Class IgniteSecurityProcessor

- java.lang.Object
  - org.apache.ignite.internal.processors.GridProcessorAdapter
    - org.apache.ignite.internal.processors.security.IgniteSecurityAdapter
      - org.apache.ignite.internal.processors.security.IgniteSecurityProcessor

All Implemented Interfaces:
GridComponent, GridProcessor, IgniteSecurity
public class IgniteSecurityProcessor extends IgniteSecurityAdapter

Default IgniteSecurity implementation. IgniteSecurityProcessor serves here as a facade which is exposed to Ignite internal code, while GridSecurityProcessor is hidden and managed from IgniteSecurityProcessor.

This implementation of IgniteSecurity is responsible for:
- Keeping and propagating authenticated security contexts for cluster nodes;
- Delegating calls for all actions to GridSecurityProcessor;
- Managing the sandbox and providing the point of entry to the internal sandbox API.

Nested Class Summary
- Nested classes/interfaces inherited from interface org.apache.ignite.internal.GridComponent:
  GridComponent.DiscoveryDataExchangeType

Field Summary
Fields (Modifier and Type / Field / Description):
- static String ATTR_GRID_SEC_PROC_CLASS - Internal attribute name constant.

Fields inherited from class org.apache.ignite.internal.processors.GridProcessorAdapter:
ctx, diagnosticLog

Constructor Summary
Constructors:
- IgniteSecurityProcessor(GridKernalContext ctx, GridSecurityProcessor secPrc)

Method Summary
All Methods, Instance Methods, Concrete Methods (Modifier and Type / Method / Description):
- void alterUser(String login, char[] pwd) - Alters password of user with the specified login.
- SecurityContext authenticate(AuthenticationContext ctx) - Delegates call to GridSecurityProcessor.authenticate(AuthenticationContext).
- SecuritySubject authenticatedSubject(UUID subjId) - Delegates call to GridSecurityProcessor.authenticatedSubject(UUID).
- Collection<SecuritySubject> authenticatedSubjects() - Delegates call to GridSecurityProcessor.authenticatedSubjects().
- SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred)
- void authorize(String name, SecurityPermission perm) - Authorizes grid operation.
- void collectGridNodeData(DiscoveryDataBag dataBag) - Collects discovery data on nodes already in grid on receiving TcpDiscoveryNodeAddedMessage.
- void collectJoiningNodeData(DiscoveryDataBag dataBag) - Collects discovery data on joining node before sending TcpDiscoveryJoinRequestMessage request.
- void createUser(String login, char[] pwd) - Creates user with the specified login and password.
- @Nullable GridComponent.DiscoveryDataExchangeType discoveryDataType() - Gets unique component type to distinguish components providing discovery data.
- void dropUser(String login) - Drops user with the specified login.
- boolean enabled()
- boolean isDefaultContext()
- boolean isGlobalNodeAuthentication() - Delegates call to GridSecurityProcessor.isGlobalNodeAuthentication().
- boolean isSystemType(Class<?> cls)
- void onDisconnected(IgniteFuture<?> reconnectFut) - Client disconnected callback.
- void onGridDataReceived(DiscoveryDataBag.GridDiscoveryData data) - Receives discovery data object from remote nodes (called on new node during discovery process).
- void onJoiningNodeDataReceived(DiscoveryDataBag.JoiningNodeDiscoveryData data) - Method is called on nodes that are already in grid (not on joining node).
- void onKernalStart(boolean active) - Callback that notifies that kernal has successfully started, including all managers and processors.
- void onKernalStop(boolean cancel) - Callback to notify that kernal is about to stop.
- void onLocalJoin() - Callback for local join events for which the regular events are not generated.
- @Nullable IgniteInternalFuture<?> onReconnected(boolean clusterRestarted) - Client reconnected callback.
- void onSessionExpired(UUID subjId) - Delegates call to GridSecurityProcessor.onSessionExpired(UUID).
- void printMemoryStats() - Prints memory statistics (sizes of internal structures, etc.).
- IgniteSandbox sandbox()
- SecurityContext securityContext()
- GridSecurityProcessor securityProcessor()
- void start() - Starts grid component.
- void stop(boolean cancel) - Stops grid component.
- @Nullable IgniteNodeValidationResult validateNode(ClusterNode node) - Validates that new node can join grid topology; this method is called on coordinator node before new node joins topology.
- @Nullable IgniteNodeValidationResult validateNode(ClusterNode node, DiscoveryDataBag.JoiningNodeDiscoveryData discoData) - Validates that new node can join grid topology; this method is called on coordinator node before new node joins topology.
- OperationSecurityContext withContext(UUID subjId) - Creates OperationSecurityContext.
- OperationSecurityContext withContext(SecurityContext secCtx) - Creates OperationSecurityContext.

Methods inherited from class org.apache.ignite.internal.processors.GridProcessorAdapter:
assertParameter, toString

Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.apache.ignite.internal.processors.security.IgniteSecurity:
authorize

Field Detail

ATTR_GRID_SEC_PROC_CLASS
public static final String ATTR_GRID_SEC_PROC_CLASS
Internal attribute name constant.
- See Also:
  Constant Field Values

Constructor Detail

IgniteSecurityProcessor
public IgniteSecurityProcessor(GridKernalContext ctx, GridSecurityProcessor secPrc)
- Parameters:
  ctx - Grid kernal context.
  secPrc - Security processor.

Method Detail

withContext
public OperationSecurityContext withContext(SecurityContext secCtx)
Creates OperationSecurityContext. All calls of the methods IgniteSecurity.authorize(String, SecurityPermission) or IgniteSecurity.authorize(SecurityPermission) will be processed in the context of the passed SecurityContext until the holder OperationSecurityContext is closed.
- Parameters:
  secCtx - Security context.
- Returns:
  Security context holder.

withContext
public OperationSecurityContext withContext(UUID subjId)
Creates OperationSecurityContext. All calls of the methods IgniteSecurity.authorize(String, SecurityPermission) or IgniteSecurity.authorize(SecurityPermission) will be processed in the context of the SecurityContext owned by the node with the given node id until the holder OperationSecurityContext is closed.
- Parameters:
  subjId - Node id.
- Returns:
  Security context holder.

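An added example (not code from the Ignite project) showing how both withContext overloads are meant to be used together with authorize(): the returned OperationSecurityContext is opened in try-with-resources, so every authorize() call inside the block is checked against the chosen subject and the scope ends when the holder is closed. It assumes the caller already holds a reference to the IgniteSecurityProcessor instance; the class name, the cache name and the subject id are placeholders supplied by the caller.

```java
import java.util.UUID;

import org.apache.ignite.internal.processors.security.IgniteSecurityProcessor;
import org.apache.ignite.internal.processors.security.OperationSecurityContext;
import org.apache.ignite.internal.processors.security.SecurityContext;
import org.apache.ignite.plugin.security.SecurityException;
import org.apache.ignite.plugin.security.SecurityPermission;

/** Hypothetical helper (not part of Ignite): scoped cache permission checks via the facade. */
public final class ScopedAuthorizationExample {
    /** Security facade of the local node; assumed to be obtained by the caller. */
    private final IgniteSecurityProcessor security;

    public ScopedAuthorizationExample(IgniteSecurityProcessor security) {
        this.security = security;
    }

    /**
     * Returns true if the subject identified by {@code subjId} (a node id, as documented for
     * withContext(UUID)) is permitted to put into {@code cacheName}, false if the check fails.
     */
    public boolean canPut(UUID subjId, String cacheName) {
        // With the default no-op implementation there is nothing to enforce (see enabled()).
        if (!security.enabled())
            return true;

        // While the holder is open, authorize() is evaluated against that subject's context;
        // closing it (automatically, via try-with-resources) ends the scope.
        try (OperationSecurityContext ignored = security.withContext(subjId)) {
            security.authorize(cacheName, SecurityPermission.CACHE_PUT);

            return true;
        }
        catch (SecurityException e) {
            // authorize() signals a failed check by throwing; report it to the caller as false.
            return false;
        }
    }

    /** Same check for an already-resolved SecurityContext, using withContext(SecurityContext). */
    public boolean canPut(SecurityContext secCtx, String cacheName) {
        try (OperationSecurityContext ignored = security.withContext(secCtx)) {
            security.authorize(cacheName, SecurityPermission.CACHE_PUT);

            return true;
        }
        catch (SecurityException e) {
            return false;
        }
    }
}
```

Any authorize() call made after the try block has exited is no longer evaluated in that subject's context, so the holder should never be stored and closed later on another thread.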
isDefaultContext
public boolean isDefaultContext()
- Returns:
  True if the current thread is executing in the default security context.

securityContext
public SecurityContext securityContext()
- Returns:
  SecurityContext of the holder OperationSecurityContext.

authenticateNode
public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) throws IgniteCheckedException
Delegates call to GridSecurityProcessor.authenticateNode(org.apache.ignite.cluster.ClusterNode, org.apache.ignite.plugin.security.SecurityCredentials).
- Throws:
  IgniteCheckedException

isGlobalNodeAuthentication
public boolean isGlobalNodeAuthentication()
Delegates call to GridSecurityProcessor.isGlobalNodeAuthentication().

authenticate
public SecurityContext authenticate(AuthenticationContext ctx) throws IgniteCheckedException
Delegates call to GridSecurityProcessor.authenticate(AuthenticationContext).
- Throws:
  IgniteCheckedException

authenticatedSubjects
public Collection<SecuritySubject> authenticatedSubjects() throws IgniteCheckedException
Delegates call to GridSecurityProcessor.authenticatedSubjects().
- Throws:
  IgniteCheckedException

authenticatedSubject
public SecuritySubject authenticatedSubject(UUID subjId) throws IgniteCheckedException
Delegates call to GridSecurityProcessor.authenticatedSubject(UUID).
- Throws:
  IgniteCheckedException

onSessionExpired
public void onSessionExpired(UUID subjId)
Delegates call to GridSecurityProcessor.onSessionExpired(UUID).

authorize
public void authorize(String name, SecurityPermission perm) throws SecurityException
Authorizes grid operation.
- Parameters:
  name - Cache name or task class name.
  perm - Permission to authorize.
- Throws:
  SecurityException - If security check failed.

sandbox
public IgniteSandbox sandbox()
- Returns:
  Instance of IgniteSandbox.

enabled
public boolean enabled()
- Returns:
  True if IgniteSecurity is a plugin implementation, false if the default no-op implementation is in use.

start
public void start() throws IgniteCheckedException
Starts grid component.
- Specified by:
  start in interface GridComponent
- Overrides:
  start in class GridProcessorAdapter
- Throws:
  IgniteCheckedException - Thrown in case of any errors.

stop
public void stop(boolean cancel) throws IgniteCheckedException
Stops grid component.
- Specified by:
  stop in interface GridComponent
- Overrides:
  stop in class GridProcessorAdapter
- Parameters:
  cancel - If true, then all ongoing tasks or jobs for relevant components need to be cancelled.
- Throws:
  IgniteCheckedException - Thrown in case of any errors.

onKernalStart
public void onKernalStart(boolean active) throws IgniteCheckedException
Callback that notifies that kernal has successfully started, including all managers and processors.
- Specified by:
  onKernalStart in interface GridComponent
- Overrides:
  onKernalStart in class GridProcessorAdapter
- Parameters:
  active - Cluster active flag (note: should be used carefully since state can change concurrently).
- Throws:
  IgniteCheckedException - Thrown in case of any errors.

onKernalStop
public void onKernalStop(boolean cancel)
Callback to notify that kernal is about to stop.
- Specified by:
  onKernalStop in interface GridComponent
- Overrides:
  onKernalStop in class GridProcessorAdapter
- Parameters:
  cancel - Flag indicating whether jobs should be canceled.

collectJoiningNodeData
public void collectJoiningNodeData(DiscoveryDataBag dataBag)
Collects discovery data on joining node before sending TcpDiscoveryJoinRequestMessage request.
- Specified by:
  collectJoiningNodeData in interface GridComponent
- Overrides:
  collectJoiningNodeData in class GridProcessorAdapter
- Parameters:
  dataBag - Container object to store discovery data in.

collectGridNodeData
public void collectGridNodeData(DiscoveryDataBag dataBag)
Collects discovery data on nodes already in grid on receiving TcpDiscoveryNodeAddedMessage.
- Specified by:
  collectGridNodeData in interface GridComponent
- Overrides:
  collectGridNodeData in class GridProcessorAdapter
- Parameters:
  dataBag - Container object to store discovery data in.

onGridDataReceived
public void onGridDataReceived(DiscoveryDataBag.GridDiscoveryData data)
Receives discovery data object from remote nodes (called on new node during discovery process).
- Specified by:
  onGridDataReceived in interface GridComponent
- Overrides:
  onGridDataReceived in class GridProcessorAdapter
- Parameters:
  data - DiscoveryDataBag.GridDiscoveryData interface to retrieve discovery data collected on remote nodes (data common for all nodes in grid and specific for each node).

onJoiningNodeDataReceived
public void onJoiningNodeDataReceived(DiscoveryDataBag.JoiningNodeDiscoveryData data)
Method is called on nodes that are already in grid (not on joining node). It receives discovery data from joining node.
- Specified by:
  onJoiningNodeDataReceived in interface GridComponent
- Overrides:
  onJoiningNodeDataReceived in class GridProcessorAdapter
- Parameters:
  data - DiscoveryDataBag.JoiningNodeDiscoveryData interface to retrieve discovery data of joining node.

printMemoryStats
public void printMemoryStats()
Prints memory statistics (sizes of internal structures, etc.). NOTE: this method is for testing and profiling purposes only.
- Specified by:
  printMemoryStats in interface GridComponent
- Overrides:
  printMemoryStats in class GridProcessorAdapter

validateNode
@Nullable public IgniteNodeValidationResult validateNode(ClusterNode node)
Validates that new node can join grid topology; this method is called on coordinator node before new node joins topology.
- Specified by:
  validateNode in interface GridComponent
- Overrides:
  validateNode in class GridProcessorAdapter
- Parameters:
  node - Joining node.
- Returns:
  Validation result, or null in case of success.

validateNode
@Nullable public IgniteNodeValidationResult validateNode(ClusterNode node, DiscoveryDataBag.JoiningNodeDiscoveryData discoData)
Validates that new node can join grid topology; this method is called on coordinator node before new node joins topology.
- Specified by:
  validateNode in interface GridComponent
- Overrides:
  validateNode in class GridProcessorAdapter
- Parameters:
  node - Joining node.
  discoData - Joining node discovery data.
- Returns:
  Validation result, or null in case of success.

discoveryDataType
@Nullable public GridComponent.DiscoveryDataExchangeType discoveryDataType()
Gets unique component type to distinguish components providing discovery data. Must return a non-null value if the component implements any of the methods GridComponent.collectJoiningNodeData(DiscoveryDataBag) or GridComponent.collectGridNodeData(DiscoveryDataBag).
- Specified by:
  discoveryDataType in interface GridComponent
- Overrides:
  discoveryDataType in class GridProcessorAdapter
- Returns:
  Unique component type for discovery data exchange.

onDisconnected
public void onDisconnected(IgniteFuture<?> reconnectFut) throws IgniteCheckedException
Client disconnected callback.
- Specified by:
  onDisconnected in interface GridComponent
- Overrides:
  onDisconnected in class GridProcessorAdapter
- Parameters:
  reconnectFut - Reconnect future.
- Throws:
  IgniteCheckedException - If failed.

onReconnected
@Nullable public IgniteInternalFuture<?> onReconnected(boolean clusterRestarted) throws IgniteCheckedException
Client reconnected callback.
- Specified by:
  onReconnected in interface GridComponent
- Overrides:
  onReconnected in class GridProcessorAdapter
- Parameters:
  clusterRestarted - Cluster restarted flag.
- Returns:
  Future to wait for before completing the reconnect future.
- Throws:
  IgniteCheckedException - If failed.

createUser
public void createUser(String login, char[] pwd) throws IgniteCheckedException
Creates user with the specified login and password.
- Parameters:
  login - Login of the user to be created.
  pwd - User password.
- Throws:
  IgniteCheckedException - If error occurred.

alterUser
public void alterUser(String login, char[] pwd) throws IgniteCheckedException
Alters password of user with the specified login.
- Parameters:
  login - Login of the user whose password should be altered.
  pwd - New user password.
- Throws:
  IgniteCheckedException - If error occurred.

dropUser
public void dropUser(String login) throws IgniteCheckedException
Drops user with the specified login.
- Parameters:
  login - Login of the user to be dropped.
- Throws:
  IgniteCheckedException - If error occurred.

onLocalJoin
public void onLocalJoin()
Callback for local join events for which the regular events are not generated. A local join event is expected when joining the topology or on client reconnect.

isSystemType
public boolean isSystemType(Class<?> cls)
- Specified by:
  isSystemType in interface IgniteSecurity
- Overrides:
  isSystemType in class IgniteSecurityAdapter
- Parameters:
  cls - The class for which the check is to be performed.
- Returns:
  Whether the specified class can be considered system. System classes are classes whose source code can be considered controlled by the Ignite administrator and to which less stringent security checks can be applied. By default, Ignite considers only classes from its own codebase as system, but their pool can be extended by a custom Security Plugin.
- See Also:
  GridSecurityProcessor.isSystemType(Class)

securityProcessor
public GridSecurityProcessor securityProcessor()
- Returns:
  Security processor implementation to which the current security facade delegates operations.