use of org.apache.ignite.plugin.security.SecurityCredentials in project ignite by apache.
the class CacheEventSecurityContextTest method testGridClient.
/**
* Tests cache event security context in case operation is initiated from the {@link GridClient}.
*/
@Test
public void testGridClient() throws Exception {
    // Runs only for the non-transactional parameterization (both tx settings unset).
    Assume.assumeTrue(txIsolation == null && txConcurrency == null);

    operationInitiatorLogin = "grid_client";

    // Fixture credentials: the login set above paired with an empty password.
    // NOTE(review): presumably the security plugin used by this suite accepts any password for a
    // known login - confirm. The empty password is a fixture value, not a client configuration to copy.
    SecurityCredentials creds = new SecurityCredentials(operationInitiatorLogin, "");

    GridClientDataConfiguration dataCfg = new GridClientDataConfiguration().setName(cacheName);

    GridClientConfiguration cfg = new GridClientConfiguration()
        .setServers(singletonList("127.0.0.1:11211"))
        .setDataConfigurations(singletonList(dataCfg))
        .setSecurityCredentialsProvider(new SecurityCredentialsBasicProvider(creds));

    try (GridClient cli = GridClientFactory.start(cfg)) {
        GridClientData cache = cli.data(cacheName);

        // Each call drives one client cache operation through checkEvents together with the cache
        // event types expected for it. The boolean argument presumably tells checkEvents whether the
        // key must already hold a value - confirm against checkEvents.

        // Puts.
        checkEvents(key -> cache.put(key, "val"), false, EVT_CACHE_OBJECT_PUT);
        checkEvents(key -> cache.putAsync(key, "val").get(), false, EVT_CACHE_OBJECT_PUT);
        checkEvents(key -> cache.putAll(singletonMap(key, "val")), false, EVT_CACHE_OBJECT_PUT);
        checkEvents(key -> cache.putAllAsync(singletonMap(key, "val")).get(), false, EVT_CACHE_OBJECT_PUT);

        // Removes.
        checkEvents(key -> cache.remove(key), true, EVT_CACHE_OBJECT_REMOVED);
        checkEvents(key -> cache.removeAsync(key).get(), true, EVT_CACHE_OBJECT_REMOVED);
        checkEvents(key -> cache.removeAll(of(key)), true, EVT_CACHE_OBJECT_REMOVED);
        checkEvents(key -> cache.removeAllAsync(of(key)).get(), true, EVT_CACHE_OBJECT_REMOVED);

        // Reads.
        checkEvents(key -> cache.get(key), true, EVT_CACHE_OBJECT_READ);
        checkEvents(key -> cache.getAsync(key).get(), true, EVT_CACHE_OBJECT_READ);
        checkEvents(key -> cache.getAll(of(key)), true, EVT_CACHE_OBJECT_READ);
        checkEvents(key -> cache.getAllAsync(of(key)).get(), true, EVT_CACHE_OBJECT_READ);

        // Replace.
        checkEvents(key -> cache.replace(key, "val"), true, EVT_CACHE_OBJECT_PUT);
        checkEvents(key -> cache.replaceAsync(key, "val").get(), true, EVT_CACHE_OBJECT_PUT);

        // Append and prepend are expected to raise a read event followed by a put event.
        checkEvents(key -> cache.append(key, "val"), true, EVT_CACHE_OBJECT_READ, EVT_CACHE_OBJECT_PUT);
        checkEvents(key -> cache.appendAsync(key, "val").get(), true, EVT_CACHE_OBJECT_READ, EVT_CACHE_OBJECT_PUT);
        checkEvents(key -> cache.prepend(key, "val"), true, EVT_CACHE_OBJECT_READ, EVT_CACHE_OBJECT_PUT);
        checkEvents(key -> cache.prependAsync(key, "val").get(), true, EVT_CACHE_OBJECT_READ, EVT_CACHE_OBJECT_PUT);

