public class JaasAuthenticator extends Object implements Authenticator, AuthenticationValidator, JaasAuthenticatorMBean, LifecycleAware
On an authentication request this authenticator delegates authentication to the externally configured JAAS login module, in accordance with the JAAS Reference Guide. The subject's credentials are handed to the login module through a JaasCallbackHandlerFactory, which provides them in a format acceptable to the JAAS login module.
After a successful login the authenticator tries to parse every Principal returned by the subject as a JSON permission set configuration. If none of the Principals match the permission configuration syntax, the authenticator grants the default permissions configured by setDefaultPermissions(String). If default permissions were not configured, the authenticator denies all permissions.
The path to the JAAS configuration file is specified with the -Djava.security.auth.login.config=/my/path/jaas.config system property. Here is an example of a JAAS configuration file for the LDAP login module:

```
GridJaasLoginContext {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
        userProvider="ldap://serverName/ou=People,dc=nodomain"
        userFilter="uid={USERNAME}"
        authzIdentity="{GRIDGAIN_PERMISSIONS}"
        useSSL=false
        debug=false;
};
```

In this case the LDAP attribute
GRIDGAIN_PERMISSIONS will be used for JSON permission assignment. Here is an example of a JSON permission specification:

```
{
    {
        "cache":"partitioned",
        "permissions":["CACHE_PUT", "CACHE_REMOVE", "CACHE_READ"]
    },
    {
        "cache":"*",
        "permissions":["CACHE_READ"]
    },
    {
        "task":"org.mytasks.*",
        "permissions":["TASK_EXECUTE"]
    },
    "defaultAllow":"false"
}
```

You can also plug in your own implementation of JaasPermissionsProvider to additionally convert the principal to a permission set. See the setPermissionsProvider(JaasPermissionsProvider) method.
Configuration:
- login context name (see setLoginContextName(String))
- callback handler factory (see setCallbackHandlerFactory(JaasCallbackHandlerFactory))

Java example:

```java
JaasAuthenticator auth = new JaasAuthenticator();

// Override JAAS login context name.
auth.setLoginContextName("GridJaasLoginContext");

IgniteConfiguration cfg = new IgniteConfiguration();
GridPluginConfiguration gCfg = new GridPluginConfiguration();

// Override default authentication.
gCfg.setAuthenticator(auth);
cfg.setPluginConfigurations(gCfg);

// Start grid.
GridGain.start(cfg);
```

Spring example:

```xml
<bean id="grid.custom.cfg" class="org.apache.ignite.configuration.IgniteConfiguration" singleton="true">
    ...
    <property name="pluginConfigurations">
        <list>
            <bean class="org.gridgain.grid.GridPluginConfiguration">
                <property name="authenticator">
                    <bean class="org.gridgain.grid.authentication.jaas.JaasAuthenticator">
                        <property name="loginContextName" value="GridJaasLoginContext"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
    ...
</bean>
```
For information about the Spring framework visit www.springframework.org
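The permission resolution order described above (a Principal that parses as a JSON permission set, otherwise the configured default permissions, otherwise deny-all) driven by a real JAAS LoginContext, as an added example that is not GridGain's code. It uses only the standard javax.security.auth API: a constructed in-memory MapLoginModule stands in for LdapLoginModule, a programmatic Configuration replaces the jaas.config file, the users alice and bob and their GRIDGAIN_PERMISSIONS values are constructed sample data, and the regex PERMS_SYNTAX is a deliberately simplified stand-in for the authenticator's real permission-set parser. The DENY_ALL marker and the resolvePermissions helper are hypothetical names chosen for this example.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasPermissionResolutionDemo {
    // Constructed sample directory: user -> password and user -> GRIDGAIN_PERMISSIONS attribute value.
    static final Map<String, String> PASSWORDS = new HashMap<>();
    static final Map<String, String> AUTHZ_IDENTITY = new HashMap<>();
    static {
        PASSWORDS.put("alice", "alice-pw");
        PASSWORDS.put("bob", "bob-pw");
        // alice's attribute carries a JSON permission set; bob's is a plain group name.
        AUTHZ_IDENTITY.put("alice", "{ { \"cache\":\"*\", \"permissions\":[\"CACHE_READ\"] }, \"defaultAllow\":\"false\" }");
        AUTHZ_IDENTITY.put("bob", "cn=readers");
    }

    // Simplified syntax check (assumption): a JSON object that contains a "permissions" key.
    static final Pattern PERMS_SYNTAX = Pattern.compile("^\\s*\\{.*\"permissions\"\\s*:.*\\}\\s*$", Pattern.DOTALL);

    static boolean looksLikePermissionSet(String s) {
        return s != null && PERMS_SYNTAX.matcher(s).matches();
    }

    /** Minimal LoginModule standing in for LdapLoginModule: checks the password, then adds one Principal
     *  whose name is the user's authzIdentity attribute, exactly as the LDAP module would. */
    public static class MapLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean ok;

        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> opts) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e);
            }
            user = nc.getName();
            String pw = PASSWORDS.get(user);
            ok = pw != null && pc.getPassword() != null && pw.equals(new String(pc.getPassword()));
            pc.clearPassword();
            if (!ok) throw new LoginException("bad credentials");
            return true;
        }

        public boolean commit() {
            if (ok) {
                final String name = AUTHZ_IDENTITY.get(user);
                subject.getPrincipals().add(new Principal() { public String getName() { return name; } });
            }
            return ok;
        }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    // Programmatic equivalent of the GridJaasLoginContext entry in jaas.config.
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"GridJaasLoginContext".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(MapLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, String>()) };
        }
    };

    /** Logs in and resolves permissions: principal JSON first, then default permissions, then deny-all.
     *  A LoginException means the credentials were rejected (authentication did not pass). */
    static String resolvePermissions(String user, char[] password, String defaultPermissions) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext ctx = new LoginContext("GridJaasLoginContext", new Subject(), handler, CONFIG);
        ctx.login();
        for (Principal p : ctx.getSubject().getPrincipals())
            if (looksLikePermissionSet(p.getName())) return p.getName();   // 1. principal carries permissions
        if (defaultPermissions != null) return defaultPermissions;           // 2. configured default
        return "DENY_ALL";                                                   // 3. nothing configured: deny all
    }

    public static void main(String[] args) throws LoginException {
        String dflt = "{ { \"cache\":\"*\", \"permissions\":[\"CACHE_READ\"] }, \"defaultAllow\":\"false\" }";
        System.out.println(resolvePermissions("alice", "alice-pw".toCharArray(), null)); // alice's own JSON
        System.out.println(resolvePermissions("bob", "bob-pw".toCharArray(), dflt));     // default JSON
        System.out.println(resolvePermissions("bob", "bob-pw".toCharArray(), null));     // DENY_ALL
        try { resolvePermissions("alice", "wrong".toCharArray(), null); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The third call is the case to watch in a deployment: a user whose directory attribute is not a permission set, with no setDefaultPermissions(String) configured, authenticates successfully but ends up with no permissions at all, which looks like a working login followed by authorization failures on every cache and task operation.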
| Constructor and Description |
|---|
| JaasAuthenticator() |
| Modifier and Type | Method and Description |
|---|---|
| SecuritySubject | authenticate(AuthenticationContext authCtx) Authenticates a given subject (either node or remote client). |
| String | getCallbackHandlerFactoryFormatted() Gets JAAS-authentication callback handler factory name. |
| String | getDefaultPermissions() Gets default permissions for users without principals. |
| SecurityPermissionSet | getDefaultPermissionSet() Gets default permission set. |
| String | getLoginContextName() Gets login context name. |
| JaasPermissionsProvider | getPermissionsProvider() Gets permissions provider. |
| boolean | isGlobalNodeAuthentication() Flag indicating whether node authentication should be run on the coordinator only or on all nodes in the current topology. |
| void | setCallbackHandlerFactory(JaasCallbackHandlerFactory callbackHndFactory) Sets JAAS-implementation specific callback handler factory. |
| void | setDefaultPermissions(String dfltPermissions) Sets default permissions for users without principals. |
| void | setDefaultPermissionSet(SecurityPermissionSet dfltPermSet) Sets default permission set. |
| void | setGlobalNodeAuthentication(boolean globalNodeAuth) Sets global node authentication flag. |
| void | setLoginContextName(String loginCtxName) Sets new login context name. |
| void | setPermissionsProvider(JaasPermissionsProvider permProvider) Sets permissions provider. |
| void | start() Starts grid component, called on grid start. |
| void | stop() Stops grid component, called on grid shutdown. |
| boolean | supported(SecuritySubjectType subjType) Checks if given subject is supported by this authenticator. |
| String | toString() |
| Object | validationToken() Returns validation token. |
public String getLoginContextName()
Default value is "GridJaasLoginContext".
Specified by: getLoginContextName in interface JaasAuthenticatorMBean

public void setLoginContextName(String loginCtxName)
Default value is "GridJaasLoginContext".
Specified by: setLoginContextName in interface JaasAuthenticatorMBean
Parameters: loginCtxName - New login context name.

public String getCallbackHandlerFactoryFormatted()
Specified by: getCallbackHandlerFactoryFormatted in interface JaasAuthenticatorMBean

public void setCallbackHandlerFactory(JaasCallbackHandlerFactory callbackHndFactory)
Parameters: callbackHndFactory - JAAS-implementation specific callback handler factory.

public String getDefaultPermissions()

public SecurityPermissionSet getDefaultPermissionSet()

public void setDefaultPermissionSet(SecurityPermissionSet dfltPermSet)
Parameters: dfltPermSet - Default permission set.

public JaasPermissionsProvider getPermissionsProvider()

public void setPermissionsProvider(JaasPermissionsProvider permProvider)
Parameters: permProvider - Permissions provider.

public void setDefaultPermissions(String dfltPermissions)
Parameters: dfltPermissions - Default permissions in JSON format.

public boolean isGlobalNodeAuthentication()
Specified by: isGlobalNodeAuthentication in interface Authenticator
Returns: True if all nodes in the topology should authenticate a joining node. In this case security permissions will be validated to be the same on all nodes; if the permissions differ, the node will not be able to join the topology. If this method returns false, only the coordinator node will authenticate the joining node.

public void setGlobalNodeAuthentication(boolean globalNodeAuth)
Parameters: globalNodeAuth - Global node authentication flag.
See also: isGlobalNodeAuthentication()

public Object validationToken()
Note: the configured marshaller should be able to marshall/unmarshall the returned value.
Specified by: validationToken in interface AuthenticationValidator

public SecuritySubject authenticate(AuthenticationContext authCtx) throws IgniteCheckedException
Specified by: authenticate in interface Authenticator
Parameters: authCtx - Authentication context. Contains all necessary information required to authenticate the subject.
Returns: null if authentication did not pass.
Throws: IgniteCheckedException - If authentication resulted in a system error. Note that bad credentials should not cause this exception.

public boolean supported(SecuritySubjectType subjType)
Specified by: supported in interface Authenticator
Parameters: subjType - Subject type.
Returns: True if the subject type is supported, false otherwise.

public void start()
Specified by: start in interface LifecycleAware

public void stop()
Specified by: stop in interface LifecycleAware
GridGain In-Memory Computing Platform : ver. 8.9.14 Release Date : November 5 2024