Posted to issues@ignite.apache.org by "Vyacheslav Koptilin (Jira)" <ji...@apache.org> on 2021/09/08 06:47:00 UTC
[jira] [Updated] (IGNITE-13112) The current security context should be obtained using the IgniteSecurity interface only.
[ https://issues.apache.org/jira/browse/IGNITE-13112?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vyacheslav Koptilin updated IGNITE-13112:
-----------------------------------------
Reviewer: (was: Slava Koptilin)
> The current security context should be obtained using the IgniteSecurity interface only.
> ----------------------------------------------------------------------------------------
>
> Key: IGNITE-13112
> URL: https://issues.apache.org/jira/browse/IGNITE-13112
> Project: Ignite
> Issue Type: Bug
> Components: cache, security
> Affects Versions: 2.8.1
> Reporter: Denis Garus
> Assignee: Denis Garus
> Priority: Major
> Labels: iep-41
> Time Spent: 7h
> Remaining Estimate: 0h
>
> For getting the current security context, we have to use the IgniteSecurity interface only.
> We need to get rid of all other ways to transfer a security subject id.
> h4. Suggested implementation
> If Ignite Security (IS) is enabled, then executors, accessed through the {{PoolProcessor}}, are wrapped in a security-aware implementation. The security-aware implementation sets the proper security context for tasks that the executor performs.
> The subject id field was deleted from communication requests for cache and compute operations; a remote node gets the subject id that initiates the Ignite operation from {{GridIoSecurityAwareMessage}}. {{IgniteSecurity}} uses this id to set a proper security context during the execution of the request.
> Remove {{GridTaskThreadContextKey#TC_SUBJ_ID}}, {{GridCacheContext#subjectIdPerCall}}; a consumer has to obtain the current security subject id through {{IgniteSecurity}} or the set of {{SecurityUtils}} methods.
> For all events that include the subject id field, the following rule is set. If IS is enabled, this field must contain a subject id that initiates an Ignite operation, otherwise null.
> Implement {{SecurityAwareCustomMessageWrapper}} for discovery requests that act as {{GridIoSecurityAwareMessage}} for communication requests. It allows setting proper context during the discovery message execution.
> Implement {{SecurityAwareGridRestCommandHandler}} to allow {{GridRestProcessor}} to execute all client requests with the proper security context.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
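
An added illustration (not code from the Ignite project or from the issue) of the executor-wrapping idea in the description above: the wrapper captures the submitter's subject id and installs it on the worker thread for the duration of the task, so the task reads it from one place instead of receiving it as a parameter. `CurrentSecurity`, `Scope` and `SecurityAwareExecutor` are hypothetical names, and the `ThreadLocal` holder is an assumed stand-in for the `IgniteSecurity` lookup.

```java
import java.util.UUID;
import java.util.concurrent.*;

public class SecurityAwareExecutorDemo {
    /** Hypothetical holder of the current subject id; a stand-in, not Ignite's IgniteSecurity. */
    static final class CurrentSecurity {
        private static final ThreadLocal<UUID> SUBJ = new ThreadLocal<>();
        interface Scope extends AutoCloseable { @Override void close(); }
        static UUID subjectId() { return SUBJ.get(); }
        /** Installs the subject on this thread; closing the scope restores the previous value. */
        static Scope withSubject(UUID id) {
            UUID prev = SUBJ.get();
            SUBJ.set(id);
            return () -> SUBJ.set(prev);
        }
    }
    /** Hypothetical wrapper: runs each task under the subject that submitted it. */
    static final class SecurityAwareExecutor implements Executor {
        private final Executor delegate;
        SecurityAwareExecutor(Executor delegate) { this.delegate = delegate; }
        @Override public void execute(Runnable task) {
            UUID submitter = CurrentSecurity.subjectId(); // captured on the submitting thread
            delegate.execute(() -> {
                // Restored on exit, so a pooled thread never keeps a previous caller's subject.
                try (CurrentSecurity.Scope ignored = CurrentSecurity.withSubject(submitter)) {
                    task.run();
                }
            });
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Executor secured = new SecurityAwareExecutor(pool);
        UUID alice = UUID.randomUUID(), bob = UUID.randomUUID(); // constructed sample subject ids
        CompletableFuture<UUID> seenAlice = new CompletableFuture<>();
        CompletableFuture<UUID> seenBob = new CompletableFuture<>();
        CompletableFuture<UUID> seenAfter = new CompletableFuture<>();
        try (CurrentSecurity.Scope s = CurrentSecurity.withSubject(alice)) {
            secured.execute(() -> seenAlice.complete(CurrentSecurity.subjectId()));
        }
        try (CurrentSecurity.Scope s = CurrentSecurity.withSubject(bob)) {
            secured.execute(() -> seenBob.complete(CurrentSecurity.subjectId()));
        }
        // Submitted without the wrapper on the same pooled thread: checks that nothing leaked.
        pool.execute(() -> seenAfter.complete(CurrentSecurity.subjectId()));
        System.out.printf("alice=%b bob=%b noLeak=%b%n", alice.equals(seenAlice.get()),
            bob.equals(seenBob.get()), seenAfter.get() == null);
        pool.shutdown();
    }
}
```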