        // Compare-and-set.
        checkEvents(key -> cache.cas(key, "new_val", "val"), true, EVT_CACHE_OBJECT_PUT);
        checkEvents(key -> cache.casAsync(key, "new_val", "val").get(), true, EVT_CACHE_OBJECT_PUT);
    }
}
use of org.apache.ignite.plugin.security.SecurityCredentials in project ignite by apache.
the class GridDiscoveryManager method start.
/**
* {@inheritDoc}
*/
// Starts the discovery manager: publishes the off-heap node attributes, validates the segmentation
// settings, wires the metrics provider, node authenticator, listener and data exchange into the
// discovery SPI, starts the SPI and the worker threads, and blocks on startLatch until the local
// join notification has been handled.
@Override
public void start() throws IgniteCheckedException {
ctx.addNodeAttribute(ATTR_OFFHEAP_SIZE, requiredOffheap());
ctx.addNodeAttribute(ATTR_DATA_REGIONS_OFFHEAP_SIZE, configuredOffheap());
DiscoverySpi spi = getSpi();
discoOrdered = discoOrdered();
histSupported = historySupported();
isLocDaemon = ctx.isDaemon();
// Segmentation resolvers are honoured only on non-client nodes.
hasRslvrs = !ctx.config().isClientMode() && !F.isEmpty(ctx.config().getSegmentationResolvers());
segChkFreq = ctx.config().getSegmentCheckFrequency();
if (hasRslvrs) {
if (segChkFreq < 0)
throw new IgniteCheckedException("Segment check frequency cannot be negative: " + segChkFreq);
// A frequency of 0 is accepted silently; values in (0, 2000) only produce a warning.
if (segChkFreq > 0 && segChkFreq < 2000)
U.warn(log, "Configuration parameter 'segmentCheckFrequency' is too low " + "(at least 2000 ms recommended): " + segChkFreq);
int segResAttemp = ctx.config().getSegmentationResolveAttempts();
if (segResAttemp < 1)
throw new IgniteCheckedException("Segment resolve attempts cannot be negative or zero: " + segResAttemp);
checkSegmentOnStart();
}
spi.setMetricsProvider(createMetricsProvider());
// Node authentication is wired into the SPI only when security is enabled; on the other path this
// method installs no authenticator at all.
if (ctx.security().enabled()) {
if (isSecurityCompatibilityMode())
ctx.addNodeAttribute(ATTR_SECURITY_COMPATIBILITY_MODE, true);
spi.setAuthenticator(new DiscoverySpiNodeAuthenticator() {
// Delegates the decision to the security processor; a checked failure is rethrown through
// U.convertException rather than being turned into a result value.
@Override
public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) {
try {
return ctx.security().authenticateNode(node, cred);
} catch (IgniteCheckedException e) {
throw U.convertException(e);
}
}
@Override
public boolean isGlobalNodeAuthentication() {
return ctx.security().isGlobalNodeAuthentication();
}
});
}
if (ctx.config().getCommunicationFailureResolver() != null)
ctx.resource().injectGeneric(ctx.config().getCommunicationFailureResolver());
// Shared reference between DiscoverySpiListener and DiscoverySpiDataExchange.
AtomicReference<IgniteFuture<?>> lastStateChangeEvtLsnrFutRef = new AtomicReference<>();
spi.setListener(new DiscoverySpiListener() {
// Grid start time last read from the SPI; compared on client reconnect to detect a cluster restart.
private long gridStartTime;
// JDK marshaller handed to nodeSecurityContext(...) in SecurityAwareNotificationTask.
// NOTE(review): presumably used to deserialize the security context carried by the initiator
// node - confirm that only nodes accepted by authenticateNode can reach that path.
private final Marshaller marshaller = MarshallerUtils.jdkMarshaller(ctx.igniteInstanceName());
