IGNITE-19807 Deprecated legacy authorization approach via Security Co…

…ntext. (#10800)
apache · Nov 10, 2023 · aba0aaa · aba0aaa
1 parent 7bcf232
commit aba0aaa
Show file tree

Hide file tree

Showing 9 changed files with 392 additions and 16 deletions.
diff --git a/...src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java b/...src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java
@@ -53,6 +53,7 @@
 import static org.apache.ignite.internal.processors.security.SecurityUtils.hasSecurityManager;
 import static org.apache.ignite.internal.processors.security.SecurityUtils.nodeSecurityContext;
 import static org.apache.ignite.plugin.security.SecurityPermission.ADMIN_USER_ACCESS;
+import static org.apache.ignite.plugin.security.SecurityPermission.JOIN_AS_SERVER;
 
 /**
  * Default {@code IgniteSecurity} implementation.
@@ -363,7 +364,14 @@ else if (packAccess.contains(',' + IGNITE_INTERNAL_PACKAGE))
     @Override public @Nullable IgniteNodeValidationResult validateNode(ClusterNode node) {
         IgniteNodeValidationResult res = validateSecProcClass(node);
 
-        return res != null ? res : secPrc.validateNode(node);
+        if (res == null) {
+            res = validateNodeJoinPermission(node);
+
+            if (res == null)
+                res = secPrc.validateNode(node);
+        }
+
+        return res;
     }
 
     /** {@inheritDoc} */
@@ -443,6 +451,31 @@ private IgniteNodeValidationResult validateSecProcClass(ClusterNode node) {
         return null;
     }
 
+    /** */
+    private IgniteNodeValidationResult validateNodeJoinPermission(ClusterNode node) {
+        if (node.isClient())
+            return null;
+
+        SecurityContext secCtx = nodeSecurityContext(
+            marsh,
+            U.resolveClassLoader(ctx.config()),
+            node
+        );
+
+        try {
+            if (!secCtx.systemOperationAllowed(JOIN_AS_SERVER))
+                secPrc.authorize(null, JOIN_AS_SERVER, secCtx);
+
+            return null;
+        }
+        catch (SecurityException e) {
+            String msg = "Node is not authorized to join as a server node [joiningNodeId=" + node.id() +
+                ", addrs=" + U.addressesAsString(node) + ']';
+
+            return new IgniteNodeValidationResult(node.id(), msg, msg);
+        }
+    }
+
     /** @return Security processor implementation to which current security facade delegates operations. */
     public GridSecurityProcessor securityProcessor() {
         return secPrc;

diff --git a/...es/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java b/...es/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java
@@ -35,7 +35,10 @@ public interface SecurityContext {
      * @param taskClsName Task class name.
      * @param perm Permission to check.
      * @return {@code True} if task operation is allowed.
+     * @deprecated Use {@link IgniteSecurity#authorize(String, SecurityPermission)} instead.
+     * This method will be removed in the future releases.
      */
+    @Deprecated
     public boolean taskOperationAllowed(String taskClsName, SecurityPermission perm);
 
     /**
@@ -44,7 +47,10 @@ public interface SecurityContext {
      * @param cacheName Cache name.
      * @param perm Permission to check.
      * @return {@code True} if cache operation is allowed.
+     * @deprecated Use {@link IgniteSecurity#authorize(String, SecurityPermission)} instead.
+     * This method will be removed in the future releases.
      */
+    @Deprecated
     public boolean cacheOperationAllowed(String cacheName, SecurityPermission perm);
 
     /**
@@ -53,14 +59,20 @@ public interface SecurityContext {
      * @param srvcName Service name.
      * @param perm Permission to check.
      * @return {@code True} if task operation is allowed.
+     * @deprecated Use {@link IgniteSecurity#authorize(String, SecurityPermission)} instead.
+     * This method will be removed in the future releases.
      */
+    @Deprecated
     public boolean serviceOperationAllowed(String srvcName, SecurityPermission perm);
 
     /**
      * Checks whether system-wide permission is allowed (excluding Visor task operations).
      *
      * @param perm Permission to check.
      * @return {@code True} if system operation is allowed.
+     * @deprecated Use {@link IgniteSecurity#authorize(SecurityPermission)} instead.
+     * This method will be removed in the future releases.
      */
+    @Deprecated
     public boolean systemOperationAllowed(SecurityPermission perm);
 }
diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecuritySubject.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecuritySubject.java
@@ -70,12 +70,20 @@ public default Certificate[] certificates() {
      * Authorized permission set for the subject.
      *
      * @return Authorized permission set for the subject.
+     * @deprecated {@link SecuritySubject} must contain only immutable set of
+     * information that represents a security principal. Security permissions are part of authorization process
+     * and have nothing to do with {@link SecuritySubject}. This method will be removed in the future releases.
      */
+    @Deprecated
     public SecurityPermissionSet permissions();
 
     /**
      * @return Permissions for SecurityManager checks.
+     * @deprecated {@link SecuritySubject} must contain only immutable set of
+     * information that represents a security principal. Security permissions are part of authorization process
+     * and have nothing to do with {@link SecuritySubject}. This method will be removed in the future releases.
      */
+    @Deprecated
     public default PermissionCollection sandboxPermissions() {
         ProtectionDomain pd = SecurityUtils.doPrivileged(() -> getClass().getProtectionDomain());
 

diff --git a/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java b/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java
@@ -114,7 +114,6 @@
 import org.apache.ignite.lang.IgniteProductVersion;
 import org.apache.ignite.lang.IgniteUuid;
 import org.apache.ignite.plugin.security.SecurityCredentials;
-import org.apache.ignite.plugin.security.SecurityPermission;
 import org.apache.ignite.plugin.security.SecurityPermissionSet;
 import org.apache.ignite.spi.IgniteNodeValidationResult;
 import org.apache.ignite.spi.IgniteSpiContext;
@@ -4317,23 +4316,14 @@ else if (log.isDebugEnabled())
                             return;
                         }
                         else {
-                            String authFailedMsg = null;
-
                             if (!(subj instanceof Serializable)) {
                                 // Node has not pass authentication.
                                 LT.warn(log, "Authentication subject is not Serializable [nodeId=" + node.id() +
                                     ", addrs=" + U.addressesAsString(node) + ']');
 
-                                authFailedMsg = "Authentication subject is not serializable";
-                            }
-                            else if (node.clientRouterNodeId() == null &&
-                                !subj.systemOperationAllowed(SecurityPermission.JOIN_AS_SERVER))
-                                authFailedMsg = "Node is not authorised to join as a server node";
-
-                            if (authFailedMsg != null) {
                                 // Always output in debug.
                                 if (log.isDebugEnabled())
-                                    log.debug(authFailedMsg + " [nodeId=" + node.id() +
+                                    log.debug("Authentication subject is not serializable [nodeId=" + node.id() +
                                         ", addrs=" + U.addressesAsString(node));
 
                                 try {