ignite-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From calebs <caleb.s...@gmail.com>
Subject How can I get Ignite security plugin to work with JDBC thin client?
Date Wed, 25 Oct 2017 21:30:38 GMT
Version: Ignite 2.3-SNAPSHOT from ignite-2.3 branch. 

A jar that contains our custom security plugin for the security named
ACSPluginProvider & ACSSecurityProcessor is placed in $IGNITE_HOME/libs
folder.

Run ignite.sh to start the single data node and see
ACSSecurityProcessor.start method is called.

10-23 20:46:16.567 [main ] INFO 
apache.ignite.internal.IgniteKernal%cdev_cluster - Configured caches [in
'sysMemPlc' memoryPolicy: ['ignite-sys-cache']]
10-23 20:46:16.601 [main ] INFO 
apache.ignite.internal.IgniteKernal%cdev_cluster - 3-rd party licenses can
be found at: /opt/ignite/libs/licenses
10-23 20:46:16.663 [main ] INFO 
internal.processors.plugin.IgnitePluginProcessor - Configured plugins:
10-23 20:46:16.664 [main ] INFO 
internal.processors.plugin.IgnitePluginProcessor -   ^-- ACSPluginProvider
1.0.0
10-23 20:46:16.664 [main ] INFO 
internal.processors.plugin.IgnitePluginProcessor -   ^-- MaxPoint
10-23 20:46:16.664 [main ] INFO 
internal.processors.plugin.IgnitePluginProcessor -
10-23 20:46:16.673 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor -
start
10-23 20:46:16.726 [main ] INFO  spi.communication.tcp.TcpCommunicationSpi -
Successfully bound communication NIO server to TCP port [port=47100,
locHost=0.0.0.0/0.0.0.0, selectorsCnt=4, selectorSpins=0, pairedConn=false]

Use Ignite JDBC thin driver to connect to the cluster with user & password
properties. Then I see ACSSecurityProcessor - authenticate as shown below.
But the login is null. Also, I can see ACSSecurityProcessor.authorize is
called for CACHE_PUT when I execute INSERT or DELETE statements, but I do
not see ACSSecurityProcessor.authorize is called for CACHE_READ. 

/opt/ignite/log$ grep platform.auth.ignite ignite.log 
10-25 14:56:35.182 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor -
start
10-25 14:56:35.779 [main ] INFO  platform.auth.ignite.ACSPluginProvider   -
start
10-25 14:56:35.810 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor -
authenticateNode: id=cdb8bd19-d1b0-4d54-a982-01abdc83761a, hosts=[shei1],
address=[0:0:0:0:0:0:0:1%lo, 127.0.0.1, 172.16.128.96]
10-25 14:56:35.858 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor -
onKernalStart(false)
10-25 14:56:35.891 [main ] INFO  platform.auth.ignite.ACSPluginProvider   -
onIgniteStart
10-25 14:57:09.417 [rest-#44%cdev_cluster%] INFO 
platform.auth.ignite.ACSSecurityProcessor - authenticate:
id=b5052d01-5a1c-47ea-9bb1-0ee89519bde7, login=null
10-25 15:01:21.862 [client-connector-#79%cdev_cluster%] WARN 
platform.auth.ignite.ACSSecurityProcessor - authorize:
name=SQL_PUBLIC_TEST1, permission=CACHE_PUT
10-25 15:01:55.818 [client-connector-#80%cdev_cluster%] WARN 
platform.auth.ignite.ACSSecurityProcessor - authorize:
name=SQL_PUBLIC_TEST1, permission=CACHE_PUT

The code for ACSSecurityProcessor.authenticate is

     @Override
    public SecurityContext authenticate(AuthenticationContext authCtx)
throws IgniteCheckedException {
        ACSSecuritySubject subject =
(ACSSecuritySubject)userMap.get(authCtx.subjectId());
        if(subject == null) {
            subject = new ACSSecuritySubject(authCtx.subjectId(),
authCtx.credentials(), authCtx.address());
            if(logger.isInfoEnabled()) {
                logger.info("authenticate: id=" + subject.id() + ", login="
+ subject.login());
            }
            userMap.put(authCtx.subjectId(), subject);
        }
        return new ACSSecurityContext(subject);
    }

where subject.login() will return null if authCtx.credentials() is null. 

So here, I have two questions:
1. How can I get authCtx.credentials() to return the not null credentials
when I use the thin driver with user/password properties?
2. How can I get ACSSecurityProcessor.authorize invoked for CACHE_READ for
any SELECT query? 




--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/

Mime
View raw message