org.apache.ignite.internal.processors.authentication

Class IgniteAuthenticationProcessor

java.lang.Object

org.apache.ignite.internal.processors.GridProcessorAdapter

org.apache.ignite.internal.processors.authentication.IgniteAuthenticationProcessor

All Implemented Interfaces:

GridComponent, PartitionsExchangeAware, MetastorageLifecycleListener, GridProcessor, GridSecurityProcessor

public class IgniteAuthenticationProcessor
extends GridProcessorAdapter
implements GridSecurityProcessor, MetastorageLifecycleListener, PartitionsExchangeAware

Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.ignite.internal.GridComponent

GridComponent.DiscoveryDataExchangeType

Field Summary

Fields inherited from class org.apache.ignite.internal.processors.GridProcessorAdapter

ctx, diagnosticLog, log

Constructor Summary

Constructors

Constructor and Description
IgniteAuthenticationProcessor(GridKernalContext ctx)

Method Summary

Modifier and Type	Method and Description
void	alterUser(String login, char[] passwd) Alters password of user with the specified login.
SecurityContext	authenticate(AuthenticationContext authCtx) Authenticates subject via underlying Authenticator.
SecuritySubject	authenticatedSubject(UUID subjId) Gets authenticated node subject.
Collection<SecuritySubject>	authenticatedSubjects() Gets collection of authenticated nodes.
SecurityContext	authenticateNode(ClusterNode node, SecurityCredentials cred) Authenticates grid node with it's attributes via underlying Authenticator.
void	authorize(String name, SecurityPermission perm, SecurityContext securityCtx) Authorizes grid operation.
void	checkUserOperation(UserManagementOperation op)
void	collectGridNodeData(DiscoveryDataBag dataBag) Collects discovery data on nodes already in grid on receiving TcpDiscoveryNodeAddedMessage.
void	createUser(String login, char[] passwd) Creates user with the specified login and password.
@Nullable GridComponent.DiscoveryDataExchangeType	discoveryDataType() Gets unique component type to distinguish components providing discovery data.
void	dropUser(String login) Drops user with the specified login.
boolean	enabled()
boolean	isGlobalNodeAuthentication() Gets flag indicating whether all nodes or coordinator only should run the authentication for joining node.
void	onDisconnected(IgniteFuture reconnectFut) Client disconnected callback.
void	onDoneBeforeTopologyUnlock(GridDhtPartitionsExchangeFuture fut) Callback from exchange process completion; called before topology is unlocked.
void	onGridDataReceived(DiscoveryDataBag.GridDiscoveryData data) Receives discovery data object from remote nodes (called on new node during discovery process).
void	onKernalStop(boolean cancel) Callback to notify that kernal is about to stop.
void	onReadyForRead(ReadOnlyMetastorage metastorage) Is called when metastorage is made ready for read-only operations very early on node startup phase.
void	onReadyForReadWrite(ReadWriteMetastorage metastorage) Fully functional metastore capable of performing reading and writing operations.
IgniteInternalFuture<?>	onReconnected(boolean active) Client reconnected callback.
void	onSessionExpired(UUID subjId) Callback invoked when subject session got expired.
SecurityContext	securityContext(UUID subjId) Gets security context for authenticated nodes and thin clients.
void	startProcessor() Starts processor.
void	stop(boolean cancel) Stops grid component.
static void	validate(String login, char[] passwd)

Methods inherited from class org.apache.ignite.internal.processors.GridProcessorAdapter

assertParameter, collectJoiningNodeData, onJoiningNodeDataReceived, onKernalStart, printMemoryStats, start, toString, validateNode, validateNode

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.apache.ignite.internal.processors.security.GridSecurityProcessor

sandboxEnabled

Methods inherited from interface org.apache.ignite.internal.GridComponent

collectJoiningNodeData, onJoiningNodeDataReceived, onKernalStart, printMemoryStats, start, validateNode, validateNode

Methods inherited from interface org.apache.ignite.internal.processors.cache.distributed.dht.preloader.PartitionsExchangeAware

onDoneAfterTopologyUnlock, onInitAfterTopologyLock, onInitBeforeTopologyLock

Constructor Detail

IgniteAuthenticationProcessor

public IgniteAuthenticationProcessor(GridKernalContext ctx)

Parameters:

ctx - Kernal context.

