Re: Security Subject of thin client on remote nodes

Sun, 15 Mar 2020 07:14:21 -0700 

Denis Garus,

I've looked at the IEP proposed by you and currently I'm thinking it's not
immediately required.

The problem of missing SecurityContexts of thin clients can be solved much
easily.

Below is the stub of a fix, it requires correct implementation of
method 
org.apache.ignite.internal.processors.security.IgniteSecurityProcessor#authenticatedSubject
by GridSecurityProcessor:

/** {@inheritDoc} */
    @Override public OperationSecurityContext withContext(UUID nodeId) {
        try {
            SecurityContext ctx0 = secCtxs.get(nodeId);

            if (ctx0 == null) {
                ClusterNode node =
Optional.ofNullable(ctx.discovery().node(nodeId))
                        .orElseGet(() ->
ctx.discovery().historicalNode(nodeId));

                // This is a cluster node.
                if (node != null)
                    ctx0 = nodeSecurityContext(marsh,
U.resolveClassLoader(ctx.config()), findNode(nodeId));
                else {
                    // This is already authenticated thin client.
                    SecuritySubject subj = authenticatedSubject(nodeId);

                    assert subj != null : "Subject is null " + nodeId;

                    AuthenticationContext actx = new
AuthenticationContext();
                    actx.subject(subj);

                    ctx0 = secPrc.authenticate(actx);
                }
            }

            secCtxs.putIfAbsent(nodeId, ctx0);

            return withContext(ctx0);
        } catch (IgniteCheckedException e) {
            throw new IgniteException(e);
        }

The idea is to create a thin client SecurityContext on a node not having a
local context using existing SecuritySubject data.

Method 
org.apache.ignite.internal.processors.security.GridSecurityProcessor#authenticate
should check for not null SecuritySubject field and just recreate
SecurityContext using passed info (because it's already authenticated).

We have all necessary information in SecuritySubject returned by
org.apache.ignite.internal.processors.security.IgniteSecurityProcessor#authenticatedSubject
by GridSecurityProcessor method.

Because it is internal API,  we may not care about compatibility at all,
but nevertheless it is possible to add compatibility check in the method
above. If a feature is not supported the operations from thin clients
should be forbidden.

You proposal has the similar problem: if GridSecurityProcessor does not
support retriving context for thin clients, such clients will not be able
to proceed with operation.

Still, the cleanup of security API is necessary and should be done in 3.0



чт, 12 мар. 2020 г. в 16:48, VeenaMithare <v.mith...@cmcmarkets.com>:

> HI ,
>
> Created this jira :
> https://issues.apache.org/jira/browse/IGNITE-12781
>
> regards,
> Veena.
>
>
>
> --
> Sent from: http://apache-ignite-developers.2346864.n4.nabble.com/
>


-- 

Best regards,
Alexei Scherbakov

Reply via email to