Posted to commits@ignite.apache.org by ni...@apache.org on 2021/08/25 09:22:44 UTC

[ignite] branch master updated: IGNITE-15358 Fix client node reconnect with enabled security (#9348)

This is an automated email from the ASF dual-hosted git repository.

nizhikov pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ignite.git


The following commit(s) were added to refs/heads/master by this push:
     new 94154ac  IGNITE-15358 Fix client node reconnect with enabled security (#9348)
94154ac is described below

commit 94154acfc5f5c400ea5abcaf9ca54b7b250e20ee
Author: Nikolay <ni...@apache.org>
AuthorDate: Wed Aug 25 12:22:14 2021 +0300

    IGNITE-15358 Fix client node reconnect with enabled security (#9348)
---
 .../apache/ignite/internal/IgniteEventsImpl.java   |   1 -
 .../ignite/internal/IgniteSchedulerImpl.java       |  34 ++---
 .../managers/communication/GridIoManager.java      |   6 +-
 .../managers/discovery/GridDiscoveryManager.java   |   6 +-
 .../processors/security/IgniteSecurity.java        |   3 +
 .../security/IgniteSecurityProcessor.java          | 159 +++++++--------------
 .../security/NoOpIgniteSecurityProcessor.java      |  11 +-
 .../security/OperationSecurityContext.java         |   8 +-
 .../security/thread/SecurityAwareCallable.java     |   5 +-
 .../security/thread/SecurityAwareRunnable.java     |   8 +-
 .../discovery/tcp/internal/TcpDiscoveryNode.java   |   2 +-
 .../security/client/ClientReconnectTest.java       |  87 +++++++++++
 .../security/impl/TestSecurityProcessor.java       |   4 -
 .../spi/discovery/tcp/TestReconnectProcessor.java  |   4 +-
 .../ignite/testsuites/SecurityTestSuite.java       |   2 +
 .../zk/internal/ZookeeperClusterNode.java          |   2 +-
 16 files changed, 193 insertions(+), 149 deletions(-)

diff --git a/modules/core/src/main/java/org/apache/ignite/internal/IgniteEventsImpl.java b/modules/core/src/main/java/org/apache/ignite/internal/IgniteEventsImpl.java
index 4e5a7bb..9067bc1 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/IgniteEventsImpl.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/IgniteEventsImpl.java
@@ -191,7 +191,6 @@ public class IgniteEventsImpl extends AsyncSupportAdapter<IgniteEvents> implemen
             final UUID subjId = ctx.security().securityContext().subject().id();
 
             return new SecurityAwarePredicate<>(subjId, res);
-
         }
 
         return res;
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/IgniteSchedulerImpl.java b/modules/core/src/main/java/org/apache/ignite/internal/IgniteSchedulerImpl.java
index 6930d5c..51e46b9 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/IgniteSchedulerImpl.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/IgniteSchedulerImpl.java
@@ -68,7 +68,7 @@ public class IgniteSchedulerImpl implements IgniteScheduler, Externalizable {
         guard();
 
         try {
-            return new IgniteFutureImpl<>(ctx.closure().runLocalSafe(securityRunnable(r), false));
+            return new IgniteFutureImpl<>(ctx.closure().runLocalSafe(localSecureRunnable(r), false));
         }
         finally {
             unguard();
@@ -83,7 +83,7 @@ public class IgniteSchedulerImpl implements IgniteScheduler, Externalizable {
         guard();
 
         try {
-            return ctx.timeout().schedule(securityRunnable(r), timeUnit.toMillis(delay), -1);
+            return ctx.timeout().schedule(localSecureRunnable(r), timeUnit.toMillis(delay), -1);
         }
         finally {
             unguard();
@@ -97,7 +97,7 @@ public class IgniteSchedulerImpl implements IgniteScheduler, Externalizable {
         guard();
 
         try {
-            return new IgniteFutureImpl<>(ctx.closure().callLocalSafe(securityCallable(c), false));
+            return new IgniteFutureImpl<>(ctx.closure().callLocalSafe(localSecureCallable(c), false));
         }
         finally {
             unguard();
@@ -111,7 +111,7 @@ public class IgniteSchedulerImpl implements IgniteScheduler, Externalizable {
         guard();
 
         try {
-            return ctx.schedule().schedule(securityRunnable(job), ptrn);
+            return ctx.schedule().schedule(localSecureRunnable(job), ptrn);
         }
         finally {
             unguard();
@@ -125,7 +125,7 @@ public class IgniteSchedulerImpl implements IgniteScheduler, Externalizable {
         guard();
 
         try {
-            return ctx.schedule().schedule(securityCallable(job), ptrn);
+            return ctx.schedule().schedule(localSecureCallable(job), ptrn);
         }
         finally {
             unguard();
@@ -166,20 +166,20 @@ public class IgniteSchedulerImpl implements IgniteScheduler, Externalizable {
         return ctx.grid().scheduler();
     }
 
-    /**
-     * @return Security aware runnable.
-     */
-    private Runnable securityRunnable(Runnable original) {
-        return ctx.security().enabled() ?
-            new SecurityAwareClosure<Void>(ctx.security().securityContext().subject().id(), original) : original;
+    /** @return Security aware runnable. */
+    private Runnable localSecureRunnable(Runnable original) {
+        if (!ctx.security().enabled() || ctx.security().isDefaultContext())
+            return original;
+
+        return new SecurityAwareClosure<Void>(ctx.security().securityContext().subject().id(), original);
     }
 
-    /**
-     * @return Security aware callable.
-     */
-    private <T> Callable<T> securityCallable(Callable<T> original) {
-        return ctx.security().enabled() ?
-            new SecurityAwareClosure<>(ctx.security().securityContext().subject().id(), original) : original;
+    /** @return Security aware callable. */
+    private <T> Callable<T> localSecureCallable(Callable<T> original) {
+        if (!ctx.security().enabled() || ctx.security().isDefaultContext())
+            return original;
+
+        return new SecurityAwareClosure<>(ctx.security().securityContext().subject().id(), original);
     }
 
     /** */
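Review bot: The Javadoc on `localSecureRunnable` and `localSecureCallable` still says only "Security aware runnable/callable", but both now return `original` unwrapped when security is disabled or `isDefaultContext()` is true. I would spell that out, e.g. `/** @return {@code original} if security is disabled or the current thread is in the default security context, otherwise a closure bound to the current subject ID. */`, and add an `@param original` line. It is also worth stating that an unwrapped task runs under whatever context the executing thread has, which is presumably the default one for pool threads.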
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/managers/communication/GridIoManager.java b/modules/core/src/main/java/org/apache/ignite/internal/managers/communication/GridIoManager.java
index 3f59707..e534c08 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/managers/communication/GridIoManager.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/managers/communication/GridIoManager.java
@@ -2138,10 +2138,8 @@ public class GridIoManager extends GridManagerAdapter<CommunicationSpi<Serializa
         if (ctx.security().enabled()) {
             UUID secSubjId = null;
 
-            UUID curSecSubjId = ctx.security().securityContext().subject().id();
-
-            if (!locNodeId.equals(curSecSubjId))
-                secSubjId = curSecSubjId;
+            if (!ctx.security().isDefaultContext())
+                secSubjId = ctx.security().securityContext().subject().id();
 
             return new GridIoSecurityAwareMessage(secSubjId, plc, topic, topicOrd, msg, ordered, timeout, skipOnTimeout);
         }
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/managers/discovery/GridDiscoveryManager.java b/modules/core/src/main/java/org/apache/ignite/internal/managers/discovery/GridDiscoveryManager.java
index fb5592d..a412d23 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/managers/discovery/GridDiscoveryManager.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/managers/discovery/GridDiscoveryManager.java
@@ -796,6 +796,8 @@ public class GridDiscoveryManager extends GridManagerAdapter<DiscoverySpi> {
                     discoWrk.discoCache = discoCache;
 
                     if (!isLocDaemon && !ctx.clientDisconnected()) {
+                        ctx.security().onLocalJoin();
+
                         ctx.cache().context().versions().onLocalJoin(topVer);
 
                         ctx.cache().context().coordinators().onLocalJoin(discoEvt, discoCache);
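Review bot: Nothing at the new call site says why `ctx.security().onLocalJoin()` has to run before the other `onLocalJoin` handlers, so a later reordering could silently undo the fix. A one-line comment above it would do, e.g. `// Must be first: sets the default security context that the handlers below may rely on.` (inferred from IgniteSecurityProcessor.onLocalJoin assigning `dfltSecCtx` in this commit; please confirm). The same applies to the call added in the client-reconnect branch at `@@ -856,6 +856,8 @@`, where a comment that the default context is rebuilt on every reconnect would help. Both enclosing blocks start and end outside the hunks.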
@@ -806,8 +808,6 @@ public class GridDiscoveryManager extends GridManagerAdapter<DiscoverySpi> {
 
                         ctx.encryption().onLocalJoin();
 
-                        ctx.security().onLocalJoin();
-
                         ctx.cluster().onLocalJoin();
                     }
 
@@ -856,6 +856,8 @@ public class GridDiscoveryManager extends GridManagerAdapter<DiscoverySpi> {
                     assert locNode.isClient() : locNode;
                     assert node.isClient() : node;
 
+                    ctx.security().onLocalJoin();
+
                     boolean clusterRestarted = gridStartTime != getSpi().getGridStartTime();
 
                     gridStartTime = getSpi().getGridStartTime();
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurity.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurity.java
index 73f294d..3cecd8a 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurity.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurity.java
@@ -61,6 +61,9 @@ public interface IgniteSecurity {
      */
     public OperationSecurityContext withContext(UUID nodeId);
 
+    /** @return {@code True} if current thread executed in default security context. */
+    public boolean isDefaultContext();
+
     /**
      * @return SecurityContext of holder {@link OperationSecurityContext}.
      */
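Review bot: `isDefaultContext()` is documented as "current thread executed in default security context" without saying what the default context is or how it relates to `securityContext()`. SecurityAwareRunnable and SecurityAwareCallable branch on it in this commit, so implementers need the contract. Something like `/** @return {@code true} if no security context was set for the current thread through {@code withContext}, i.e. operations run under the local node's context. */` would pin it down. The wording is inferred from IgniteSecurityProcessor in this commit; adjust it if the interface intends something broader.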
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java
index 0f7814d..72cc546 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java
@@ -25,17 +25,14 @@ import java.util.UUID;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.atomic.AtomicInteger;
 import org.apache.ignite.IgniteCheckedException;
-import org.apache.ignite.IgniteException;
 import org.apache.ignite.IgniteLogger;
 import org.apache.ignite.cluster.ClusterNode;
 import org.apache.ignite.internal.GridKernalContext;
 import org.apache.ignite.internal.IgniteInternalFuture;
-import org.apache.ignite.internal.NodeStoppingException;
 import org.apache.ignite.internal.processors.GridProcessor;
 import org.apache.ignite.internal.processors.security.sandbox.AccessControllerSandbox;
 import org.apache.ignite.internal.processors.security.sandbox.IgniteSandbox;
 import org.apache.ignite.internal.processors.security.sandbox.NoOpSandbox;
-import org.apache.ignite.internal.util.future.GridFutureAdapter;
 import org.apache.ignite.internal.util.typedef.F;
 import org.apache.ignite.internal.util.typedef.internal.U;
 import org.apache.ignite.lang.IgniteFuture;
@@ -87,8 +84,8 @@ public class IgniteSecurityProcessor implements IgniteSecurity, GridProcessor {
         return SANDBOXED_NODES_COUNTER.get() > 0;
     }
 
-    /** Current security context. */
-    private final ThreadLocal<SecurityContext> curSecCtx = ThreadLocal.withInitial(this::localSecurityContext);
+    /** Current security context if differs from {@link #dfltSecCtx}. */
+    private final ThreadLocal<SecurityContext> curSecCtx = new ThreadLocal<>();
 
     /** Grid kernal context. */
     private final GridKernalContext ctx;
@@ -108,8 +105,15 @@ public class IgniteSecurityProcessor implements IgniteSecurity, GridProcessor {
     /** Instance of IgniteSandbox. */
     private IgniteSandbox sandbox;
 
-    /** Node local security context ready future. */
-    private final GridFutureAdapter<SecurityContext> nodeSecCtxReadyFut = new GridFutureAdapter<>();
+    /** Default security context. */
+    private volatile SecurityContext dfltSecCtx;
+
+    /** Default operation security context for the case when current and new contexts are default. */
+    private final OperationSecurityContext dfltOpCtx = new OperationSecurityContext(this, null) {
+        @Override public void close() {
+            // No-op.
+        }
+    };
 
     /**
      * @param ctx Grid kernal context.
@@ -130,11 +134,18 @@ public class IgniteSecurityProcessor implements IgniteSecurity, GridProcessor {
     @Override public OperationSecurityContext withContext(SecurityContext secCtx) {
         assert secCtx != null;
 
-        SecurityContext old = curSecCtx.get();
+        SecurityContext dflt = dfltSecCtx;
+        SecurityContext cur = curSecCtx.get();
+
+        boolean isNewCtxDflt = secCtx == dflt;
+        boolean isCurCtxDflt = cur == null;
+
+        if (isCurCtxDflt && isNewCtxDflt)
+            return dfltOpCtx;
 
-        curSecCtx.set(secCtx);
+        curSecCtx.set(isNewCtxDflt ? null : secCtx);
 
-        return new OperationSecurityContext(this, old);
+        return new OperationSecurityContext(this, isCurCtxDflt ? null : cur);
     }
 
     /** {@inheritDoc} */
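Review bot: `secCtx == dflt` is a reference comparison and `null` in `curSecCtx` now stands for "default", but neither convention is written down in the method. A context that equals the default one but is a different instance (for example one obtained before `dfltSecCtx` was reassigned) is stored in the thread-local as non-default and stays in effect on that thread until the returned holder is closed. If that is intended, a short comment such as `// Identity check on purpose: null in curSecCtx means "use the current dfltSecCtx".` would make it clear; otherwise compare by subject ID. The comment should also mention that `dflt` is `null` until the first `onLocalJoin()`.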
@@ -143,34 +154,44 @@ public class IgniteSecurityProcessor implements IgniteSecurity, GridProcessor {
             ClusterNode node = Optional.ofNullable(ctx.discovery().node(subjId))
                 .orElseGet(() -> ctx.discovery().historicalNode(subjId));
 
-            SecurityContext res = node != null ? secCtxs.computeIfAbsent(subjId,
-                uuid -> nodeSecurityContext(marsh, U.resolveClassLoader(ctx.config()), node))
-                : secPrc.securityContext(subjId);
+            SecurityContext res;
+
+            if (node == null)
+                res = secPrc.securityContext(subjId);
+            else if (dfltSecCtx.subject().id().equals(subjId))
+                res = dfltSecCtx;
+            else
+                res = secCtxs.computeIfAbsent(subjId, uuid -> nodeSecurityContext(marsh, U.resolveClassLoader(ctx.config()), node));
+
+            if (res == null) {
+                throw new IllegalStateException("Failed to find security context " +
+                    "for subject with given ID : " + subjId);
+            }
 
-            if (res != null)
-                return withContext(res);
+            return withContext(res);
         }
         catch (Throwable e) {
             log.error(FAILED_OBTAIN_SEC_CTX_MSG, e);
 
             throw e;
         }
+    }
 
-        IllegalStateException error = new IllegalStateException("Failed to find security context " +
-            "for subject with given ID : " + subjId);
-
-        log.error(FAILED_OBTAIN_SEC_CTX_MSG, error);
+    /** Restores local node context for the current thread. */
+    void restoreDefaultContext() {
+        curSecCtx.set(null);
+    }
 
-        throw error;
+    /** {@inheritDoc} */
+    @Override public boolean isDefaultContext() {
+        return curSecCtx.get() == null;
     }
 
     /** {@inheritDoc} */
     @Override public SecurityContext securityContext() {
         SecurityContext res = curSecCtx.get();
 
-        assert res != null;
-
-        return res;
+        return res == null ? dfltSecCtx : res;
     }
 
     /** {@inheritDoc} */
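Review bot: `dfltSecCtx` stays `null` until the first `onLocalJoin()`, and nothing in this hunk guards against that: `dfltSecCtx.subject().id()` in `withContext(UUID)` would throw a NullPointerException, and `securityContext()` now returns `null` where the removed `assert res != null` used to hold. The following hunk (`authorize`) keeps only `assert secCtx != null`, so with assertions disabled a `null` context would be passed on to the rest of `authorize` (its body continues outside the hunk); whether any caller can get there before the local join is not visible here. I would fail closed explicitly in `authorize`, e.g. `if (secCtx == null) throw new SecurityException("Security context is not initialized [name=" + name + ", perm=" + perm + ']');`. In `withContext(UUID)` read the volatile field once, `SecurityContext dflt = dfltSecCtx;` then `else if (dflt != null && dflt.subject().id().equals(subjId)) res = dflt;`, so a reassignment on reconnect cannot slip in between the check and the use. `withContext(UUID)` starts outside the hunk.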
@@ -206,7 +227,7 @@ public class IgniteSecurityProcessor implements IgniteSecurity, GridProcessor {
 
     /** {@inheritDoc} */
     @Override public void authorize(String name, SecurityPermission perm) throws SecurityException {
-        SecurityContext secCtx = curSecCtx.get();
+        SecurityContext secCtx = securityContext();
 
         assert secCtx != null;
 
@@ -299,11 +320,6 @@ public class IgniteSecurityProcessor implements IgniteSecurity, GridProcessor {
 
     /** {@inheritDoc} */
     @Override public void onKernalStop(boolean cancel) {
-        if (!nodeSecCtxReadyFut.isDone()) {
-            nodeSecCtxReadyFut.onDone(new NodeStoppingException(
-                "Failed to wait for local node security context initialization (grid is stopping)."));
-        }
-
         secPrc.onKernalStop(cancel);
     }
 
@@ -380,37 +396,10 @@ public class IgniteSecurityProcessor implements IgniteSecurity, GridProcessor {
 
     /** {@inheritDoc} */
     @Override public void onLocalJoin() {
-        try {
-            SecurityContext secCtx = nodeSecurityContext(
-                marsh,
-                U.resolveClassLoader(ctx.config()),
-                ctx.discovery().localNode());
-
-            nodeSecCtxReadyFut.onDone(secCtx);
-        }
-        catch (Throwable e) {
-            nodeSecCtxReadyFut.onDone(e);
-
-            throw e;
-        }
-    }
-
-    /**
-     * Getting local node's security context.
-     *
-     * @return Security context of local node.
-     */
-    private SecurityContext localSecurityContext() {
-        if (nodeSecCtxReadyFut.isDone()) {
-            try {
-                return nodeSecCtxReadyFut.get();
-            }
-            catch (IgniteCheckedException e) {
-                throw new IgniteException(e);
-            }
-        }
-
-        return new DeferredSecurityContext(nodeSecCtxReadyFut);
+        dfltSecCtx = nodeSecurityContext(
+            marsh,
+            U.resolveClassLoader(ctx.config()),
+            ctx.discovery().localNode());
     }
 
     /**
@@ -436,54 +425,4 @@ public class IgniteSecurityProcessor implements IgniteSecurity, GridProcessor {
     public GridSecurityProcessor securityProcessor() {
         return secPrc;
     }
-
-    /**
-     * Represents {@link SecurityContext} wrapper that blocks all interface methods until security context becomes
-     * available. The main reason of such implementation is that local node security context is undefined until node
-     * joins the topology.
-     */
-    public static class DeferredSecurityContext implements SecurityContext {
-        /** */
-        private final GridFutureAdapter<SecurityContext> fut;
-
-        /** */
-        public DeferredSecurityContext(GridFutureAdapter<SecurityContext> fut) {
-            this.fut = fut;
-        }
-
-        /** {@inheritDoc} */
-        @Override public SecuritySubject subject() {
-            return delegate().subject();
-        }
-
-        /** {@inheritDoc} */
-        @Override public boolean taskOperationAllowed(String taskClsName, SecurityPermission perm) {
-            return delegate().taskOperationAllowed(taskClsName, perm);
-        }
-
-        /** {@inheritDoc} */
-        @Override public boolean cacheOperationAllowed(String cacheName, SecurityPermission perm) {
-            return delegate().cacheOperationAllowed(cacheName, perm);
-        }
-
-        /** {@inheritDoc} */
-        @Override public boolean serviceOperationAllowed(String srvcName, SecurityPermission perm) {
-            return delegate().serviceOperationAllowed(srvcName, perm);
-        }
-
-        /** {@inheritDoc} */
-        @Override public boolean systemOperationAllowed(SecurityPermission perm) {
-            return delegate().systemOperationAllowed(perm);
-        }
-
-        /** */
-        public SecurityContext delegate() {
-            try {
-                return fut.get();
-            }
-            catch (IgniteCheckedException e) {
-                throw new IgniteException(e);
-            }
-        }
-    }
 }
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/NoOpIgniteSecurityProcessor.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/NoOpIgniteSecurityProcessor.java
index 8205fc2..bb079dc 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/NoOpIgniteSecurityProcessor.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/NoOpIgniteSecurityProcessor.java
@@ -46,7 +46,11 @@ public class NoOpIgniteSecurityProcessor extends GridProcessorAdapter implements
     public static final String SECURITY_DISABLED_ERROR_MSG = "Operation cannot be performed: Ignite security disabled.";
 
     /** No operation security context. */
-    private final OperationSecurityContext opSecCtx = new OperationSecurityContext(this, null);
+    private final OperationSecurityContext opSecCtx = new OperationSecurityContext(this, null) {
+        @Override public void close() {
+            // No-op.
+        }
+    };
 
     /** Instance of IgniteSandbox. */
     private final IgniteSandbox sandbox = new NoOpSandbox();
@@ -69,6 +73,11 @@ public class NoOpIgniteSecurityProcessor extends GridProcessorAdapter implements
     }
 
     /** {@inheritDoc} */
+    @Override public boolean isDefaultContext() {
+        return true;
+    }
+
+    /** {@inheritDoc} */
     @Override public SecurityContext securityContext() {
         return null;
     }
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/OperationSecurityContext.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/OperationSecurityContext.java
index 3fdac47..7f65d94 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/OperationSecurityContext.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/OperationSecurityContext.java
@@ -32,15 +32,15 @@ public class OperationSecurityContext implements AutoCloseable {
      * @param secCtx Security context.
      */
     OperationSecurityContext(IgniteSecurity proc, SecurityContext secCtx) {
-        assert proc != null;
-        assert secCtx != null || !proc.enabled();
-
         this.proc = proc;
         this.secCtx = secCtx;
     }
 
     /** {@inheritDoc} */
     @Override public void close() {
-        proc.withContext(secCtx);
+        if (secCtx == null)
+            ((IgniteSecurityProcessor)proc).restoreDefaultContext();
+        else
+            proc.withContext(secCtx);
     }
 }
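Review bot: `close()` downcasts `proc` to `IgniteSecurityProcessor` although the field is typed as the `IgniteSecurity` interface, so any other implementation that hands out a holder with `secCtx == null` fails with a ClassCastException while restoring the context. NoOpIgniteSecurityProcessor avoids that in this commit only by overriding `close()`. With both constructor asserts removed, nothing documents or enforces the invariant; I would keep `assert proc != null;` and make the dependency explicit, for example by declaring `restoreDefaultContext()` on `IgniteSecurity` so the cast disappears. The `@param secCtx` Javadoc should also say that `null` means "restore the default context on close".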
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/thread/SecurityAwareCallable.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/thread/SecurityAwareCallable.java
index 049403b..ce39802 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/thread/SecurityAwareCallable.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/thread/SecurityAwareCallable.java
@@ -45,11 +45,14 @@ public class SecurityAwareCallable<T> implements Callable<T> {
 
         this.delegate = delegate;
         this.security = security;
-        secCtx = security.securityContext();
+        secCtx = security.isDefaultContext() ? null : security.securityContext();
     }
 
     /** {@inheritDoc} */
     @Override public T call() throws Exception {
+        if (secCtx == null)
+            return delegate.call();
+
         try (OperationSecurityContext ignored = security.withContext(secCtx)) {
             return delegate.call();
         }
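Review bot: When the wrapper is created in the default context, `secCtx` is `null` and `call()` invokes the delegate directly, so the task runs under whatever context the executing thread carries at that moment rather than under the default one the submitter had. That is equivalent only if executor threads are always back in the default context when they pick up work, which is not visible in this diff. Please state the assumption next to the early return, e.g. `// Created in the default context: relies on the executing thread being in the default context too.`, or restore the default context explicitly before delegating. SecurityAwareRunnable.run() in the next file has the same shortcut.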
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/thread/SecurityAwareRunnable.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/thread/SecurityAwareRunnable.java
index a5cb861..c74769c 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/thread/SecurityAwareRunnable.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/thread/SecurityAwareRunnable.java
@@ -42,11 +42,17 @@ public class SecurityAwareRunnable implements Runnable {
 
         this.delegate = delegate;
         this.security = security;
-        secCtx = security.securityContext();
+        secCtx = security.isDefaultContext() ? null : security.securityContext();
     }
 
     /** {@inheritDoc} */
     @Override public void run() {
+        if (secCtx == null) {
+            delegate.run();
+
+            return;
+        }
+
         try (OperationSecurityContext ignored = security.withContext(secCtx)) {
             delegate.run();
         }
diff --git a/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/internal/TcpDiscoveryNode.java b/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/internal/TcpDiscoveryNode.java
index 97edb64..b333e4d 100644
--- a/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/internal/TcpDiscoveryNode.java
+++ b/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/internal/TcpDiscoveryNode.java
@@ -63,7 +63,7 @@ public class TcpDiscoveryNode extends GridMetadataAwareAdapter implements Ignite
     private static final long serialVersionUID = 0L;
 
     /** Node ID. */
-    private UUID id;
+    private volatile UUID id;
 
     /** Consistent ID. */
     @GridToStringInclude
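Review bot: `id` becomes `volatile` with no comment on which write needs the visibility guarantee. Presumably it is the reassignment on client disconnect (ClientReconnectTest in this commit points at `TcpDiscoveryNode#onClientDisconnected(UUID)`), read from other threads; a line such as `/** Node ID. Reassigned on client disconnect, hence volatile. */` would record that. ZookeeperClusterNode gets the same change at the end of the diff, and its `/** */` Javadoc is empty.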
diff --git a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/ClientReconnectTest.java b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/ClientReconnectTest.java
new file mode 100644
index 0000000..5de6c11
--- /dev/null
+++ b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/ClientReconnectTest.java
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.security.client;
+
+import java.util.UUID;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+import org.apache.ignite.cluster.ClusterNode;
+import org.apache.ignite.configuration.IgniteConfiguration;
+import org.apache.ignite.internal.GridKernalContext;
+import org.apache.ignite.internal.IgniteEx;
+import org.apache.ignite.internal.processors.security.GridSecurityProcessor;
+import org.apache.ignite.internal.processors.security.SecurityContext;
+import org.apache.ignite.plugin.security.SecurityCredentials;
+import org.apache.ignite.spi.discovery.DiscoverySpi;
+import org.apache.ignite.spi.discovery.TestReconnectSecurityPluginProvider;
+import org.apache.ignite.spi.discovery.tcp.TestReconnectProcessor;
+import org.apache.ignite.spi.discovery.tcp.internal.TcpDiscoveryNode;
+import org.apache.ignite.testframework.junits.common.GridCommonAbstractTest;
+import org.junit.Test;
+
+import static org.apache.ignite.events.EventType.EVT_CLIENT_NODE_RECONNECTED;
+
+/**
+ * Tests client node can reconnect cluster based only on node id which changed on disconnect.
+ * @see TcpDiscoveryNode#onClientDisconnected(UUID)
+ */
+public class ClientReconnectTest extends GridCommonAbstractTest {
+    /** {@inheritDoc} */
+    @Override protected IgniteConfiguration getConfiguration(String igniteInstanceName) throws Exception {
+        return super.getConfiguration(igniteInstanceName).setPluginProviders(new TestReconnectSecurityPluginProvider() {
+            @Override protected GridSecurityProcessor securityProcessor(GridKernalContext ctx) {
+                return new TestReconnectProcessor(ctx) {
+                    @Override public SecurityContext securityContext(UUID subjId) {
+                        if (ctx.localNodeId().equals(subjId))
+                            return ctx.security().securityContext();
+
+                        fail("Unexpected subjId[subjId=" + subjId + ", localNodeId=" + ctx.localNodeId() + ']');
+
+                        return null;
+                    }
+
+                    @Override public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) {
+                        return new TestSecurityContext(new TestSecuritySubject(node.id()));
+                    }
+                };
+            }
+        });
+    }
+
+    /** */
+    @Test
+    public void testClientNodeReconnected() throws Exception {
+        startGrids(2);
+
+        IgniteEx cli = startClientGrid(2);
+
+        CountDownLatch latch = new CountDownLatch(1);
+
+        cli.events().localListen(evt -> {
+            latch.countDown();
+
+            return true;
+        }, EVT_CLIENT_NODE_RECONNECTED);
+
+        DiscoverySpi discoverySpi = ignite(0).configuration().getDiscoverySpi();
+
+        discoverySpi.failNode(nodeId(2), null);
+
+        assertTrue(latch.await(getTestTimeout(), TimeUnit.MILLISECONDS));
+    }
+}
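Review bot: `fail(...)` inside the overridden `securityContext(UUID)` runs on whichever Ignite thread resolves the subject, not on the JUnit thread, so the AssertionError it throws may only be logged and rethrown inside the node; the test would then go red, if at all, through the latch timeout rather than with the real reason. The test also asserts only that `EVT_CLIENT_NODE_RECONNECTED` fired, not which subject the client runs under afterwards. I would record the unexpected ID in an `AtomicReference<UUID>` field and check it on the test thread after the latch, `assertNull(unexpectedSubjId.get());`, and add `assertEquals(cli.localNode().id(), cli.context().security().securityContext().subject().id());`. How the base class treats errors raised on other threads is not visible here.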
diff --git a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityProcessor.java b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityProcessor.java
index d7113bf..2cdf349 100644
--- a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityProcessor.java
+++ b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityProcessor.java
@@ -32,7 +32,6 @@ import org.apache.ignite.internal.GridKernalContext;
 import org.apache.ignite.internal.IgniteNodeAttributes;
 import org.apache.ignite.internal.processors.GridProcessorAdapter;
 import org.apache.ignite.internal.processors.security.GridSecurityProcessor;
-import org.apache.ignite.internal.processors.security.IgniteSecurityProcessor.DeferredSecurityContext;
 import org.apache.ignite.internal.processors.security.SecurityContext;
 import org.apache.ignite.internal.util.typedef.F;
 import org.apache.ignite.plugin.security.AuthenticationContext;
@@ -153,9 +152,6 @@ public class TestSecurityProcessor extends GridProcessorAdapter implements GridS
     /** {@inheritDoc} */
     @Override public void authorize(String name, SecurityPermission perm, SecurityContext securityCtx)
         throws SecurityException {
-        if (securityCtx instanceof DeferredSecurityContext)
-            securityCtx = ((DeferredSecurityContext)securityCtx).delegate();
-
         if (!((TestSecurityContext)securityCtx).operationAllowed(name, perm))
             throw new SecurityException("Authorization failed [perm=" + perm +
                 ", name=" + name +
diff --git a/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TestReconnectProcessor.java b/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TestReconnectProcessor.java
index 6a8dfeb..41befe9 100644
--- a/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TestReconnectProcessor.java
+++ b/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TestReconnectProcessor.java
@@ -109,7 +109,7 @@ public class TestReconnectProcessor extends GridProcessorAdapter implements Grid
     /**
      *
      */
-    private static class TestSecuritySubject implements SecuritySubject {
+    public static class TestSecuritySubject implements SecuritySubject {
 
         /** Id. */
         private final UUID id;
@@ -150,7 +150,7 @@ public class TestReconnectProcessor extends GridProcessorAdapter implements Grid
     /**
      *
      */
-    private static class TestSecurityContext implements SecurityContext, Serializable {
+    public static class TestSecurityContext implements SecurityContext, Serializable {
         /** Serial version uid. */
         private static final long serialVersionUID = 0L;
 
diff --git a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
index 46bcf92..d9e3583 100644
--- a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
+++ b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
@@ -32,6 +32,7 @@ import org.apache.ignite.internal.processors.security.cache.closure.ScanQueryRem
 import org.apache.ignite.internal.processors.security.client.AdditionalSecurityCheckTest;
 import org.apache.ignite.internal.processors.security.client.AdditionalSecurityCheckWithGlobalAuthTest;
 import org.apache.ignite.internal.processors.security.client.AttributeSecurityCheckTest;
+import org.apache.ignite.internal.processors.security.client.ClientReconnectTest;
 import org.apache.ignite.internal.processors.security.client.IgniteClientContainSubjectAddressTest;
 import org.apache.ignite.internal.processors.security.client.ThinClientPermissionCheckSecurityTest;
 import org.apache.ignite.internal.processors.security.client.ThinClientPermissionCheckTest;
@@ -83,6 +84,7 @@ import org.junit.runners.Suite;
     ThinClientPermissionCheckSecurityTest.class,
     ContinuousQueryPermissionCheckTest.class,
     IgniteClientContainSubjectAddressTest.class,
+    ClientReconnectTest.class,
     SnapshotPermissionCheckTest.class,
 
     DistributedClosureRemoteSecurityContextCheckTest.class,
diff --git a/modules/zookeeper/src/main/java/org/apache/ignite/spi/discovery/zk/internal/ZookeeperClusterNode.java b/modules/zookeeper/src/main/java/org/apache/ignite/spi/discovery/zk/internal/ZookeeperClusterNode.java
index 39eed37..264a315 100644
--- a/modules/zookeeper/src/main/java/org/apache/ignite/spi/discovery/zk/internal/ZookeeperClusterNode.java
+++ b/modules/zookeeper/src/main/java/org/apache/ignite/spi/discovery/zk/internal/ZookeeperClusterNode.java
@@ -54,7 +54,7 @@ public class ZookeeperClusterNode implements IgniteClusterNode, Externalizable,
     private static final byte CLIENT_NODE_MASK = 0x01;
 
     /** */
-    private UUID id;
+    private volatile UUID id;
 
     /** */
     private Serializable consistentId;