Posted to user@ignite.apache.org by conor <co...@mastercard.com> on 2017/03/06 12:25:21 UTC

Authentication

Hi, I'm trying to implement authentication for an ignite cluster.  I've read
the blog post mentioned in other posts here but it's incomplete and also
quite old so I was hoping for some guidance. (blog post:
http://smartkey.co.uk/development/securing-an-apache-ignite-cluster/)

The authentication mechanism I'm intending to use is to check for a common
password shared by nodes.  So when a node starts up by itself, it obtains
the shared password from the local system using a library call.  So I need
to do two things.
 * when a node starts up it needs to fetch the local password and store it
in its own configuration
 * when a node joins the cluster other nodes need to compare the provided
password with the one they have locally

So I tried setting the credentials locally as follows:

        TcpDiscoverySpi spi = new TcpDiscoverySpi();
        SecurityCredentials securityCredentials = new SecurityCredentials(getModuleName(), passwordService.getPassword());
        Map<String, Object> nodeAttributes = new HashMap<>();
        nodeAttributes.put("org.apache.ignite.security.cred", securityCredentials);
        IgniteProductVersion igniteProductVersion = new IgniteProductVersion();
        spi.setNodeAttributes(nodeAttributes, igniteProductVersion);

However I run into an issue here because when setNodeAttributes is called on
TcpDiscoverySpi I get a NullPointerException.  The exception is thrown in
line 963 which is shown below.

959    @Override public void setNodeAttributes(Map<String, Object> attrs, IgniteProductVersion ver) {
960        assert locNodeAttrs == null;
961        assert locNodeVer == null;
962
963        if (log.isDebugEnabled()) {
964            log.debug("Node attributes to set: " + attrs);
965            log.debug("Node version to set: " + ver);
966        }
967
968        locNodeAttrs = attrs;
969        locNodeVer = ver;
970    }

The instance of IgniteLogger named 'log' is null when this method is called. 
This seems like a bug to me but if it's not, am I doing something wrong?  Is
there another way I should be fetching and setting this property on my local
node?




--
View this message in context: http://apache-ignite-users.70518.x6.nabble.com/Authentication-tp11037.html
Sent from the Apache Ignite Users mailing list archive at Nabble.com.

Re: Authentication

Posted by franck102 <fr...@yahoo.com>.
Hi all,

I am reviving this thread because as far as I can tell the initial question
was not answered, and I am hitting the same problem:
"* when a node starts up it needs to fetch the local password and store it
in its own configuration"

... and I can't figure out how to do that?? The only place where the TCP SPI
reads credentials from when creating its join request is from the
org.apache.ignite.security.cred, which as mentioned cannot be set because
the key name is reserved??

Franck




Re: Authentication

Posted by Andrey Mashenkov <an...@gmail.com>.
Hi,

It looks like you need to implement *DiscoverySpiNodeAuthenticator*.
You can use a *ClusterNode* attribute to authenticate the node inside the
*DiscoverySpiNodeAuthenticator.authenticateNode()* method.

You can find in the source code how the
*IgniteNodeAttributes.ATTR_SECURITY_CREDENTIALS* attribute is passed to
*DiscoverySpiNodeAuthenticator.authenticateNode()* as *SecurityCredentials*.




-- 
Best regards,
Andrey V. Mashenkov

Re: NullPointerException for @LoggerResource

Posted by vkulichenko <va...@gmail.com>.
Just use a different name, one that doesn't start with 'org.apache.ignite'.

-Val




Re: NullPointerException for @LoggerResource

Posted by conor <co...@mastercard.com>.
Ah I see, OK.  So I tried it just now as follows:

        IgniteConfiguration cfg = new IgniteConfiguration();

        // Set user attributes
        cfg.setUserAttributes(getUserAttributes());

    private Map<String, Object> getUserAttributes() {
        Map<String, Object> userAttributes = new HashMap<>();
        SecurityCredentials securityCredentials = new SecurityCredentials(getModuleName(), passwordService.getPassword());
        userAttributes.put("org.apache.ignite.security.cred", securityCredentials);
        return userAttributes;
    }


But I get the following error:

Caused by: org.apache.ignite.IgniteCheckedException: User attribute has
illegal name: 'org.apache.ignite.security.cred'. Note that all names
starting with 'org.apache.ignite' are reserved for internal use.

How can I set the security credentials for the local node?





Re: NullPointerException for @LoggerResource

Posted by vkulichenko <va...@gmail.com>.
setNodeAttributes is an SPI interface method and therefore is supposed to be
invoked only by Ignite, not by your code. To add attributes to a node, use
IgniteConfiguration#setUserAttributes.

-Val
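
Added example, not part of the thread and not Ignite project code: one way to write the DiscoverySpiNodeAuthenticator suggested earlier in the thread, reading the shared password from a user attribute whose name avoids the reserved 'org.apache.ignite' prefix. The attribute name, the password supplier and the SecurityContext factory are assumptions; registering the authenticator with the cluster is not shown, and user attributes are visible to every node in the topology.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.function.Function;
import java.util.function.Supplier;
import org.apache.ignite.cluster.ClusterNode;
import org.apache.ignite.internal.processors.security.SecurityContext;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.spi.discovery.DiscoverySpiNodeAuthenticator;

public class SharedPasswordAuthenticator implements DiscoverySpiNodeAuthenticator {
    // Hypothetical attribute name; it must not start with 'org.apache.ignite'.
    public static final String ATTR_SHARED_PASSWORD = "example.cluster.shared.password";
    private final Supplier<String> localPassword;   // e.g. passwordService::getPassword
    // Assumption: the caller supplies a Serializable SecurityContext implementation.
    private final Function<ClusterNode, SecurityContext> ctxFactory;

    public SharedPasswordAuthenticator(Supplier<String> localPassword,
            Function<ClusterNode, SecurityContext> ctxFactory) {
        this.localPassword = localPassword;
        this.ctxFactory = ctxFactory;
    }

    @Override
    public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) {
        // Prefer the attribute the joining node set via IgniteConfiguration#setUserAttributes.
        Object presented = node.attribute(ATTR_SHARED_PASSWORD);
        if (presented == null && cred != null)
            presented = cred.getPassword();
        String expected = localPassword.get();
        if (!(presented instanceof String) || expected == null
                || !sameSecret((String) presented, expected))
            return null; // a null context means authentication failed
        return ctxFactory.apply(node);
    }

    @Override
    public boolean isGlobalNodeAuthentication() {
        return true; // every node checks the joining node, not only the coordinator
    }

    // Compare fixed-length SHA-256 digests so timing does not reveal where the strings differ.
    static boolean sameSecret(String a, String b) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] da = md.digest(a.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(da, md.digest(b.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```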


