Search in sources :

Example 16 with SecurityContext

use of org.apache.ignite.internal.processors.security.SecurityContext in project ignite by apache.

the class TestSecurityProcessor method authenticateNode.

/**
 * {@inheritDoc}
 */
@Override
public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) throws IgniteCheckedException {
    if (!PERMS.containsKey(cred))
        return null;
    SecurityContext res = new TestSecurityContext(new TestSecuritySubject().setType(REMOTE_NODE).setId(node.id()).setAddr(new InetSocketAddress(F.first(node.addresses()), 0)).setLogin(cred.getLogin()).setPerms(PERMS.get(cred)).sandboxPermissions(SANDBOX_PERMS.get(cred)));
    SECURITY_CONTEXTS.put(res.subject().id(), res);
    return res;
}
Also used : InetSocketAddress(java.net.InetSocketAddress) SecurityContext(org.apache.ignite.internal.processors.security.SecurityContext)

Example 17 with SecurityContext

use of org.apache.ignite.internal.processors.security.SecurityContext in project ignite by apache.

the class RestProcessorAuthorizationTest method getPluginProvider.

/**
 * {@inheritDoc}
 */
@Override
protected PluginProvider<?> getPluginProvider(String name) {
    return new TestSecurityPluginProvider(name, null, ALLOW_ALL, globalAuth, clientData()) {

        /**
         * {@inheritDoc}
         */
        @Override
        protected GridSecurityProcessor securityProcessor(GridKernalContext ctx) {
            return new TestSecurityProcessor(ctx, new TestSecurityData(login, pwd, perms, new Permissions()), Arrays.asList(clientData), globalAuth) {

                /**
                 * {@inheritDoc}
                 */
                @Override
                public void authorize(String name, SecurityPermission perm, SecurityContext securityCtx) throws SecurityException {
                    authorizationCtxList.add(F.t(name, perm, securityCtx));
                    super.authorize(name, perm, securityCtx);
                }
            };
        }
    };
}
Also used : TestSecurityData(org.apache.ignite.internal.processors.security.impl.TestSecurityData) TestSecurityProcessor(org.apache.ignite.internal.processors.security.impl.TestSecurityProcessor) TestSecurityPluginProvider(org.apache.ignite.internal.processors.security.impl.TestSecurityPluginProvider) GridKernalContext(org.apache.ignite.internal.GridKernalContext) Permissions(java.security.Permissions) SecurityContext(org.apache.ignite.internal.processors.security.SecurityContext) SecurityPermission(org.apache.ignite.plugin.security.SecurityPermission)

Example 18 with SecurityContext

use of org.apache.ignite.internal.processors.security.SecurityContext in project ignite by apache.

the class RestProcessorAuthorizationTest method testCacheCreateDestroyPermission.

/**
 * @throws Exception if failed.
 */
@Test
public void testCacheCreateDestroyPermission() throws Exception {
    IgniteEx ignite = startGrid(0);
    ignite.cluster().state(ClusterState.ACTIVE);
    assertNull(ignite.cache(TEST_CACHE));
    executeCommand(GridRestCommand.GET_OR_CREATE_CACHE, LOGIN, PWD);
    GridTuple3<String, SecurityPermission, SecurityContext> ctx = authorizationCtxList.get(0);
    assertEquals(TEST_CACHE, ctx.get1());
    assertEquals(SecurityPermission.CACHE_CREATE, ctx.get2());
    assertEquals(LOGIN, ctx.get3().subject().login());
    assertNotNull(ignite.cache(TEST_CACHE));
    authorizationCtxList.clear();
    executeCommand(GridRestCommand.DESTROY_CACHE, LOGIN, PWD);
    ctx = authorizationCtxList.get(0);
    assertEquals(TEST_CACHE, ctx.get1());
    assertEquals(SecurityPermission.CACHE_DESTROY, ctx.get2());
    assertEquals(LOGIN, ctx.get3().subject().login());
    assertNull(ignite.cache(TEST_CACHE));
}
Also used : IgniteEx(org.apache.ignite.internal.IgniteEx) SecurityContext(org.apache.ignite.internal.processors.security.SecurityContext) SecurityPermission(org.apache.ignite.plugin.security.SecurityPermission) CommonSecurityCheckTest(org.apache.ignite.internal.processors.security.client.CommonSecurityCheckTest) Test(org.junit.Test)

Example 19 with SecurityContext

use of org.apache.ignite.internal.processors.security.SecurityContext in project ignite by apache.

the class SqlUserCommandSelfTest method testCreateUpdateDropUser.

