Not able to start second server node due to authentication failure

Sankar Ramiah

Not able to start second server node due to authentication failure

I have implemented custom authentication and authorization through a plugin.

    public class MyPlugin implements GridSecurityProcessor, IgnitePlugin {

I implemented the authenticateNode method, which bypasses authentication for server nodes and returns a security context instance. validateNode always returns null. When I start the second server node, authenticateNode is invoked and goes through the code that bypasses authentication, but the startup then fails with an Authentication Failed error. validateNode does not seem to be invoked.

ERROR: org.apache.ignite.internal.IgniteKernal - Got exception while starting (will rollback startup routine).
org.apache.ignite.IgniteCheckedException: Failed to start manager: GridManagerAdapter [enabled=true, name=org.apache.ignite.internal.managers.discovery.GridDiscoveryManager]
    at org.apache.ignite.internal.IgniteKernal.startManager(IgniteKernal.java:1687) ~[ignite-core-2.7.0.jar!/:2.7.0]
    at org.apache.ignite.internal.IgniteKernal.start(IgniteKernal.java:1066) [ignite-core-2.7.0.jar!/:2.7.0]
    at org.apache.ignite.internal.IgnitionEx$IgniteNamedInstance.start0(IgnitionEx.java:2038) [ignite-core-2.7.0.jar!/:2.7.0]
Caused by: org.apache.ignite.IgniteCheckedException: Failed to start SPI: TcpDiscoverySpi [addrRslvr=null, sockTimeout=5000, ackTimeout=5000, marsh=JdkMarshaller [clsFilter=org.apache.ignite.marshaller.MarshallerUtils$1@5b51df3f], reconCnt=10, reconDelay=2000, maxAckTimeout=600000, forceSrvMode=false, clientReconnectDisabled=false, internalLsnr=null]
    at org.apache.ignite.internal.managers.GridManagerAdapter.startSpi(GridManagerAdapter.java:300) ~[ignite-core-2.7.0.jar!/:2.7.0]
    at org.apache.ignite.internal.managers.discovery.GridDiscoveryManager.start(GridDiscoveryManager.java:939) ~[ignite-core-2.7.0.jar!/:2.7.0]
    at org.apache.ignite.internal.IgniteKernal.startManager(IgniteKernal.java:1682) ~[ignite-core-2.7.0.jar!/:2.7.0]
    ... 66 more
Caused by: org.apache.ignite.spi.IgniteSpiException: Authentication failed [nodeId=e3ab993e-0acf-4e55-86a7-473989e0fdca, addr=0.0.0.0]
    at org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi.authenticationFailedError(TcpDiscoverySpi.java:1935) ~[ignite-core-2.7.0.jar!/:2.7.0]
    at org.apache.ignite.spi.discovery.tcp.ServerImpl.joinTopology(ServerImpl.java:967) ~[ignite-core-2.7.0.jar!/:2.7.0]
    at org.apache.ignite.spi.discovery.tcp.ServerImpl.spiStart(ServerImpl.java:391) ~[ignite-core-2.7.0.jar!/:2.7.0]
    at org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi.spiStart(TcpDiscoverySpi.java:2020) ~[ignite-core-2.7.0.jar!/:2.7.0]
    at org.apache.ignite.internal.managers.GridManagerAdapter.startSpi(GridManagerAdapter.java:297) ~[ignite-core-2.7.0.jar!/:2.7.0]


I have spent quite some time with this error. The first node starts without any issues. Multiple servers start fine without the security plugin in place. Any help in this regard would be highly appreciated. Thanks.

Sent from the Apache Ignite Users mailing list archive at Nabble.com.
aealexsandrov

Re: Not able to start second server node due to authentication failure

Hi,

It's correct that SecurityContext is null in your case:

    SecurityContext subj = spi.nodeAuth.authenticateNode(node, cred);

    if (subj == null) {
        // Node has not passed authentication.
        LT.warn(log, "Authentication failed [nodeId=" + node.id() +
            ", addrs=" + U.addressesAsString(node) + ']');

This subject should be returned from the security processor (here spi is the DiscoverySPI):

            spi.setAuthenticator(new DiscoverySpiNodeAuthenticator() {
                @Override public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) {
                    try {
                        return ctx.security().authenticateNode(node, cred);
                    }
                    catch (IgniteCheckedException e) {
                        throw U.convertException(e);
                    }
                }

                @Override public boolean isGlobalNodeAuthentication() {
                    return ctx.security().isGlobalNodeAuthentication();
                }
            });

via the ctx.security().authenticateNode(node, cred) method.

But there is no security processor by default in Ignite. However, it looks like you should re-implement your DiscoverySPI and its setAuthenticator method:

https://ignite.apache.org/releases/latest/javadoc/org/apache/ignite/spi/discovery/DiscoverySpi.html#setAuthenticator-org.apache.ignite.spi.discovery.DiscoverySpiNodeAuthenticator-

BR,
Andei

11/6/2019 1:26 PM, Sankar Ramiah wrote:
Zaheer

Re: Not able to start second server node due to authentication failure

Hi Sankar,

What Andei said is correct. We need to return a security subject. I faced this problem and solved it like this:

1. Create your own SecurityPermissionSet class that implements org.apache.ignite.plugin.security.SecurityPermissionSet.

    import java.io.Serializable;
    import java.util.Collection;
    import java.util.Map;

    import org.apache.ignite.plugin.security.SecurityPermission;
    import org.apache.ignite.plugin.security.SecurityPermissionSet;
    import org.jetbrains.annotations.Nullable;

    public class TestSecurityPermissionSet implements SecurityPermissionSet, Serializable {
        private boolean defaultAllowAll;
        private Map<String, Collection<SecurityPermission>> taskPermissions;
        private Map<String, Collection<SecurityPermission>> cachePermissions;
        private Map<String, Collection<SecurityPermission>> servicePermissions;
        private Collection<SecurityPermission> systemPermissions;

        public TestSecurityPermissionSet(boolean defaultAllowAll,
            Map<String, Collection<SecurityPermission>> taskPermissions,
            Map<String, Collection<SecurityPermission>> cachePermissions,
            Map<String, Collection<SecurityPermission>> servicePermissions,
            Collection<SecurityPermission> systemPermissions) {
            this.defaultAllowAll = defaultAllowAll;
            this.taskPermissions = taskPermissions;
            this.cachePermissions = cachePermissions;
            this.servicePermissions = servicePermissions;
            this.systemPermissions = systemPermissions;
        }

        public boolean defaultAllowAll() {
            return defaultAllowAll;
        }

        public Map<String, Collection<SecurityPermission>> taskPermissions() {
            return taskPermissions;
        }

        public Map<String, Collection<SecurityPermission>> cachePermissions() {
            return cachePermissions;
        }

        public Map<String, Collection<SecurityPermission>> servicePermissions() {
            return servicePermissions;
        }

        @Nullable
        public Collection<SecurityPermission> systemPermissions() {
            return systemPermissions;
        }
    }
2. Create your own security subject (say TestSecuritySubject) class that implements org.apache.ignite.plugin.security.SecuritySubject.

    import java.io.Serializable;
    import java.net.InetSocketAddress;
    import java.util.UUID;

    import org.apache.ignite.plugin.security.SecuritySubject;
    import org.apache.ignite.plugin.security.SecuritySubjectType;

    public class TestSecuritySubject implements SecuritySubject, Serializable {
        private SecuritySubjectType subjectType;
        private UUID uuid;
        private Object login;
        private TestSecurityPermissionSet securityPermissionSet;

        public TestSecuritySubject(SecuritySubjectType subjectType, UUID uuid,
            Object login, TestSecurityPermissionSet securityPermissionSet) {
            this.subjectType = subjectType;
            this.uuid = uuid;
            this.login = login;
            this.securityPermissionSet = securityPermissionSet;
        }

        public UUID id() {
            return uuid;
        }

        public SecuritySubjectType type() {
            return subjectType;
        }

        public Object login() {
            return login;
        }

        public InetSocketAddress address() {
            return null;
        }

        public TestSecurityPermissionSet permissions() {
            return securityPermissionSet;
        }
    }
3. Create your own security context class that implements org.apache.ignite.internal.processors.security.SecurityContext, with a TestSecuritySubject field in the class.

    import java.io.Serializable;
    import java.util.Collection;
    import java.util.Map;

    import org.apache.ignite.internal.processors.security.SecurityContext;
    import org.apache.ignite.plugin.security.SecurityPermission;
    import org.apache.ignite.plugin.security.SecuritySubject;

    public class TestSecurityContext implements SecurityContext, Serializable {
        private TestSecuritySubject securitySubject;

        public TestSecurityContext(TestSecuritySubject securitySubject) {
            this.securitySubject = securitySubject;
        }

        public SecuritySubject subject() {
            return securitySubject;
        }

        public boolean taskOperationAllowed(String taskClsName, SecurityPermission perm) {
            // Check whether the subject's task permissions contain the given taskClsName and perm.
            return allowed(securitySubject.permissions().taskPermissions(), taskClsName, perm);
        }

        public boolean cacheOperationAllowed(String cacheName, SecurityPermission perm) {
            // Check whether the subject's cache permissions contain the given cacheName and perm.
            return allowed(securitySubject.permissions().cachePermissions(), cacheName, perm);
        }

        public boolean serviceOperationAllowed(String srvcName, SecurityPermission perm) {
            // Check whether the subject's service permissions contain the given srvcName and perm.
            return allowed(securitySubject.permissions().servicePermissions(), srvcName, perm);
        }

        public boolean systemOperationAllowed(SecurityPermission perm) {
            // Check whether the subject's system permissions contain the given perm.
            Collection<SecurityPermission> sysPerms = securitySubject.permissions().systemPermissions();

            if (sysPerms != null && sysPerms.contains(perm))
                return true;

            return securitySubject.permissions().defaultAllowAll();
        }

        /** Looks up perm for name; a missing entry (or a null map, as in step 4) falls back to defaultAllowAll. */
        private boolean allowed(Map<String, Collection<SecurityPermission>> perms, String name,
            SecurityPermission perm) {
            if (perms != null) {
                Collection<SecurityPermission> granted = perms.get(name);

                if (granted != null && granted.contains(perm))
                    return true;
            }

            return securitySubject.permissions().defaultAllowAll();
        }
    }

4. In the authenticateNode method, create an instance of your SecuritySubject, set it in your SecurityContext instance and return it.

    public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred)
        throws IgniteCheckedException {
        TestSecurityPermissionSet permissionSet = new TestSecurityPermissionSet(true, null, null, null, null);

        TestSecuritySubject securitySubject = new TestSecuritySubject(
            SecuritySubjectType.REMOTE_NODE, node.id(), "", permissionSet);

        return new TestSecurityContext(securitySubject);
    }

In the above snippet, I passed TestSecurityPermissionSet(true, null, null, null, null), that is, defaultAllowAll is true. This way, you return a security context with a proper subject and proper permissions.

Let me know if you need more clarification.

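Building on Zaheer's four steps, here is an added example (not code from this thread or from Ignite itself) of an authenticateNode that checks the joining node's credentials against an allowlist before building the subject from TestSecurityPermissionSet, TestSecuritySubject and TestSecurityContext, and that grants named cache permissions instead of defaultAllowAll. The class name CheckedNodeAuthenticator, the allowlist entry and the cache name "orders" are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

import org.apache.ignite.IgniteCheckedException;
import org.apache.ignite.cluster.ClusterNode;
import org.apache.ignite.internal.processors.security.SecurityContext;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.plugin.security.SecurityPermission;
import org.apache.ignite.plugin.security.SecuritySubjectType;

public class CheckedNodeAuthenticator {
    /** Constructed allowlist (login -> password) for this example only; a real
     *  deployment would load hashed secrets from configuration. */
    private static final Map<String, String> NODE_CREDENTIALS =
        Collections.singletonMap("server-node", "example-secret");

    /** Returns a context for a node with known credentials, and null otherwise;
     *  null is exactly what TcpDiscoverySpi reports as "Authentication failed". */
    public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred)
        throws IgniteCheckedException {
        if (cred == null || !(cred.getLogin() instanceof String)
            || !(cred.getPassword() instanceof String))
            return null;

        String login = (String)cred.getLogin();
        String expected = NODE_CREDENTIALS.get(login);

        // Constant-time comparison so response timing does not reveal how much
        // of the password matched.
        if (expected == null || !MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            ((String)cred.getPassword()).getBytes(StandardCharsets.UTF_8)))
            return null;

        // Least privilege: list the cache operations this node needs instead of
        // passing defaultAllowAll=true with null maps.
        Map<String, Collection<SecurityPermission>> cachePerms = new HashMap<>();
        cachePerms.put("orders", Arrays.asList(
            SecurityPermission.CACHE_READ, SecurityPermission.CACHE_PUT));
        TestSecurityPermissionSet perms = new TestSecurityPermissionSet(false,
            Collections.emptyMap(), cachePerms, Collections.emptyMap(),
            Collections.emptyList());

        TestSecuritySubject subj = new TestSecuritySubject(
            SecuritySubjectType.REMOTE_NODE, node.id(), login, perms);

        return new TestSecurityContext(subj);
    }
}
```

With defaultAllowAll false, every operation the node performs has to appear in one of the maps, so extend them as the checks in TestSecurityContext start returning false for legitimate operations.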
Sankar Ramiah

Re: Not able to start second server node due to authentication failure

Thank you Andei and Zaheer for your response.

I have tried setting a security subject with defaultAllowAll true for the server node, but there is no change in the output. It goes through authenticateNode of my plugin (which implements GridSecurityProcessor), creates the security subject, sets it in my security context and returns it. It still throws the same Authentication Failed error (as given in my previous post) after executing authenticateNode.

Another thing that bothers me is that validateNode is not being invoked when the second server node is started. I am still stuck with this issue.

Maksim Stepachev

Re: Not able to start second server node due to authentication failure

Hi,

Look at the parent of DataStreamerPermissionCheckTest. This code contains a test implementation of security: org.apache.ignite.internal.processors.security.impl.*

Wed, 13 Nov 2019 at 15:24, Sankar Ramiah <[hidden email]> wrote: