Posted to user@ignite.apache.org by wt <wa...@gmail.com> on 2018/08/28 09:39:13 UTC

custom plugin question - jdbc client

I have finally managed to get a plugin working for a white list on Ignite
2.6. I am now going to start working on an authorization for users
connecting to the cluster. 

How can I get clients to pass through a Kerberos ticket to the cluster? I think
I need to override the authorization context class but that would mean that
I need to do it both on the server and the clients for odbc\jdbc etc. 



--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/

Re: custom plugin question - jdbc client

Posted by wt <wa...@gmail.com>.
Hi Taras

I am slightly confused. You are mentioning SSLContext, and looking at those
related classes it doesn't appear to offer authentication and authorization. 



Here is where I currently am with this project.

I have a white list plugin that I will apply to server nodes when they join.
I have yet to implement a check to see if the node is a client or a server
so my assumption at this point is all nodes (clients and servers) will be
validated against the white list. 

The next step is to add user authentication (not the Ignite built-in
version) and also authorization to lock down what users can access and do. 

My current additional classes are:

WhiteListPluginConfiguration implements PluginConfiguration

WhiteListPluginProvider implements
PluginProvider<WhiteListPluginConfiguration>

WhiteListSecurityProcessor
        implements DiscoverySpiNodeAuthenticator,
        GridSecurityProcessor,
        IgnitePlugin


Can you please advise on my next steps such as:

1) what classes I need to override and implement for authentication and
authorization
2) do I need a new plugin or can I extend the one I have written
3) once I have implemented the new classes, where do I override to call into
them
4) do I need to change the code in the odbc and jdbc code base to include my
authentication and authorization

My goal here is to be able to 

1) prevent a vanilla client from connecting without implementing my security
2) enforce odbc and jdbc and java\.net clients authentication and
authorization


I really appreciate any guidance here as there is no documentation to
support doing this. 

Thanks
Wayne


Re: custom plugin question - jdbc client

Posted by Taras Ledkov <tl...@gridgain.com>.
Hi,

You are absolutely right.
In case you use the thin JDBC driver (recommended):
1. You have to define an SSLContext factory for the client connector of the Ignite node [1]

2. And set up an SSL socket factory for the Ignite thin JDBC driver [2]

If you are going to use the JDBCv2 driver, please keep in mind that the
JDBCv2 driver starts an Ignite client node to connect to the Ignite cluster,
and read the documentation [3]

[1] org.apache.ignite.configuration.ClientConnectorConfiguration#setSslContextFactory
(https://ignite.apache.org/releases/latest/javadoc/org/apache/ignite/configuration/ClientConnectorConfiguration.html)
[2] See `sslFactory` property:
https://apacheignite-sql.readme.io/docs/jdbc-driver#jdbc-thin-driver
[3] https://apacheignite-sql.readme.io/docs/jdbc-client-driver

On 28.08.2018 12:39, wt wrote:
> I have finally managed to get a plugin working for a white list on Ignite
> 2.6. I am now going to start working on an authorization for users
> connecting to the cluster.
>
> How can I get clients to pass through a Kerberos ticket to the cluster? I think
> I need to override the authorization context class but that would mean that
> I need to do it both on the server and the clients for odbc\jdbc etc.
>
>
>
> --
> Sent from: http://apache-ignite-users.70518.x6.nabble.com/

-- 
Taras Ledkov
Mail-To: tledkov@gridgain.com
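
The two thin-JDBC steps from the reply above, as an added example that is not part of the original thread or the Ignite project's own code. Keystore paths, passwords and the host are placeholder assumptions, and the client side uses the thin driver's keystore URL properties rather than a custom `sslFactory` class; this secures the transport and checks certificates only, not the per-user authorization asked about in the thread.

```java
// Added example. Keystore paths, passwords and the host are placeholders (assumptions).
import java.sql.Connection;
import java.sql.DriverManager;
import org.apache.ignite.Ignite;
import org.apache.ignite.Ignition;
import org.apache.ignite.configuration.ClientConnectorConfiguration;
import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.ssl.SslContextFactory;

public class ThinJdbcTlsExample {
    public static void main(String[] args) throws Exception {
        // Step 1 (server node): SSLContext factory for the client connector.
        SslContextFactory sslFactory = new SslContextFactory();
        sslFactory.setKeyStoreFilePath("/path/to/server.jks");
        sslFactory.setKeyStorePassword("changeit".toCharArray());
        sslFactory.setTrustStoreFilePath("/path/to/trust.jks");
        sslFactory.setTrustStorePassword("changeit".toCharArray());

        ClientConnectorConfiguration connCfg = new ClientConnectorConfiguration();
        connCfg.setSslEnabled(true);                  // TLS on the thin-client port
        connCfg.setUseIgniteSslContextFactory(false); // use the factory set on this connector
        connCfg.setSslContextFactory(sslFactory);
        connCfg.setSslClientAuth(true);               // reject clients without a trusted certificate

        IgniteConfiguration cfg = new IgniteConfiguration();
        cfg.setClientConnectorConfiguration(connCfg);

        try (Ignite ignite = Ignition.start(cfg)) {
            // Step 2 (client): thin JDBC driver connecting over TLS with its own certificate.
            String url = "jdbc:ignite:thin://127.0.0.1:10800"
                + "?sslMode=require"
                + "&sslClientCertificateKeyStoreUrl=/path/to/client.jks"
                + "&sslClientCertificateKeyStorePassword=changeit"
                + "&sslTrustCertificateKeyStoreUrl=/path/to/trust.jks"
                + "&sslTrustCertificateKeyStorePassword=changeit";

            try (Connection conn = DriverManager.getConnection(url)) {
                System.out.println("TLS connection valid: " + conn.isValid(5));
            }
        }
    }
}
```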