/**
 * @throws Exception If failed.
 */
@Test
public void testCreateUpdateDropUser() throws Exception {
    withSecurityContextOnAllNodes(secCtxDflt);
    for (int i = 0; i < NODES_COUNT; ++i) {
        userSql(i, "CREATE USER test WITH PASSWORD 'test'");
        SecurityContext secCtx = authenticate(grid(i), "TEST", "test");
        assertNotNull(secCtx);
        assertEquals("TEST", secCtx.subject().login());
        userSql(i, "ALTER USER test WITH PASSWORD 'newpasswd'");
        secCtx = authenticate(grid(i), "TEST", "newpasswd");
        assertNotNull(secCtx);
        assertEquals("TEST", secCtx.subject().login());
        userSql(i, "DROP USER test");
    }
}
Also used : SecurityContext(org.apache.ignite.internal.processors.security.SecurityContext) GridCommonAbstractTest(org.apache.ignite.testframework.junits.common.GridCommonAbstractTest) Test(org.junit.Test)

Example 20 with SecurityContext

use of org.apache.ignite.internal.processors.security.SecurityContext in project ignite by apache.

the class GridDiscoveryManager method start.

/** {@inheritDoc} */
@Override
public void start(boolean activeOnStart) throws IgniteCheckedException {
    long totSysMemory = -1;
    try {
        totSysMemory = U.<Long>property(os, "totalPhysicalMemorySize");
    } catch (RuntimeException ignored) {
    // No-op.
    }
    ctx.addNodeAttribute(IgniteNodeAttributes.ATTR_PHY_RAM, totSysMemory);
    DiscoverySpi spi = getSpi();
    discoOrdered = discoOrdered();
    histSupported = historySupported();
    isLocDaemon = ctx.isDaemon();
    hasRslvrs = !ctx.config().isClientMode() && !F.isEmpty(ctx.config().getSegmentationResolvers());
    segChkFreq = ctx.config().getSegmentCheckFrequency();
    if (hasRslvrs) {
        if (segChkFreq < 0)
            throw new IgniteCheckedException("Segment check frequency cannot be negative: " + segChkFreq);
        if (segChkFreq > 0 && segChkFreq < 2000)
            U.warn(log, "Configuration parameter 'segmentCheckFrequency' is too low " + "(at least 2000 ms recommended): " + segChkFreq);
        int segResAttemp = ctx.config().getSegmentationResolveAttempts();
        if (segResAttemp < 1)
            throw new IgniteCheckedException("Segment resolve attempts cannot be negative or zero: " + segResAttemp);
        checkSegmentOnStart();
    }
    metricsUpdateTask = ctx.timeout().schedule(new MetricsUpdater(), METRICS_UPDATE_FREQ, METRICS_UPDATE_FREQ);
    spi.setMetricsProvider(createMetricsProvider());
    if (ctx.security().enabled()) {
        if (isSecurityCompatibilityMode())
            ctx.addNodeAttribute(ATTR_SECURITY_COMPATIBILITY_MODE, true);
        spi.setAuthenticator(new DiscoverySpiNodeAuthenticator() {

            @Override
            public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) {
                try {
                    return ctx.security().authenticateNode(node, cred);
                } catch (IgniteCheckedException e) {
                    throw U.convertException(e);
                }
            }

            @Override
            public boolean isGlobalNodeAuthentication() {
                return ctx.security().isGlobalNodeAuthentication();
            }
        });
    }
    spi.setListener(new DiscoverySpiListener() {

        private long gridStartTime;

        /** {@inheritDoc} */
        @Override
        public void onLocalNodeInitialized(ClusterNode locNode) {
            for (IgniteInClosure<ClusterNode> lsnr : localNodeInitLsnrs) lsnr.apply(locNode);
        }

