-
Notifications
You must be signed in to change notification settings - Fork 1.9k
/
GridSecurityProcessor.java
180 lines (164 loc) · 6.91 KB
/
GridSecurityProcessor.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.ignite.internal.processors.security;
import java.util.Collection;
import java.util.UUID;
import org.apache.ignite.IgniteCheckedException;
import org.apache.ignite.cluster.ClusterNode;
import org.apache.ignite.internal.processors.GridProcessor;
import org.apache.ignite.internal.processors.security.sandbox.IgniteSandbox;
import org.apache.ignite.plugin.security.AuthenticationContext;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.plugin.security.SecurityException;
import org.apache.ignite.plugin.security.SecurityPermission;
import org.apache.ignite.plugin.security.SecuritySubject;
/**
* This interface is responsible for:
* <ul>
* <li>Node authentication;</li>
* <li>Thin client authentication;</li>
* <li>Providing configuration info whether global node authentication is enabled;</li>
* <li>Keeping and propagating all authenticated security subjects;</li>
* <li>Providing configuration info whether security mode is enabled at all;</li>
* <li>Handling expired sessions;</li>
* <li>Providing configuration info whether sandbox is enabled;</li>
* <li>Keeping and propagating authenticated security subject for thin clients;</li>
* <li>Keeping and propagating authenticated security contexts for nodes and thin clients;</li>
* <li>Authorizing specific operations (cache put, task execute, so on) when session security context is set.</li>
* </ul>
*/
public interface GridSecurityProcessor extends GridProcessor {
/**
* Authenticates grid node with it's attributes via underlying Authenticator.
*
* @param node Node id to authenticate.
* @param cred Security credentials.
* @return {@code True} if succeeded, {@code false} otherwise.
* @throws IgniteCheckedException If error occurred.
*/
public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) throws IgniteCheckedException;
/**
* Gets flag indicating whether all nodes or coordinator only should run the authentication for joining node.
*
* @return {@code True} if all nodes should run authentication process, {@code false} otherwise.
*/
public boolean isGlobalNodeAuthentication();
/**
* Authenticates subject via underlying Authenticator.
*
* @param ctx Authentication context.
* @return {@code True} if succeeded, {@code false} otherwise.
* @throws IgniteCheckedException If error occurred.
*/
public SecurityContext authenticate(AuthenticationContext ctx) throws IgniteCheckedException;
/**
* Gets collection of authenticated nodes.
*
* @return Collection of authenticated nodes.
* @throws IgniteCheckedException If error occurred.
*/
public Collection<SecuritySubject> authenticatedSubjects() throws IgniteCheckedException;
/**
* Gets authenticated node subject.
*
* @param subjId Subject ID.
* @return Security subject.
* @throws IgniteCheckedException If error occurred.
*/
public SecuritySubject authenticatedSubject(UUID subjId) throws IgniteCheckedException;
/**
* Gets security context for authenticated nodes and thin clients.
*
* @param subjId Security subject id.
* @return Security context or null if not found.
*/
public default SecurityContext securityContext(UUID subjId) {
throw new UnsupportedOperationException();
}
/**
* Authorizes grid operation.
*
* @param name Cache name or task class name.
* @param perm Permission to authorize.
* @param securityCtx Optional security context.
* @throws SecurityException If security check failed.
*/
public void authorize(String name, SecurityPermission perm, SecurityContext securityCtx)
throws SecurityException;
/**
* Callback invoked when subject session got expired.
*
* @param subjId Subject ID.
*/
public void onSessionExpired(UUID subjId);
/**
* @return GridSecurityProcessor is enable.
* @deprecated To determine the security mode use {@link IgniteSecurity#enabled()}.
*/
@Deprecated
public boolean enabled();
/**
* If this method returns true and {@link SecurityManager} is installed,
* then the user-defined code will be run inside the Sandbox.
*
* @return True if sandbox is enabled.
* @see IgniteSandbox
*/
public default boolean sandboxEnabled() {
return false;
}
/**
* Creates user with the specified login and password.
*
* @param login Login of the user to be created.
* @param pwd User password.
* @throws IgniteCheckedException If error occurred.
*/
public default void createUser(String login, char[] pwd) throws IgniteCheckedException {
throw new UnsupportedOperationException();
}
/**
* Alters password of user with the specified login.
*
* @param login Login of the user which password should be altered.
* @param pwd User password to alter.
* @throws IgniteCheckedException If error occurred.
*/
public default void alterUser(String login, char[] pwd) throws IgniteCheckedException {
throw new UnsupportedOperationException();
}
/**
* Drops user with the specified login.
*
* @param login Login of the user to be dropped.
* @throws IgniteCheckedException If error occurred.
*/
public default void dropUser(String login) throws IgniteCheckedException {
throw new UnsupportedOperationException();
}
/**
* @param cls The class for which the check is to be performed.
* @return Whether the specified class can be considered system. System classes are classes whose source code
* can be considered controlled by the Ignite administrator and to which less stringent security checks can be
* applied. This method will be called on classes that are not part of the Ignite codebase. This allows the
* Security Plugin to extend the pool of system classes with user-defined ones
* (e.g. classes that belongs to custom Ignite Plugins).
*/
public default boolean isSystemType(Class<?> cls) {
return false;
}
}