Search in sources :

Example 1 with SecurityException

use of org.apache.ignite.plugin.security.SecurityException in project ignite by apache.

the class ValidationOnNodeJoinUtils method validateNode.

/**
 * Checks a joining node to configuration consistency.
 *
 * @param node Node.
 * @param discoData Disco data.
 * @param marsh Marsh.
 * @param ctx Context.
 * @param cacheDescProvider Cache descriptor provider.
 */
@Nullable
static IgniteNodeValidationResult validateNode(ClusterNode node, DiscoveryDataBag.JoiningNodeDiscoveryData discoData, Marshaller marsh, GridKernalContext ctx, Function<String, DynamicCacheDescriptor> cacheDescProvider) {
    if (discoData.hasJoiningNodeData() && discoData.joiningNodeData() instanceof CacheJoinNodeDiscoveryData) {
        CacheJoinNodeDiscoveryData nodeData = (CacheJoinNodeDiscoveryData) discoData.joiningNodeData();
        boolean isGridActive = ctx.state().clusterState().active();
        StringBuilder errorMsg = new StringBuilder();
        if (!node.isClient()) {
            validateRmtRegions(node, ctx).forEach(error -> {
                if (errorMsg.length() > 0)
                    errorMsg.append("\n");
                errorMsg.append(error);
            });
        }
        SecurityContext secCtx = null;
        if (ctx.security().enabled()) {
            try {
                secCtx = nodeSecurityContext(marsh, U.resolveClassLoader(ctx.config()), node);
            } catch (SecurityException se) {
                errorMsg.append(se.getMessage());
            }
        }
        for (CacheJoinNodeDiscoveryData.CacheInfo cacheInfo : nodeData.caches().values()) {
            if (secCtx != null && cacheInfo.cacheType() == CacheType.USER) {
                try (OperationSecurityContext s = ctx.security().withContext(secCtx)) {
                    GridCacheProcessor.authorizeCacheCreate(ctx.security(), cacheInfo.cacheData().config());
                } catch (SecurityException ex) {
                    if (errorMsg.length() > 0)
                        errorMsg.append("\n");
                    errorMsg.append(ex.getMessage());
                }
            }
            DynamicCacheDescriptor locDesc = cacheDescProvider.apply(cacheInfo.cacheData().config().getName());
            if (locDesc == null)
                continue;
            String joinedSchema = cacheInfo.cacheData().config().getSqlSchema();
            Collection<QueryEntity> joinedQryEntities = cacheInfo.cacheData().queryEntities();
            String locSchema = locDesc.cacheConfiguration().getSqlSchema();
            // QuerySchema is empty and schema name is null (when indexing enabled dynamically).
            if (!F.eq(joinedSchema, locSchema) && (locSchema != null || !locDesc.schema().isEmpty()) && (joinedSchema != null || !F.isEmpty(joinedQryEntities))) {
                errorMsg.append(String.format(SQL_SCHEMA_CONFLICTS_MESSAGE, locDesc.cacheName(), joinedSchema, locSchema));
            }
            QuerySchemaPatch schemaPatch = locDesc.makeSchemaPatch(joinedQryEntities);
            if (schemaPatch.hasConflicts() || (isGridActive && !schemaPatch.isEmpty())) {
                if (errorMsg.length() > 0)
                    errorMsg.append("\n");
                if (schemaPatch.hasConflicts()) {
                    errorMsg.append(String.format(MERGE_OF_CONFIG_CONFLICTS_MESSAGE, locDesc.cacheName(), schemaPatch.getConflictsMessage()));
                } else
                    errorMsg.append(String.format(MERGE_OF_CONFIG_REQUIRED_MESSAGE, locDesc.cacheName()));
            }
            // This check must be done on join, otherwise group encryption key will be
            // written to metastore regardless of validation check and could trigger WAL write failures.
            boolean locEnc = locDesc.cacheConfiguration().isEncryptionEnabled();
            boolean rmtEnc = cacheInfo.cacheData().config().isEncryptionEnabled();
            if (locEnc != rmtEnc) {
                if (errorMsg.length() > 0)
                    errorMsg.append("\n");
                // Message will be printed on remote node, so need to swap local and remote.
                errorMsg.append(String.format(ENCRYPT_MISMATCH_MESSAGE, locDesc.cacheName(), rmtEnc, locEnc));
            }
        }
        if (errorMsg.length() > 0) {
            String msg = errorMsg.toString();
            return new IgniteNodeValidationResult(node.id(), msg);
        }
    }
    return null;
}
Also used : IgniteNodeValidationResult(org.apache.ignite.spi.IgniteNodeValidationResult) SecurityException(org.apache.ignite.plugin.security.SecurityException) QueryEntity(org.apache.ignite.cache.QueryEntity) QuerySchemaPatch(org.apache.ignite.internal.processors.query.QuerySchemaPatch) OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext) SecurityUtils.nodeSecurityContext(org.apache.ignite.internal.processors.security.SecurityUtils.nodeSecurityContext) SecurityContext(org.apache.ignite.internal.processors.security.SecurityContext) OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext) Nullable(org.jetbrains.annotations.Nullable)

Example 2 with SecurityException

use of org.apache.ignite.plugin.security.SecurityException in project ignite by apache.

the class ClientCacheSqlFieldsQueryRequest method process.

