org.gridgain.grid.security.passcode

Class PasscodeAuthenticator

java.lang.Object

org.gridgain.grid.security.passcode.PasscodeAuthenticator

All Implemented Interfaces:

LifecycleAware, AuthenticationValidator, Authenticator, PasscodeAuthenticatorMBean

Direct Known Subclasses:

IgniteAuthenticator

public class PasscodeAuthenticator
extends Object
implements Authenticator, AuthenticationValidator, PasscodeAuthenticatorMBean, LifecycleAware

Passcode-based implementation of the authentication.

Description

This authenticator requires provided through configuration Access Control List (ACL). ACL maps security credentials to a permission set that will be assigned to subjects who pass authentication. One can implement it's own instance of ACL provider which can, for example, read ACL from an encrypted storage, or simply use AuthenticationAclBasicProvider which accepts predefined map of credentials mapped to permission set.

Here is an example of JSON permission specification which can be provided for each node or client:

 {
     {
         "cache":"partitioned",
         "permissions":["CACHE_PUT", "CACHE_REMOVE", "CACHE_READ"]
     },
     {
         "cache":"*",
         "permissions":["CACHE_READ"]
     },
     {
         "task":"org.mytasks.*",
         "permissions":["TASK_EXECUTE"]
     },
     "defaultAllow":"false"
 }
 

Configuration

Mandatory

• Access Control List provider (see setAclProvider(AuthenticationAclProvider)

Optional

This authenticator has no optional parameters.

Java Example

 GridPasscodeAuthenticator auth = new GridPasscodeAuthenticator();

 // Override authentication passcode.
 auth.setAclProvider(new GridAuthenticationAclBasicProvider(
     F.asMap(userCred1, jsonSpec1, userCred2, jsonSpec2)));

 IgniteConfiguration cfg = new IgniteConfiguration();

 GridPluginConfiguration gCfg = new GridPluginConfiguration();

 // Override default authentication.
 gCfg.setAuthenticator(auth);

 cfg.setPluginConfigurations(gCfg);

 // Start grid.
 GridGain.start(cfg);
 

Spring Example

GridPasscodeAuthenticator can be configured from Spring XML configuration file:

 <bean id="grid.custom.cfg" class="org.apache.ignite.configuration.IgniteConfiguration" singleton="true">
         ...
         <property name="pluginConfigurations">
              <list>
                  <bean class="org.gridgain.grid.configuration.GridGainConfiguration">
                      <property name="authenticator">
                          <bean class="org.gridgain.grid.security.passcode.PasscodeAuthenticator">
                              <!-- Set acl provider. -->
                              <property name="aclProvider">
                                  <bean class="org.gridgain.grid.security.passcode.AuthenticationAclBasicProvider">
                                      <constructor-arg>
                                          <map>
                                              <entry>
                                                  <key><ref bean="userCred1"/></key>
                                                  <value>{defaultAllow:false}</value>
                                              </entry>
                                              <entry>
                                                  <key><ref bean="userCred2"/></key>
                                                  <value>{defaultAllow:true}</value>
                                              </entry>
                                          </map>
                                      </constructor-arg>
                                  </bean>
                              </property>
                          </bean>
                     </property>
                  </bean>
              </list>
         </property>
         ...
 </bean>
 

For information about Spring framework visit www.springframework.org

Constructor Summary

Constructors

Constructor and Description
PasscodeAuthenticator()

Method Summary

Modifier and Type	Method and Description
SecuritySubject	authenticate(AuthenticationContext authCtx) Authenticates a given subject (either node or remote client).
String	getPasscodesFormatted() Gets text presentation of the valid passcodes collection.
boolean	isGlobalNodeAuthentication() Flag indicating whether node authentication should be run on coordinator only or on all nodes in current topology.
void	setAclProvider(AuthenticationAclProvider aclProvider) Sets ACL provider.
void	start() Starts grid component, called on grid start.
void	stop() Stops grid component, called on grid shutdown.
boolean	supported(SecuritySubjectType subjType) Checks if given subject is supported by this authenticator.
String	toString()
Object	validationToken() Returns validation token.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

PasscodeAuthenticator

public PasscodeAuthenticator()

Method Detail

setAclProvider

public void setAclProvider(AuthenticationAclProvider aclProvider)

Sets ACL provider.

Parameters:

aclProvider - ACL provider.

getPasscodesFormatted

public String getPasscodesFormatted()

Gets text presentation of the valid passcodes collection.

Specified by:

getPasscodesFormatted in interface PasscodeAuthenticatorMBean

Returns:

Text presentation of the valid passcodes collection.

validationToken

public Object validationToken()

Returns validation token. GridGain checks that validation token on starting node is equal to tokens on already started nodes. If the token on the starting nodes differs, then an exception is thrown and the node fails to start.

Note: Configured marshaller should be able to marshall/unmarhsall the returned value.

Specified by:

validationToken in interface AuthenticationValidator

Returns:

Validation token.

supported

public boolean supported(SecuritySubjectType subjType)

Checks if given subject is supported by this authenticator. If not, then next authentication in the list will be checked.

Specified by:

supported in interface Authenticator

Parameters:

subjType - Subject type.

Returns:

True if subject type is supported, false otherwise.

isGlobalNodeAuthentication

public boolean isGlobalNodeAuthentication()

Flag indicating whether node authentication should be run on coordinator only or on all nodes in current topology.

Specified by:

isGlobalNodeAuthentication in interface Authenticator

Returns:

True if all nodes in topology should authenticate joining node. In this case security permissions will be validated to be the same on all nodes. In case if permissions differ, node will not be able to join the topology. If this method returns false, only coordinator node will authenticate joining node.

start

public void start()

Starts grid component, called on grid start.

Specified by:

start in interface LifecycleAware

stop

public void stop()

Stops grid component, called on grid shutdown.

Specified by:

stop in interface LifecycleAware

authenticate

public SecuritySubject authenticate(AuthenticationContext authCtx)
                             throws IgniteCheckedException

Authenticates a given subject (either node or remote client).

Specified by:

authenticate in interface Authenticator

Parameters:

authCtx - Authentication context. Contains all necessary information required to authenticate the subject.

Returns:

Authenticated subject context or null if authentication did not pass.

Throws:

IgniteCheckedException - If authentication resulted in system error. Note that bad credentials should not cause this exception.

toString

public String toString()

Overrides:

toString in class Object