/**
* {@inheritDoc}
*/
@Override
public void onLocalNodeInitialized(ClusterNode locNode) {
for (IgniteInClosure<ClusterNode> lsnr : locNodeInitLsnrs) lsnr.apply(locNode);
if (locNode instanceof IgniteClusterNode) {
final IgniteClusterNode node = (IgniteClusterNode) locNode;
if (consistentId != null)
node.setConsistentId(consistentId);
}
}
/**
* {@inheritDoc}
*/
@Override
public IgniteFuture<?> onDiscovery(DiscoveryNotification notification) {
GridFutureAdapter<?> notificationFut = new GridFutureAdapter<>();
// With security enabled the notification is handled by the security-aware task, which runs it
// under the initiator's security context.
discoNtfWrk.submit(notificationFut, ctx.security().enabled() ? new SecurityAwareNotificationTask(notification) : new NotificationTask(notification));
IgniteFuture<?> fut = new IgniteFutureImpl<>(notificationFut);
// TODO could be optimized with more specific conditions.
// Remember the future so that DiscoverySpiDataExchange#collect can wait for it: always for custom
// events, and for join/left/failed events only when persistence is not enabled.
switch(notification.type()) {
case EVT_NODE_JOINED:
case EVT_NODE_LEFT:
case EVT_NODE_FAILED:
if (!CU.isPersistenceEnabled(ctx.config()))
lastStateChangeEvtLsnrFutRef.set(fut);
break;
case EVT_DISCOVERY_CUSTOM_EVT:
lastStateChangeEvtLsnrFutRef.set(fut);
}
return fut;
}
/**
* Handles one discovery notification: updates the topology version and discovery cache history,
* notifies direct custom event listeners and queues the resulting events on the discovery worker.
*
* @param notification Notification.
*/
private void onDiscovery0(DiscoveryNotification notification) {
int type = notification.type();
ClusterNode node = notification.getNode();
long topVer = notification.getTopVer();
DiscoveryCustomMessage customMsg = notification.getCustomMsgData() == null ? null : ((CustomMessageWrapper) notification.getCustomMsgData()).delegate();
if (skipMessage(notification.type(), customMsg))
return;
final ClusterNode locNode = localNode();
if (notification.getTopHist() != null)
topHist = notification.getTopHist();
boolean verChanged;
if (type == EVT_NODE_METRICS_UPDATED)
verChanged = false;
else {
// Segmentation, client disconnect/reconnect and custom events do not reset the minor version.
if (type != EVT_NODE_SEGMENTED && type != EVT_CLIENT_NODE_DISCONNECTED && type != EVT_CLIENT_NODE_RECONNECTED && type != EVT_DISCOVERY_CUSTOM_EVT) {
minorTopVer = 0;
verChanged = true;
} else
verChanged = false;
}
if (type == EVT_NODE_FAILED || type == EVT_NODE_LEFT) {
for (DiscoCache c : discoCacheHist.values()) c.updateAlives(node);
updateClientNodes(node.id());
}
boolean locJoinEvt = type == EVT_NODE_JOINED && node.id().equals(locNode.id());
ChangeGlobalStateFinishMessage stateFinishMsg = null;
if (type == EVT_NODE_FAILED || type == EVT_NODE_LEFT)
stateFinishMsg = ctx.state().onNodeLeft(node);
final AffinityTopologyVersion nextTopVer;
if (type == EVT_DISCOVERY_CUSTOM_EVT) {
assert customMsg != null;
boolean incMinorTopVer;
if (customMsg instanceof ChangeGlobalStateMessage) {
incMinorTopVer = ctx.state().onStateChangeMessage(new AffinityTopologyVersion(topVer, minorTopVer), (ChangeGlobalStateMessage) customMsg, discoCache());
} else if (customMsg instanceof ChangeGlobalStateFinishMessage) {
ctx.state().onStateFinishMessage((ChangeGlobalStateFinishMessage) customMsg);
Snapshot snapshot = topSnap.get();
// Topology version does not change, but need create DiscoCache with new state.
