How do I understand and debug this code? #1

Open
devinbost opened this issue Feb 26, 2020 · 5 comments
devinbost commented Feb 26, 2020

This project was super helpful for getting me started with creating an Ignite plugin for custom authorization.
However, it's not clear to me how to debug this code.
Here are some of my questions:

  1. Is the login object (in SecurityCredentials) convertible to a string? (I'm hoping that the string equals the username of the person attempting the action.)
  2. I need to be able to check usernames against what actions are allowed for those users. Is AuthenticationProcessor.authorize(..) the right place to put that logic? If so, then what would SecurityContextImpl be used for? It looks like the AuthenticationContext that gets passed to SecurityContextImpl's constructor in SecurityProcessor.authenticate(..) could be used as a property in SecurityContextImpl for performing most of the complex auth logic.
  3. SecurityProcessor.authenticateNode(..) does not pass an AuthenticationContext instance to the constructor of SecurityContextImpl. What purpose does SecurityContextImpl provide in this situation? It looks like perhaps it could be used to set very broad restrictions (that would apply to all users); but, if so, then I'd think it would be better to create a second class that implements SecurityContext specifically for these broad restrictions, perhaps like:
     • UserSecurityContextImpl implements SecurityContext (for SecurityProcessor.authenticate(..))
     • NodeSecurityContextImpl implements SecurityContext (for SecurityProcessor.authenticateNode(..))

@devinbost
Author

@aamargajbhiye

@aamargajbhiye
Owner

@devinbost I am glad you found this project helpful. You can find more information about this project at https://www.bugdbug.com/post/how-to-secure-apache-ignite-cluster

It would be easy to debug if you open this project in two different IDE instances and run those in debug mode. This way, when you start two different instances, you will get the joining request in SecurityProcessor.authenticateNode. From there you can debug and understand how authentication and authorization work.

@devinbost
Author

devinbost commented Mar 10, 2020

@aamargajbhiye Thank you for the help.
I've made quite a bit of progress on my implementation, but now, whenever I try to run a SQL SELECT query on Ignite over JDBC, AuthorizationProcessor.authenticate(..) is run many times, like this:

Running AuthorizationPluginProvider.createCacheProvider(..)
Running AuthorizationPluginProvider.createComponent(..)
Running AuthorizationPluginProvider.createCacheProvider(..)
Running AuthorizationPluginProvider.createComponent(..)
// Initial setup completed
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite
Running AuthorizationProcessor.enabled()
Running AuthorizationProcessor.authenticate(..)
Username is: ignite

and then my JDBC client gives me this error:

	at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.executeStatement(JDBCStatementImpl.java:134)
	at org.jkiss.dbeaver.ui.editors.sql.execute.SQLQueryJob.executeStatement(SQLQueryJob.java:488)
	at org.jkiss.dbeaver.ui.editors.sql.execute.SQLQueryJob.lambda$0(SQLQueryJob.java:425)
	at org.jkiss.dbeaver.model.exec.DBExecUtils.tryExecuteRecover(DBExecUtils.java:170)
	at org.jkiss.dbeaver.ui.editors.sql.execute.SQLQueryJob.executeSingleQuery(SQLQueryJob.java:417)
	at org.jkiss.dbeaver.ui.editors.sql.execute.SQLQueryJob.extractData(SQLQueryJob.java:775)
	at org.jkiss.dbeaver.ui.editors.sql.SQLEditor$QueryResultsContainer.readData(SQLEditor.java:2914)
	at org.jkiss.dbeaver.ui.controls.resultset.ResultSetJobDataRead.lambda$0(ResultSetJobDataRead.java:111)
	at org.jkiss.dbeaver.model.exec.DBExecUtils.tryExecuteRecover(DBExecUtils.java:170)
	at org.jkiss.dbeaver.ui.controls.resultset.ResultSetJobDataRead.run(ResultSetJobDataRead.java:109)
	at org.jkiss.dbeaver.ui.controls.resultset.ResultSetViewer$17.run(ResultSetViewer.java:3423)
	at org.jkiss.dbeaver.model.runtime.AbstractJob.run(AbstractJob.java:103)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
Caused by: java.sql.SQLException: Failed to communicate with Ignite cluster.
	at org.apache.ignite.internal.jdbc.thin.JdbcThinConnection.sendRequest(JdbcThinConnection.java:916)
	at org.apache.ignite.internal.jdbc.thin.JdbcThinStatement.execute0(JdbcThinStatement.java:231)
	at org.apache.ignite.internal.jdbc.thin.JdbcThinStatement.execute(JdbcThinStatement.java:559)
	at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.execute(JDBCStatementImpl.java:338)
	at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.executeStatement(JDBCStatementImpl.java:131)
	... 12 more
Caused by: class org.apache.ignite.binary.BinaryObjectException: Not enough data to read the value [position=20, requiredBytes=1, remainingBytes=0]
	at org.apache.ignite.internal.binary.streams.BinaryAbstractInputStream.ensureEnoughData(BinaryAbstractInputStream.java:305)
	at org.apache.ignite.internal.binary.streams.BinaryAbstractInputStream.readByte(BinaryAbstractInputStream.java:35)
	at org.apache.ignite.internal.binary.streams.BinaryAbstractInputStream.readBoolean(BinaryAbstractInputStream.java:53)
	at org.apache.ignite.internal.binary.BinaryReaderExImpl.readBoolean(BinaryReaderExImpl.java:548)
	at org.apache.ignite.internal.processors.odbc.jdbc.JdbcQueryExecuteResult.readBinary(JdbcQueryExecuteResult.java:167)
	at org.apache.ignite.internal.processors.odbc.jdbc.JdbcResult.readResult(JdbcResult.java:207)
	at org.apache.ignite.internal.processors.odbc.jdbc.JdbcResponse.readBinary(JdbcResponse.java:153)
	at org.apache.ignite.internal.jdbc.thin.JdbcThinTcpIo.readResponse(JdbcThinTcpIo.java:451)
	at org.apache.ignite.internal.jdbc.thin.JdbcThinTcpIo.sendRequest(JdbcThinTcpIo.java:423)
	at org.apache.ignite.internal.jdbc.thin.JdbcThinConnection.sendRequest(JdbcThinConnection.java:890)
	... 16 more

(I'm using DBeaver as my client with a JDBC Ignite driver.)

Do you have any idea what might cause this?

@devinbost
Author

I only get that error when running a SQL SELECT. I don't get it when I run CREATE TABLE or INSERT INTO.

@devinbost
Author

@aamargajbhiye I got beyond those issues. The issue I'm running into now is that it's not clear how I can handle authentication... all of my clients are able to authenticate with any username/password combination, which is a major security problem.

Do I need to implement my own approach in the authentication(..) method of the plugin to authenticate access?
It's not clear if there's even a way to create users for a cache since all the Ignite docs I've found that discuss creating users are referring to SQL tables.
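
Added example, not part of the thread and not the project's own code: a stand-alone credential check of the kind a plugin's authenticate step needs so that unknown users and wrong passwords are rejected. The class `CredentialCheck`, its `User` record, the in-memory store, the action strings and the "return null to reject" convention are all assumptions of this sketch; login and password are taken as `Object` because the thread's first question concerns the login object in SecurityCredentials.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical credential store; these names are not from the project or from Ignite. */
public class CredentialCheck {
    record User(byte[] salt, byte[] hash, Set<String> allowedActions) {}

    private static final int ITERATIONS = 210_000, KEY_BITS = 256;
    private final Map<String, User> users = new ConcurrentHashMap<>();

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    void addUser(String name, char[] password, Set<String> actions) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        users.put(name, new User(salt, pbkdf2(password, salt), actions)); // store only salt + hash
    }

    /** Returns the user's allowed actions, or null (this sketch's convention) to reject the client. */
    Set<String> authenticate(Object login, Object password) throws Exception {
        if (!(login instanceof String name) || password == null)
            return null; // fail closed on missing or non-string credentials
        char[] pw = password instanceof char[] c ? c : password.toString().toCharArray();
        User u = users.get(name);
        // Hash even for unknown users so response time does not reveal which names exist.
        byte[] salt = u != null ? u.salt() : new byte[16];
        byte[] candidate = pbkdf2(pw, salt);
        return u != null && MessageDigest.isEqual(candidate, u.hash()) ? u.allowedActions() : null;
    }

    public static void main(String[] args) throws Exception {
        CredentialCheck store = new CredentialCheck();
        // Constructed sample user and inputs: right password, wrong password, unknown user.
        store.addUser("ignite", "constructed-password".toCharArray(), Set.of("CACHE_READ"));
        System.out.println(store.authenticate("ignite", "constructed-password"));
        System.out.println(store.authenticate("ignite", "anything-else"));
        System.out.println(store.authenticate("nobody", "constructed-password"));
    }
}
```

The returned action set is what a per-user authorization check would later consult; a rejected login never produces one.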
