From: Anton Vinogradov
Date: Fri, 27 Sep 2019 08:38:26 +0300
Subject: Re: Improvements for new security approach.
To: Maksim Stepachev
Cc: dev@ignite.apache.org, Ivan Rakov, Denis Garus

Maksim

>> I want to fix 2-3-4 points under one ticket.
Please let me know once it becomes ready to be reviewed.

On Thu, Sep 26, 2019 at 5:18 PM Maksim Stepachev wrote:

> Hi.
>
> Anton Vinogradov,
>
> I want to fix 2-3-4 points under one ticket.
>
> The first was fixed in the ticket:
> https://issues.apache.org/jira/browse/IGNITE-11094
> Also, I agree with you that 5-6 isn't required for Ignite.
>
> Denis Garus,
> I made a reproducer for point 3. Look at the test from my pull request:
> JettyRestPropagationSecurityContextTest
> https://github.com/apache/ignite/pull/6918
>
> For point 2 you should apply GridRestProcessor from the PR and set debug in
> VisorQueryUtils#scheduleQueryStart between
> ignite.context().closure().runLocalSafe and call:
> ignite.context().security().securityContext()
>
> For point 3, do the action above and call:
> ignite.context().discovery().node(ignite.context().security().securityContext().subject().id())
>
> It returns null because this subject was created from the REST. It's the
> reason why the subject id isn't enough and we should transmit the subject inside
> the message for this case.
>
> On Thu, 18 Jul 2019 at 12:45, Anton Vinogradov wrote:
>
>> Maksim,
>>
>> Could you please split IGNITE-11992 into subtasks with proper descriptions?
>> This will allow us to relocate the discussion to the issues to solve each
>> problem properly.
>>
>> On Thu, Jul 18, 2019 at 11:57 AM Denis Garus wrote:
>>
>> > Hello, Maksim!
>> > Thanks for your analysis!
>> >
>> > I have a few questions about your proposals.
>> >
>> > GridRestProcessor.
>> > AFAIK, when GridRestProcessor handles a client request
>> > (GridRestProcessor#handleRequest)
>> > it processes authentication (GridRestProcessor#authenticate)
>> > and then authorization of the request (GridRestProcessor#authorize) inside
>> > the client context.
>> > Can you give additional info about the issues with GridRestProcessor from 3 and
>> > 4? Maybe you have a reproducer for the problem?
>> >
>> > NoOpIgniteSecurityProcessor.
>> > I think the case that you describe in 5 is not a bug.
>> > All nodes (client and server) must have security enabled or disabled.
>> > I can't imagine the case when it is not.
>> >
>> > ATTR_SECURITY_SUBJECT.
>> > I don't think that compatibility is needed here. If you use a node
>> > with security context propagation to a remote node together with older nodes,
>> > you can get subtle errors.
>> >
>> > On Thu, 18 Jul 2019 at 11:12, Maksim Stepachev <maksim.stepachev@gmail.com> wrote:
>> >
>> > > Hi, Ivan.
>> > >
>> > > Yes, I have.
>> > > https://issues.apache.org/jira/browse/IGNITE-11992
>> > >
>> > > I'm waiting for a visa.
>> > >
>> > > On Thu, 18 Jul 2019 at 11:09, Ivan Rakov wrote:
>> > >
>> > >> Hello Max,
>> > >>
>> > >> Thanks for your analysis!
>> > >>
>> > >> Have you created a JIRA issue for the discovered defects?
>> > >>
>> > >> Best Regards,
>> > >> Ivan Rakov
>> > >>
>> > >> On 17.07.2019 17:08, Maksim Stepachev wrote:
>> > >> > Hello, Igniters.
>> > >> >
>> > >> > The main idea of the new security is propagating the security context
>> > >> > to other nodes and doing actions with the initial permissions. The solution
>> > >> > looks fine but has imperfections.
>> > >> >
>> > >> > 1. ZookeeperDiscoveryImpl doesn't implement security into itself.
>> > >> > As a result: Caused by: class org.apache.ignite.spi.IgniteSpiException:
>> > >> > Security context isn't certain.
>> > >> > 2. The visor tasks lose permissions.
>> > >> > The method VisorQueryUtils#scheduleQueryStart makes a new thread and loses
>> > >> > the context.
>> > >> > 3. The GridRestProcessor does tasks outside the "withContext" section. As a
>> > >> > result the context is lost.
>> > >> > 4. The GridRestProcessor isn't a client, we can't read the security subject
>> > >> > from a node attribute.
>> > >> > We should transmit secCtx for fake nodes and secSubjId for real ones.
>> > >> > 5. NoOpIgniteSecurityProcessor should include a disabled processor and
>> > >> > validate it too if it is not null. It is important for a client node.
>> > >> > For example:
>> > >> > In IgniteKernal#securityProcessor the method createComponent returns a
>> > >> > GridSecurityProcessor. For server nodes they are enabled, but for clients
>> > >> > they aren't. The clients aren't able to pass validation for this reason.
>> > >> >
>> > >> > 6. ATTR_SECURITY_SUBJECT was removed. It broke compatibility.
>> > >> >
>> > >> > I'm going to fix it.
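As an added illustration (not Ignite's own code, and not part of the thread) of points 2 and 4 discussed above: a thread-bound security context is dropped when work is handed to a fresh thread, and a subject created through REST cannot be resolved to a node by its id alone, which is why the full context has to travel with the message. All class and method names are hypothetical stand-ins, the node map is constructed sample data, and Java 17 or later is assumed.

```java
import java.util.*;
import java.util.concurrent.*;

// Minimal model of a thread-bound security context and of the two ways it gets lost.
public class SecurityContextPropagationDemo {
    /** Hypothetical stand-in for a security context: subject id plus permissions. */
    record SecCtx(UUID subjId, Set<String> perms) {}

    /** Thread-bound current context, as a "withContext" section would install it. */
    private static final ThreadLocal<SecCtx> CURRENT = new ThreadLocal<>();

    /** Constructed stand-in for discovery: only real nodes have a subject id here. */
    private static final Map<UUID, String> NODES = new HashMap<>();

    static <T> T withContext(SecCtx ctx, Callable<T> action) throws Exception {
        SecCtx prev = CURRENT.get();
        CURRENT.set(ctx);
        try { return action.call(); } finally { CURRENT.set(prev); }
    }

    /** Point 2: a job handed to a fresh thread sees no context at all. */
    static Future<SecCtx> scheduleNaive(ExecutorService pool) {
        return pool.submit(() -> CURRENT.get());  // runs on a pool thread: yields null
    }

    /** Fix: capture the caller's context and re-enter it inside the worker. */
    static Future<SecCtx> schedulePropagating(ExecutorService pool) {
        SecCtx captured = CURRENT.get();
        return pool.submit(() -> withContext(captured, () -> CURRENT.get()));
    }

    /** Point 4: a REST subject maps to no node, so lookup by id alone returns null. */
    static String nodeForSubject(UUID subjId) { return NODES.get(subjId); }

    public static void main(String[] args) throws Exception {
        UUID serverSubj = UUID.randomUUID(), restSubj = UUID.randomUUID();
        NODES.put(serverSubj, "server-node-1");                    // constructed sample
        SecCtx restCtx = new SecCtx(restSubj, Set.of("CACHE_READ"));
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            SecCtx lost = withContext(restCtx, () -> scheduleNaive(pool).get());
            SecCtx kept = withContext(restCtx, () -> schedulePropagating(pool).get());
            System.out.println("naive thread saw: " + lost + ", propagating saw: " + kept);
            // Only the full context (secCtx) can carry the REST subject to another node.
            System.out.println("node for server subject: " + nodeForSubject(serverSubj)
                + ", node for REST subject: " + nodeForSubject(restSubj));
        } finally { pool.shutdown(); }
    }
}
```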