[
https://issues.apache.org/jira/browse/IGNITE-18862?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vladimir Steshin updated IGNITE-18862:
--------------------------------------
Description:
{code:java}
org.apache.ignite.plugin.security.SecurityPermission
{code}
has some visor-related permission:
{code:java}
/** Visor admin operations permissions. */
ADMIN_OPS
{code}
This permission should be deprecated and replaced with correct certain ones
like 'CLUSTER_ACTIVATE, CLUSTER_DEACTIVATE, BASELINE_ADD, BASELINE_REMOVE' as
an example. These new permissions should be checked regardless of operation
invocation type.
Motivation:
1) Visor has been removed in IGNITE-18301.
2) The permission is actually requested to change baseline with `control.sh` or
the through `REST API`, to change cluster state with `control.sh` and through
the `REST API` and to mange client connections with `ClientProcessorMXBean`.
These tools aren't Visor. So, the javadocs are wrong.
3) One can change baseline or cluster state with client node, server node or
thin client without these permissions. Such behavior looks not correct.
was:
{code:java}
org.apache.ignite.plugin.security.SecurityPermission
{code}
has some visor-related permission:
{code:java}
/** Visor admin operations permissions. */
ADMIN_OPS
{code}
This permission should be deprecated and replaced with correct certain ones
like 'CLUSTER_ACTIVATE, CLUSTER_DEACTIVATE, BASELINE_ADD, BASELINE_REMOVE' as
an example. These new permissions should be checked regardless of operation
invocation type.
Motivation:
1) Visor has been removed in IGNITE-18301.
2) The permission is actually requested to change baseline with `control.sh` or
the through `REST API`, to change cluster state with `control.sh` and through
the `REST API` and to mange client connections with `ClientProcessorMXBean`.
These tools aren't Visor. So, the javadocs are wrong.
3) One can change baseline or cluster state with client node or thin client
withou these permissions. Such behavior looks not correct.
> Deprecate and replace ADMIN_OPS permission.
> -------------------------------------------
>
> Key: IGNITE-18862
> URL: https://issues.apache.org/jira/browse/IGNITE-18862
> Project: Ignite
> Issue Type: Improvement
> Reporter: Vladimir Steshin
> Priority: Major
>
> {code:java}
> org.apache.ignite.plugin.security.SecurityPermission
> {code}
> has some visor-related permission:
> {code:java}
> /** Visor admin operations permissions. */
> ADMIN_OPS
> {code}
> This permission should be deprecated and replaced with correct certain ones
> like 'CLUSTER_ACTIVATE, CLUSTER_DEACTIVATE, BASELINE_ADD, BASELINE_REMOVE' as
> an example. These new permissions should be checked regardless of operation
> invocation type.
> Motivation:
> 1) Visor has been removed in IGNITE-18301.
> 2) The permission is actually requested to change baseline with `control.sh`
> or the through `REST API`, to change cluster state with `control.sh` and
> through the `REST API` and to mange client connections with
> `ClientProcessorMXBean`. These tools aren't Visor. So, the javadocs are wrong.
> 3) One can change baseline or cluster state with client node, server node or
> thin client without these permissions. Such behavior looks not correct.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