        @Override
        public void onDiscovery(final int type, final long topVer, final ClusterNode node, final Collection<ClusterNode> topSnapshot, final Map<Long, Collection<ClusterNode>> snapshots, @Nullable DiscoverySpiCustomMessage spiCustomMsg) {
            DiscoveryCustomMessage customMsg = spiCustomMsg == null ? null : ((CustomMessageWrapper) spiCustomMsg).delegate();
            if (skipMessage(type, customMsg))
                return;
            final ClusterNode locNode = localNode();
            if (snapshots != null)
                topHist = snapshots;
            boolean verChanged;
            if (type == EVT_NODE_METRICS_UPDATED)
                verChanged = false;
            else {
                if (type != EVT_NODE_SEGMENTED && type != EVT_CLIENT_NODE_DISCONNECTED && type != EVT_CLIENT_NODE_RECONNECTED && type != DiscoveryCustomEvent.EVT_DISCOVERY_CUSTOM_EVT) {
                    minorTopVer = 0;
                    verChanged = true;
                } else
                    verChanged = false;
            }
            if (type == EVT_NODE_FAILED || type == EVT_NODE_LEFT) {
                for (DiscoCache c : discoCacheHist.values()) c.updateAlives(node);
                updateClientNodes(node.id());
            }
            final AffinityTopologyVersion nextTopVer;
            if (type == DiscoveryCustomEvent.EVT_DISCOVERY_CUSTOM_EVT) {
                assert customMsg != null;
                boolean incMinorTopVer = ctx.cache().onCustomEvent(customMsg, new AffinityTopologyVersion(topVer, minorTopVer));
                if (incMinorTopVer) {
                    minorTopVer++;
                    verChanged = true;
                }
                nextTopVer = new AffinityTopologyVersion(topVer, minorTopVer);
                if (verChanged)
                    ctx.cache().onDiscoveryEvent(type, node, nextTopVer);
            } else {
                nextTopVer = new AffinityTopologyVersion(topVer, minorTopVer);
                ctx.cache().onDiscoveryEvent(type, node, nextTopVer);
            }
            if (type == DiscoveryCustomEvent.EVT_DISCOVERY_CUSTOM_EVT) {
                for (Class cls = customMsg.getClass(); cls != null; cls = cls.getSuperclass()) {
                    List<CustomEventListener<DiscoveryCustomMessage>> list = customEvtLsnrs.get(cls);
                    if (list != null) {
                        for (CustomEventListener<DiscoveryCustomMessage> lsnr : list) {
                            try {
                                lsnr.onCustomEvent(nextTopVer, node, customMsg);
                            } catch (Exception e) {
                                U.error(log, "Failed to notify direct custom event listener: " + customMsg, e);
                            }
                        }
                    }
                }
            }
            final DiscoCache discoCache;
            // event notifications, since SPI notifies manager about all events from this listener.
            if (verChanged) {
                discoCache = createDiscoCache(locNode, topSnapshot);
                discoCacheHist.put(nextTopVer, discoCache);
                boolean set = updateTopologyVersionIfGreater(nextTopVer, discoCache);
                assert set || topVer == 0 : "Topology version has not been updated [this.topVer=" + topSnap + ", topVer=" + topVer + ", node=" + node + ", evt=" + U.gridEventName(type) + ']';
            } else
                // Current version.
                discoCache = discoCache();
            // If this is a local join event, just save it and do not notify listeners.
            if (type == EVT_NODE_JOINED && node.id().equals(locNode.id())) {
                if (gridStartTime == 0)
                    gridStartTime = getSpi().getGridStartTime();
                updateTopologyVersionIfGreater(new AffinityTopologyVersion(locNode.order()), discoCache);
                startLatch.countDown();
                DiscoveryEvent discoEvt = new DiscoveryEvent();
                discoEvt.node(ctx.discovery().localNode());
                discoEvt.eventNode(node);
                discoEvt.type(EVT_NODE_JOINED);
                discoEvt.topologySnapshot(topVer, new ArrayList<>(F.view(topSnapshot, FILTER_DAEMON)));
                locJoin.onDone(new T2<>(discoEvt, discoCache));
                return;
            } else if (type == EVT_CLIENT_NODE_DISCONNECTED) {
                assert locNode.isClient() : locNode;
                assert node.isClient() : node;
                ((IgniteKernal) ctx.grid()).onDisconnected();
                locJoin = new GridFutureAdapter<>();
                registeredCaches.clear();
                for (AffinityTopologyVersion histVer : discoCacheHist.keySet()) {
                    Object rmvd = discoCacheHist.remove(histVer);
                    assert rmvd != null : histVer;
                }
                topHist.clear();
                topSnap.set(new Snapshot(AffinityTopologyVersion.ZERO, createDiscoCache(locNode, Collections.<ClusterNode>emptySet())));
            } else if (type == EVT_CLIENT_NODE_RECONNECTED) {
                assert locNode.isClient() : locNode;
                assert node.isClient() : node;
                boolean clusterRestarted = gridStartTime != getSpi().getGridStartTime();
                gridStartTime = getSpi().getGridStartTime();
                ((IgniteKernal) ctx.grid()).onReconnected(clusterRestarted);
                ctx.cluster().clientReconnectFuture().listen(new CI1<IgniteFuture<?>>() {

