Posted to commits@ignite.apache.org by il...@apache.org on 2020/07/09 09:24:01 UTC
[ignite] branch master updated: IGNITE-13180 Added subject address
to AuthenticationContext when subject is IgniteClient - Fixes #7960.
This is an automated email from the ASF dual-hosted git repository.
ilyak pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ignite.git
The following commit(s) were added to refs/heads/master by this push:
new c0ed2f6 IGNITE-13180 Added subject address to AuthenticationContext when subject is IgniteClient - Fixes #7960.
c0ed2f6 is described below
commit c0ed2f616c7d5d8caa370b77d52926f2cf1bf080
Author: Ryzhov Sergei <s....@gmail.com>
AuthorDate: Thu Jul 9 12:23:33 2020 +0300
IGNITE-13180 Added subject address to AuthenticationContext when subject is IgniteClient - Fixes #7960.
Signed-off-by: Ilya Kasnacheev <il...@gmail.com>
---
.../ClientListenerAbstractConnectionContext.java | 11 ++-
.../odbc/jdbc/JdbcConnectionContext.java | 2 +-
.../odbc/odbc/OdbcConnectionContext.java | 2 +-
.../platform/client/ClientConnectionContext.java | 2 +-
.../IgniteClientContainSubjectAddressTest.java | 101 +++++++++++++++++++++
.../ignite/testsuites/SecurityTestSuite.java | 2 +
6 files changed, 112 insertions(+), 8 deletions(-)
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerAbstractConnectionContext.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerAbstractConnectionContext.java
index 7cc8859..3682596 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerAbstractConnectionContext.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerAbstractConnectionContext.java
@@ -17,7 +17,6 @@
package org.apache.ignite.internal.processors.odbc;
-import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Map;
import java.util.UUID;
@@ -26,6 +25,7 @@ import org.apache.ignite.internal.GridKernalContext;
import org.apache.ignite.internal.processors.authentication.AuthorizationContext;
import org.apache.ignite.internal.processors.authentication.IgniteAccessControlException;
import org.apache.ignite.internal.processors.security.SecurityContext;
+import org.apache.ignite.internal.util.nio.GridNioSession;
import org.apache.ignite.internal.util.typedef.F;
import org.apache.ignite.plugin.security.AuthenticationContext;
import org.apache.ignite.plugin.security.SecurityCredentials;
@@ -91,10 +91,10 @@ public abstract class ClientListenerAbstractConnectionContext implements ClientL
* @return Auth context.
* @throws IgniteCheckedException If failed.
*/
- protected AuthorizationContext authenticate(Certificate[] certificates, String user, String pwd)
+ protected AuthorizationContext authenticate(GridNioSession ses, String user, String pwd)
throws IgniteCheckedException {
if (ctx.security().enabled())
- authCtx = authenticateExternal(certificates, user, pwd).authorizationContext();
+ authCtx = authenticateExternal(ses, user, pwd).authorizationContext();
else if (ctx.authentication().enabled()) {
if (F.isEmpty(user))
throw new IgniteAccessControlException("Unauthenticated sessions are prohibited.");
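Review bot: The Javadoc of `authenticate` starts above this hunk and is outside the view; if it still carries a `@param certificates` tag from the old signature, it is now stale and should become `@param ses Client session the credentials arrived on; its remote address and certificates are copied into the authentication context.` The same gap exists in the next hunk (lines 56-62), where `authenticateExternal` keeps the one-line comment "Do 3-rd party authentication." and documents neither `ses` nor what it takes from it. authenticate's body continues past the hunk.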
@@ -113,7 +113,7 @@ public abstract class ClientListenerAbstractConnectionContext implements ClientL
/**
* Do 3-rd party authentication.
*/
- private AuthenticationContext authenticateExternal(Certificate[] certificates, String user, String pwd)
+ private AuthenticationContext authenticateExternal(GridNioSession ses, String user, String pwd)
throws IgniteCheckedException {
SecurityCredentials cred = new SecurityCredentials(user, pwd);
@@ -123,7 +123,8 @@ public abstract class ClientListenerAbstractConnectionContext implements ClientL
authCtx.subjectId(UUID.randomUUID());
authCtx.nodeAttributes(F.isEmpty(userAttrs) ? Collections.emptyMap() : userAttrs);
authCtx.credentials(cred);
- authCtx.certificates(certificates);
+ authCtx.address(ses.remoteAddress());
+ authCtx.certificates(ses.certificates());
secCtx = ctx.security().authenticate(authCtx);
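Review bot: `ses.remoteAddress()` is stored as the subject address at `authCtx.address(ses.remoteAddress())` with no indication of what it means to a security plugin: it is the transport-layer peer of the NIO session, so behind a proxy or load balancer it is that intermediary's address rather than the end client's, and it is not an authenticated client identity. Whether `GridNioSession.remoteAddress()` can return null (for a session that is no longer connected, for instance) is not visible here; if it can, plugins that branch on the address will see null with nothing in this method explaining why. A comment at that line such as `// Peer address of the NIO session; behind a proxy/LB this is the intermediary's address, not an authenticated client identity.` would make the contract explicit for plugin authors. authenticateExternal's body continues past the hunk.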
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/jdbc/JdbcConnectionContext.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/jdbc/JdbcConnectionContext.java
index 0f8fdc1..2359e98 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/jdbc/JdbcConnectionContext.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/jdbc/JdbcConnectionContext.java
@@ -203,7 +203,7 @@ public class JdbcConnectionContext extends ClientListenerAbstractConnectionConte
throw new IgniteCheckedException("Handshake error: " + e.getMessage(), e);
}
- actx = authenticate(ses.certificates(), user, passwd);
+ actx = authenticate(ses, user, passwd);
}
protoCtx = new JdbcProtocolContext(ver, features, true);
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/odbc/OdbcConnectionContext.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/odbc/OdbcConnectionContext.java
index 9401ce1..0cc22d1 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/odbc/OdbcConnectionContext.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/odbc/OdbcConnectionContext.java
@@ -149,7 +149,7 @@ public class OdbcConnectionContext extends ClientListenerAbstractConnectionConte
nestedTxMode = NestedTxMode.fromByte(nestedTxModeVal);
}
- AuthorizationContext actx = authenticate(ses.certificates(), user, passwd);
+ AuthorizationContext actx = authenticate(ses, user, passwd);
ClientListenerResponseSender sender = new ClientListenerResponseSender() {
@Override public void send(ClientListenerResponse resp) {
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java
index a9d38c4..aea4a7c 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java
@@ -214,7 +214,7 @@ public class ClientConnectionContext extends ClientListenerAbstractConnectionCon
}
}
- AuthorizationContext authCtx = authenticate(ses.certificates(), user, pwd);
+ AuthorizationContext authCtx = authenticate(ses, user, pwd);
handler = new ClientRequestHandler(this, authCtx, currentProtocolContext);
parser = new ClientMessageParser(this, currentProtocolContext);
diff --git a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/IgniteClientContainSubjectAddressTest.java b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/IgniteClientContainSubjectAddressTest.java
new file mode 100644
index 0000000..cc40e12
--- /dev/null
+++ b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/IgniteClientContainSubjectAddressTest.java
@@ -0,0 +1,101 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.security.client;
+
+import java.security.Permissions;
+import java.util.Arrays;
+import java.util.Collection;
+import org.apache.ignite.IgniteCheckedException;
+import org.apache.ignite.Ignition;
+import org.apache.ignite.client.IgniteClient;
+import org.apache.ignite.internal.GridKernalContext;
+import org.apache.ignite.internal.processors.security.GridSecurityProcessor;
+import org.apache.ignite.internal.processors.security.SecurityContext;
+import org.apache.ignite.internal.processors.security.impl.TestAdditionalSecurityPluginProvider;
+import org.apache.ignite.internal.processors.security.impl.TestAdditionalSecurityProcessor;
+import org.apache.ignite.internal.processors.security.impl.TestSecurityData;
+import org.apache.ignite.plugin.PluginProvider;
+import org.apache.ignite.plugin.security.AuthenticationContext;
+import org.apache.ignite.plugin.security.SecurityPermissionSet;
+import org.junit.Assert;
+import org.junit.Test;
+
+import static org.apache.ignite.cluster.ClusterState.ACTIVE;
+import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALLOW_ALL;
+
+/**
+ * Test AuthenticationContext contain subject address when subject is IgniteClient.
+ */
+public class IgniteClientContainSubjectAddressTest extends CommonSecurityCheckTest {
+ /** */
+ private boolean containsAddr = false;
+
+ /** */
+ @Test
+ public void testAuthenticate() throws Exception {
+ startGrid();
+
+ try (IgniteClient client = Ignition.startClient(getClientConfiguration())) {
+ client.cluster().state(ACTIVE);
+ }
+
+ Assert.assertTrue(containsAddr);
+ }
+
+ /** {@inheritDoc} */
+ @Override protected PluginProvider<?> getPluginProvider(String name) {
+ return new TestSubjectAddressSecurityPluginProvider(name, null, ALLOW_ALL,
+ globalAuth, true, clientData());
+ }
+
+ /** */
+ private class TestSubjectAddressSecurityPluginProvider extends TestAdditionalSecurityPluginProvider {
+ /** */
+ public TestSubjectAddressSecurityPluginProvider(String login, String pwd,
+ SecurityPermissionSet perms, boolean globalAuth, boolean checkAddPass,
+ TestSecurityData... clientData) {
+ super(login, pwd, perms, globalAuth, checkAddPass, clientData);
+ }
+
+ /** {@inheritDoc} */
+ @Override protected GridSecurityProcessor securityProcessor(GridKernalContext ctx) {
+ return new TestSubjectAddressSecurityProcessor(ctx,
+ new TestSecurityData(login, pwd, perms, new Permissions()),
+ Arrays.asList(clientData), globalAuth, checkAddPass);
+ }
+ }
+
+ /** */
+ private class TestSubjectAddressSecurityProcessor extends TestAdditionalSecurityProcessor {
+ /** */
+ public TestSubjectAddressSecurityProcessor(GridKernalContext ctx,
+ TestSecurityData nodeSecData,
+ Collection<TestSecurityData> predefinedAuthData, boolean globalAuth, boolean checkSslCerts) {
+ super(ctx, nodeSecData, predefinedAuthData, globalAuth, checkSslCerts);
+ }
+
+ /** {@inheritDoc} */
+ @Override public SecurityContext authenticate(AuthenticationContext authCtx) throws IgniteCheckedException {
+ SecurityContext secCtx = super.authenticate(authCtx);
+
+ containsAddr = secCtx.subject().address() != null;
+
+ return secCtx;
+ }
+ }
+}
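Review bot: `containsAddr` is written by `TestSubjectAddressSecurityProcessor.authenticate`, which runs inside the server node's client-handshake handling rather than on the JUnit thread, and is read by `testAuthenticate` after the client is closed; as a plain field there is no happens-before edge guaranteeing the write is visible, so it should be declared `private volatile boolean containsAddr;`. The flag also cannot distinguish "authenticate was never called" from "address was null", both of which leave it false; storing the address itself (e.g. a `volatile SocketAddress subjAddr` set from `secCtx.subject().address()`) and asserting it with `Assert.assertNotNull` would make a failure self-explanatory and allow comparing it with the address the client actually connected from.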
diff --git a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
index ccd009c..2f20f89 100644
--- a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
+++ b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
@@ -32,6 +32,7 @@ import org.apache.ignite.internal.processors.security.cache.closure.ScanQueryRem
import org.apache.ignite.internal.processors.security.client.AdditionalSecurityCheckTest;
import org.apache.ignite.internal.processors.security.client.AdditionalSecurityCheckWithGlobalAuthTest;
import org.apache.ignite.internal.processors.security.client.AttributeSecurityCheckTest;
+import org.apache.ignite.internal.processors.security.client.IgniteClientContainSubjectAddressTest;
import org.apache.ignite.internal.processors.security.client.ThinClientPermissionCheckSecurityTest;
import org.apache.ignite.internal.processors.security.client.ThinClientPermissionCheckTest;
import org.apache.ignite.internal.processors.security.client.ThinClientSecurityContextOnRemoteNodeTest;
@@ -73,6 +74,7 @@ import org.junit.runners.Suite;
ThinClientPermissionCheckTest.class,
ThinClientPermissionCheckSecurityTest.class,
ContinuousQueryPermissionCheckTest.class,
+ IgniteClientContainSubjectAddressTest.class,
DistributedClosureRemoteSecurityContextCheckTest.class,
ComputeTaskRemoteSecurityContextCheckTest.class,