You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ignite.apache.org by "Vyacheslav Koptilin (Jira)" <ji...@apache.org> on 2021/09/08 06:47:00 UTC

[jira] [Updated] (IGNITE-13112) The current security context should be obtained using the IgniteSecurity interface only.

     [ https://issues.apache.org/jira/browse/IGNITE-13112?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vyacheslav Koptilin updated IGNITE-13112:
-----------------------------------------
    Reviewer:   (was: Slava Koptilin)

> The current security context should be obtained using the IgniteSecurity interface only.
> ----------------------------------------------------------------------------------------
>
>                 Key: IGNITE-13112
>                 URL: https://issues.apache.org/jira/browse/IGNITE-13112
>             Project: Ignite
>          Issue Type: Bug
>          Components: cache, security
>    Affects Versions: 2.8.1
>            Reporter: Denis Garus
>            Assignee: Denis Garus
>            Priority: Major
>              Labels: iep-41
>          Time Spent: 7h
>  Remaining Estimate: 0h
>
> For getting the current security context, we have to use the IgniteSecurity interface only. 
>  We need to get rid of all other ways to transfer a security subject id.
> h4. Suggested implementation
> If Ignite Security (IS) is enabled, then executors, accessed through the {{PoolProcessor}}, are wrapped to a security-aware implementation. Security-aware implementation sets proper security context for tasks that the executor performs.
> The field subject id was deleted from communication requests for cache and compute operations; a remote node gets the subject id that initiates the ignite operation from {{GridIoSecurityAwareMessage}}. {{IgniteSecurity}} uses this id to set a proper security context during the execution of the request.
> Remove {{GridTaskThreadContextKey#TC_SUBJ_ID}}, {{GridCacheContext#subjectIdPerCall}}; a consumer has to obtain a current security subject id through {{IgniteSecurity}} or the set of {{SecurityUtils}} methods.
> For all events that include the subject id field, are set the following rule. If IS is enabled, this field must contain a subject id that initiates an ignite operation, otherwise null.
> Implement {{SecurityAwareCustomMessageWrapper}} for discovery requests that act as {{GridIoSecurityAwareMessage}} for communication requests. It allows setting proper context during the discovery message execution.
> Implement {{SecurityAwareGridRestCommandHandler}} to allow {{GridRestProcessor}} to execute all client requests with the proper security context.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)