Authentication for Apache Ignite 2.5

SINORCHIAN Remus Alex

Authentication for Apache Ignite 2.5

Hello,

 

I would like to implement authentication for all the nodes of the cluster (client and server should provide username and password to join the cluster). I tried to use the latest version 2.5, which the documentation claims to provide authentication, but it doesn't implement it for all the nodes; it's just for the new thin Java client. Indeed I am not able to access the cluster with the thin client without providing credentials, but I am able to do it with the fat client (the client node which joins the cluster topology) without providing credentials -> so, this means cluster nodes are not authenticated.

First question: is my understanding correct, or am I missing something?

 

I also tried to implement the authentication of all the nodes using the GridSecurityProcessor interface, as part of a custom plugin (by following this guide http://smartkey.co.uk/development/securing-an-apache-ignite-cluster/ and other discussions on the public mailing list).

I got the plugin to be recognized by the server node, but I can't wire my implementation of the SecurityCredentialsProvider to Ignite; it seems Ignite doesn't use it. The question is similar to this one: http://apache-ignite-users.70518.x6.nabble.com/Custom-SecurityCredentialsProvider-and-SecurityCredentials-td16360.html.

As a consequence, when GridSecurityProcessor.authenticateNode(ClusterNode node, SecurityCredentials cred) is called, cred is null.

Second question: How to hook SecurityCredentialsProvider and SecurityCredentials to Ignite, so that it will call the authorizeNode method from my plugin, with these credentials?

 

Thanks.

 

aealexsandrov

Re: Authentication for Apache Ignite 2.5

Hi,

1) According to the advanced security that is provided by default:

https://apacheignite.readme.io/docs/advanced-security

It will provide the possibility to create/drop/alter the users. Also, it
provides only simple authentication with a password.

Note that it requires persistence and <property
name="authenticationEnabled" value="true"/>.

Could you please provide a step-by-step case where you enable the security,
enable persistence and create the user using
https://apacheignite-sql.readme.io/docs/create-user and it doesn't work?

2) According to the GridSecurityProcessor interface

You can take a look at the following thread. There you can see some problems that
you may face.

http://apache-ignite-users.70518.x6.nabble.com/Custom-GridSecurityProcessor-plugin-question-td4942.html

About hooking the SecurityCredentialsProvider and SecurityCredentials.
In your example you see how it could be done:

There is no simple way to do it, but you can try to extend
IgniteConfiguration as follows:


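import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.plugin.security.SecurityCredentialsProvider;

// IgniteConfiguration subclass that carries the credentials provider,
// so that a security processor can read it back from the node configuration.
public class SecurityIgniteConfiguration extends IgniteConfiguration {
    private SecurityCredentialsProvider securityCredentialsProvider;

    public SecurityCredentialsProvider getSecurityCredentialsProvider() {
        return securityCredentialsProvider;
    }

    public void setSecurityCredentialsProvider(
        SecurityCredentialsProvider securityCredentialsProvider) {
        this.securityCredentialsProvider = securityCredentialsProvider;
    }
}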

After that, in your security processor, do the following:

securityCred = ((SecurityIgniteConfiguration)
    ctx.config()).getSecurityCredentialsProvider();

BR,
Andrei

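A fail-closed way to use the provider from the reply inside a custom security processor, as an added example that is not part of the original thread or of Ignite. `NodeCredentialCheck` and its methods are hypothetical names; it assumes the `SecurityIgniteConfiguration` class from the reply is in the same package, Ignite is on the classpath, and every node is configured with the same login/password pair.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.apache.ignite.IgniteCheckedException;
import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.internal.GridKernalContext;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.plugin.security.SecurityCredentialsProvider;

/** Hypothetical helper for a custom GridSecurityProcessor; not part of Ignite. */
public final class NodeCredentialCheck {
    private NodeCredentialCheck() { }

    /** Reads this node's credentials from the SecurityIgniteConfiguration shown in the reply. */
    public static SecurityCredentials localCredentials(GridKernalContext ctx)
        throws IgniteCheckedException {
        IgniteConfiguration cfg = ctx.config();
        // A blind cast throws ClassCastException if the context holds another configuration class.
        if (!(cfg instanceof SecurityIgniteConfiguration))
            throw new IgniteCheckedException("Expected SecurityIgniteConfiguration, got "
                + cfg.getClass().getName());

        SecurityCredentialsProvider prov =
            ((SecurityIgniteConfiguration)cfg).getSecurityCredentialsProvider();
        SecurityCredentials cred = prov == null ? null : prov.credentials();
        // Refuse to run with the plugin enabled but no credentials configured.
        if (cred == null || cred.getLogin() == null || cred.getPassword() == null)
            throw new IgniteCheckedException("No node credentials configured");
        return cred;
    }

    /** Decision for authenticateNode(node, cred): true only if the presented credentials match. */
    public static boolean accept(SecurityCredentials expected, SecurityCredentials presented) {
        // Fail closed: a null cred, as described in the question, rejects the joining node.
        if (expected == null || presented == null)
            return false;
        // Non-short-circuit '&' so that both fields are always compared.
        return same(expected.getLogin(), presented.getLogin())
            & same(expected.getPassword(), presented.getPassword());
    }

    /** Constant-time comparison of two credential fields; null never matches. */
    private static boolean same(Object a, Object b) {
        if (a == null || b == null)
            return false;
        return MessageDigest.isEqual(a.toString().getBytes(StandardCharsets.UTF_8),
            b.toString().getBytes(StandardCharsets.UTF_8));
    }
}
```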