Posted to user@ignite.apache.org by Kurt Semba <ks...@extremenetworks.com> on 2019/09/16 07:43:53 UTC

Authentication

Hi all,

I used the web-console to auto-generate some code and then extended the ServerNodeCodeStartup.java class according to the documentation to enable authentication (which requires enabling persistence) like this:

import java.util.Collection;

import org.apache.ignite.Ignite;
import org.apache.ignite.Ignition;
import org.apache.ignite.cluster.ClusterNode;
import org.apache.ignite.configuration.DataStorageConfiguration;
import org.apache.ignite.configuration.IgniteConfiguration;

// ServerConfigurationFactory comes from the web-console-generated project;
// its import depends on the generated package.
public class ServerNodeCodeStartup {
    public static void main(String[] args) throws Exception {
        IgniteConfiguration cfg = ServerConfigurationFactory.createConfiguration();

        // Ignite persistence configuration.
        DataStorageConfiguration storageCfg = new DataStorageConfiguration();

        // Enabling the persistence.
        storageCfg.getDefaultDataRegionConfiguration().setPersistenceEnabled(true);

        // Applying settings.
        cfg.setDataStorageConfiguration(storageCfg);

        // Enable authentication
        cfg.setAuthenticationEnabled(true);

        Ignite ignite = Ignition.start(cfg);

        // Activate the cluster.
        // This is required only if the cluster is still inactive.
        ignite.cluster().active(true);

        // Get all server nodes that are already up and running.
        Collection<ClusterNode> nodes = ignite.cluster().forServers().nodes();

        // Set the baseline topology that is represented by these nodes.
        ignite.cluster().setBaselineTopology(nodes);
    }
}


But when I run this, the output shows “authentication=off” and I can also connect a client without providing any user+pass…

[…]
[08:57:13] Security status [authentication=off, tls/ssl=off]
[…]
[08:57:16] Ignite node started OK (id=1f668071, instance name=ImportedCluster6)
[08:57:16] Topology snapshot [ver=1, locNode=1f668071, servers=1, clients=0, state=INACTIVE, CPUs=4, offheap=2.3GB, heap=2.6GB]
[08:57:16]   ^-- Baseline [id=0, size=1, online=1, offline=0]
[08:57:16]   ^-- All baseline nodes are online, will start auto-activation
[08:57:16] Ignite node stopped in the middle of checkpoint. Will restore memory state and finish checkpoint on node start.
[08:57:16] Both Ignite native persistence and CacheStore are configured for cache 'NsdevicesCache'. This configuration does not guarantee strict consistency between CacheStore and Ignite data storage upon restarts. Consult documentation for more details.

Any idea what I’m doing wrong?

I will also look into enabling TLS but wanted to start with user+pass auth.

Thanks
Kurt

RE: Authentication

Posted by Kurt Semba <ks...@extremenetworks.com>.
Hi Andrei,

thank you for the details.
Kurt


Re: Authentication

Posted by Andrei Aleksandrov <ae...@gmail.com>.
Hi Kurt,

Yes, you can create new users via SQL as was mentioned here:

https://apacheignite-sql.readme.io/docs/create-user
https://apacheignite-sql.readme.io/docs/alter-user
https://apacheignite-sql.readme.io/docs/drop-user

By default user "ignite" will be created. Password will be "ignite" too. 
Current SQL could be executed in Java via 
https://ignite.apache.org/releases/latest/javadoc/org/apache/ignite/cache/query/SqlFieldsQuery.html

To provide auth for:

1) JDBC: just add "user" and "password" parameters to the JDBC connection 
string:

https://apacheignite-sql.readme.io/docs/jdbc-driver#section-parameters

2) Thick Java nodes: Implement your own plugin for security

I see the answer from Evgenii here about it:

https://stackoverflow.com/questions/46150920/custom-security-plugin-for-apache-ignite

BR,
Andrei
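
One way to run the user-management SQL from this reply in Java, over the JDBC thin driver with the "user" and "password" connection properties. This is an added example, not code from the thread or from the Ignite project. The node address and port, the "app_user" account and the environment variable names are assumptions, and ignite-core must be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Statement;

public class ProvisionIgniteUsers {
    // Assumption: a node with authentication enabled listens here (thin-client port).
    private static final String URL = "jdbc:ignite:thin://127.0.0.1:10800";

    public static void main(String[] args) throws Exception {
        Class.forName("org.apache.ignite.IgniteJdbcThinDriver");

        // Hypothetical variable names; secrets stay out of the source and out of the URL.
        String appPwd = requireSafe("IGNITE_APP_PASSWORD");
        String adminPwd = requireSafe("IGNITE_ADMIN_PASSWORD");

        // First login uses the default account named in the reply: ignite / ignite.
        // DriverManager passes the credentials as the "user" and "password" properties.
        try (Connection conn = DriverManager.getConnection(URL, "ignite", "ignite");
             Statement stmt = conn.createStatement()) {
            // Quoted identifiers keep their case, so the login name is exactly app_user.
            stmt.execute("CREATE USER \"app_user\" WITH PASSWORD '" + appPwd + "'");
            // Retire the well-known default password in the same session.
            stmt.execute("ALTER USER \"ignite\" WITH PASSWORD '" + adminPwd + "'");
        }

        // Verify from the outside: new credentials work, the default pair no longer does.
        if (!canLogin("app_user", appPwd))
            throw new IllegalStateException("app_user cannot log in");
        if (!canLogin("ignite", adminPwd))
            throw new IllegalStateException("rotated ignite password was not applied");
        if (canLogin("ignite", "ignite"))
            throw new IllegalStateException("default ignite/ignite login still accepted");
        System.out.println("Users provisioned; default password retired.");
    }

    /** Reads a password from the environment and rejects values unsafe to embed in SQL. */
    private static String requireSafe(String envName) {
        String pwd = System.getenv(envName);
        if (pwd == null || pwd.length() < 12)
            throw new IllegalArgumentException(envName + " must be set (12+ characters)");
        // The password is embedded as a SQL string literal above, so refuse quote characters.
        if (pwd.indexOf('\'') >= 0 || pwd.indexOf('\\') >= 0)
            throw new IllegalArgumentException(envName + " must not contain ' or \\");
        return pwd;
    }

    /** True if a connection opens; any SQLException (bad login or network) counts as false. */
    private static boolean canLogin(String user, String pwd) {
        try (Connection ignored = DriverManager.getConnection(URL, user, pwd)) {
            return true;
        } catch (SQLException e) {
            return false;
        }
    }
}
```

As the thread notes, this covers thin connections only; thick nodes joining the cluster are not checked against these accounts.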


RE: Authentication

Posted by Kurt Semba <ks...@extremenetworks.com>.
Hi Andrei,

good to know – thank you.

So we need to distinguish between auth for

  1.  thin clients like JDBC clients and
  2.  thick clients (Java client that wants to join the cluster (as server or client))


I will look at GridSecurityProcessor for item 2 but in the meantime: I saw the CREATE command to create new SQL users on a freshly started cluster. How would you execute that using Java code? Would the app need to start the cluster, then use the Ignite JDBC driver to connect to the (PUBLIC) schema of that cluster, then run the CREATE SQL command and then exit?

Kurt


Re: Authentication

Posted by Andrei Aleksandrov <ae...@gmail.com>.
Hi,

I guess that here Ignite has some documentation gap. Advanced security 
out of the box will work only with thin connections like webconsole, 
ODBC/JDBC, etc.

To get cluster node authentication you should add GridSecurityProcessor 
implementation:

https://apacheignite.readme.io/docs/advanced-security#section-enable-authentication

I created ticket on documentation:

https://issues.apache.org/jira/browse/IGNITE-12170

BR,
Andrei
