Hi, guys! The change suggested by Denis looks robust to me: it covers security subject handling by all kinds of clients/nodes at once. As for the ATTR_SECURITY_SUBJECT_V2 attribute, it is really better to move it to plugin implementations to support backward compatibility with peer nodes of older versions. Obviously, a cluster with security disabled will not suffer from the attribute removal. Ignite core should know nothing about the specific way of security context propagation.
Denis, could you please create a Jira issue for your change?

Thu, Feb 20, 2020 at 17:01, Denis Garus <garus....@gmail.com>:

> > I just transmitted security subjects for rest requests.
>
> SecurityContext has an unlimited size so we can get significant overhead.
> And we do not solve problems with other thin clients.
>
> >If you remove ATTR_SECURITY_SUBJECT_V2, it breaks compatibility between old
> >versions and new.
>
> I suggest removing ATTR_SECURITY_SUBJECT_V2 from Ignite's codebase, but for
> compatibility, it can be used by a security plugin like in PoC.
>
> Thu, Feb 20, 2020 at 16:47, Maksim Stepachev <maksim.stepac...@gmail.com>:
>
> > Yes, I said about it at 07.19.
> >
> > http://apache-ignite-developers.2346864.n4.nabble.com/Improvements-for-new-security-approach-td42698.html#a42708
> > And in my solution, I just transmitted security subjects for rest requests.
> >
> > If you remove ATTR_SECURITY_SUBJECT_V2, it breaks compatibility between old
> > versions and new.
> >
> > Thu, Feb 20, 2020 at 15:56, Denis Garus <garus....@gmail.com>:
> >
> > > Hi, Igniters!
> > >
> > > At present, a security subject id is assumed to be node id.
> > >
> > > But when we are dealing with thin client, JDBC or REST subject id is random
> > > UUID. In this case, we cannot get the subject information on a remote node,
> > > and we get problems like these [1], [2].
> > >
> > > To fix the problem, we should spread the client session to the whole
> > > cluster.
> > >
> > > I want to suggest a solution to the problem.
> > >
> > > First, we should get subject information using GridSecurityProcessor.
> > >
> > > How GridSecurityProcessor will retrieve a subject data, it is up to plugin
> > > developers.
> > >
> > > Second, we should get rid of the assumption that a subject id is a node id
> > > and remove the ATTR_SECURITY_SUBJECT_V2 attribute.
> > >
> > > I have prepared PoC PR [3] that:
> > >
> > > - places the existing logic of spreading security context to
> > > GridSecurityProcessor;
> > >
> > > - uses GridSecurityProcessor to get SecurityContext.
> > >
> > > 1. http://apache-ignite-developers.2346864.n4.nabble.com/JDBC-thin-client-incorrect-security-context-td45929.html
> > > 2. https://issues.apache.org/jira/browse/IGNITE-12589
> > > 3. https://github.com/apache/ignite/pull/7375

--
Best regards,
Andrey Kuznetsov.