ignite-user mailing list archives

From Andrey Mashenkov <andrey.mashen...@gmail.com>
Subject Re: How can I get Ignite security plugin to work with JDBC thin client?
Date Mon, 30 Oct 2017 13:17:43 GMT
Hi Caleb,

The JDBC thin client has no support for the security plugin for now.

If you don't need full permissions support for SQL objects (I mean the "GRANT"
operation),
but just need to restrict unauthorized access to the grid, then you can wait for
IGNITE-6625 [1] and try JDBC via SSL.


[1] https://issues.apache.org/jira/browse/IGNITE-6625


On Thu, Oct 26, 2017 at 12:30 AM, calebs <caleb.shei@gmail.com> wrote:

> Version: Ignite 2.3-SNAPSHOT from ignite-2.3 branch.
>
> A jar that contains our custom security plugin for the security named
> ACSPluginProvider & ACSSecurityProcessor is placed in $IGNITE_HOME/libs
> folder.
>
> Run ignite.sh to start the single data node and see
> ACSSecurityProcessor.start method is called.
>
> 10-23 20:46:16.567 [main ] INFO  apache.ignite.internal.IgniteKernal%cdev_cluster - Configured caches [in 'sysMemPlc' memoryPolicy: ['ignite-sys-cache']]
> 10-23 20:46:16.601 [main ] INFO  apache.ignite.internal.IgniteKernal%cdev_cluster - 3-rd party licenses can be found at: /opt/ignite/libs/licenses
> 10-23 20:46:16.663 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor - Configured plugins:
> 10-23 20:46:16.664 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor -   ^-- ACSPluginProvider 1.0.0
> 10-23 20:46:16.664 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor -   ^-- MaxPoint
> 10-23 20:46:16.664 [main ] INFO  internal.processors.plugin.IgnitePluginProcessor -
> 10-23 20:46:16.673 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - start
> 10-23 20:46:16.726 [main ] INFO  spi.communication.tcp.TcpCommunicationSpi - Successfully bound communication NIO server to TCP port [port=47100, locHost=0.0.0.0/0.0.0.0, selectorsCnt=4, selectorSpins=0, pairedConn=false]
>
> Use Ignite JDBC thin driver to connect to the cluster with user & password
> properties. Then I see ACSSecurityProcessor - authenticate as shown below.
> But the login is null. Also, I can see ACSSecurityProcessor.authorize is
> called for CACHE_PUT when I execute INSERT or DELETE statements, but I do
> not see ACSSecurityProcessor.authorize is called for CACHE_READ.
>
> /opt/ignite/log$ grep platform.auth.ignite ignite.log
> 10-25 14:56:35.182 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - start
> 10-25 14:56:35.779 [main ] INFO  platform.auth.ignite.ACSPluginProvider - start
> 10-25 14:56:35.810 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - authenticateNode: id=cdb8bd19-d1b0-4d54-a982-01abdc83761a, hosts=[shei1], address=[0:0:0:0:0:0:0:1%lo, 127.0.0.1, 172.16.128.96]
> 10-25 14:56:35.858 [main ] INFO  platform.auth.ignite.ACSSecurityProcessor - onKernalStart(false)
> 10-25 14:56:35.891 [main ] INFO  platform.auth.ignite.ACSPluginProvider - onIgniteStart
> 10-25 14:57:09.417 [rest-#44%cdev_cluster%] INFO  platform.auth.ignite.ACSSecurityProcessor - authenticate: id=b5052d01-5a1c-47ea-9bb1-0ee89519bde7, login=null
> 10-25 15:01:21.862 [client-connector-#79%cdev_cluster%] WARN  platform.auth.ignite.ACSSecurityProcessor - authorize: name=SQL_PUBLIC_TEST1, permission=CACHE_PUT
> 10-25 15:01:55.818 [client-connector-#80%cdev_cluster%] WARN  platform.auth.ignite.ACSSecurityProcessor - authorize: name=SQL_PUBLIC_TEST1, permission=CACHE_PUT
>
> The code for ACSSecurityProcessor.authenticate is
>
>     @Override
>     public SecurityContext authenticate(AuthenticationContext authCtx) throws IgniteCheckedException {
>         ACSSecuritySubject subject = (ACSSecuritySubject)userMap.get(authCtx.subjectId());
>         if(subject == null) {
>             subject = new ACSSecuritySubject(authCtx.subjectId(), authCtx.credentials(), authCtx.address());
>             if(logger.isInfoEnabled()) {
>                 logger.info("authenticate: id=" + subject.id() + ", login=" + subject.login());
>             }
>             userMap.put(authCtx.subjectId(), subject);
>         }
>         return new ACSSecurityContext(subject);
>     }
>
> where subject.login() will return null if authCtx.credentials() is null.
>
> So here, I have two questions:
> 1. How can I get authCtx.credentials() to return non-null credentials
> when I use the thin driver with user/password properties?
> 2. How can I get ACSSecurityProcessor.authorize invoked for CACHE_READ for
> any SELECT query?
>
>
>
>
> --
> Sent from: http://apache-ignite-users.70518.x6.nabble.com/
>



-- 
Best regards,
Andrey V. Mashenkov
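
A check over the plugin log for the two symptoms described in the quoted message: authenticate calls logged with login=null, and authorize calls on thread pools that never logged an authenticate call. This is an added example, not part of the original thread. It assumes the message format of the poster's ACSSecurityProcessor log lines with one event per line; the sample input is constructed from the excerpt, and grouping by thread-pool name is a heuristic because the authorize lines carry no subject id.

```python
import re
from collections import defaultdict

# Constructed sample: the events from the post rejoined onto single lines,
# plus one invented "login=alice" line to show a credentialed call is not flagged.
SAMPLE_LOG = """\
10-25 14:57:09.417 [rest-#44%cdev_cluster%] INFO  platform.auth.ignite.ACSSecurityProcessor - authenticate: id=b5052d01-5a1c-47ea-9bb1-0ee89519bde7, login=null
10-25 14:58:02.100 [rest-#45%cdev_cluster%] INFO  platform.auth.ignite.ACSSecurityProcessor - authenticate: id=11111111-2222-3333-4444-555555555555, login=alice
10-25 15:01:21.862 [client-connector-#79%cdev_cluster%] WARN  platform.auth.ignite.ACSSecurityProcessor - authorize: name=SQL_PUBLIC_TEST1, permission=CACHE_PUT
10-25 15:01:55.818 [client-connector-#80%cdev_cluster%] WARN  platform.auth.ignite.ACSSecurityProcessor - authorize: name=SQL_PUBLIC_TEST1, permission=CACHE_PUT
"""

EVENT = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) \[(?P<thread>[^\]]+)\]\s+\w+\s+"
    r"\S*ACSSecurityProcessor\s+-\s+(?P<kind>authenticate|authorize): (?P<body>.*)$"
)

def fields(body):
    """Split 'k1=v1, k2=v2' into a dict."""
    return dict(kv.split("=", 1) for kv in body.split(", ") if "=" in kv)

def audit(log_text):
    null_logins = []              # (timestamp, subject id) of credential-less calls
    authenticated_pools = set()   # thread pools that logged authenticate() at all
    authorize = defaultdict(set)  # pool -> {(cache name, permission)}
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        f = fields(m["body"])
        # "client-connector-#79%cdev_cluster%" -> "client-connector"
        pool = m["thread"].split("-#", 1)[0]
        if m["kind"] == "authenticate":
            authenticated_pools.add(pool)
            if f.get("login") in (None, "", "null"):
                null_logins.append((m["ts"], f.get("id")))
        else:
            authorize[pool].add((f.get("name"), f.get("permission")))
    return {
        "null_logins": null_logins,
        # authorize() seen on a pool where authenticate() was never logged
        "authorize_without_authenticate": {
            p: sorted(v) for p, v in authorize.items() if p not in authenticated_pools
        },
        "permissions_seen": sorted({perm for v in authorize.values() for _, perm in v}),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```
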