DiscoCache discoCache = snapshot.discoCache.copy(snapshot.topVer, ctx.state().clusterState());
topSnap.set(new Snapshot(snapshot.topVer, discoCache));
incMinorTopVer = false;
} else {
incMinorTopVer = ctx.cache().onCustomEvent(customMsg, new AffinityTopologyVersion(topVer, minorTopVer), node);
}
if (incMinorTopVer) {
minorTopVer++;
verChanged = true;
}
nextTopVer = new AffinityTopologyVersion(topVer, minorTopVer);
// The cache processor hears about a custom event only if it bumped the minor version.
if (incMinorTopVer)
ctx.cache().onDiscoveryEvent(type, customMsg, node, nextTopVer, ctx.state().clusterState());
} else {
nextTopVer = new AffinityTopologyVersion(topVer, minorTopVer);
ctx.cache().onDiscoveryEvent(type, customMsg, node, nextTopVer, ctx.state().clusterState());
}
DiscoCache discoCache;
// NOTE(review): the original comment is truncated in this listing; presumably it explains that
// history maintenance cannot race with concurrent discovery event notifications, since the SPI
// notifies the manager about all events from this listener.
if (verChanged) {
Snapshot snapshot = topSnap.get();
if (customMsg == null) {
discoCache = createDiscoCache(nextTopVer, ctx.state().clusterState(), locNode, notification.getTopSnapshot());
} else if (customMsg instanceof ChangeGlobalStateMessage) {
discoCache = createDiscoCache(nextTopVer, ctx.state().pendingState((ChangeGlobalStateMessage) customMsg), locNode, notification.getTopSnapshot());
} else
discoCache = customMsg.createDiscoCache(GridDiscoveryManager.this, nextTopVer, snapshot.discoCache);
discoCacheHist.put(nextTopVer, discoCache);
// Ordering is checked with an assert only, so it is not enforced when assertions are disabled.
assert snapshot.topVer.compareTo(nextTopVer) < 0 : "Topology version out of order [this.topVer=" + topSnap + ", topVer=" + topVer + ", node=" + node + ", nextTopVer=" + nextTopVer + ", evt=" + U.gridEventName(type) + ']';
topSnap.set(new Snapshot(nextTopVer, discoCache));
} else
// Current version.
discoCache = discoCache();
// Auto-adjust of the in-memory cluster state is considered for the local join and for events of
// nodes that are neither clients nor daemons.
if (locJoinEvt || !node.isClient() && !node.isDaemon()) {
if (type == EVT_NODE_LEFT || type == EVT_NODE_FAILED || type == EVT_NODE_JOINED) {
boolean discoCacheRecalculationRequired = ctx.state().autoAdjustInMemoryClusterState(node.id(), notification.getTopSnapshot(), discoCache, topVer, minorTopVer);
if (discoCacheRecalculationRequired) {
discoCache = createDiscoCache(nextTopVer, ctx.state().clusterState(), locNode, notification.getTopSnapshot());
discoCacheHist.put(nextTopVer, discoCache);
topSnap.set(new Snapshot(nextTopVer, discoCache));
}
}
}
if (type == EVT_DISCOVERY_CUSTOM_EVT) {
// Walk the message's class hierarchy so listeners registered for a superclass are notified too.
for (Class cls = customMsg.getClass(); cls != null; cls = cls.getSuperclass()) {
List<CustomEventListener<DiscoveryCustomMessage>> list = customEvtLsnrs.get(cls);
if (list != null) {
for (CustomEventListener<DiscoveryCustomMessage> lsnr : list) {
try {
lsnr.onCustomEvent(nextTopVer, node, customMsg);
} catch (Exception e) {
// A failing listener is logged and does not stop the remaining listeners.
U.error(log, "Failed to notify direct custom event listener: " + customMsg, e);
}
}
}
}
}
// Security context attached to every NotificationEvent queued below.
SecurityContext secCtx = remoteSecurityContext(ctx);
// If this is a local join event, just save it and do not notify listeners.
if (locJoinEvt) {