                    @Override
                    public void apply(IgniteFuture<?> fut) {
                        try {
                            fut.get();
                            discoWrk.addEvent(type, nextTopVer, node, discoCache, topSnapshot, null);
                        } catch (IgniteException ignore) {
                        // No-op.
                        }
                    }
                });
                return;
            }
            if (type == EVT_CLIENT_NODE_DISCONNECTED || type == EVT_NODE_SEGMENTED || !ctx.clientDisconnected())
                discoWrk.addEvent(type, nextTopVer, node, discoCache, topSnapshot, customMsg);
        }
    });
    spi.setDataExchange(new DiscoverySpiDataExchange() {

        @Override
        public DiscoveryDataBag collect(DiscoveryDataBag dataBag) {
            assert dataBag != null;
            assert dataBag.joiningNodeId() != null;
            if (ctx.localNodeId().equals(dataBag.joiningNodeId())) {
                for (GridComponent c : ctx.components()) c.collectJoiningNodeData(dataBag);
            } else {
                for (GridComponent c : ctx.components()) c.collectGridNodeData(dataBag);
            }
            return dataBag;
        }

        @Override
        public void onExchange(DiscoveryDataBag dataBag) {
            if (ctx.localNodeId().equals(dataBag.joiningNodeId())) {
                //NodeAdded msg reached joining node after round-trip over the ring
                for (GridComponent c : ctx.components()) {
                    if (c.discoveryDataType() != null)
                        c.onGridDataReceived(dataBag.gridDiscoveryData(c.discoveryDataType().ordinal()));
                }
            } else {
                //discovery data from newly joined node has to be applied to the current old node
                for (GridComponent c : ctx.components()) {
                    if (c.discoveryDataType() != null) {
                        JoiningNodeDiscoveryData data = dataBag.newJoinerDiscoveryData(c.discoveryDataType().ordinal());
                        if (data != null)
                            c.onJoiningNodeDataReceived(data);
                    }
                }
            }
        }
    });
    startSpi();
    registeredDiscoSpi = true;
    try {
        U.await(startLatch);
    } catch (IgniteInterruptedException e) {
        throw new IgniteCheckedException("Failed to start discovery manager (thread has been interrupted).", e);
    }
    // Start segment check worker only if frequency is greater than 0.
    if (hasRslvrs && segChkFreq > 0) {
        segChkWrk = new SegmentCheckWorker();
        segChkThread = new IgniteThread(segChkWrk);
        segChkThread.start();
    }
    locNode = spi.getLocalNode();
    checkAttributes(discoCache().remoteNodes());
    ctx.service().initCompatibilityMode(discoCache().remoteNodes());
    // Start discovery worker.
    new IgniteThread(discoWrk).start();
    if (log.isDebugEnabled())
        log.debug(startInfo());
}
