ignite-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stepachev Maksim (Jira)" <j...@apache.org>
Subject [jira] [Updated] (IGNITE-13112) The current security context should be obtained using the IgniteSecurity interface only.
Date Wed, 23 Jun 2021 07:23:00 GMT

     [ https://issues.apache.org/jira/browse/IGNITE-13112?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Stepachev Maksim updated IGNITE-13112:
--------------------------------------
    Reviewer: Slava Koptilin  (was: Stepachev Maksim)

> The current security context should be obtained using the IgniteSecurity interface only.
> ----------------------------------------------------------------------------------------
>
>                 Key: IGNITE-13112
>                 URL: https://issues.apache.org/jira/browse/IGNITE-13112
>             Project: Ignite
>          Issue Type: Bug
>          Components: cache, security
>    Affects Versions: 2.8.1
>            Reporter: Denis Garus
>            Assignee: Denis Garus
>            Priority: Major
>              Labels: iep-41
>          Time Spent: 7h
>  Remaining Estimate: 0h
>
> For getting the current security context, we have to use the IgniteSecurity interface
only. 
>  We need to get rid of all other ways to transfer a security subject id.
> h4. Suggested implementation
> If Ignite Security (IS) is enabled, then executors, accessed through the {{PoolProcessor}},
are wrapped to a security-aware implementation. Security-aware implementation sets proper
security context for tasks that the executor performs.
> The field subject id was deleted from communication requests for cache and compute operations;
a remote node gets the subject id that initiates the ignite operation from {{GridIoSecurityAwareMessage}}.
{{IgniteSecurity}} uses this id to set a proper security context during the execution of the
request.
> Remove {{GridTaskThreadContextKey#TC_SUBJ_ID}}, {{GridCacheContext#subjectIdPerCall}};
a consumer has to obtain a current security subject id through {{IgniteSecurity}} or the set
of {{SecurityUtils}} methods.
> For all events that include the subject id field, are set the following rule. If IS is
enabled, this field must contain a subject id that initiates an ignite operation, otherwise
null.
> Implement {{SecurityAwareCustomMessageWrapper}} for discovery requests that act as {{GridIoSecurityAwareMessage}}
for communication requests. It allows setting proper context during the discovery message
execution.
> Implement {{SecurityAwareGridRestCommandHandler}} to allow {{GridRestProcessor}} to execute
all client requests with the proper security context.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message