/**
 * {@inheritDoc}
 */
@Override
public ClientResponse process(ClientConnectionContext ctx) {
    qry.setPartitions(partitions);
    if (updateBatchSize != null)
        qry.setUpdateBatchSize(updateBatchSize);
    ctx.incrementCursors();
    try {
        qry.setQueryInitiatorId(ctx.clientDescriptor());
        // If cacheId is provided, we must check the cache for existence.
        if (cacheId() != 0) {
            DynamicCacheDescriptor desc = cacheDescriptor(ctx);
            if (qry.getSchema() == null) {
                String schema = QueryUtils.normalizeSchemaName(desc.cacheName(), desc.cacheConfiguration().getSqlSchema());
                qry.setSchema(schema);
            }
        }
        List<FieldsQueryCursor<List<?>>> curs = ctx.kernalContext().query().querySqlFields(qry, true, true);
        assert curs.size() == 1;
        FieldsQueryCursor cur = curs.get(0);
        ClientCacheFieldsQueryCursor cliCur = new ClientCacheFieldsQueryCursor(cur, qry.getPageSize(), ctx);
        long cursorId = ctx.resources().put(cliCur);
        cliCur.id(cursorId);
        return new ClientCacheSqlFieldsQueryResponse(requestId(), cliCur, cur, includeFieldNames);
    } catch (Exception e) {
        ctx.decrementCursors();
        SecurityException securityEx = X.cause(e, SecurityException.class);
        if (securityEx != null) {
            throw new IgniteClientException(ClientStatus.SECURITY_VIOLATION, "Client is not authorized to perform this operation", securityEx);
        }
        throw e;
    }
}
Also used : FieldsQueryCursor(org.apache.ignite.cache.query.FieldsQueryCursor) IgniteClientException(org.apache.ignite.internal.processors.platform.client.IgniteClientException) DynamicCacheDescriptor(org.apache.ignite.internal.processors.cache.DynamicCacheDescriptor) SecurityException(org.apache.ignite.plugin.security.SecurityException) IgniteClientException(org.apache.ignite.internal.processors.platform.client.IgniteClientException) SecurityException(org.apache.ignite.plugin.security.SecurityException)

Example 3 with SecurityException

use of org.apache.ignite.plugin.security.SecurityException in project ignite by apache.

the class IgniteServiceProcessor method validateNode.

/**
 * {@inheritDoc}
 */
@Override
@Nullable
public IgniteNodeValidationResult validateNode(ClusterNode node, DiscoveryDataBag.JoiningNodeDiscoveryData data) {
    if (data.joiningNodeData() == null || !ctx.security().enabled())
        return null;
    List<ServiceInfo> svcs = ((ServiceProcessorJoinNodeDiscoveryData) data.joiningNodeData()).services();
    SecurityException err = checkDeployPermissionDuringJoin(node, svcs);
    if (err != null)
        return new IgniteNodeValidationResult(node.id(), err.getMessage());
    return null;
}
Also used : IgniteNodeValidationResult(org.apache.ignite.spi.IgniteNodeValidationResult) SecurityException(org.apache.ignite.plugin.security.SecurityException) Nullable(org.jetbrains.annotations.Nullable)

Example 4 with SecurityException

use of org.apache.ignite.plugin.security.SecurityException in project ignite by apache.

the class AccessControllerSandbox method execute.

/**
 * {@inheritDoc}
 */
@Override
public <T> T execute(Callable<T> c) throws IgniteException {
    Objects.requireNonNull(c);
    if (!hasSecurityManager())
        throw new SecurityException("SecurityManager was, but it disappeared!");
    final SecurityContext secCtx = security.securityContext();
    assert secCtx != null;
    final AccessControlContext acc = AccessController.doPrivileged((PrivilegedAction<AccessControlContext>) () -> new AccessControlContext(AccessController.getContext(), new IgniteDomainCombiner(secCtx.subject().sandboxPermissions())));
    if (log.isDebugEnabled())
        log.debug("Executing the action inside the sandbox [subjId=" + secCtx.subject().id() + ']');
    try {
        return AccessController.doPrivileged((PrivilegedExceptionAction<T>) c::call, acc);
    } catch (PrivilegedActionException e) {
        throw new IgniteException(e.getException());
    }
}
Also used : AccessControlContext(java.security.AccessControlContext) PrivilegedActionException(java.security.PrivilegedActionException) IgniteException(org.apache.ignite.IgniteException) SecurityContext(org.apache.ignite.internal.processors.security.SecurityContext) SecurityException(org.apache.ignite.plugin.security.SecurityException)

Example 5 with SecurityException

use of org.apache.ignite.plugin.security.SecurityException in project ignite by apache.

the class GridRestProcessor method handleRequest.