if (gridStartTime == 0)
gridStartTime = getSpi().getGridStartTime();
topSnap.set(new Snapshot(nextTopVer, discoCache));
// Releases start(), which waits on this latch after starting the SPI.
startLatch.countDown();
DiscoveryEvent discoEvt = new DiscoveryEvent();
discoEvt.node(ctx.discovery().localNode());
discoEvt.eventNode(node);
discoEvt.type(EVT_NODE_JOINED);
discoEvt.topologySnapshot(topVer, new ArrayList<>(F.view(notification.getTopSnapshot(), FILTER_NOT_DAEMON)));
if (notification.getSpanContainer() != null)
discoEvt.span(notification.getSpanContainer().span());
discoWrk.discoCache = discoCache;
if (!ctx.clientDisconnected()) {
// The security processor must be notified first, since {@link IgniteSecurity#onLocalJoin}
// finishes local node security context initialization that can be demanded by other Ignite
// components.
ctx.security().onLocalJoin();
if (!isLocDaemon) {
ctx.cache().context().versions().onLocalJoin(topVer);
ctx.cache().context().coordinators().onLocalJoin(discoEvt, discoCache);
ctx.cache().context().exchange().onLocalJoin(discoEvt, discoCache);
ctx.service().onLocalJoin(discoEvt, discoCache);
ctx.encryption().onLocalJoin();
ctx.cluster().onLocalJoin();
}
}
IgniteInternalFuture<Boolean> transitionWaitFut = ctx.state().onLocalJoin(discoCache);
locJoin.onDone(new DiscoveryLocalJoinData(discoEvt, discoCache, transitionWaitFut, ctx.state().clusterState().active()));
return;
} else if (type == EVT_CLIENT_NODE_DISCONNECTED) {
assert locNode.isClient() : locNode;
assert node.isClient() : node;
((IgniteKernal) ctx.grid()).onDisconnected();
if (!locJoin.isDone())
locJoin.onDone(new IgniteCheckedException("Node disconnected"));
locJoin = new GridFutureAdapter<>();
registeredCaches.clear();
registeredCacheGrps.clear();
// NOTE(review): entries are removed while iterating keySet(); this is safe only if
// discoCacheHist is a concurrent map - confirm against its declaration.
for (AffinityTopologyVersion histVer : discoCacheHist.keySet()) {
Object rmvd = discoCacheHist.remove(histVer);
assert rmvd != null : histVer;
}
topHist.clear();
// Reset to a zero-version snapshot that contains only the local node.
topSnap.set(new Snapshot(AffinityTopologyVersion.ZERO, createDiscoCache(AffinityTopologyVersion.ZERO, ctx.state().clusterState(), locNode, Collections.singleton(locNode))));
} else if (type == EVT_CLIENT_NODE_RECONNECTED) {
assert locNode.isClient() : locNode;
assert node.isClient() : node;
// As on the first local join, the security processor is notified before the other components.
ctx.security().onLocalJoin();
boolean clusterRestarted = gridStartTime != getSpi().getGridStartTime();
gridStartTime = getSpi().getGridStartTime();
((IgniteKernal) ctx.grid()).onReconnected(clusterRestarted);
ctx.cache().context().coordinators().onLocalJoin(localJoinEvent(), discoCache);
ctx.cache().context().exchange().onLocalJoin(localJoinEvent(), discoCache);
ctx.service().onLocalJoin(localJoinEvent(), discoCache);
DiscoCache discoCache0 = discoCache;
// The RECONNECTED event is queued only after the client reconnect future completes successfully.
ctx.cluster().clientReconnectFuture().listen(new CI1<IgniteFuture<?>>() {
@Override
public void apply(IgniteFuture<?> fut) {
try {
fut.get();
discoWrk.addEvent(new NotificationEvent(EVT_CLIENT_NODE_RECONNECTED, nextTopVer, node, discoCache0, notification.getTopSnapshot(), null, notification.getSpanContainer(), secCtx));
} catch (IgniteException ignore) {
// No-op: if the reconnect future failed, no RECONNECTED event is queued.
}
}
});
return;
}
