Posted to dev@ignite.apache.org by Vishwas Bm <bm...@gmail.com> on 2020/11/26 07:00:20 UTC

Fwd: Issue with custom security plugin and thin clients

Hi,

I was facing an issue with a custom security plugin and thin remote client.
I am using Ignite 2.9.0 version and I am hitting below issue
https://cwiki.apache.org/confluence/display/IGNITE/IEP-41%3A+Security+Context+of+thin+client+on+remote+nodes


I had asked the question in the user listing but unfortunately I did not
get any reply.
So I am posting this question here:

http://apache-ignite-users.70518.x6.nabble.com/Query-on-implementing-GridSecurityProcessor-td34672.html


*Thanks & Regards,*

*Vishwas *

Re: Issue with custom security plugin and thin clients

Posted by Denis Garus <ga...@gmail.com>.
Hello!
I am afraid these changes will not be included in the 2.10 version.

Sat, 19 Dec 2020 at 06:03, Vishwas Bm <bm...@gmail.com>:

> Hi Denis,
>
> Thanks for the feedback.
>
> I had also put a comment in one of your PR regarding iep-41.
> https://github.com/apache/ignite/pull/8038#issuecomment-742230009
>
>
> It will be great if you can provide input on this.
>
>
> Regards,
> Vishwas

Re: Issue with custom security plugin and thin clients

Posted by Vishwas Bm <bm...@gmail.com>.
Hi Denis,

Thanks for the feedback.

I had also put a comment in one of your PR regarding iep-41.
https://github.com/apache/ignite/pull/8038#issuecomment-742230009


It will be great if you can provide input on this.


Regards,
Vishwas

On Fri, 18 Dec, 2020, 21:39 Denis Garus, <ga...@gmail.com> wrote:

> Hi!
> I don't understand why you do something related to thin clients inside
> onDisconnected method?
> The rest looks good to me.

Re: Issue with custom security plugin and thin clients

Posted by Denis Garus <ga...@gmail.com>.
Hi!
I don't understand why you do something related to thin clients inside
onDisconnected method?
The rest looks good to me.

Wed, 9 Dec 2020 at 17:00, vbm <bm...@gmail.com>:

> Hi Denis,
>
> Any thoughts on the approach mentioned above ?
>
>
> Regards,
> Vishwas

Re: Issue with custom security plugin and thin clients

Posted by vbm <bm...@gmail.com>.
Hi Denis,

Any thoughts on the approach mentioned above ?


Regards,
Vishwas



--
Sent from: http://apache-ignite-developers.2346864.n4.nabble.com/

Re: Issue with custom security plugin and thin clients

Posted by Vishwas Bm <bm...@gmail.com>.
Hi Denis,

Thanks for the suggestion.

I was trying to implement the approach of using the cache to store the thin
clients security context.

Below is the approach, I wanted to follow:
1) Add the thin client secCtx to cache during authentication time.
2) Retrieve the thin client secCtx using subjId in the new method to be
overridden:
      GridSecurityProcessor.securityContext(UUID subjId) method,
3) Remove the entry from the cache during the onSessionExpired method call.
4) Remove the entry from the cache during the onDisconnected() method call.

** I am not sure if I have to handle anything extra for  onReconnected(),
as I see again the authenticate method gets called.

Can you please let me know if the above steps are OK or do I need to handle
any other case ?


*Thanks & Regards,*

*Vishwas *

On Mon, Nov 30, 2020 at 2:11 PM Denis Garus <ga...@gmail.com> wrote:

> Hi!
>
> Node attributes can't be used to spread a thin client's security context.
> For this purpose,  you can use a cache of Ignite, a third-party database,
> or other tools appropriate to your case.
>
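
The four steps listed in the message above, sketched as an added example; this is not code from the thread or from the Ignite project. The class `ThinClientContextStore`, its method names and the cache name are hypothetical, and it assumes the plugin's `SecurityContext` implementation can be marshalled by Ignite and that the cache is first touched only after the node has started.

```java
import java.util.UUID;
import org.apache.ignite.Ignite;
import org.apache.ignite.IgniteCache;
import org.apache.ignite.cache.CacheMode;
import org.apache.ignite.configuration.CacheConfiguration;
import org.apache.ignite.internal.processors.security.SecurityContext;

/** Hypothetical helper (not Ignite code) that a custom GridSecurityProcessor delegates to. */
public class ThinClientContextStore {
    /** Cache name chosen for this example. */
    private static final String CACHE_NAME = "thin-client-sec-ctx";

    private final Ignite ignite;

    public ThinClientContextStore(Ignite ignite) {
        this.ignite = ignite;
    }

    /** Resolved on each call rather than in the constructor, on the assumption
     *  that the plugin is created before caches can be used. */
    private IgniteCache<UUID, SecurityContext> cache() {
        CacheConfiguration<UUID, SecurityContext> cfg =
            new CacheConfiguration<UUID, SecurityContext>(CACHE_NAME)
                // REPLICATED: every server node holds a copy of each entry.
                .setCacheMode(CacheMode.REPLICATED);
        return ignite.getOrCreateCache(cfg);
    }

    /** Step 1: call at the end of authenticate(...) once the thin client is accepted. */
    public void remember(SecurityContext secCtx) {
        cache().put(secCtx.subject().id(), secCtx);
    }

    /** Step 2: body for GridSecurityProcessor.securityContext(UUID subjId).
     *  Returns null for an unknown subject; it never falls back to another context. */
    public SecurityContext lookup(UUID subjId) {
        return subjId == null ? null : cache().get(subjId);
    }

    /** Steps 3 and 4: call where the entry must be dropped, e.g. onSessionExpired(subjId).
     *  Removing an absent key is harmless, so overlapping callbacks are safe. */
    public void forget(UUID subjId) {
        if (subjId != null)
            cache().remove(subjId);
    }
}
```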

Re: Issue with custom security plugin and thin clients

Posted by Denis Garus <ga...@gmail.com>.
Hi!

Node attributes can't be used to spread a thin client's security context.
For this purpose,  you can use a cache of Ignite, a third-party database,
or other tools appropriate to your case.

Sat, 28 Nov 2020 at 06:16, Vishwas Bm <bm...@gmail.com>:

> Hi Denis,
>
>
> Thanks for the reply.
> Yes I was looking for a way to spread the security context to all cluster
> nodes when a thin client(sqlline) gets authenticated.
> I tried to see if I can use node attributes or user attributes to pass the
> information to other nodes. When a cluster of ignite server is already
> formed, this will not help as attributes will not be available on remote
> nodes.
>
> The node attributes cannot be changed at run time and the attributes will
> be available to remote nodes only when they join the cluster.
>
> So I wanted to know, if there is any other way to do this ?
> I checked your poc PR for reference,
> https://github.com/apache/ignite/pull/7375
>
> In thin client case authenticate node will not be called but authenticate
> method is getting called.
>
>
> Regards,
> Vishwas

Re: Issue with custom security plugin and thin clients

Posted by Vishwas Bm <bm...@gmail.com>.
Hi Denis,


Thanks for the reply.
Yes I was looking for a way to spread the security context to all cluster
nodes when a thin client(sqlline) gets authenticated.
I tried to see if I can use node attributes or user attributes to pass the
information to other nodes. When a cluster of ignite server is already
formed, this will not help as attributes will not be available on remote
nodes.

The node attributes cannot be changed at run time and the attributes will
be available to remote nodes only when they join the cluster.

So I wanted to know, if there is any other way to do this ?
I checked your poc PR for reference,
https://github.com/apache/ignite/pull/7375

In thin client case authenticate node will not be called but authenticate
method is getting called.


Regards,
Vishwas


On Fri, 27 Nov, 2020, 14:29 Denis Garus, <ga...@gmail.com> wrote:

> Hello!
>
>
> If I understood your problem correctly, you need to make a thin client's
> security context allowed on a remote node.
>
> When a security plugin does authenticate a thin client, it should spread
> the thin client's security context on the cluster.
>
> How a security context will be transmitted to a remote node is up to the
> plugin's developers.
>
> Also, you have to implement the
> GridSecurityProcessor.securityContext(UUID subjId) method;
> you can see the way this method is used in Ignite in the task description [1].
>
>
>
>
>    1. https://issues.apache.org/jira/browse/IGNITE-12759

Re: Issue with custom security plugin and thin clients

Posted by Denis Garus <ga...@gmail.com>.
Hello!


If I understood your problem correctly, you need to make a thin client's
security context allowed on a remote node.

When a security plugin does authenticate a thin client, it should spread
the thin client's security context on the cluster.

How a security context will be transmitted to a remote node is up to the
plugin's developers.

Also, you have to implement the
GridSecurityProcessor.securityContext(UUID subjId) method;
you can see the way this method is used in Ignite in the task description [1].




   1. https://issues.apache.org/jira/browse/IGNITE-12759


Thu, 26 Nov 2020 at 10:01, Vishwas Bm <bm...@gmail.com>:

> Hi,
>
> I was facing an issue with a custom security plugin and thin remote client.
> I am using Ignite 2.9.0 version and I am hitting below issue
>
> https://cwiki.apache.org/confluence/display/IGNITE/IEP-41%3A+Security+Context+of+thin+client+on+remote+nodes
>
>
> I had asked the question in the user listing but unfortunately I did not
> get any reply.
> So I am posting this question here:
>
>
> http://apache-ignite-users.70518.x6.nabble.com/Query-on-implementing-GridSecurityProcessor-td34672.html
>
>
> *Thanks & Regards,*
>
> *Vishwas *
>