org.apache.ignite.internal.processors.security

Class IgniteSecurityProcessor

java.lang.Object

org.apache.ignite.internal.processors.GridProcessorAdapter

org.apache.ignite.internal.processors.security.IgniteSecurityAdapter

org.apache.ignite.internal.processors.security.IgniteSecurityProcessor

All Implemented Interfaces:

GridComponent, GridProcessor, IgniteSecurity

public class IgniteSecurityProcessor
extends IgniteSecurityAdapter

Default IgniteSecurity implementation.

IgniteSecurityProcessor serves here as a facade with is exposed to Ignite internal code, while GridSecurityProcessor is hidden and managed from IgniteSecurityProcessor.

This implementation of IgniteSecurity is responsible for:

• Keeping and propagating authenticated security contexts for cluster nodes;
• Delegating calls for all actions to GridSecurityProcessor;
• Managing sandbox and proving point of entry to the internal sandbox API.

Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.ignite.internal.GridComponent

GridComponent.DiscoveryDataExchangeType

Field Summary

Fields

Modifier and Type	Field and Description
static String	ATTR_GRID_SEC_PROC_CLASS Internal attribute name constant.

Fields inherited from class org.apache.ignite.internal.processors.GridProcessorAdapter

ctx, diagnosticLog

Constructor Summary

Constructors

Constructor and Description
IgniteSecurityProcessor(GridKernalContext ctx, GridSecurityProcessor secPrc)

Method Summary

Modifier and Type	Method and Description
void	alterUser(String login, char[] pwd) Alters password of user with the specified login.
SecurityContext	authenticate(AuthenticationContext ctx) Delegates call to GridSecurityProcessor.authenticate(AuthenticationContext)
SecuritySubject	authenticatedSubject(UUID subjId) Delegates call to GridSecurityProcessor.authenticatedSubject(UUID)
Collection<SecuritySubject>	authenticatedSubjects() Delegates call to GridSecurityProcessor.authenticatedSubjects()
SecurityContext	authenticateNode(ClusterNode node, SecurityCredentials cred) Delegates call to GridSecurityProcessor.authenticateNode(org.apache.ignite.cluster.ClusterNode, org.apache.ignite.plugin.security.SecurityCredentials)
void	authorize(String name, SecurityPermission perm) Authorizes grid operation.
void	collectGridNodeData(DiscoveryDataBag dataBag) Collects discovery data on nodes already in grid on receiving TcpDiscoveryNodeAddedMessage.
void	collectJoiningNodeData(DiscoveryDataBag dataBag) Collects discovery data on joining node before sending TcpDiscoveryJoinRequestMessage request.
void	createUser(String login, char[] pwd) Creates user with the specified login and password.
@Nullable GridComponent.DiscoveryDataExchangeType	discoveryDataType() Gets unique component type to distinguish components providing discovery data.
void	dropUser(String login) Drops user with the specified login.
boolean	enabled()
boolean	isDefaultContext()
boolean	isGlobalNodeAuthentication() Delegates call to GridSecurityProcessor.isGlobalNodeAuthentication()
boolean	isSystemType(Class<?> cls)
void	onDisconnected(IgniteFuture<?> reconnectFut) Client disconnected callback.
void	onGridDataReceived(DiscoveryDataBag.GridDiscoveryData data) Receives discovery data object from remote nodes (called on new node during discovery process).
void	onJoiningNodeDataReceived(DiscoveryDataBag.JoiningNodeDiscoveryData data) Method is called on nodes that are already in grid (not on joining node).
void	onKernalStart(boolean active) Callback that notifies that kernal has successfully started, including all managers and processors.
void	onKernalStop(boolean cancel) Callback to notify that kernal is about to stop.
void	onLocalJoin() Callback for local join events for which the regular events are not generated.
@Nullable IgniteInternalFuture<?>	onReconnected(boolean clusterRestarted) Client reconnected callback.
void	onSessionExpired(UUID subjId) Delegates call to GridSecurityProcessor.onSessionExpired(UUID)
void	printMemoryStats() Prints memory statistics (sizes of internal structures, etc.).
IgniteSandbox	sandbox()
SecurityContext	securityContext()
GridSecurityProcessor	securityProcessor()
void	start() Starts grid component.
void	stop(boolean cancel) Stops grid component.
@Nullable IgniteNodeValidationResult	validateNode(ClusterNode node) Validates that new node can join grid topology, this method is called on coordinator node before new node joins topology.
@Nullable IgniteNodeValidationResult	validateNode(ClusterNode node, DiscoveryDataBag.JoiningNodeDiscoveryData discoData) Validates that new node can join grid topology, this method is called on coordinator node before new node joins topology.
OperationSecurityContext	withContext(SecurityContext secCtx) Creates OperationSecurityContext.
OperationSecurityContext	withContext(UUID subjId) Creates OperationSecurityContext.

Methods inherited from class org.apache.ignite.internal.processors.GridProcessorAdapter

assertParameter, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.apache.ignite.internal.processors.security.IgniteSecurity

authorize

Field Detail

ATTR_GRID_SEC_PROC_CLASS

public static final String ATTR_GRID_SEC_PROC_CLASS

Internal attribute name constant.

