From: Maksim Stepachev
Date: Wed, 17 Jul 2019 17:08:14 +0300
Subject: Improvements for new security approach.
To: dev@ignite.apache.org, garus.d.g@gmail.com

Hello, Igniters.

The main idea of the new security is propagating the security context to other nodes and performing the action with the initial permissions. The solution looks fine but has imperfections.

1. ZookeeperDiscoveryImpl doesn't implement security into itself. As a result:
   Caused by: class org.apache.ignite.spi.IgniteSpiException: Security context isn't certain.

2. The visor tasks lose permissions. The method VisorQueryUtils#scheduleQueryStart creates a new thread and loses the context.

3. The GridRestProcessor does tasks outside the "withContext" section. As a result, the context is lost.

4. The GridRestProcessor isn't a client; we can't read the security subject from a node attribute. We should transmit secCtx for fake nodes and secSubjId for real ones.

5. NoOpIgniteSecurityProcessor should include a disabled processor and validate it too if it is not null. It is important for a client node. For example: in IgniteKernal#securityProcessor, the method createComponent returns a GridSecurityProcessor. For server nodes it is enabled, but for clients it isn't. The clients aren't able to pass validation for this reason.

6. ATTR_SECURITY_SUBJECT was removed. It broke compatibility. I'm going to fix it.
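Added illustration of items 2 and 3 (this is not code from the e-mail or from Ignite itself): an assumed thread-local holder mimicking a "withContext" section shows how a task handed to another thread loses the security context, and how capturing the caller's context and re-entering it on the worker thread restores it. SecurityContext, SecurityHolder and its methods are stand-ins, not Ignite's API.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Assumed stand-in for a security context (not Ignite's class): just the subject id.
final class SecurityContext {
    final String subjectId;
    SecurityContext(String subjectId) { this.subjectId = subjectId; }
}
// Assumed per-thread holder mimicking a "withContext" section: the context is
// visible only on the thread that entered it, so a fresh worker thread sees null.
final class SecurityHolder {
    private static final ThreadLocal<SecurityContext> CUR = new ThreadLocal<>();
    static <T> T withContext(SecurityContext ctx, Callable<T> action) throws Exception {
        SecurityContext prev = CUR.get();
        CUR.set(ctx);
        try { return action.call(); } finally { CUR.set(prev); }
    }
    // Authorization check: refuses to run when no context is bound to this thread.
    static String authorize(String op) {
        SecurityContext ctx = CUR.get();
        if (ctx == null) throw new IllegalStateException("Security context isn't certain: " + op);
        return ctx.subjectId + " -> " + op;
    }
    // Fix: capture the caller's context now and re-enter it on whichever thread runs the task.
    static <T> Callable<T> propagating(Callable<T> action) {
        SecurityContext captured = CUR.get();
        return () -> withContext(captured, action);
    }
}
public class ContextPropagationDemo {
    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        SecurityContext ctx = new SecurityContext("user-1"); // constructed sample subject
        try {
            // Buggy: the task runs on a pool thread that never entered withContext.
            Future<String> lost = SecurityHolder.withContext(ctx,
                () -> pool.submit(() -> SecurityHolder.authorize("scheduleQueryStart")));
            try { lost.get(); } catch (ExecutionException e) {
                System.out.println("buggy: " + e.getCause().getMessage());
            }
            // Fixed: the wrapped task restores the captured context before authorizing.
            Future<String> kept = SecurityHolder.withContext(ctx, () -> pool.submit(
                SecurityHolder.propagating(() -> SecurityHolder.authorize("scheduleQueryStart"))));
            System.out.println("fixed: " + kept.get());
        } finally { pool.shutdown(); }
    }
}
```

The first submission fails with the same "Security context isn't certain" condition the e-mail quotes, because the check runs on a thread with no bound context; the second succeeds because the context travels with the task.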