org.gridgain.grid.security.jaas

Class JaasAuthenticator

java.lang.Object

org.gridgain.grid.security.jaas.JaasAuthenticator

All Implemented Interfaces:

LifecycleAware, AuthenticationValidator, Authenticator, JaasAuthenticatorMBean

public class JaasAuthenticator
extends Object
implements Authenticator, AuthenticationValidator, JaasAuthenticatorMBean, LifecycleAware

JAAS-based implementation of the authentication.

Description

On authentication request this authenticator delegates authentication to the externally configured JAAS login module in accordance with JAAS Reference Guide:

1. Authenticator passes context name and callback handler into the JAAS login context.
2. JAAS login context delegates authentication to the JAAS login module specified by the context name.
3. JAAS login module requests subject credentials from the callback handler and perform authentication.
4. Authenticator can create new callback handler via configured JaasCallbackHandlerFactory, which provides subject credentials in format acceptable by the JAAS login module.

After successful login authenticator with try to parse all Principals returned by subject as JSON permission set configuration. If none of the Principals match permission configuration syntax, authenticator will give default permissions configured by setDefaultPermissions(String). If default permissions were not configured, authenticator will default to deny all permissions.

JAAS configuration

Authenticator's login context should be configured in JAAS configuration file.

Path to JAAS configuration file is specified with -Djava.security.auth.login.config=/my/path/jass.config system property. Here is an example of JAAS configuration file for LDAP login module:

 GridJaasLoginContext {
     com.sun.security.auth.module.LdapLoginModule REQUIRED
     userProvider="ldap://serverName/ou=People,dc=nodomain
     userFilter="uid={USERNAME}"
     authzIdentity="{GRIDGAIN_PERMISSIONS}"
     useSSL=false
     debug=false;
     };
 

In this case LDAP property GRIDGAIN_PERMISSIONS will be used for JSON permissions assignment. Here is an example of JSON permission specification:

 {
     {
         "cache":"partitioned",
         "permissions":["CACHE_PUT", "CACHE_REMOVE", "CACHE_READ"]
     },
     {
         "cache":"*",
         "permissions":["CACHE_READ"]
     },
     {
         "task":"org.mytasks.*",
         "permissions":["TASK_EXECUTE"]
     },
     "defaultAllow":"false"
 }
 

You can also plug in your own implementation of JaasPermissionsProvider to additionally convert the principal to permission set. See setPermissionsProvider(JaasPermissionsProvider) method.

Configuration

Optional

The following configuration parameters are optional:

• JAAS login context name specified in JAAS configuration file above (see setLoginContextName(String))
• Callback handler's factory (see setCallbackHandlerFactory(JaasCallbackHandlerFactory))

Mandatory

Authenticator has no mandatory configuration parameters.

Java Example

 JaasAuthenticator auth = new JaasAuthenticator();

 // Override JAAS login context name.
 auth.setLoginContextName("GridJaasLoginContext");

 IgniteConfiguration cfg = new IgniteConfiguration();

 GridPluginConfiguration gCfg = new GridPluginConfiguration();

 // Override default authentication
 gCfg.setAuthenticator(auth);

 cfg.setPluginConfigurations(gCfg);

 // Start grid.
 GridGain.start(cfg);
 

Spring Example

JaasAuthenticator can be configured from Spring XML configuration file:

 <bean id="grid.custom.cfg" class="org.apache.ignite.configuration.IgniteConfiguration" singleton="true">
         ...
         <property name="pluginConfigurations">
              <list>
                  <bean class="org.gridgain.grid.GridPluginConfiguration">
                      <property name="authenticator">
                          <bean class="org.gridgain.grid.authentication.jaas.JaasAuthenticator">
                              <property name="loginContextName" value="GridJaasLoginContext"/>
                          </bean>
                     </property>
                  </bean>
              </list>
         </property>
         ...
 </bean>
 

For information about Spring framework visit www.springframework.org

Constructor Summary

Constructors

Constructor and Description
JaasAuthenticator()

Method Summary

Modifier and Type	Method and Description
SecuritySubject	authenticate(AuthenticationContext authCtx) Authenticates a given subject (either node or remote client).
String	getCallbackHandlerFactoryFormatted() Gets JAAS-authentication callback handler factory name.
String	getDefaultPermissions() Gets default permissions for users without principals.
SecurityPermissionSet	getDefaultPermissionSet() Gets default permission set.
String	getLoginContextName() Gets login context name.
JaasPermissionsProvider	getPermissionsProvider() Gets permissions provider.
boolean	isGlobalNodeAuthentication() Flag indicating whether node authentication should be run on coordinator only or on all nodes in current topology.
void	setCallbackHandlerFactory(JaasCallbackHandlerFactory callbackHndFactory) Sets JAAS-implementation specific callback handler factory.
void	setDefaultPermissions(String dfltPermissions) Sets default permissions for users without principals.
void	setDefaultPermissionSet(SecurityPermissionSet dfltPermSet) Sets default permission set.
void	setGlobalNodeAuthentication(boolean globalNodeAuth) Sets global node authentication flag.
void	setLoginContextName(String loginCtxName) Sets new login context name.
void	setPermissionsProvider(JaasPermissionsProvider permProvider) Set permissions provider.
void	start() Starts grid component, called on grid start.
void	stop() Stops grid component, called on grid shutdown.
boolean	supported(SecuritySubjectType subjType) Checks if given subject is supported by this authenticator.
String	toString()
Object	validationToken() Returns validation token.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