See Also:

Constant Field Values

Constructor Detail

IgniteSecurityProcessor

public IgniteSecurityProcessor(GridKernalContext ctx,
                               GridSecurityProcessor secPrc)

Parameters:

ctx - Grid kernal context.

secPrc - Security processor.

Method Detail

withContext

public OperationSecurityContext withContext(SecurityContext secCtx)

Creates OperationSecurityContext. All calls of methods IgniteSecurity.authorize(String, SecurityPermission) or IgniteSecurity.authorize(SecurityPermission) will be processed into the context of passed SecurityContext until holder OperationSecurityContext will be closed.

Parameters:

secCtx - Security Context.

Returns:

Security context holder.

withContext

public OperationSecurityContext withContext(UUID subjId)

Creates OperationSecurityContext. All calls of methods IgniteSecurity.authorize(String, SecurityPermission) or IgniteSecurity.authorize(SecurityPermission) will be processed into the context of SecurityContext that is owned by the node with given nodeId until holder OperationSecurityContext will be closed.

Parameters:

subjId - Node id.

Returns:

Security context holder.

isDefaultContext

public boolean isDefaultContext()

Returns:

True if current thread executed in default security context.

securityContext

public SecurityContext securityContext()

Returns:

SecurityContext of holder OperationSecurityContext.

authenticateNode

public SecurityContext authenticateNode(ClusterNode node,
                                        SecurityCredentials cred)
                                 throws IgniteCheckedException

Delegates call to GridSecurityProcessor.authenticateNode(org.apache.ignite.cluster.ClusterNode, org.apache.ignite.plugin.security.SecurityCredentials)

Throws:

IgniteCheckedException

isGlobalNodeAuthentication

public boolean isGlobalNodeAuthentication()

Delegates call to GridSecurityProcessor.isGlobalNodeAuthentication()

authenticate

public SecurityContext authenticate(AuthenticationContext ctx)
                             throws IgniteCheckedException

Delegates call to GridSecurityProcessor.authenticate(AuthenticationContext)

Throws:

IgniteCheckedException

authenticatedSubjects

public Collection<SecuritySubject> authenticatedSubjects()
                                                  throws IgniteCheckedException

Delegates call to GridSecurityProcessor.authenticatedSubjects()

Throws:

IgniteCheckedException

authenticatedSubject

public SecuritySubject authenticatedSubject(UUID subjId)
                                     throws IgniteCheckedException

Delegates call to GridSecurityProcessor.authenticatedSubject(UUID)

Throws:

IgniteCheckedException

onSessionExpired

public void onSessionExpired(UUID subjId)

Delegates call to GridSecurityProcessor.onSessionExpired(UUID)

authorize

public void authorize(String name,
                      SecurityPermission perm)
               throws SecurityException

Authorizes grid operation.

Parameters:

name - Cache name or task class name.

perm - Permission to authorize.

Throws:

SecurityException - If security check failed.

sandbox

public IgniteSandbox sandbox()

Returns:

Instance of IgniteSandbox.

enabled

public boolean enabled()

Returns:

True if IgniteSecurity is a plugin implementation, false if it's used a default NoOp implementation.

start

public void start()
           throws IgniteCheckedException

Starts grid component.

Specified by:

start in interface GridComponent

Overrides:

start in class GridProcessorAdapter

Throws:

IgniteCheckedException - Throws in case of any errors.

stop

public void stop(boolean cancel)
          throws IgniteCheckedException

Stops grid component.

Specified by:

stop in interface GridComponent

Overrides:

stop in class GridProcessorAdapter

Parameters:

cancel - If true, then all ongoing tasks or jobs for relevant components need to be cancelled.

Throws:

IgniteCheckedException - Thrown in case of any errors.

onKernalStart

public void onKernalStart(boolean active)
                   throws IgniteCheckedException

Callback that notifies that kernal has successfully started, including all managers and processors.

Specified by:

onKernalStart in interface GridComponent

Overrides:

onKernalStart in class GridProcessorAdapter

Parameters:

active - Cluster active flag (note: should be used carefully since state can change concurrently).

Throws:

IgniteCheckedException - Thrown in case of any errors.

onKernalStop

public void onKernalStop(boolean cancel)

Callback to notify that kernal is about to stop.

Specified by:

onKernalStop in interface GridComponent

Overrides:

onKernalStop in class GridProcessorAdapter

Parameters:

cancel - Flag indicating whether jobs should be canceled.

collectJoiningNodeData

public void collectJoiningNodeData(DiscoveryDataBag dataBag)

Collects discovery data on joining node before sending TcpDiscoveryJoinRequestMessage request.

Specified by:

collectJoiningNodeData in interface GridComponent

Overrides:

collectJoiningNodeData in class GridProcessorAdapter

Parameters:

dataBag - container object to store discovery data in.

collectGridNodeData

public void collectGridNodeData(DiscoveryDataBag dataBag)

Collects discovery data on nodes already in grid on receiving TcpDiscoveryNodeAddedMessage.