Method Detail

startProcessor

public void startProcessor()
                    throws IgniteCheckedException

Starts processor.

Throws:

IgniteCheckedException

stop

public void stop(boolean cancel)
          throws IgniteCheckedException

Stops grid component.

Specified by:

stop in interface GridComponent

Overrides:

stop in class GridProcessorAdapter

Parameters:

cancel - If true, then all ongoing tasks or jobs for relevant components need to be cancelled.

Throws:

IgniteCheckedException - Thrown in case of any errors.

onKernalStop

public void onKernalStop(boolean cancel)

Callback to notify that kernal is about to stop.

Specified by:

onKernalStop in interface GridComponent

Overrides:

onKernalStop in class GridProcessorAdapter

Parameters:

cancel - Flag indicating whether jobs should be canceled.

onDisconnected

public void onDisconnected(IgniteFuture reconnectFut)

Client disconnected callback.

Specified by:

onDisconnected in interface GridComponent

Overrides:

onDisconnected in class GridProcessorAdapter

Parameters:

reconnectFut - Reconnect future.

onReconnected

public IgniteInternalFuture<?> onReconnected(boolean active)

Client reconnected callback.

Specified by:

onReconnected in interface GridComponent

Overrides:

onReconnected in class GridProcessorAdapter

Parameters:

active - Cluster restarted flag.

Returns:

Future to wait before completing reconnect future.

authenticate

public SecurityContext authenticate(AuthenticationContext authCtx)
                             throws IgniteCheckedException

Authenticates subject via underlying Authenticator.

Specified by:

authenticate in interface GridSecurityProcessor

Parameters:

authCtx - Authentication context.

Returns:

True if succeeded, false otherwise.

Throws:

IgniteCheckedException - If error occurred.

validate

public static void validate(String login,
                            char[] passwd)
                     throws UserManagementException

Parameters:

login - User's login.

passwd - Password.

Throws:

UserManagementException - On error.

createUser

public void createUser(String login,
                       char[] passwd)
                throws IgniteCheckedException

Creates user with the specified login and password.

Specified by:

createUser in interface GridSecurityProcessor

Parameters:

login - Login of the user to be created.

passwd - User password.

Throws:

IgniteCheckedException - If error occurred.

dropUser

public void dropUser(String login)
              throws IgniteCheckedException

Drops user with the specified login.

Specified by:

dropUser in interface GridSecurityProcessor

Parameters:

login - Login of the user to be dropped.

Throws:

IgniteCheckedException - If error occurred.

alterUser

public void alterUser(String login,
                      char[] passwd)
               throws IgniteCheckedException

Alters password of user with the specified login.

Specified by:

alterUser in interface GridSecurityProcessor

Parameters:

login - Login of the user which password should be altered.

passwd - User password to alter.

Throws:

IgniteCheckedException - If error occurred.

onReadyForRead

public void onReadyForRead(ReadOnlyMetastorage metastorage)
                    throws IgniteCheckedException

Is called when metastorage is made ready for read-only operations very early on node startup phase. Reference for read-only metastorage should be used only within this method and shouldn't be stored to any field.

Specified by:

onReadyForRead in interface MetastorageLifecycleListener

Parameters:

metastorage - Read-only meta storage.

Throws:

IgniteCheckedException

onReadyForReadWrite

public void onReadyForReadWrite(ReadWriteMetastorage metastorage)

Fully functional metastore capable of performing reading and writing operations. Components interested in using metastore are allowed to keep reference passed into the method in their fields.

Specified by:

onReadyForReadWrite in interface MetastorageLifecycleListener

Parameters:

metastorage - Fully functional meta storage.

discoveryDataType

@Nullable
public @Nullable GridComponent.DiscoveryDataExchangeType discoveryDataType()

Gets unique component type to distinguish components providing discovery data. Must return non-null value if component implements any of methods GridComponent.collectJoiningNodeData(DiscoveryDataBag) or GridComponent.collectGridNodeData(DiscoveryDataBag).

Specified by:

discoveryDataType in interface GridComponent

Overrides:

discoveryDataType in class GridProcessorAdapter

Returns:

Unique component type for discovery data exchange.

collectGridNodeData

public void collectGridNodeData(DiscoveryDataBag dataBag)

Collects discovery data on nodes already in grid on receiving TcpDiscoveryNodeAddedMessage.

