemaPatch.hasConflicts()) {
errorMsg.append(String.format(MERGE_OF_CONFIG_CONFLICTS_MESSAGE, locDesc.cacheName(), schemaPatch.getConflictsMessage()));
} else
errorMsg.append(String.format(MERGE_OF_CONFIG_REQUIRED_MESSAGE, locDesc.cacheName()));
}
// This check must be done on join, otherwise group encryption key will be
// written to metastore regardless of validation check and could trigger WAL write failures.
boolean locEnc = locDesc.cacheConfiguration().isEncryptionEnabled();
boolean rmtEnc = cacheInfo.cacheData().config().isEncryptionEnabled();
if (locEnc != rmtEnc) {
if (errorMsg.length() > 0)
errorMsg.append("\n");
// Message will be printed on remote node, so need to swap local and remote.
errorMsg.append(String.format(ENCRYPT_MISMATCH_MESSAGE, locDesc.cacheName(), rmtEnc, locEnc));
}
}
if (errorMsg.length() > 0) {
String msg = errorMsg.toString();
return new IgniteNodeValidationResult(node.id(), msg);
}
}
return null;
}
Also used :
IgniteNodeValidationResult(org.apache.ignite.spi.IgniteNodeValidationResult)
SecurityException(org.apache.ignite.plugin.security.SecurityException)
QueryEntity(org.apache.ignite.cache.QueryEntity)
QuerySchemaPatch(org.apache.ignite.internal.processors.query.QuerySchemaPatch)
OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext)
SecurityUtils.nodeSecurityContext(org.apache.ignite.internal.processors.security.SecurityUtils.nodeSecurityContext)
SecurityContext(org.apache.ignite.internal.processors.security.SecurityContext)
OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext)
Nullable(org.jetbrains.annotations.Nullable)
Example 5 with OperationSecurityContext
use of org.apache.ignite.internal.processors.security.OperationSecurityContext in project ignite by apache.
the class GridIoManager method invokeListener.
/**
* Invoke message listener.
*
* @param plc Policy.
* @param lsnr Listener.
* @param nodeId Node ID.
* @param msg Message.
* @param secSubjId Security subject that will be used to open a security session.
*/
private void invokeListener(Byte plc, GridMessageListener lsnr, UUID nodeId, Object msg, UUID secSubjId) {
MTC.span().addLog(() -> "Invoke listener");
Byte oldPlc = CUR_PLC.get();
boolean change = !F.eq(oldPlc, plc);
if (change)
CUR_PLC.set(plc);
UUID newSecSubjId = secSubjId != null ? secSubjId : nodeId;
try (OperationSecurityContext s = ctx.security().withContext(newSecSubjId)) {
lsnr.onMessage(nodeId, msg, plc);
} finally {
if (change)
CUR_PLC.set(oldPlc);
}
}
Also used :
UUID(java.util.UUID)
OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext)
Aggregations
OperationSecurityContext (org.apache.ignite.internal.processors.security.OperationSecurityContext)8
IgniteCheckedException (org.apache.ignite.IgniteCheckedException)4
SecurityContext (org.apache.ignite.internal.processors.security.SecurityContext)3
UUID (java.util.UUID)2
IgniteException (org.apache.ignite.IgniteException)2
IgniteInterruptedCheckedException (org.apache.ignite.internal.IgniteInterruptedCheckedException)2
NodeStoppingException (org.apache.ignite.internal.NodeStoppingException)2
SecurityUtils.nodeSecurityContext (org.apache.ignite.internal.processors.security.SecurityUtils.nodeSecurityContext)2
SecurityException (org.apache.ignite.plugin.security.SecurityException)2
ArrayList (java.util.ArrayList)1
List (java.util.List)1
Callable (java.util.concurrent.Callable)1
CopyOnWriteArrayList (java.util.concurrent.CopyOnWriteArrayList)1
AtomicReference (java.util.concurrent.atomic.AtomicReference)1
IgniteAuthenticationException (org.apache.ignite.IgniteAuthenticationException)1
IgniteClientDisconnectedException (org.apache.ignite.IgniteClientDisconnectedException)1
IgniteInterruptedException (org.apache.ignite.IgniteInterruptedException)1
QueryEntity (org.apache.ignite.cache.QueryEntity)1
ClusterNode (org.apache.ignite.cluster.ClusterNode)1
ComputeExecutionRejectedException (org.apache.ignite.compute.ComputeExecutionRejectedException)1
