public class PasscodeAuthenticator extends Object implements Authenticator, AuthenticationValidator, PasscodeAuthenticatorMBean, LifecycleAware
This authenticator requires an Access Control List (ACL) provided through configuration. The ACL maps security credentials to
a permission set that will be assigned to subjects who pass authentication. You can implement
your own ACL provider which can, for example, read the ACL from encrypted storage, or simply use
AuthenticationAclBasicProvider,
which accepts a predefined map of credentials to permission
sets.
Here is an example of JSON permission specification which can be provided for each node or client:
```
{
    {
        "cache":"partitioned",
        "permissions":["CACHE_PUT", "CACHE_REMOVE", "CACHE_READ"]
    },
    {
        "cache":"*",
        "permissions":["CACHE_READ"]
    },
    {
        "task":"org.mytasks.*",
        "permissions":["TASK_EXECUTE"]
    },
    "defaultAllow":"false"
}
```
The ACL provider is set with setAclProvider(AuthenticationAclProvider).

Java example:

```java
PasscodeAuthenticator auth = new PasscodeAuthenticator();

// Set ACL provider: credentials (userCred1, userCred2) mapped to JSON permission specs.
auth.setAclProvider(new AuthenticationAclBasicProvider(
    F.asMap(userCred1, jsonSpec1, userCred2, jsonSpec2)));

IgniteConfiguration cfg = new IgniteConfiguration();

GridGainConfiguration gCfg = new GridGainConfiguration();

// Override default authentication.
gCfg.setAuthenticator(auth);

cfg.setPluginConfigurations(gCfg);

// Start grid.
Ignition.start(cfg);
```

Spring XML example:

```xml
<bean id="grid.custom.cfg" class="org.apache.ignite.configuration.IgniteConfiguration" singleton="true">
    ...
    <property name="pluginConfigurations">
        <list>
            <bean class="org.gridgain.grid.configuration.GridGainConfiguration">
                <property name="authenticator">
                    <bean class="org.gridgain.grid.security.passcode.PasscodeAuthenticator">
                        <!-- Set acl provider. -->
                        <property name="aclProvider">
                            <bean class="org.gridgain.grid.security.passcode.AuthenticationAclBasicProvider">
                                <constructor-arg>
                                    <map>
                                        <entry>
                                            <key><ref bean="userCred1"/></key>
                                            <value>{defaultAllow:false}</value>
                                        </entry>
                                        <entry>
                                            <key><ref bean="userCred2"/></key>
                                            <value>{defaultAllow:true}</value>
                                        </entry>
                                    </map>
                                </constructor-arg>
                            </bean>
                        </property>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
    ...
</bean>
```
For information about Spring framework visit www.springframework.org
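An added example (not part of the GridGain documentation or code): a small Python audit that reads permission specifications in the format shown above and reports the entries a reviewer would question before they go into an ACL map. The regex extraction, the policy that only `CACHE_READ` counts as read-only, the reading of `defaultAllow:true` as "permit whatever is not listed", and the `userCred3` entry are assumptions made for this illustration.

```python
import re

# Audit policy (assumption): only CACHE_READ is treated as read-only.
READ_ONLY = {"CACHE_READ"}

# Tolerant extraction: the page's examples use both quoted and unquoted keys/booleans.
_DEFAULT_RE = re.compile(r'"?defaultAllow"?\s*:\s*"?(true|false)"?', re.I)
_RULE_RE = re.compile(r'\{[^{}]*\}')  # innermost {...} blocks are the rules
_SCOPE_RE = re.compile(r'"?(cache|task)"?\s*:\s*"([^"]*)"')
_PERMS_RE = re.compile(r'"?permissions"?\s*:\s*\[([^\]]*)\]')

def audit_spec(spec):
    """Return a list of findings for one permission specification string."""
    findings = []
    m = _DEFAULT_RE.search(spec)
    if m is None:
        findings.append("defaultAllow is not set explicitly")
    elif m.group(1).lower() == "true":
        findings.append("defaultAllow is true: anything not listed is permitted")
    for rule in _RULE_RE.findall(spec):
        scope, perms = _SCOPE_RE.search(rule), _PERMS_RE.search(rule)
        if not scope or not perms:
            continue  # e.g. a spec that is only {defaultAllow:...}
        extra = set(re.findall(r"[A-Z_]+", perms.group(1))) - READ_ONLY
        if scope.group(2) == "*" and extra:
            findings.append("%s '*' grants %s" % (scope.group(1), ", ".join(sorted(extra))))
    return findings

def audit_acl(acl):
    """Map credential label -> findings, keeping only entries that have findings."""
    report = {cred: audit_spec(spec) for cred, spec in acl.items()}
    return {cred: f for cred, f in report.items() if f}

# Constructed sample: userCred1 is the page's JSON example, userCred2 the value from
# the Spring example, userCred3 is made up to show a wildcard write grant.
SAMPLE_ACL = {
    "userCred1": '{ { "cache":"partitioned", "permissions":["CACHE_PUT", "CACHE_REMOVE", "CACHE_READ"] }, '
                 '{ "cache":"*", "permissions":["CACHE_READ"] }, '
                 '{ "task":"org.mytasks.*", "permissions":["TASK_EXECUTE"] }, "defaultAllow":"false" }',
    "userCred2": "{defaultAllow:true}",
    "userCred3": '{ { "cache":"*", "permissions":["CACHE_READ", "CACHE_REMOVE"] }, "defaultAllow":"false" }',
}

if __name__ == "__main__":
    for cred, findings in audit_acl(SAMPLE_ACL).items():
        print(cred, findings)
```
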
| Constructor and Description |
|---|
| PasscodeAuthenticator() |

| Modifier and Type | Method and Description |
|---|---|
| SecuritySubject | authenticate(AuthenticationContext authCtx) Authenticates a given subject (either node or remote client). |
| String | getPasscodesFormatted() Gets text presentation of the valid passcodes collection. |
| boolean | isGlobalNodeAuthentication() Flag indicating whether node authentication should be run on coordinator only or on all nodes in current topology. |
| void | setAclProvider(AuthenticationAclProvider aclProvider) Sets ACL provider. |
| void | start() Starts grid component, called on grid start. |
| void | stop() Stops grid component, called on grid shutdown. |
| boolean | supported(SecuritySubjectType subjType) Checks if given subject is supported by this authenticator. |
| String | toString() |
| Object | validationToken() Returns validation token. |
public void setAclProvider(AuthenticationAclProvider aclProvider)

Parameters: aclProvider - ACL provider.

public String getPasscodesFormatted()

Specified by: getPasscodesFormatted in interface PasscodeAuthenticatorMBean

public Object validationToken()

Note: Configured marshaller should be able to marshal/unmarshal the returned value.

Specified by: validationToken in interface AuthenticationValidator

public boolean supported(SecuritySubjectType subjType)

Specified by: supported in interface Authenticator

Parameters: subjType - Subject type.

Returns: True if subject type is supported, false otherwise.

public boolean isGlobalNodeAuthentication()

Specified by: isGlobalNodeAuthentication in interface Authenticator

Returns: True if all nodes in topology should authenticate joining node. In this case security permissions will be validated to be the same on all nodes. If permissions differ, the node will not be able to join the topology. If this method returns false, only the coordinator node will authenticate the joining node.

public void start()

Specified by: start in interface LifecycleAware

public void stop()

Specified by: stop in interface LifecycleAware

public SecuritySubject authenticate(AuthenticationContext authCtx) throws IgniteCheckedException

Specified by: authenticate in interface Authenticator

Parameters: authCtx - Authentication context. Contains all necessary information required to authenticate the subject.

Returns: null if authentication did not pass.

Throws: IgniteCheckedException - If authentication resulted in system error. Note that bad credentials should not cause this exception.
GridGain In-Memory Computing Platform : ver. 8.9.14 Release Date : November 5 2024