// While the client is disconnected only DISCONNECTED and SEGMENTED events are forwarded.
if (type == EVT_CLIENT_NODE_DISCONNECTED || type == EVT_NODE_SEGMENTED || !ctx.clientDisconnected())
discoWrk.addEvent(new NotificationEvent(type, nextTopVer, node, discoCache, notification.getTopSnapshot(), customMsg, notification.getSpanContainer(), secCtx));
if (stateFinishMsg != null)
discoWrk.addEvent(new NotificationEvent(EVT_DISCOVERY_CUSTOM_EVT, nextTopVer, node, discoCache, notification.getTopSnapshot(), stateFinishMsg, notification.getSpanContainer(), secCtx));
if (type == EVT_CLIENT_NODE_DISCONNECTED)
discoWrk.awaitDisconnectEvent();
}
/**
* Extends {@link NotificationTask} to run in a security context owned by the initiator of the
* discovery event.
*/
class SecurityAwareNotificationTask extends NotificationTask {
/**
* @param notification Discovery notification to handle.
*/
public SecurityAwareNotificationTask(DiscoveryNotification notification) {
super(notification);
}
/**
* Runs the parent task inside a security context: the subject id carried by a
* {@link SecurityAwareCustomMessageWrapper} when the custom message is one, otherwise the
* security context resolved for the node the notification refers to. The context is closed
* when the try block exits.
*/
@Override
public void run() {
DiscoverySpiCustomMessage customMsg = notification.getCustomMsgData();
if (customMsg instanceof SecurityAwareCustomMessageWrapper) {
UUID secSubjId = ((SecurityAwareCustomMessageWrapper) customMsg).securitySubjectId();
try (OperationSecurityContext ignored = ctx.security().withContext(secSubjId)) {
super.run();
}
} else {
// No wrapper (this branch is also taken when there is no custom message): use the context of
// the notification's node.
SecurityContext initiatorNodeSecCtx = nodeSecurityContext(marshaller, U.resolveClassLoader(ctx.config()), notification.getNode());
try (OperationSecurityContext ignored = ctx.security().withContext(initiatorNodeSecCtx)) {
super.run();
}
}
}
}
/**
* Represents task to handle discovery notification asynchronously.
*/
class NotificationTask implements Runnable {
/**
* Notification handled by this task.
*/
protected final DiscoveryNotification notification;
/**
* @param notification Discovery notification to handle.
*/
public NotificationTask(DiscoveryNotification notification) {
this.notification = notification;
}
/**
* {@inheritDoc}
*/
@Override
public void run() {
// Notification handling is serialized on discoEvtMux.
synchronized (discoEvtMux) {
onDiscovery0(notification);
}
}
}
});
spi.setDataExchange(new DiscoverySpiDataExchange() {
// Fills the data bag: joining-node data when the local node is the joiner, otherwise grid-node
// data, collected only after the last recorded state change notification has been handled.
@Override
public DiscoveryDataBag collect(DiscoveryDataBag dataBag) {
assert dataBag != null;
assert dataBag.joiningNodeId() != null;
if (ctx.localNodeId().equals(dataBag.joiningNodeId())) {
for (GridComponent c : ctx.components()) c.collectJoiningNodeData(dataBag);
} else {
waitForLastStateChangeEventFuture();
for (GridComponent c : ctx.components()) c.collectGridNodeData(dataBag);
}
return dataBag;
}
// Applies exchanged discovery data. In both branches the cluster state processor receives its
// data first and is skipped in the loop over the remaining components.
@Override
public void onExchange(DiscoveryDataBag dataBag) {
assert dataBag != null;
assert dataBag.joiningNodeId() != null;
if (ctx.localNodeId().equals(dataBag.joiningNodeId())) {