Specified by:

collectGridNodeData in interface GridComponent

Overrides:

collectGridNodeData in class GridProcessorAdapter

Parameters:

dataBag - container object to store discovery data in.

onGridDataReceived

public void onGridDataReceived(DiscoveryDataBag.GridDiscoveryData data)

Receives discovery data object from remote nodes (called on new node during discovery process).

Specified by:

onGridDataReceived in interface GridComponent

Overrides:

onGridDataReceived in class GridProcessorAdapter

Parameters:

data - DiscoveryDataBag.GridDiscoveryData interface to retrieve discovery data collected on remote nodes (data common for all nodes in grid and specific for each node).

onJoiningNodeDataReceived

public void onJoiningNodeDataReceived(DiscoveryDataBag.JoiningNodeDiscoveryData data)

Method is called on nodes that are already in grid (not on joining node). It receives discovery data from joining node.

Specified by:

onJoiningNodeDataReceived in interface GridComponent

Overrides:

onJoiningNodeDataReceived in class GridProcessorAdapter

Parameters:

data - DiscoveryDataBag.JoiningNodeDiscoveryData interface to retrieve discovery data of joining node.

printMemoryStats

public void printMemoryStats()

Prints memory statistics (sizes of internal structures, etc.). NOTE: this method is for testing and profiling purposes only.

Specified by:

printMemoryStats in interface GridComponent

Overrides:

printMemoryStats in class GridProcessorAdapter

validateNode

@Nullable
public @Nullable IgniteNodeValidationResult validateNode(ClusterNode node)

Validates that new node can join grid topology, this method is called on coordinator node before new node joins topology.

Specified by:

validateNode in interface GridComponent

Overrides:

validateNode in class GridProcessorAdapter

Parameters:

node - Joining node.

Returns:

Validation result or null in case of success.

validateNode

@Nullable
public @Nullable IgniteNodeValidationResult validateNode(ClusterNode node,
                                                                   DiscoveryDataBag.JoiningNodeDiscoveryData discoData)

Validates that new node can join grid topology, this method is called on coordinator node before new node joins topology.

Specified by:

validateNode in interface GridComponent

Overrides:

validateNode in class GridProcessorAdapter

Parameters:

node - Joining node.

discoData - Joining node discovery data.

Returns:

Validation result or null in case of success.

discoveryDataType

@Nullable
public @Nullable GridComponent.DiscoveryDataExchangeType discoveryDataType()

Gets unique component type to distinguish components providing discovery data. Must return non-null value if component implements any of methods GridComponent.collectJoiningNodeData(DiscoveryDataBag) or GridComponent.collectGridNodeData(DiscoveryDataBag).

Specified by:

discoveryDataType in interface GridComponent

Overrides:

discoveryDataType in class GridProcessorAdapter

Returns:

Unique component type for discovery data exchange.

onDisconnected

public void onDisconnected(IgniteFuture<?> reconnectFut)
                    throws IgniteCheckedException

Client disconnected callback.

Specified by:

onDisconnected in interface GridComponent

Overrides:

onDisconnected in class GridProcessorAdapter

Parameters:

reconnectFut - Reconnect future.

Throws:

IgniteCheckedException - If failed.

onReconnected

@Nullable
public @Nullable IgniteInternalFuture<?> onReconnected(boolean clusterRestarted)
                                                          throws IgniteCheckedException

Client reconnected callback.

Specified by:

onReconnected in interface GridComponent

Overrides:

onReconnected in class GridProcessorAdapter

Parameters:

clusterRestarted - Cluster restarted flag.

Returns:

Future to wait before completing reconnect future.

Throws:

IgniteCheckedException - If failed.

createUser

public void createUser(String login,
                       char[] pwd)
                throws IgniteCheckedException

Creates user with the specified login and password.

Parameters:

login - Login of the user to be created.

pwd - User password.

Throws:

IgniteCheckedException - If error occurred.

alterUser

public void alterUser(String login,
                      char[] pwd)
               throws IgniteCheckedException

Alters password of user with the specified login.

Parameters:

login - Login of the user which password should be altered.

pwd - User password to alter.

Throws:

IgniteCheckedException - If error occurred.

dropUser

public void dropUser(String login)
              throws IgniteCheckedException

Drops user with the specified login.

Parameters:

login - Login of the user to be dropped.

Throws:

IgniteCheckedException - If error occurred.

onLocalJoin

public void onLocalJoin()

Callback for local join events for which the regular events are not generated.

Local join event is expected in cases of joining to topology or client reconnect.

isSystemType

public boolean isSystemType(Class<?> cls)

Specified by:

isSystemType in interface IgniteSecurity

Overrides:

isSystemType in class IgniteSecurityAdapter

Parameters:

cls - The class for which the check is to be performed.

Returns:

Whether the specified class can be considered system. System classes are classes whose source code can be considered controlled by the Ignite administrator and to which less stringent security checks can be applied. By default, Ignite considers only classes from its own codebase as system but their pool can be extended by custom Security Plugin.

See Also:

GridSecurityProcessor.isSystemType(Class)

securityProcessor

public GridSecurityProcessor securityProcessor()

Returns:

Security processor implementation to which current security facade delegates operations.