/**
 * @param req Request.
 * @return Future.
 */
private IgniteInternalFuture<GridRestResponse> handleRequest(final GridRestRequest req) {
    if (req instanceof GridRestNodeStateBeforeStartRequest) {
        if (startLatch.getCount() == 0)
            return new GridFinishedFuture<>(new IgniteCheckedException("Node has already started."));
    } else if (!(req instanceof GridRestAuthenticationRequest) && startLatch.getCount() > 0) {
        try {
            startLatch.await();
        } catch (InterruptedException e) {
            return new GridFinishedFuture<>(new IgniteCheckedException("Failed to handle request " + "(protocol handler was interrupted when awaiting grid start).", e));
        }
    }
    if (log.isDebugEnabled())
        log.debug("Received request from client: " + req);
    if (securityEnabled) {
        Session ses;
        try {
            ses = session(req);
        } catch (IgniteAuthenticationException e) {
            return new GridFinishedFuture<>(new GridRestResponse(STATUS_AUTH_FAILED, e.getMessage()));
        } catch (IgniteCheckedException e) {
            return new GridFinishedFuture<>(new GridRestResponse(STATUS_FAILED, e.getMessage()));
        }
        assert ses != null;
        req.clientId(ses.clientId);
        req.sessionToken(U.uuidToBytes(ses.sesId));
        if (log.isDebugEnabled())
            log.debug("Next clientId and sessionToken were extracted according to request: " + "[clientId=" + req.clientId() + ", sesTok=" + Arrays.toString(req.sessionToken()) + "]");
        SecurityContext secCtx0 = ses.secCtx;
        try {
            if (secCtx0 == null || ses.isTokenExpired(sesTokTtl))
                ses.secCtx = secCtx0 = authenticate(req, ses);
            try (OperationSecurityContext s = ctx.security().withContext(secCtx0)) {
                authorize(req);
                return handleRequest0(req);
            }
        } catch (SecurityException e) {
            assert secCtx0 != null;
            return new GridFinishedFuture<>(new GridRestResponse(STATUS_SECURITY_CHECK_FAILED, e.getMessage()));
        } catch (IgniteCheckedException e) {
            return new GridFinishedFuture<>(new GridRestResponse(STATUS_AUTH_FAILED, e.getMessage()));
        }
    } else
        return handleRequest0(req);
}
Also used : IgniteAuthenticationException(org.apache.ignite.IgniteAuthenticationException) IgniteCheckedException(org.apache.ignite.IgniteCheckedException) OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext) SecurityContext(org.apache.ignite.internal.processors.security.SecurityContext) GridRestAuthenticationRequest(org.apache.ignite.internal.processors.rest.request.GridRestAuthenticationRequest) SecurityException(org.apache.ignite.plugin.security.SecurityException) GridRestNodeStateBeforeStartRequest(org.apache.ignite.internal.processors.rest.request.GridRestNodeStateBeforeStartRequest) OperationSecurityContext(org.apache.ignite.internal.processors.security.OperationSecurityContext) GridFinishedFuture(org.apache.ignite.internal.util.future.GridFinishedFuture)

Aggregations

SecurityException (org.apache.ignite.plugin.security.SecurityException)10 IgniteCheckedException (org.apache.ignite.IgniteCheckedException)4 SecurityContext (org.apache.ignite.internal.processors.security.SecurityContext)3 IgniteException (org.apache.ignite.IgniteException)2 OperationSecurityContext (org.apache.ignite.internal.processors.security.OperationSecurityContext)2 IgniteNodeValidationResult (org.apache.ignite.spi.IgniteNodeValidationResult)2 Nullable (org.jetbrains.annotations.Nullable)2 AccessControlContext (java.security.AccessControlContext)1 PrivilegedActionException (java.security.PrivilegedActionException)1 CacheException (javax.cache.CacheException)1 CacheWriterException (javax.cache.integration.CacheWriterException)1 Ignite (org.apache.ignite.Ignite)1 IgniteAuthenticationException (org.apache.ignite.IgniteAuthenticationException)1 IgniteIllegalStateException (org.apache.ignite.IgniteIllegalStateException)1 CachePartialUpdateException (org.apache.ignite.cache.CachePartialUpdateException)1 CacheServerNotFoundException (org.apache.ignite.cache.CacheServerNotFoundException)1 QueryEntity (org.apache.ignite.cache.QueryEntity)1 FieldsQueryCursor (org.apache.ignite.cache.query.FieldsQueryCursor)1 IgniteConfiguration (org.apache.ignite.configuration.IgniteConfiguration)1 FailureContext (org.apache.ignite.failure.FailureContext)1