Specified by:

collectGridNodeData in interface GridComponent

Overrides:

collectGridNodeData in class GridProcessorAdapter

Parameters:

dataBag - container object to store discovery data in.

onGridDataReceived

public void onGridDataReceived(DiscoveryDataBag.GridDiscoveryData data)

Receives discovery data object from remote nodes (called on new node during discovery process).

Specified by:

onGridDataReceived in interface GridComponent

Overrides:

onGridDataReceived in class GridProcessorAdapter

Parameters:

data - DiscoveryDataBag.GridDiscoveryData interface to retrieve discovery data collected on remote nodes (data common for all nodes in grid and specific for each node).

enabled

public boolean enabled()

Specified by:

enabled in interface GridSecurityProcessor

Returns:

GridSecurityProcessor is enable.

onDoneBeforeTopologyUnlock

public void onDoneBeforeTopologyUnlock(GridDhtPartitionsExchangeFuture fut)

Callback from exchange process completion; called before topology is unlocked. Guarantees that no updates were performed on local node since exchange process started.

Specified by:

onDoneBeforeTopologyUnlock in interface PartitionsExchangeAware

Parameters:

fut - Partition map exchange future.

authenticateNode

public SecurityContext authenticateNode(ClusterNode node,
                                        SecurityCredentials cred)
                                 throws IgniteCheckedException

Authenticates grid node with it's attributes via underlying Authenticator. The current implementation of GridSecurityProcessor allows any Ignite node to join the Ignite cluster without authentication check.

Specified by:

authenticateNode in interface GridSecurityProcessor

Parameters:

node - Node id to authenticate.

cred - Security credentials.

Returns:

True if succeeded, false otherwise.

Throws:

IgniteCheckedException - If error occurred.

authenticatedSubject

public SecuritySubject authenticatedSubject(UUID subjId)
                                     throws IgniteCheckedException

Gets authenticated node subject.

Specified by:

authenticatedSubject in interface GridSecurityProcessor

Parameters:

subjId - Subject ID.

Returns:

Security subject.

Throws:

IgniteCheckedException - If error occurred.

authenticatedSubjects

public Collection<SecuritySubject> authenticatedSubjects()
                                                  throws IgniteCheckedException

Gets collection of authenticated nodes.

Specified by:

authenticatedSubjects in interface GridSecurityProcessor

Returns:

Collection of authenticated nodes.

Throws:

IgniteCheckedException - If error occurred.

isGlobalNodeAuthentication

public boolean isGlobalNodeAuthentication()

Gets flag indicating whether all nodes or coordinator only should run the authentication for joining node.

Specified by:

isGlobalNodeAuthentication in interface GridSecurityProcessor

Returns:

True if all nodes should run authentication process, false otherwise.

authorize

public void authorize(String name,
                      SecurityPermission perm,
                      SecurityContext securityCtx)
               throws SecurityException

Authorizes grid operation.

Specified by:

authorize in interface GridSecurityProcessor

Parameters:

name - Cache name or task class name.

perm - Permission to authorize.

securityCtx - Optional security context.

Throws:

SecurityException - If security check failed.

onSessionExpired

public void onSessionExpired(UUID subjId)

Callback invoked when subject session got expired.

Specified by:

onSessionExpired in interface GridSecurityProcessor

Parameters:

subjId - Subject ID.

securityContext

public SecurityContext securityContext(UUID subjId)

Gets security context for authenticated nodes and thin clients. This method works with the assumption that SecurityContext associated with the Ignite node is stored in node attributes and is obtained automatically by the Ignite using the node ID (see IgniteSecurityProcessor.withContext(java.util.UUID)). Since we use the node ID as the subject ID during node authentication, this method is used for obtaining security context for thin clients only. Note, that the returned security context does not contain the address of the security subject. Since the client node does not store user data, the SecurityContext returned by the client node does not contain any user information, address, or username.

Specified by:

securityContext in interface GridSecurityProcessor

Parameters:

subjId - Security subject id.

Returns:

Security context or null if not found.

checkUserOperation

public void checkUserOperation(UserManagementOperation op)
                        throws IgniteAccessControlException

Parameters:

op - User operation to check.

Throws:

IgniteAccessControlException - If operation check fails: user hasn't permissions for user management or try to remove default user.