Also used : GridComponent(org.apache.ignite.internal.GridComponent) CopyOnWriteArrayList(java.util.concurrent.CopyOnWriteArrayList) ArrayList(java.util.ArrayList) DiscoveryEvent(org.apache.ignite.events.DiscoveryEvent) IgniteFuture(org.apache.ignite.lang.IgniteFuture) CI1(org.apache.ignite.internal.util.typedef.CI1) IgniteCheckedException(org.apache.ignite.IgniteCheckedException) JoiningNodeDiscoveryData(org.apache.ignite.spi.discovery.DiscoveryDataBag.JoiningNodeDiscoveryData) DiscoveryDataBag(org.apache.ignite.spi.discovery.DiscoveryDataBag) IgniteException(org.apache.ignite.IgniteException) CopyOnWriteArrayList(java.util.concurrent.CopyOnWriteArrayList) ArrayList(java.util.ArrayList) List(java.util.List) T2(org.apache.ignite.internal.util.typedef.T2) ClusterNode(org.apache.ignite.cluster.ClusterNode) IgniteKernal(org.apache.ignite.internal.IgniteKernal) AffinityTopologyVersion(org.apache.ignite.internal.processors.affinity.AffinityTopologyVersion) DiscoverySpiNodeAuthenticator(org.apache.ignite.spi.discovery.DiscoverySpiNodeAuthenticator) IgniteInterruptedException(org.apache.ignite.IgniteInterruptedException) DiscoverySpiListener(org.apache.ignite.spi.discovery.DiscoverySpiListener) IgniteClientDisconnectedException(org.apache.ignite.IgniteClientDisconnectedException) IgniteCheckedException(org.apache.ignite.IgniteCheckedException) IgniteSpiException(org.apache.ignite.spi.IgniteSpiException) IgniteInterruptedException(org.apache.ignite.IgniteInterruptedException) IgniteClientDisconnectedCheckedException(org.apache.ignite.internal.IgniteClientDisconnectedCheckedException) IgniteException(org.apache.ignite.IgniteException) SecurityCredentials(org.apache.ignite.plugin.security.SecurityCredentials) DiscoverySpiCustomMessage(org.apache.ignite.spi.discovery.DiscoverySpiCustomMessage) ClusterMetricsSnapshot(org.apache.ignite.internal.ClusterMetricsSnapshot) DiscoverySpiDataExchange(org.apache.ignite.spi.discovery.DiscoverySpiDataExchange) DiscoverySpi(org.apache.ignite.spi.discovery.DiscoverySpi) TcpDiscoverySpi(org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi) SecurityContext(org.apache.ignite.internal.processors.security.SecurityContext) AtomicLong(java.util.concurrent.atomic.AtomicLong) IgniteInClosure(org.apache.ignite.lang.IgniteInClosure) Collection(java.util.Collection) IgniteThread(org.apache.ignite.thread.IgniteThread)

Aggregations

SecurityContext (org.apache.ignite.internal.processors.security.SecurityContext)32 OperationSecurityContext (org.apache.ignite.internal.processors.security.OperationSecurityContext)15 Test (org.junit.Test)15 GridCommonAbstractTest (org.apache.ignite.testframework.junits.common.GridCommonAbstractTest)14 IgniteCheckedException (org.apache.ignite.IgniteCheckedException)10 IgniteException (org.apache.ignite.IgniteException)6 SecurityCredentials (org.apache.ignite.plugin.security.SecurityCredentials)4 IgniteClientDisconnectedException (org.apache.ignite.IgniteClientDisconnectedException)3 IgniteInterruptedException (org.apache.ignite.IgniteInterruptedException)3 ClusterNode (org.apache.ignite.cluster.ClusterNode)3 IgniteClientDisconnectedCheckedException (org.apache.ignite.internal.IgniteClientDisconnectedCheckedException)3 IgniteInternalFuture (org.apache.ignite.internal.IgniteInternalFuture)3 IgniteSpiException (org.apache.ignite.spi.IgniteSpiException)3 InetSocketAddress (java.net.InetSocketAddress)2 ArrayList (java.util.ArrayList)2 List (java.util.List)2 CopyOnWriteArrayList (java.util.concurrent.CopyOnWriteArrayList)2 DiscoveryEvent (org.apache.ignite.events.DiscoveryEvent)2 GridComponent (org.apache.ignite.internal.GridComponent)2 IgniteKernal (org.apache.ignite.internal.IgniteKernal)2