JaasAuthenticator

public JaasAuthenticator()

Method Detail

getLoginContextName

public String getLoginContextName()

Gets login context name. The name must be the same as provided in JAAS configuration file for the JVM.

Default value is "GridJaasLoginContext".

Specified by:

getLoginContextName in interface JaasAuthenticatorMBean

Returns:

Login context name.

setLoginContextName

public void setLoginContextName(String loginCtxName)

Sets new login context name. Must be the same name as provided in JAAS configuration file for the JVM.

Default value is "GridJaasLoginContext".

Specified by:

setLoginContextName in interface JaasAuthenticatorMBean

Parameters:

loginCtxName - New login context name.

getCallbackHandlerFactoryFormatted

public String getCallbackHandlerFactoryFormatted()

Gets JAAS-authentication callback handler factory name.

Specified by:

getCallbackHandlerFactoryFormatted in interface JaasAuthenticatorMBean

Returns:

JAAS-authentication callback handler factory name.

setCallbackHandlerFactory

public void setCallbackHandlerFactory(JaasCallbackHandlerFactory callbackHndFactory)

Sets JAAS-implementation specific callback handler factory.

Parameters:

callbackHndFactory - JAAS-implementation specific callback handler factory.

getDefaultPermissions

public String getDefaultPermissions()

Gets default permissions for users without principals.

Returns:

Default permissions in JSON format.

getDefaultPermissionSet

public SecurityPermissionSet getDefaultPermissionSet()

Gets default permission set.

Returns:

Default permission set.

setDefaultPermissionSet

public void setDefaultPermissionSet(SecurityPermissionSet dfltPermSet)

Sets default permission set.

Parameters:

dfltPermSet - Default permission set.

getPermissionsProvider

public JaasPermissionsProvider getPermissionsProvider()

Gets permissions provider.

Returns:

Permissions provider.

setPermissionsProvider

public void setPermissionsProvider(JaasPermissionsProvider permProvider)

Set permissions provider.

Parameters:

permProvider - Permissions provider.

setDefaultPermissions

public void setDefaultPermissions(String dfltPermissions)

Sets default permissions for users without principals.

Parameters:

dfltPermissions - Default permissions in JSON format.

isGlobalNodeAuthentication

public boolean isGlobalNodeAuthentication()

Flag indicating whether node authentication should be run on coordinator only or on all nodes in current topology.

Specified by:

isGlobalNodeAuthentication in interface Authenticator

Returns:

True if all nodes in topology should authenticate joining node. In this case security permissions will be validated to be the same on all nodes. In case if permissions differ, node will not be able to join the topology. If this method returns false, only coordinator node will authenticate joining node.

setGlobalNodeAuthentication

public void setGlobalNodeAuthentication(boolean globalNodeAuth)

Sets global node authentication flag.

Parameters:

globalNodeAuth - Global node authentication flag.

See Also:

isGlobalNodeAuthentication()

validationToken

public Object validationToken()

Returns validation token. GridGain checks that validation token on starting node is equal to tokens on already started nodes. If the token on the starting nodes differs, then an exception is thrown and the node fails to start.

Note: Configured marshaller should be able to marshall/unmarhsall the returned value.

Specified by:

validationToken in interface AuthenticationValidator

Returns:

Validation token.

authenticate

public SecuritySubject authenticate(AuthenticationContext authCtx)
                             throws IgniteCheckedException

Authenticates a given subject (either node or remote client).

Specified by:

authenticate in interface Authenticator

Parameters:

authCtx - Authentication context. Contains all necessary information required to authenticate the subject.

Returns:

Authenticated subject context or null if authentication did not pass.

Throws:

IgniteCheckedException - If authentication resulted in system error. Note that bad credentials should not cause this exception.

supported

public boolean supported(SecuritySubjectType subjType)

Checks if given subject is supported by this authenticator. If not, then next authentication in the list will be checked.

Specified by:

supported in interface Authenticator

Parameters:

subjType - Subject type.

Returns:

True if subject type is supported, false otherwise.

start

public void start()

Starts grid component, called on grid start.

Specified by:

start in interface LifecycleAware

stop

public void stop()

Stops grid component, called on grid shutdown.

Specified by:

stop in interface LifecycleAware

toString

public String toString()

Overrides:

toString in class Object