ignite-dev mailing list archives

From Maksim Stepachev <maksim.stepac...@gmail.com>
Subject Improvements for new security approach.
Date Wed, 17 Jul 2019 14:08:14 GMT
Hello, Igniters.

    The main idea of the new security is propagating the security context to
other nodes and performing actions with the initial permission. The solution
looks fine but has imperfections.

1. ZookeeperDiscoveryImpl doesn't implement security into itself.
  As a result: Caused by: class org.apache.ignite.spi.IgniteSpiException:
Security context isn't certain.
2. The visor tasks lost permission.
The method VisorQueryUtils#scheduleQueryStart makes a new thread and loses
context.
3. The GridRestProcessor does tasks outside the "withContext" section. As a
result, the context is lost.
4. The GridRestProcessor isn't a client; we can't read the security subject
from the node attribute.
We should transmit secCtx for fake nodes and secSubjId for real.
5. NoOpIgniteSecurityProcessor should include a disabled processor and
validate it too if it is not null. It is important for a client node.
For example:
In the IgniteKernal#securityProcessor method, createComponent returns a
GridSecurityProcessor. For server nodes it is enabled, but for clients it
isn't. The clients aren't able to pass validation for this reason.

6. ATTR_SECURITY_SUBJECT was removed. It broke compatibility.

I am going to fix it.
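
Points 2 and 3 of the message describe a security context that is lost when work moves to a new thread or runs outside a "withContext" section. The following is an added example, not part of the original message and not Ignite code: a stand-alone model in which the thread-local holder `SEC_CTX`, the helper `wrap` and the subject string are hypothetical names, showing the loss and one way to carry the context across a thread hand-off.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Stand-alone model of thread-bound security context; all names are hypothetical.
public class ContextPropagationDemo {
    // The current security context lives in a thread-local, so it is per thread.
    private static final ThreadLocal<String> SEC_CTX = new ThreadLocal<>();

    // Install ctx for the duration of the action, then restore whatever was there before.
    static <T> T withContext(String ctx, Callable<T> action) throws Exception {
        String prev = SEC_CTX.get();
        SEC_CTX.set(ctx);
        try {
            return action.call();
        } finally {
            if (prev == null) SEC_CTX.remove(); else SEC_CTX.set(prev);
        }
    }

    // Capture the submitter's context now and reinstall it on the thread that runs the task.
    static <T> Callable<T> wrap(Callable<T> task) {
        final String captured = SEC_CTX.get();
        return () -> withContext(captured, task);
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Callable<String> readCtx = SEC_CTX::get; // stands in for a permission check
        try {
            withContext("subject-A (constructed)", () -> {
                // Submitted as-is: the worker thread has its own empty thread-local.
                String lost = pool.submit(readCtx).get();
                // Submitted wrapped: the worker runs inside the captured context.
                String kept = pool.submit(wrap(readCtx)).get();
                System.out.println("unwrapped task sees: " + lost);
                System.out.println("wrapped task sees:   " + kept);
                return null;
            });
            // Outside the withContext section nothing is installed on this thread either.
            System.out.println("after section:       " + SEC_CTX.get());
        } finally {
            pool.shutdown();
        }
    }
}
```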
