use of org.apache.ignite.plugin.security.SecurityException in project ignite by apache.
the class ValidationOnNodeJoinUtils method validateNode.
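/**
 * Checks a joining node for configuration consistency against the cache descriptors known here.
 * <p>
 * Every problem found is collected, one per line, instead of stopping at the first one. When security is
 * enabled, the cache-create permission of the joining node is checked for each {@code USER} cache it
 * brings. If the node's security context cannot be resolved, the per-cache authorization is skipped, so
 * that failure is always recorded as an error of its own; the non-null result is what reports it.
 *
 * @param node Joining node.
 * @param discoData Discovery data sent by the joining node.
 * @param marsh Marshaller handed to {@code nodeSecurityContext} to obtain the node's security context.
 * @param ctx Kernal context.
 * @param cacheDescProvider Cache descriptor provider; a {@code null} descriptor means the cache is
 *      skipped by the schema and encryption checks.
 * @return Validation result carrying all collected error messages, or {@code null} if nothing was found
 *      or the joining node carries no {@link CacheJoinNodeDiscoveryData}.
 */
@Nullable
static IgniteNodeValidationResult validateNode(ClusterNode node, DiscoveryDataBag.JoiningNodeDiscoveryData discoData, Marshaller marsh, GridKernalContext ctx, Function<String, DynamicCacheDescriptor> cacheDescProvider) {
    if (discoData.hasJoiningNodeData() && discoData.joiningNodeData() instanceof CacheJoinNodeDiscoveryData) {
        CacheJoinNodeDiscoveryData nodeData = (CacheJoinNodeDiscoveryData) discoData.joiningNodeData();

        boolean isGridActive = ctx.state().clusterState().active();

        StringBuilder errorMsg = new StringBuilder();

        // Data region validation applies to non-client nodes only.
        if (!node.isClient()) {
            validateRmtRegions(node, ctx).forEach(error -> {
                if (errorMsg.length() > 0)
                    errorMsg.append("\n");

                errorMsg.append(error);
            });
        }

        SecurityContext secCtx = null;

        if (ctx.security().enabled()) {
            try {
                secCtx = nodeSecurityContext(marsh, U.resolveClassLoader(ctx.config()), node);
            }
            catch (SecurityException se) {
                // secCtx stays null, which switches off the per-cache authorization below, so this
                // failure must always leave an error entry, even when the exception has no message.
                appendValidationError(errorMsg, se.getMessage());
            }
        }

        for (CacheJoinNodeDiscoveryData.CacheInfo cacheInfo : nodeData.caches().values()) {
            if (secCtx != null && cacheInfo.cacheType() == CacheType.USER) {
                // Authorize under the joining node's security context, restored when the block exits.
                try (OperationSecurityContext s = ctx.security().withContext(secCtx)) {
                    GridCacheProcessor.authorizeCacheCreate(ctx.security(), cacheInfo.cacheData().config());
                }
                catch (SecurityException ex) {
                    appendValidationError(errorMsg, ex.getMessage());
                }
            }

            DynamicCacheDescriptor locDesc = cacheDescProvider.apply(cacheInfo.cacheData().config().getName());

            // No descriptor for this cache name: nothing to compare against.
            if (locDesc == null)
                continue;

            String joinedSchema = cacheInfo.cacheData().config().getSqlSchema();
            Collection<QueryEntity> joinedQryEntities = cacheInfo.cacheData().queryEntities();
            String locSchema = locDesc.cacheConfiguration().getSqlSchema();

            // QuerySchema is empty and schema name is null (when indexing enabled dynamically).
            if (!F.eq(joinedSchema, locSchema) && (locSchema != null || !locDesc.schema().isEmpty()) && (joinedSchema != null || !F.isEmpty(joinedQryEntities)))
                appendValidationError(errorMsg, String.format(SQL_SCHEMA_CONFLICTS_MESSAGE, locDesc.cacheName(), joinedSchema, locSchema));

            QuerySchemaPatch schemaPatch = locDesc.makeSchemaPatch(joinedQryEntities);

            // A conflicting patch is always an error; a non-empty patch is an error only on an active grid.
            if (schemaPatch.hasConflicts() || (isGridActive && !schemaPatch.isEmpty())) {
                if (schemaPatch.hasConflicts())
                    appendValidationError(errorMsg, String.format(MERGE_OF_CONFIG_CONFLICTS_MESSAGE, locDesc.cacheName(), schemaPatch.getConflictsMessage()));
                else
                    appendValidationError(errorMsg, String.format(MERGE_OF_CONFIG_REQUIRED_MESSAGE, locDesc.cacheName()));
            }

            // This check must be done on join, otherwise group encryption key will be
            // written to metastore regardless of validation check and could trigger WAL write failures.
            boolean locEnc = locDesc.cacheConfiguration().isEncryptionEnabled();
            boolean rmtEnc = cacheInfo.cacheData().config().isEncryptionEnabled();

            if (locEnc != rmtEnc) {
                // Message will be printed on remote node, so need to swap local and remote.
                appendValidationError(errorMsg, String.format(ENCRYPT_MISMATCH_MESSAGE, locDesc.cacheName(), rmtEnc, locEnc));
            }
        }

        if (errorMsg.length() > 0)
            return new IgniteNodeValidationResult(node.id(), errorMsg.toString());
    }

    return null;
}

/**
 * Appends one validation error to the buffer, separating entries with a newline. A missing or empty
 * message still produces a non-empty entry, so the caller's "any error recorded" check cannot be
 * bypassed by an exception that carries no text.
 *
 * @param errorMsg Buffer collecting validation errors.
 * @param msg Error text, possibly {@code null} or empty.
 */
private static void appendValidationError(StringBuilder errorMsg, String msg) {
    if (errorMsg.length() > 0)
        errorMsg.append("\n");

    errorMsg.append(msg == null || msg.isEmpty() ? "Validation failed (no error message was provided)." : msg);
}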
use of org.apache.ignite.plugin.security.SecurityException in project ignite by apache.
the class ClientCacheSqlFieldsQueryRequest method process.
/**
 * {@inheritDoc}
 * <p>
 * Runs the SQL fields query for a thin client and registers the resulting cursor as a connection
 * resource. A {@code SecurityException} found anywhere in the failure's cause chain is reported as
 * {@code ClientStatus.SECURITY_VIOLATION} with a fixed, generic message; the original exception is
 * attached only as the cause.
 */
@Override
public ClientResponse process(ClientConnectionContext ctx) {
    qry.setPartitions(partitions);

    if (updateBatchSize != null)
        qry.setUpdateBatchSize(updateBatchSize);

    // Count the cursor up front; the catch block gives the slot back if anything below fails.
    ctx.incrementCursors();

    try {
        qry.setQueryInitiatorId(ctx.clientDescriptor());

        // If cacheId is provided, we must check the cache for existence, so the descriptor is
        // resolved even when the query already names a schema.
        if (cacheId() != 0) {
            DynamicCacheDescriptor cacheDesc = cacheDescriptor(ctx);

            if (qry.getSchema() == null)
                qry.setSchema(QueryUtils.normalizeSchemaName(cacheDesc.cacheName(), cacheDesc.cacheConfiguration().getSqlSchema()));
        }

        List<FieldsQueryCursor<List<?>>> cursors = ctx.kernalContext().query().querySqlFields(qry, true, true);

        assert cursors.size() == 1;

        FieldsQueryCursor qryCur = cursors.get(0);
        ClientCacheFieldsQueryCursor clientCur = new ClientCacheFieldsQueryCursor(qryCur, qry.getPageSize(), ctx);

        // The resource registry assigns the id the client uses to reference this cursor later.
        clientCur.id(ctx.resources().put(clientCur));

        return new ClientCacheSqlFieldsQueryResponse(requestId(), clientCur, qryCur, includeFieldNames);
    }
    catch (Exception e) {
        ctx.decrementCursors();

        SecurityException authErr = X.cause(e, SecurityException.class);

        // Anything that is not an authorization failure propagates unchanged.
        if (authErr == null)
            throw e;

        throw new IgniteClientException(ClientStatus.SECURITY_VIOLATION, "Client is not authorized to perform this operation", authErr);
    }
}
use of org.apache.ignite.plugin.security.SecurityException in project ignite by apache.
the class IgniteServiceProcessor method validateNode.
/**
 * {@inheritDoc}
 * <p>
 * Checks, while a node joins, that it is permitted to deploy the services listed in its joining data.
 * No check is made when the node sent no joining data or when security is disabled.
 *
 * @return Validation result carrying the security error message, or {@code null} if no error was found.
 */
@Override
@Nullable
public IgniteNodeValidationResult validateNode(ClusterNode node, DiscoveryDataBag.JoiningNodeDiscoveryData data) {
    boolean nothingToCheck = data.joiningNodeData() == null || !ctx.security().enabled();

    if (nothingToCheck)
        return null;

    // NOTE(review): the cast assumes this processor's joining data is always
    // ServiceProcessorJoinNodeDiscoveryData - confirm against the code that collects it.
    ServiceProcessorJoinNodeDiscoveryData joinData = (ServiceProcessorJoinNodeDiscoveryData) data.joiningNodeData();
    List<ServiceInfo> joiningSvcs = joinData.services();

    SecurityException deployErr = checkDeployPermissionDuringJoin(node, joiningSvcs);

    return deployErr == null ? null : new IgniteNodeValidationResult(node.id(), deployErr.getMessage());
}
use of org.apache.ignite.plugin.security.SecurityException in project ignite by apache.
the class AccessControllerSandbox method execute.
/**
 * {@inheritDoc}
 * <p>
 * Runs the callable through {@code AccessController.doPrivileged} under an access control context
 * built from the current context and an {@code IgniteDomainCombiner} created with the current
 * subject's sandbox permissions. Refuses to run at all if no security manager is installed any more.
 * Note that {@code AccessController} and the security manager are deprecated for removal in recent
 * JDKs (JEP 411).
 *
 * @throws IgniteException Wrapping the checked exception thrown by the callable.
 */
@Override
public <T> T execute(Callable<T> c) throws IgniteException {
    Objects.requireNonNull(c);

    // Fail closed: without a security manager the restricted context below would not be enforced.
    if (!hasSecurityManager())
        throw new SecurityException("SecurityManager was, but it disappeared!");

    final SecurityContext secCtx = security.securityContext();

    assert secCtx != null;

    // The restricted context is created in a privileged block of its own.
    final PrivilegedAction<AccessControlContext> sandboxCtxFactory = () -> new AccessControlContext(AccessController.getContext(), new IgniteDomainCombiner(secCtx.subject().sandboxPermissions()));
    final AccessControlContext acc = AccessController.doPrivileged(sandboxCtxFactory);

    if (log.isDebugEnabled())
        log.debug("Executing the action inside the sandbox [subjId=" + secCtx.subject().id() + ']');

    final PrivilegedExceptionAction<T> sandboxedCall = c::call;

    try {
        return AccessController.doPrivileged(sandboxedCall, acc);
    }
    catch (PrivilegedActionException e) {
        // Unwrap to the exception the callable actually threw.
        throw new IgniteException(e.getException());
    }
}
use of org.apache.ignite.plugin.security.SecurityException in project ignite by apache.
the class GridRestProcessor method handleRequest.
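/**
 * Handles a REST request: waits for node start where required, then, when security is enabled,
 * resolves the session, authenticates if there is no security context yet or the session token has
 * expired, authorizes the request and runs it under that security context.
 * <p>
 * Failures are returned as a finished future rather than thrown: {@code STATUS_AUTH_FAILED} for
 * authentication problems, {@code STATUS_SECURITY_CHECK_FAILED} for a {@code SecurityException}.
 * The session token is a credential and is therefore kept out of the debug log.
 *
 * @param req Request.
 * @return Future.
 */
private IgniteInternalFuture<GridRestResponse> handleRequest(final GridRestRequest req) {
    if (req instanceof GridRestNodeStateBeforeStartRequest) {
        if (startLatch.getCount() == 0)
            return new GridFinishedFuture<>(new IgniteCheckedException("Node has already started."));
    }
    else if (!(req instanceof GridRestAuthenticationRequest) && startLatch.getCount() > 0) {
        try {
            startLatch.await();
        }
        catch (InterruptedException e) {
            // Restore the interrupt flag so the calling thread can still observe the interruption.
            Thread.currentThread().interrupt();

            return new GridFinishedFuture<>(new IgniteCheckedException("Failed to handle request " + "(protocol handler was interrupted when awaiting grid start).", e));
        }
    }

    // NOTE(review): this prints the request's toString(); confirm it excludes credentials.
    if (log.isDebugEnabled())
        log.debug("Received request from client: " + req);

    if (securityEnabled) {
        Session ses;

        try {
            ses = session(req);
        }
        catch (IgniteAuthenticationException e) {
            return new GridFinishedFuture<>(new GridRestResponse(STATUS_AUTH_FAILED, e.getMessage()));
        }
        catch (IgniteCheckedException e) {
            return new GridFinishedFuture<>(new GridRestResponse(STATUS_FAILED, e.getMessage()));
        }

        assert ses != null;

        req.clientId(ses.clientId);
        req.sessionToken(U.uuidToBytes(ses.sesId));

        // The token value is redacted: anyone able to read the log could otherwise reuse the session.
        if (log.isDebugEnabled())
            log.debug("Next clientId and sessionToken were extracted according to request: " + "[clientId=" + req.clientId() + ", sesTok=<redacted>]");

        SecurityContext secCtx0 = ses.secCtx;

        try {
            // Authenticate when the session has no security context yet or its token has expired.
            if (secCtx0 == null || ses.isTokenExpired(sesTokTtl))
                ses.secCtx = secCtx0 = authenticate(req, ses);

            // Authorization and request handling both run under the session's security context.
            try (OperationSecurityContext s = ctx.security().withContext(secCtx0)) {
                authorize(req);

                return handleRequest0(req);
            }
        }
        catch (SecurityException e) {
            assert secCtx0 != null;

            return new GridFinishedFuture<>(new GridRestResponse(STATUS_SECURITY_CHECK_FAILED, e.getMessage()));
        }
        catch (IgniteCheckedException e) {
            return new GridFinishedFuture<>(new GridRestResponse(STATUS_AUTH_FAILED, e.getMessage()));
        }
    }
    else
        return handleRequest0(req);
}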