// NodeAdded msg reached joining node after round-trip over the ring.
IGridClusterStateProcessor stateProc = ctx.state();
stateProc.onGridDataReceived(dataBag.gridDiscoveryData(stateProc.discoveryDataType().ordinal()));
for (GridComponent c : ctx.components()) {
if (c.discoveryDataType() != null && c != stateProc)
c.onGridDataReceived(dataBag.gridDiscoveryData(c.discoveryDataType().ordinal()));
}
} else {
// Discovery data from newly joined node has to be applied to the current old node.
IGridClusterStateProcessor stateProc = ctx.state();
JoiningNodeDiscoveryData data0 = dataBag.newJoinerDiscoveryData(stateProc.discoveryDataType().ordinal());
// NOTE(review): the joiner's state data is guarded by an assert only, while the other
// components below get an explicit null check; with assertions disabled a null data0 is passed
// on - confirm that onJoiningNodeDataReceived tolerates it.
assert data0 != null;
stateProc.onJoiningNodeDataReceived(data0);
for (GridComponent c : ctx.components()) {
if (c.discoveryDataType() != null && c != stateProc) {
JoiningNodeDiscoveryData data = dataBag.newJoinerDiscoveryData(c.discoveryDataType().ordinal());
if (data != null)
c.onJoiningNodeDataReceived(data);
}
}
}
}
/**
* Blocks until the future recorded by {@code onDiscovery} (if any) completes, then clears the
* shared reference. When called on an {@link IgniteDiscoveryThread}, the wait is bracketed by the
* worker's blocking-section markers.
*/
private void waitForLastStateChangeEventFuture() {
IgniteFuture<?> lastStateChangeEvtLsnrFut = lastStateChangeEvtLsnrFutRef.get();
if (lastStateChangeEvtLsnrFut != null) {
Thread currThread = Thread.currentThread();
GridWorker worker = currThread instanceof IgniteDiscoveryThread ? ((IgniteDiscoveryThread) currThread).worker() : null;
if (worker != null)
worker.blockingSectionBegin();
try {
lastStateChangeEvtLsnrFut.get();
} finally {
// Guaranteed to be invoked in the same thread as DiscoverySpiListener#onDiscovery.
// No additional synchronization for reference is required.
lastStateChangeEvtLsnrFutRef.set(null);
if (worker != null)
worker.blockingSectionEnd();
}
}
}
});
new DiscoveryMessageNotifierThread(discoNtfWrk).start();
startSpi();
registeredDiscoSpi = true;
// Wait for the local join: the latch is counted down in onDiscovery0 when the local node's join
// event is handled.
try {
U.await(startLatch);
} catch (IgniteInterruptedException e) {
throw new IgniteCheckedException("Failed to start discovery manager (thread has been interrupted).", e);
}
// Start segment check worker only if frequency is greater than 0.
if (hasRslvrs && segChkFreq > 0) {
segChkWrk = new SegmentCheckWorker();
segChkThread = new IgniteThread(segChkWrk);
segChkThread.setUncaughtExceptionHandler(new OomExceptionHandler(ctx));
segChkThread.start();
}
locNode = spi.getLocalNode();
// Runs the attribute check against the remote nodes currently in the discovery cache.
checkAttributes(discoCache().remoteNodes());
// Start discovery worker.
new IgniteThread(discoWrk).start();
if (log.isDebugEnabled())
log.debug(startInfo());
}
use of org.apache.ignite.plugin.security.SecurityCredentials in project ignite by apache.
the class ClientListenerAbstractConnectionContext method authenticate.
/**
* Perform authentication.
*
* @throws IgniteCheckedException If failed.
*/
protected void authenticate(GridNioSession ses, String user, String pwd) throws IgniteCheckedException {
    // With security disabled nothing is checked and secCtx is left as it was.
    if (!ctx.security().enabled())
        return;

