Posted to dev@ignite.apache.org by Denis Garus <ga...@gmail.com> on 2021/04/06 17:14:15 UTC

Review for IGNITE-13112 The current security context should be obtained using the IgniteSecurity interface only.

Hello, Igniters!

I've raised the PR [1] for the issue [2].
Could somebody review it?

Suggested implementation

If Ignite Security (IS) is enabled, then executors accessed through the
PoolProcessor are wrapped in a security-aware implementation. The
security-aware implementation sets the proper security context for tasks
that the executor performs.

The subject id field was deleted from communication requests for cache and
compute operations; a remote node gets the subject id that initiates the
Ignite operation from GridIoSecurityAwareMessage. IgniteSecurity uses this
id to set a proper security context during the execution of the request.

Remove GridTaskThreadContextKey#TC_SUBJ_ID and
GridCacheContext#subjectIdPerCall; a consumer has to obtain the current
security subject id through IgniteSecurity or the set of SecurityUtils
methods.

For all events that include the subject id field, the following rule is set.
If IS is enabled, this field must contain the subject id that initiates
an Ignite operation, otherwise null.

Implement SecurityAwareCustomMessageWrapper for discovery requests that acts
as GridIoSecurityAwareMessage does for communication requests. It allows
setting the proper context during the discovery message execution.

Implement SecurityAwareGridRestCommandHandler to allow GridRestProcessor
to execute all client requests with the proper security context.

1. https://github.com/apache/ignite/pull/8038
2. https://issues.apache.org/jira/browse/IGNITE-13112
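
The executor wrapping described in the message above, sketched as an added example; it is not code from the PR or from Apache Ignite. `CURRENT_SUBJECT` and `SecurityAwareExecutor` are hypothetical names, and a plain `ThreadLocal` stands in for the security context that IgniteSecurity manages.

```java
import java.util.UUID;
import java.util.concurrent.*;

public class SecurityAwareExecutorDemo {
    /** Hypothetical stand-in for the holder of the current security subject id. */
    static final ThreadLocal<UUID> CURRENT_SUBJECT = new ThreadLocal<>();

    /** Hypothetical wrapper: captures the submitter's subject id and applies it around the task. */
    static final class SecurityAwareExecutor implements Executor {
        private final Executor delegate;

        SecurityAwareExecutor(Executor delegate) { this.delegate = delegate; }

        @Override public void execute(Runnable task) {
            final UUID subjId = CURRENT_SUBJECT.get(); // captured on the submitting thread

            delegate.execute(() -> {
                UUID prev = CURRENT_SUBJECT.get();
                CURRENT_SUBJECT.set(subjId);
                try {
                    task.run();
                }
                finally {
                    // Restore, so a pooled thread never carries one subject into the next task.
                    if (prev == null) CURRENT_SUBJECT.remove(); else CURRENT_SUBJECT.set(prev);
                }
            });
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Executor secure = new SecurityAwareExecutor(pool);
        UUID alice = UUID.randomUUID(); // constructed sample subject id

        CompletableFuture<UUID> seenWrapped = new CompletableFuture<>();
        CURRENT_SUBJECT.set(alice);
        secure.execute(() -> seenWrapped.complete(CURRENT_SUBJECT.get()));
        CURRENT_SUBJECT.remove();

        // Same pooled thread, submitted without the wrapper: must not see alice.
        Callable<UUID> probe = () -> CURRENT_SUBJECT.get();
        Future<UUID> seenAfter = pool.submit(probe);

        System.out.println("wrapped task saw submitter: " + alice.equals(seenWrapped.get()));
        System.out.println("context leaked to next task: " + (seenAfter.get() != null));
        pool.shutdown();
    }
}
```

The restore in `finally` is the part worth reviewing in any such wrapper: without it, a pooled thread keeps the previous caller's subject and the next task runs with someone else's permissions.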

Re: Review for IGNITE-13112 The current security context should be obtained using the IgniteSecurity interface only.

Posted by Denis Garus <ga...@gmail.com>.
Maksim, ok.

Let me know if you have any questions.

Wed, Apr 21, 2021 at 17:51, Maksim Stepachev <ma...@gmail.com>:

> Please wait. I'm watching your review.
>
> Tue, Apr 6, 2021 at 20:14, Denis Garus <ga...@gmail.com>:
>
> > Hello, Igniters!
> >
> > I've raised the PR [1] for the issue [2].
> > Could somebody review it?
> >
> > Suggested implementation
> >
> > If Ignite Security (IS) is enabled, then executors, accessed through the
> > PoolProcessor,
> > are wrapped to a security-aware implementation. Security-aware
> > implementation sets proper
> > security context for tasks that the executor performs.
> >
> > The field subject id was deleted from communication requests for cache and
> > compute operations;
> > a remote node gets the subject id that initiates the ignite operation from
> > GridIoSecurityAwareMessage.
> > IgniteSecurity uses this id to set a proper security context during the
> > execution of the request.
> >
> > Remove GridTaskThreadContextKey#TC_SUBJ_ID,
> > GridCacheContext#subjectIdPerCall;
> > a consumer has to obtain a current security subject id through
> > IgniteSecurity
> > or the set of SecurityUtils methods.
> >
> > For all events that include the subject id field, are set the following
> > rule.
> > If IS is enabled, this field must contain a subject id that initiates
> > an ignite operation, otherwise null.
> >
> > Implement SecurityAwareCustomMessageWrapper for discovery requests that act
> > as
> > GridIoSecurityAwareMessage for communication requests. It allows setting
> > proper
> > context during the discovery message execution.
> >
> > Implement SecurityAwareGridRestCommandHandler to allow GridRestProcessor
> > to execute all client requests with the proper security context.
> >
> > 1. https://github.com/apache/ignite/pull/8038
> > 2. https://issues.apache.org/jira/browse/IGNITE-13112
> >
>

Re: Review for IGNITE-13112 The current security context should be obtained using the IgniteSecurity interface only.

Posted by Maksim Stepachev <ma...@gmail.com>.
Please wait. I'm watching your review.

Tue, Apr 6, 2021 at 20:14, Denis Garus <ga...@gmail.com>:

> Hello, Igniters!
>
> I've raised the PR [1] for the issue [2].
> Could somebody review it?
>
> Suggested implementation
>
> If Ignite Security (IS) is enabled, then executors, accessed through the
> PoolProcessor,
> are wrapped to a security-aware implementation. Security-aware
> implementation sets proper
> security context for tasks that the executor performs.
>
> The field subject id was deleted from communication requests for cache and
> compute operations;
> a remote node gets the subject id that initiates the ignite operation from
> GridIoSecurityAwareMessage.
> IgniteSecurity uses this id to set a proper security context during the
> execution of the request.
>
> Remove GridTaskThreadContextKey#TC_SUBJ_ID,
> GridCacheContext#subjectIdPerCall;
> a consumer has to obtain a current security subject id through
> IgniteSecurity
> or the set of SecurityUtils methods.
>
> For all events that include the subject id field, are set the following
> rule.
> If IS is enabled, this field must contain a subject id that initiates
> an ignite operation, otherwise null.
>
> Implement SecurityAwareCustomMessageWrapper for discovery requests that act
> as
> GridIoSecurityAwareMessage for communication requests. It allows setting
> proper
> context during the discovery message execution.
>
> Implement SecurityAwareGridRestCommandHandler to allow GridRestProcessor
> to execute all client requests with the proper security context.
>
> 1. https://github.com/apache/ignite/pull/8038
> 2. https://issues.apache.org/jira/browse/IGNITE-13112
>