public class CertificateAuthenticator extends Object implements Authenticator, SecurityCredentialsProvider
Constructor and Description |
---|
CertificateAuthenticator() |
Modifier and Type | Method and Description |
---|---|
`SecuritySubject` | `authenticate(AuthenticationContext authCtx)` Authenticates a given subject (either node or remote client). |
`SecurityCredentials` | `credentials()` Unless `setAlwaysAcceptServerNodes(boolean)` is set to false, returns empty `SecurityCredentials` to be used as credentials of local node. |
`boolean` | `isGlobalNodeAuthentication()` Flag indicating whether node authentication should be run on coordinator only or on all nodes in current topology. |
`void` | `setAlwaysAcceptServerNodes(boolean alwaysAcceptServerNodes)` If set to `true`, CertificateAuthenticator will automatically approve all remote nodes and only check thin clients. |
`void` | `setPermissions(Map<? extends IgnitePredicate<Certificate[]>,SecurityPermissionSet> permsMap)` Sets mapping of certificate predicates to permissions. |
`<P extends IgnitePredicate<Certificate[]>> void` | `setPermissionsJson(Map<P,String> permsMapJson)` Sets mapping of certificate predicates to permissions. |
`boolean` | `supported(SecuritySubjectType subjType)` Checks if given subject is supported by this authenticator. |
`String` | `toString()` |

`public void setPermissions(Map<? extends IgnitePredicate<Certificate[]>,SecurityPermissionSet> permsMap)`

Sets mapping of certificate predicates to permissions. Use `LinkedHashMap` to make sure authorization results are consistent.

Parameters: `permsMap` - Map of certificate matchers to permissions.

`public <P extends IgnitePredicate<Certificate[]>> void setPermissionsJson(Map<P,String> permsMapJson) throws IgniteCheckedException`

Sets mapping of certificate predicates to permissions. Use `LinkedHashMap` to make sure authorization results are consistent. Permissions are passed in JSON form; refer to `AuthenticationAclBasicProvider` for details.

Parameters: `permsMapJson` - Map of certificate matchers to permissions in JSON format.

Throws: `IgniteCheckedException`

`public void setAlwaysAcceptServerNodes(boolean alwaysAcceptServerNodes)`

If set to `true`, CertificateAuthenticator will automatically approve all remote nodes and only check thin clients. Currently, authorization by certificates of remote nodes is not implemented, but SSL will perform its own authentication when a remote node tries to join, if SSL between nodes is enabled. Set to `false` to use in conjunction with a different authenticator, such as `JaasAuthenticator`, to only check thin clients' permissions with certificates.

Parameters: `alwaysAcceptServerNodes` - Whether to automatically accept all server nodes.

`public boolean supported(SecuritySubjectType subjType)`

Specified by: `supported` in interface `Authenticator`

Parameters: `subjType` - Subject type.

Returns: `True` if subject type is supported, `false` otherwise.

`public SecuritySubject authenticate(AuthenticationContext authCtx) throws IgniteCheckedException`

Specified by: `authenticate` in interface `Authenticator`

Parameters: `authCtx` - Authentication context. Contains all necessary information required to authenticate the subject.

Returns: `null` if authentication did not pass.

Throws: `IgniteCheckedException` - If authentication resulted in system error. Note that bad credentials should not cause this exception.

`public boolean isGlobalNodeAuthentication()`

Specified by: `isGlobalNodeAuthentication` in interface `Authenticator`

Returns: `True` if all nodes in topology should authenticate joining node. In this case security permissions will be validated to be the same on all nodes. If permissions differ, the node will not be able to join the topology. If this method returns `false`, only the coordinator node will authenticate the joining node.

`public SecurityCredentials credentials()`

Unless `setAlwaysAcceptServerNodes(boolean)` is set to false, returns empty `SecurityCredentials` to be used as credentials of local node.

Specified by: `credentials` in interface `SecurityCredentialsProvider`

`null`.

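
An added example, not taken from the GridGain documentation or code base: building the map for `setPermissions` with a `LinkedHashMap` and a matcher that compares one subject RDN exactly instead of substring-matching the DN. The package of `CertificateAuthenticator`, the cache name `orders`, the subject values, and the readings that the client's own certificate is element 0 of the array and that matchers are consulted in iteration order are assumptions.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.ignite.lang.IgnitePredicate;
import org.apache.ignite.plugin.security.SecurityPermission;
import org.apache.ignite.plugin.security.SecurityPermissionSet;
import org.apache.ignite.plugin.security.SecurityPermissionSetBuilder;
import org.gridgain.grid.security.certificate.CertificateAuthenticator; // assumed package

public class CertAuthExample {
    /** Hypothetical helper: true when the subject DN of certs[0] has an RDN equal to type=value (exact match). */
    static IgnitePredicate<Certificate[]> subjectRdn(String type, String value) {
        return certs -> {
            if (certs == null || certs.length == 0 || !(certs[0] instanceof X509Certificate))
                return false; // no usable certificate: never match
            String dn = ((X509Certificate)certs[0]).getSubjectX500Principal().getName(); // RFC 2253 form
            try {
                for (Rdn rdn : new LdapName(dn).getRdns())
                    if (rdn.getType().equalsIgnoreCase(type) && value.equals(String.valueOf(rdn.getValue())))
                        return true;
            }
            catch (InvalidNameException e) {
                return false; // unparsable DN: fail closed
            }
            return false;
        };
    }

    public static CertificateAuthenticator build() {
        SecurityPermissionSet readWrite = SecurityPermissionSetBuilder.create().defaultAllowAll(false)
            .appendCachePermissions("orders", SecurityPermission.CACHE_READ, SecurityPermission.CACHE_PUT).build();
        SecurityPermissionSet readOnly = SecurityPermissionSetBuilder.create().defaultAllowAll(false)
            .appendCachePermissions("orders", SecurityPermission.CACHE_READ).build();

        // LinkedHashMap fixes the iteration order; the narrower matcher is inserted first (assumed to be consulted first).
        Map<IgnitePredicate<Certificate[]>, SecurityPermissionSet> perms = new LinkedHashMap<>();
        perms.put(subjectRdn("CN", "orders-writer"), readWrite); // constructed sample subject
        perms.put(subjectRdn("OU", "analytics"), readOnly);      // constructed sample subject

        CertificateAuthenticator auth = new CertificateAuthenticator();
        auth.setPermissions(perms);
        auth.setAlwaysAcceptServerNodes(true); // remote nodes are approved; only thin clients are checked
        return auth;
    }
}
```

A certificate that matches both entries gets a permission set that depends on iteration order, which a plain `HashMap` does not fix; that is the inconsistency the `LinkedHashMap` note guards against.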
GridGain In-Memory Computing Platform : ver. 8.9.14 Release Date : November 5 2024