    AuthenticationContext authnCtx = new AuthenticationContext();

    authnCtx.subjectType(REMOTE_CLIENT);
    // Every authentication attempt gets a fresh random subject id.
    authnCtx.subjectId(UUID.randomUUID());

    if (F.isEmpty(userAttrs))
        authnCtx.nodeAttributes(Collections.emptyMap());
    else
        authnCtx.nodeAttributes(userAttrs);

    authnCtx.credentials(new SecurityCredentials(user, pwd));

    // Peer address and certificates are taken from the session, not from client-supplied fields.
    authnCtx.address(ses.remoteAddress());
    authnCtx.certificates(ses.certificates());

    secCtx = ctx.security().authenticate(authnCtx);

    if (secCtx != null)
        return;

    // A null security context is treated as rejected credentials. The message names the user but
    // never the password.
    // NOTE(review): user is client-supplied and is placed into the message as-is; confirm that
    // whatever logs or displays this exception neutralises control characters.
    throw new IgniteAccessControlException(String.format("The user name or password is incorrect [userName=%s]", user));
}
use of org.apache.ignite.plugin.security.SecurityCredentials in project ignite by apache.
the class AuthenticationProcessorSelfTest method authenticate.
/**
* Authenticates user on the specified node.
*/
public static SecurityContext authenticate(IgniteEx ignite, String login, String pwd) throws IgniteCheckedException {
    SecurityCredentials creds = new SecurityCredentials(login, pwd);

    // Only credentials and subject type are set; no subject id, address or certificates are
    // supplied by this test helper.
    AuthenticationContext authnCtx = new AuthenticationContext();

    authnCtx.credentials(creds);
    authnCtx.subjectType(REMOTE_CLIENT);

    // The result of the node's security processor is returned unchanged.
    SecurityContext res = ignite.context().security().authenticate(authnCtx);

    return res;
}
use of org.apache.ignite.plugin.security.SecurityCredentials in project ignite by apache.
the class ComputeTaskRemoteSecurityContextTest method testGridClient.
/**
* Tests task execution security context in case task was initiated from the {@link GridClient}.
*/
@Test
public void testGridClient() throws Exception {
    // Skipped for the parameterization that makes tasks fail with a timeout.
    Assume.assumeFalse(failWithTimeout);

    String login = "grid_client";

    // Fixture credentials: the login above paired with an empty password.
    // NOTE(review): presumably the security plugin used by this suite accepts any password for a
    // known login - confirm. The empty password is a fixture value, not a client configuration to copy.
    SecurityCredentials creds = new SecurityCredentials(login, "");

    GridClientConfiguration cfg = new GridClientConfiguration()
        .setServers(singletonList("127.0.0.1:11211"))
        .setSecurityCredentialsProvider(new SecurityCredentialsBasicProvider(creds));

    try (GridClient cli = GridClientFactory.start(cfg)) {
        // The task request is sent to the first node whose instance name attribute equals "crd".
        GridClientNode taskReqRecipient = null;

        for (GridClientNode candidate : cli.compute().nodes()) {
            if ("crd".equals(candidate.attribute(ATTR_IGNITE_INSTANCE_NAME))) {
                taskReqRecipient = candidate;

                break;
            }
        }

        if (taskReqRecipient == null)
            throw new NoSuchElementException();

        GridClientCompute comp = cli.compute().projection(taskReqRecipient);

        String taskName;

        if (mapAsync)
            taskName = MapAsyncTestTask.class.getName();
        else
            taskName = TestTask.class.getName();

        // The login is passed as the task argument in both execution modes.
        if (!async)
            comp.execute(taskName, login);
        else
            comp.executeAsync(taskName, login).get();

        // Task events on "crd" are checked against the client login.
        checkTaskEvents("crd", login, REDUCER_SUCCEEDED_TASK_EVENTS, MAP_NODE_SUCCEEDED_TASK_EVENTS);
    }
}