use of org.apache.ignite.plugin.security.SecurityException in project ignite by apache.
the class ClientRequestHandler method handle.
/**
* {@inheritDoc}
*/
@Override
public ClientListenerResponse handle(ClientListenerRequest req) {
    try {
        // Resolve the client transaction context, if the request is bound to one.
        ClientTxContext txCtx = null;

        if (req instanceof ClientTxAwareRequest) {
            ClientTxAwareRequest txReq = (ClientTxAwareRequest) req;

            if (txReq.isTransactional())
                txCtx = ctx.txContext(txReq.txId());
        }

        // Non-transactional request, or no context registered under that id: process directly.
        if (txCtx == null)
            return ((ClientRequest) req).process(ctx);

        try {
            txCtx.acquire(true);

            return ((ClientRequest) req).process(ctx);
        } catch (IgniteCheckedException e) {
            // NOTE(review): e.getMessage() is copied into the client-facing exception; confirm it
            // cannot carry internal details that should stay on the server.
            throw new IgniteClientException(ClientStatus.FAILED, e.getMessage(), e);
        } finally {
            // Runs even when acquire(true) itself threw; a failed release is logged, not rethrown,
            // so it never masks the outcome of the request.
            try {
                txCtx.release(true);
            } catch (Exception e) {
                log.warning("Failed to release client transaction context", e);
            }
        }
    } catch (SecurityException ex) {
        // Authorization failures are mapped to SECURITY_VIOLATION with a fixed, generic message:
        // the text does not say which permission was missing. The original exception is kept as
        // the cause. NOTE(review): verify the cause is not serialized back to the client.
        throw new IgniteClientException(ClientStatus.SECURITY_VIOLATION, "Client is not authorized to perform this operation", ex);
    }
}
use of org.apache.ignite.plugin.security.SecurityException in project ignite by apache.
the class IgniteServiceProcessor method onLocalJoin.
/**
* Callback for local join events for which the regular events are not generated.
* <p/>
* Local join event is expected in cases of joining to topology or client reconnect.
*
* @param evt Discovery event.
* @param discoCache Discovery cache.
*/
public void onLocalJoin(DiscoveryEvent evt, DiscoCache discoCache) {
    // Sanity checks only: Java assertions are skipped unless the JVM runs with -ea.
    assert ctx.localNodeId().equals(evt.eventNode().id());
    assert evt.type() == EVT_NODE_JOINED;

    if (isLocalNodeCoordinator()) {
        // First node start, method onGridDataReceived(DiscoveryDataBag.GridDiscoveryData) has not been called.
        ArrayList<ServiceInfo> staticSvcs = staticallyConfiguredServices(false);

        // The deploy-permission check runs before any registration, so a denied service aborts
        // the join callback with the returned SecurityException and nothing gets registered.
        // It is performed only when security is enabled.
        if (ctx.security().enabled()) {
            SecurityException denied = checkDeployPermissionDuringJoin(evt.node(), staticSvcs);

            if (denied != null)
                throw denied;
        }

        staticSvcs.forEach(this::registerService);
    }

    // Hand the deployment manager a snapshot copy of the registered services (null when empty).
    ServiceDeploymentActions joinActions;

    if (registeredServices.isEmpty())
        joinActions = null;
    else {
        joinActions = new ServiceDeploymentActions();
        joinActions.servicesToDeploy(new HashMap<>(registeredServices));
    }

    depMgr.onLocalJoin(evt, discoCache, joinActions);
}
use of org.apache.ignite.plugin.security.SecurityException in project ignite by apache.
the class SecurityUtils method nodeSecurityContext.
/**
* Gets the node's security context.
*
* @param marsh Marshaller.
* @param ldr Class loader.
* @param node Node.
* @return Node's security context.
*/
public static SecurityContext nodeSecurityContext(Marshaller marsh, ClassLoader ldr, ClusterNode node) {
    A.notNull(node, "Cluster node");

    // The serialized security subject travels as a node attribute.
    byte[] serializedSubj = node.attribute(IgniteNodeAttributes.ATTR_SECURITY_SUBJECT_V2);

    if (serializedSubj != null) {
        try {
            // NOTE(review): this deserializes bytes taken from the node's attributes using the
            // supplied marshaller and class loader. Confirm that callers only pass nodes whose
            // attributes have already been validated, and that the marshaller restricts which
            // classes may be instantiated.
            return U.unmarshal(marsh, serializedSubj, ldr);
        } catch (IgniteCheckedException e) {
            throw new SecurityException("Failed to get security context.", e);
        }
    }

    // Fail closed: a node without the attribute has no usable security context.
    throw new SecurityException("Security context isn't certain.");
}
use of org.apache.ignite.plugin.security.SecurityException in project ignite by apache.
the class GridRestProcessor method handleRequest.
/**
* @param req Request.
* @return Future.
*/
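private IgniteInternalFuture<GridRestResponse> handleRequest(final GridRestRequest req) {
    // Start-up gating: node-state-before-start requests are rejected once the node has started;
    // every other request except an authentication request waits for the start latch.
    if (req instanceof GridRestNodeStateBeforeStartRequest) {
        if (startLatch.getCount() == 0)
            return new GridFinishedFuture<>(new IgniteCheckedException("Node has already started."));
    } else if (!(req instanceof GridRestAuthenticationRequest) && startLatch.getCount() > 0) {
        try {
            startLatch.await();
        } catch (InterruptedException e) {
            // NOTE(review): the thread's interrupt flag is not restored here; confirm that is intended.
            return new GridFinishedFuture<>(new IgniteCheckedException("Failed to handle request " + "(protocol handler was interrupted when awaiting grid start).", e));
        }
    }

    // NOTE(review): this logs req.toString(); confirm the request's string form does not include
    // credentials.
    if (log.isDebugEnabled())
        log.debug("Received request from client: " + req);

    // With security disabled the request is handled without session lookup or authorization.
    if (!securityEnabled)
        return handleRequest0(req);

    Session ses;

    try {
        ses = session(req);
    } catch (IgniteAuthenticationException e) {
        return new GridFinishedFuture<>(new GridRestResponse(STATUS_AUTH_FAILED, e.getMessage()));
    } catch (IgniteCheckedException e) {
        return new GridFinishedFuture<>(new GridRestResponse(STATUS_FAILED, e.getMessage()));
    }

    assert ses != null;

    req.clientId(ses.clientId);
    req.sessionToken(U.uuidToBytes(ses.sesId));

    // The session token is derived from the session id and identifies the session, so its value
    // is kept out of the log; the client id is enough to correlate entries.
    if (log.isDebugEnabled())
        log.debug("Next clientId and sessionToken were extracted according to request: " + "[clientId=" + req.clientId() + ", sesTok=<redacted>]");

    SecurityContext secCtx0 = ses.secCtx;

    try {
        // Authenticate again when the session has no security context yet or its token has expired.
        if (secCtx0 == null || ses.isTokenExpired(sesTokTtl))
            ses.secCtx = secCtx0 = authenticate(req, ses);

        // Authorization and the actual handling both run inside the subject's security context;
        // try-with-resources closes the OperationSecurityContext when the block exits.
        try (OperationSecurityContext s = ctx.security().withContext(secCtx0)) {
            authorize(req);

            return handleRequest0(req);
        }
    } catch (SecurityException e) {
        assert secCtx0 != null;

        // NOTE(review): the exception message is returned in the response; confirm it reveals no
        // more about the permission model than the client should learn.
        return new GridFinishedFuture<>(new GridRestResponse(STATUS_SECURITY_CHECK_FAILED, e.getMessage()));
    } catch (IgniteCheckedException e) {
        return new GridFinishedFuture<>(new GridRestResponse(STATUS_AUTH_FAILED, e.getMessage()));
    }
}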
use of org.apache.ignite.plugin.security.SecurityException in project ignite by apache.
the class ServiceAuthorizationTest method configuration.
/**
* @return Ignite node configuration.
*/
private IgniteConfiguration configuration(int idx, SecurityPermission... perms) throws Exception {
    String instanceName = getTestIgniteInstanceName(idx);

    // Permission set built with defaultAllowAll(false): only the permissions appended below are
    // granted. The service permissions under test come from the caller via perms.
    TestSecurityPluginProvider secPlugin = new TestSecurityPluginProvider(
        instanceName,
        "",
        create()
            .defaultAllowAll(false)
            .appendSystemPermissions(JOIN_AS_SERVER)
            .appendCachePermissions(DEFAULT_CACHE_NAME, CACHE_CREATE)
            .appendTaskPermissions("org.apache.ignite.internal.processors.affinity.GridAffinityUtils$AffinityJob", TASK_EXECUTE, TASK_CANCEL)
            .appendServicePermissions(TEST_SERVICE_NAME, perms)
            .build(),
        null,
        false);

    IgniteConfiguration nodeCfg = getConfiguration(instanceName, secPlugin).setClientMode(isClient);

    if (authErrLatch == null)
        return nodeCfg;

    // When an authorization error is expected, the failure handler verifies that the failure is a
    // SecurityException for SERVICE_DEPLOY on the test service, then counts the latch down.
    nodeCfg.setFailureHandler(new FailureHandler() {
        @Override
        public boolean onFailure(Ignite ignite, FailureContext failureCtx) {
            Throwable failure = failureCtx.error();

            assertTrue(failure instanceof SecurityException);
            assertTrue(failure.getMessage().startsWith("Authorization failed [perm=SERVICE_DEPLOY, name=test-service-name"));

            authErrLatch.countDown();

            return true;
        }
    });

    return nodeCfg;
}