Posted to user@ignite.apache.org by Sankar Ramiah <sa...@kp.org> on 2019/11/06 10:26:17 UTC

Not able to start second server node due to authentication failure

I have implemented custom authentication and authorization through a plugin.

    public class MyPlugin implements GridSecurityProcessor, IgnitePlugin {

Implemented authenticateNode method which bypasses authentication for server
nodes and returns a security context instance. validateNode is returning
null always. When I start the second server node, authenticateNode is being
invoked and it goes through code which bypasses authentication but the
startup fails after that with Authentication Failed error. validateNode
doesn't seem to be invoked.

ERROR: org.apache.ignite.internal.IgniteKernal - Got exception while starting (will rollback startup routine).
org.apache.ignite.IgniteCheckedException: Failed to start manager: GridManagerAdapter [enabled=true, name=org.apache.ignite.internal.managers.discovery.GridDiscoveryManager]
        at org.apache.ignite.internal.IgniteKernal.startManager(IgniteKernal.java:1687) ~[ignite-core-2.7.0.jar!/:2.7.0]
        at org.apache.ignite.internal.IgniteKernal.start(IgniteKernal.java:1066) [ignite-core-2.7.0.jar!/:2.7.0]
        at org.apache.ignite.internal.IgnitionEx$IgniteNamedInstance.start0(IgnitionEx.java:2038) [ignite-core-2.7.0.jar!/:2.7.0]
Caused by: org.apache.ignite.IgniteCheckedException: Failed to start SPI: TcpDiscoverySpi [addrRslvr=null, sockTimeout=5000, ackTimeout=5000, marsh=JdkMarshaller [clsFilter=org.apache.ignite.marshaller.MarshallerUtils$1@5b51df3f], reconCnt=10, reconDelay=2000, maxAckTimeout=600000, forceSrvMode=false, clientReconnectDisabled=false, internalLsnr=null]
        at org.apache.ignite.internal.managers.GridManagerAdapter.startSpi(GridManagerAdapter.java:300) ~[ignite-core-2.7.0.jar!/:2.7.0]
        at org.apache.ignite.internal.managers.discovery.GridDiscoveryManager.start(GridDiscoveryManager.java:939) ~[ignite-core-2.7.0.jar!/:2.7.0]
        at org.apache.ignite.internal.IgniteKernal.startManager(IgniteKernal.java:1682) ~[ignite-core-2.7.0.jar!/:2.7.0]
        ... 66 more
Caused by: org.apache.ignite.spi.IgniteSpiException: Authentication failed [nodeId=e3ab993e-0acf-4e55-86a7-473989e0fdca, addr=0.0.0.0]
        at org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi.authenticationFailedError(TcpDiscoverySpi.java:1935) ~[ignite-core-2.7.0.jar!/:2.7.0]
        at org.apache.ignite.spi.discovery.tcp.ServerImpl.joinTopology(ServerImpl.java:967) ~[ignite-core-2.7.0.jar!/:2.7.0]
        at org.apache.ignite.spi.discovery.tcp.ServerImpl.spiStart(ServerImpl.java:391) ~[ignite-core-2.7.0.jar!/:2.7.0]
        at org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi.spiStart(TcpDiscoverySpi.java:2020) ~[ignite-core-2.7.0.jar!/:2.7.0]
        at org.apache.ignite.internal.managers.GridManagerAdapter.startSpi(GridManagerAdapter.java:297) ~[ignite-core-2.7.0.jar!/:2.7.0]


I have spent quite some time with this error. The first node starts without
any issues. Multiple servers start fine without the security plugin in place.
Any help in this regard would be highly appreciated. Thanks.



--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/

Re: Not able to start second server node due to authentication failure

Posted by Andrei Aleksandrov <ae...@gmail.com>.
Hi,

It's correct that SecurityContext is null in your case:

     SecurityContext subj = spi.nodeAuth.authenticateNode(node, cred);

     if (subj == null) {
         // Node has not pass authentication.
         LT.warn(log, "Authentication failed [nodeId=" + node.id() +
             ", addrs=" + U.addressesAsString(node) + ']');

This subject should be returned from security processor (here spi is 
DiscoverySPI):

             spi.setAuthenticator(new DiscoverySpiNodeAuthenticator() {
                 @Override public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) {
                     try {
                         return ctx.security().authenticateNode(node, cred);
                     }
                     catch (IgniteCheckedException e) {
                         throw U.convertException(e);
                     }
                 }

                 @Override public boolean isGlobalNodeAuthentication() {
                     return ctx.security().isGlobalNodeAuthentication();
                 }
             });

 From ctx.security().authenticateNode(node, cred); method.

But there is no security processor by default in Ignite. However, looks 
like you should re-implement your DiscoverySPI and setAuthenticator method:

https://ignite.apache.org/releases/latest/javadoc/org/apache/ignite/spi/discovery/DiscoverySpi.html#setAuthenticator-org.apache.ignite.spi.discovery.DiscoverySpiNodeAuthenticator-

BR,
Andrei


Re: Not able to start second server node due to authentication failure

Posted by Maksim Stepachev <ma...@gmail.com>.
Hi,

Look at the parent of DataStreamerPermissionCheckTest. This code contains a
test implementation of
security: org.apache.ignite.internal.processors.security.impl.*

On Wed, 13 Nov 2019 at 15:24, Sankar Ramiah <sa...@kp.org> wrote:

> Thank you Andrei and Zaheer for your response.
>
> I have tried setting a security subject with defaultAllowAll true for the
> server node but there is no change in the output. It is going through
> authenticateNode of my plugin (that implements GridSecurityProcessor),
> creates security subject, sets it to my security context and returns the
> same. It still throws the same Authentication Failed error (as given in my
> previous post) after executing authenticateNode.
>
> Another thing that bothers me is that validateNode is not being invoked
> when the second server node is started. I am still stuck with this issue.
>

Re: Not able to start second server node due to authentication failure

Posted by Sankar Ramiah <sa...@kp.org>.
Thank you Andrei and Zaheer for your response.

I have tried setting a security subject with defaultAllowAll true for the
server node but there is no change in the output. It is going through
authenticateNode of my plugin (that implements GridSecurityProcessor),
creates security subject, sets it to my security context and returns the
same. It still throws the same Authentication Failed error (as given in my
previous post) after executing authenticateNode.

Another thing that bothers me is that validateNode is not being invoked
when the second server node is started. I am still stuck with this issue.




Re: Not able to start second server node due to authentication failure

Posted by Zaheer <za...@gmail.com>.
Hi Sankar,

What Andrei said is correct. We need to return a security subject. I faced
this problem and solved it like this:

*1. Create your own SecurityPermissionSet class that implements
org.apache.ignite.plugin.security.SecurityPermissionSet.*

    import java.io.Serializable;
    import java.util.Collection;
    import java.util.Map;
    import org.apache.ignite.plugin.security.SecurityPermission;
    import org.apache.ignite.plugin.security.SecurityPermissionSet;
    import org.jetbrains.annotations.Nullable;

    public class TestSecurityPermissionSet implements SecurityPermissionSet, Serializable {
        private boolean defaultAllowAll;
        private Map<String, Collection<SecurityPermission>> taskPermissions;
        private Map<String, Collection<SecurityPermission>> cachePermissions;
        private Map<String, Collection<SecurityPermission>> servicePermissions;
        private Collection<SecurityPermission> systemPermissions;

        public TestSecurityPermissionSet(boolean defaultAllowAll,
            Map<String, Collection<SecurityPermission>> taskPermissions,
            Map<String, Collection<SecurityPermission>> cachePermissions,
            Map<String, Collection<SecurityPermission>> servicePermissions,
            Collection<SecurityPermission> systemPermissions) {
            this.defaultAllowAll = defaultAllowAll;
            this.taskPermissions = taskPermissions;
            this.cachePermissions = cachePermissions;
            this.servicePermissions = servicePermissions;
            this.systemPermissions = systemPermissions;
        }

        public boolean defaultAllowAll() {
            return defaultAllowAll;
        }

        public Map<String, Collection<SecurityPermission>> taskPermissions() {
            return taskPermissions;
        }

        public Map<String, Collection<SecurityPermission>> cachePermissions() {
            return cachePermissions;
        }

        public Map<String, Collection<SecurityPermission>> servicePermissions() {
            return servicePermissions;
        }

        @Nullable
        public Collection<SecurityPermission> systemPermissions() {
            return systemPermissions;
        }
    }

*2. Create your own security subject (say TestSecuritySubject) class that
implements org.apache.ignite.plugin.security.SecuritySubject.*

    import java.io.Serializable;
    import java.net.InetSocketAddress;
    import java.util.UUID;
    import org.apache.ignite.plugin.security.SecuritySubject;
    import org.apache.ignite.plugin.security.SecuritySubjectType;

    public class TestSecuritySubject implements SecuritySubject, Serializable {
        private SecuritySubjectType subjectType;
        private UUID uuid;
        private Object login;
        private TestSecurityPermissionSet securityPermissionSet;

        public TestSecuritySubject(SecuritySubjectType subjectType, UUID uuid,
            Object login, TestSecurityPermissionSet securityPermissionSet) {
            this.subjectType = subjectType;
            this.uuid = uuid;
            this.login = login;
            this.securityPermissionSet = securityPermissionSet;
        }

        public UUID id() {
            return uuid;
        }

        public SecuritySubjectType type() {
            return subjectType;
        }

        public Object login() {
            return login;
        }

        public InetSocketAddress address() {
            return null;
        }

        public TestSecurityPermissionSet permissions() {
            return securityPermissionSet;
        }
    }

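*3. Create your own security context class that implements
org.apache.ignite.internal.processors.security.SecurityContext, with a
TestSecuritySubject field in the class.*

    import java.io.Serializable;
    import java.util.Collection;
    import java.util.Map;
    import org.apache.ignite.internal.processors.security.SecurityContext;
    import org.apache.ignite.plugin.security.SecurityPermission;
    import org.apache.ignite.plugin.security.SecuritySubject;

    public class TestSecurityContext implements SecurityContext, Serializable {
        private TestSecuritySubject securitySubject;

        public TestSecurityContext(TestSecuritySubject securitySubject) {
            this.securitySubject = securitySubject;
        }

        public SecuritySubject subject() {
            return securitySubject;
        }

        public boolean taskOperationAllowed(String taskClsName, SecurityPermission perm) {
            // Check if the security subject task permissions contain the given
            // taskClsName and given perm and return true/false accordingly.
            return allowed(securitySubject.permissions().taskPermissions(), taskClsName, perm);
        }

        public boolean cacheOperationAllowed(String cacheName, SecurityPermission perm) {
            // Check if the security subject cache permissions contain the given
            // cacheName and given perm and return true/false accordingly.
            return allowed(securitySubject.permissions().cachePermissions(), cacheName, perm);
        }

        public boolean serviceOperationAllowed(String srvcName, SecurityPermission perm) {
            // Check if the security subject service permissions contain the given
            // srvcName and given perm and return true/false accordingly.
            return allowed(securitySubject.permissions().servicePermissions(), srvcName, perm);
        }

        public boolean systemOperationAllowed(SecurityPermission perm) {
            // Check if the security subject system permissions contain the given
            // perm and return true/false accordingly.
            Collection<SecurityPermission> perms = securitySubject.permissions().systemPermissions();
            return perms == null ? securitySubject.permissions().defaultAllowAll() : perms.contains(perm);
        }

        // No map, or no entry for the name: fall back to defaultAllowAll.
        private boolean allowed(Map<String, Collection<SecurityPermission>> perms,
            String name, SecurityPermission perm) {
            Collection<SecurityPermission> granted = perms == null ? null : perms.get(name);
            return granted == null ? securitySubject.permissions().defaultAllowAll() : granted.contains(perm);
        }
    }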

*4. In the authenticateNode method, create an instance of your
SecuritySubject and set it in your SecurityContext instance and return it.*

    public SecurityContext authenticateNode(ClusterNode node,
        SecurityCredentials cred) throws IgniteCheckedException {
        TestSecurityPermissionSet permissionSet =
            new TestSecurityPermissionSet(true, null, null, null, null);

        TestSecuritySubject securitySubject = new TestSecuritySubject(
            SecuritySubjectType.REMOTE_NODE, node.id(), "", permissionSet);

        return new TestSecurityContext(securitySubject);
    }

*In the above snippet, I gave
TestSecurityPermissionSet(true,null,null,null,null) ==> That is default
allow all is true. This way, you returned a security context with proper
subject and proper permissions.*

Let me know if you need more clarification. 







--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/
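
Step 4 above returns an allow-all context for every joining node and never looks at cred. As an added example (not code from the thread or from the Ignite project), the same method can verify a credential first and return null on failure, which discovery reports as "Authentication failed"; it reuses the Test* classes from steps 1-3. Assumptions: joining nodes present a shared secret as the credential password, and the class name, the secret and the cache name "publicCache" are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import org.apache.ignite.cluster.ClusterNode;
import org.apache.ignite.internal.processors.security.SecurityContext;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.plugin.security.SecurityPermission;
import org.apache.ignite.plugin.security.SecuritySubjectType;

/** Added example (hypothetical class): check a credential before granting access. */
public class CheckedNodeAuthenticator {
    /** Hypothetical shared secret, loaded from a secret store by the caller. */
    private final byte[] clusterSecret;

    public CheckedNodeAuthenticator(byte[] clusterSecret) {
        this.clusterSecret = clusterSecret.clone();
    }

    /** Same signature as the authenticateNode method in step 4. */
    public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) {
        // Missing or malformed credentials: returning null makes discovery
        // reject the join with "Authentication failed".
        if (cred == null || !(cred.getPassword() instanceof String))
            return null;

        byte[] presented = ((String)cred.getPassword()).getBytes(StandardCharsets.UTF_8);

        // Constant-time comparison of the presented secret.
        if (!MessageDigest.isEqual(clusterSecret, presented))
            return null;

        // Server nodes keep allow-all; client nodes are deny-by-default with
        // one explicit grant ("publicCache" is a hypothetical cache name).
        boolean server = !node.isClient();
        Map<String, Collection<SecurityPermission>> none = Collections.emptyMap();
        Map<String, Collection<SecurityPermission>> cachePerms = none;
        if (!server)
            cachePerms = Collections.singletonMap("publicCache",
                Collections.singletonList(SecurityPermission.CACHE_READ));

        TestSecurityPermissionSet perms = new TestSecurityPermissionSet(
            server, none, cachePerms, none, Collections.emptyList());
        TestSecuritySubject subj = new TestSecuritySubject(
            SecuritySubjectType.REMOTE_NODE, node.id(), cred.getLogin(), perms);

        return new TestSecurityContext(subj);
    }
}
```

The empty maps and lists from java.util.Collections are Serializable, so the returned context stays serializable like the classes in steps 1-3.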