Implementing Authentication in IgniteDB

Question

I just configured authentication in IgniteDB (a specific server, not a localhost):
[https://apacheignite.readme.io/docs/advanced-security][1]

However, I encountered some issues while trying to connect. Where should I provide the credentials?

    TcpDiscoverySpi spi = new TcpDiscoverySpi();
    TcpDiscoveryVmIpFinder ipFinder = new TcpDiscoveryMulticastIpFinder();
    String ipList = appConfig.getIgniteIPAddressList();
    List<String> addressList = Arrays.asList(ipList.split(";"));
    ipFinder.setAddresses(addressList);
    spi.setIpFinder(ipFinder);
    IgniteConfiguration cfg = new IgniteConfiguration();
    cfg.setIgniteInstanceName("IgnitePod");
    cfg.setClientMode(true);
    cfg.setDiscoverySpi(spi);
    Ignite ignite = Ignition.start(cfg);

Does anybody have an idea on implementing it?
[1]: https://apacheignite.readme.io/docs/advanced-security

Answer 1

Score: 2

https://apacheignite.readme.io/docs/advanced-security

Describes how to configure the authentication via username and password for THIN connections only (JDBC, ODBC).

You can create users using SQL commands like the following:

https://apacheignite-sql.readme.io/docs/create-user

You can provide credentials in the thin client connection string using its properties:

https://apacheignite-sql.readme.io/docs/connection-string-and-dsn#section-supported-arguments
https://apacheignite-sql.readme.io/docs/jdbc-driver#section-additional-connection-string-examples

Please also check that you have Ignite persistence configured.
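
Where the credentials go for a thin client, as an added example that is not part of the original answer. It assumes a server node reachable at 127.0.0.1:10800 with authentication and persistence enabled; the class name, the user `app_reader` and the environment variables `IGNITE_USER`, `IGNITE_PASSWORD` and `APP_READER_PASSWORD` are hypothetical.

```java
import org.apache.ignite.Ignition;
import org.apache.ignite.cache.query.SqlFieldsQuery;
import org.apache.ignite.client.ClientAuthenticationException;
import org.apache.ignite.client.IgniteClient;
import org.apache.ignite.configuration.ClientConfiguration;

public class ThinClientAuthExample {
    // Assumed address of a server node; 10800 is the default thin client port.
    static final String ADDRESS = "127.0.0.1:10800";

    // Credentials are thin-client settings, not part of the discovery SPI.
    // Enable TLS on the client connector as well; otherwise the password
    // crosses the network in clear text.
    static ClientConfiguration config(String user, String password) {
        return new ClientConfiguration()
            .setAddresses(ADDRESS)
            .setUserName(user)
            .setUserPassword(password);
    }

    // CREATE USER takes the password as a literal, so refuse values that
    // would break out of the quoted string instead of concatenating blindly.
    static String createUserSql(String name, String password) {
        if (name == null || !name.matches("[A-Za-z][A-Za-z0-9_]*")
            || password == null || password.isEmpty() || password.contains("'"))
            throw new IllegalArgumentException("unsafe user name or password");
        return "CREATE USER \"" + name + "\" WITH PASSWORD '" + password + "'";
    }

    public static void main(String[] args) throws Exception {
        String user = System.getenv("IGNITE_USER");
        String password = System.getenv("IGNITE_PASSWORD");

        try (IgniteClient client = Ignition.startClient(config(user, password))) {
            // Executed as the authenticated user.
            String sql = createUserSql("app_reader", System.getenv("APP_READER_PASSWORD"));
            client.query(new SqlFieldsQuery(sql)).getAll();
        }

        // A wrong password must be rejected during the connection handshake.
        try (IgniteClient bad = Ignition.startClient(config(user, "wrong-password"))) {
            throw new IllegalStateException("bad credentials accepted: authentication is not enforced");
        } catch (ClientAuthenticationException expected) {
            System.out.println("bad credentials rejected: " + expected.getMessage());
        }
    }
}
```

The second connection attempt is a quick check that authentication is actually enforced on the server rather than silently disabled.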

Answer 2

Score: 2

As Andrei notes, Ignite only authenticates thin clients by default, and even then only when persistence is enabled. If you need to have thick-clients authenticate also, you can do this using a plugin. Third-party, commercial solutions also exist.

Answer 3

Score: 2

Apache Ignite does not provide these kinds of security capabilities with its open-source version. One can either implement them on one's own or use the commercial GridGain distribution.

Here are the steps to implement a custom security plugin.

One would need to implement GridSecurityProcessor which would be used to authenticate the joining node.

In GridSecurityProcessor, you would have to implement the authenticateNode() API as follows:

    public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) throws IgniteCheckedException {
        SecurityCredentials userSecurityCredentials;

        if (securityPluginConfiguration != null) {
            // Credentials are configured: the joining node must present matching ones.
            if ((userSecurityCredentials = securityPluginConfiguration.getSecurityCredentials()) != null) {
                return userSecurityCredentials.equals(cred) ? new SecurityContextImpl() : null;
            }
            // No credentials configured: a node that presents none is accepted.
            if (cred == null && userSecurityCredentials == null) {
                return new SecurityContextImpl();
            }
        }

        // Nothing to check against: accept only nodes that present no credentials.
        if (cred == null)
            return new SecurityContextImpl();

        // Returning null rejects the node.
        return null;
    }

Also, you would need to extend TcpDiscoverySpi to pass the user credentials during initLocalNode() as follows:

    @Override
    protected void initLocalNode(int srvPort, boolean addExtAddrAttr) {
        try {
            super.initLocalNode(srvPort, addExtAddrAttr);
            // Attach the credentials once the local node has been created.
            this.setSecurityCredentials();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // Copies the node attributes and adds the credentials under ATTR_SECURITY_CREDENTIALS.
    private void setSecurityCredentials() {
        if (securityCredentials != null) {
            Map<String, Object> attributes = new HashMap<>(locNode.getAttributes());
            attributes.put(IgniteNodeAttributes.ATTR_SECURITY_CREDENTIALS, securityCredentials);
            this.locNode.setAttributes(attributes);
        }
    }

You can follow the link given below to get detailed steps that can be followed to write a custom security plugin and its usage.

https://www.bugdbug.com/post/how-to-secure-apache-ignite-cluster
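
The authenticateNode() shown in this answer accepts a joining node that presents no credentials whenever the plugin has no credentials configured. A fail-closed variant of that accept/reject decision follows, as an added example that is neither the answer's code nor Ignite's; `NodeCredentialCheck` and its methods are hypothetical, and it works on plain strings so that it runs without Ignite on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical helper: the accept/reject decision for a joining node.
public class NodeCredentialCheck {
    private final byte[] expectedLogin;
    private final byte[] expectedPassword;

    // Fail closed: without a configured secret the check cannot be built at all.
    public NodeCredentialCheck(String login, String password) {
        if (login == null || login.isEmpty() || password == null || password.isEmpty())
            throw new IllegalArgumentException("cluster credentials must be configured");
        expectedLogin = login.getBytes(StandardCharsets.UTF_8);
        expectedPassword = password.getBytes(StandardCharsets.UTF_8);
    }

    // A node is accepted only if it presents both fields and both match.
    public boolean accept(String login, String password) {
        if (login == null || password == null)
            return false;
        // MessageDigest.isEqual does not stop at the first differing byte;
        // the non-short-circuit & evaluates both comparisons every time.
        return MessageDigest.isEqual(expectedLogin, login.getBytes(StandardCharsets.UTF_8))
            & MessageDigest.isEqual(expectedPassword, password.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        NodeCredentialCheck check = new NodeCredentialCheck("cluster-node", "sample-secret");
        System.out.println("matching credentials: " + check.accept("cluster-node", "sample-secret"));
        System.out.println("wrong password:       " + check.accept("cluster-node", "guess"));
        System.out.println("no credentials:       " + check.accept(null, null));
        try {
            new NodeCredentialCheck(null, null);
        } catch (IllegalArgumentException e) {
            System.out.println("unconfigured check:   refused (" + e.getMessage() + ")");
        }
    }
}
```

Inside authenticateNode(), the login and password taken from the SecurityCredentials argument would be passed to accept(), returning a SecurityContext only when it yields true and null otherwise, as the answer's code does.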

Answer 4

Score: 1

Was able to solve my own problem by creating my own CustomTCPDiscoveryAPI.
First, create this class:

import org.apache.ignite.IgniteException;
import org.apache.ignite.cluster.ClusterNode;
import org.apache.ignite.internal.IgniteNodeAttributes;
import org.apache.ignite.internal.processors.security.SecurityContext;
import org.apache.ignite.lang.IgniteProductVersion;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.spi.discovery.DiscoverySpiNodeAuthenticator;
import org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi;

import java.util.Map;

public class CustomTcpDiscoverySpi extends TcpDiscoverySpi implements DiscoverySpiNodeAuthenticator {
	SecurityCredentials securityCredentials;
	public CustomTcpDiscoverySpi(final SecurityCredentials securityCredentials) {
		this.securityCredentials = securityCredentials;
		this.setAuthenticator(this);
	}

	@Override
	public SecurityContext authenticateNode(ClusterNode clusterNode, SecurityCredentials securityCredentials) throws IgniteException {
		return null;
	}

	@Override
	public boolean isGlobalNodeAuthentication() {
		return true;
	}

	@Override
	public void setNodeAttributes(final Map<String, Object> attrs, final IgniteProductVersion ver) {
		attrs.put(IgniteNodeAttributes.ATTR_SECURITY_CREDENTIALS, this.securityCredentials);
		super.setNodeAttributes(attrs, ver);
	}
}

And then, use it like below:

    SecurityCredentials cred = new SecurityCredentials();
    cred.setLogin(appConfig.getIgniteUser());
    cred.setPassword(appConfig.getIgnitePassword());
    CustomTcpDiscoverySpi spi = new CustomTcpDiscoverySpi(cred);
    // TcpDiscoverySpi spi = new TcpDiscoverySpi(); -> removed to use the CustomTCPDiscovery
    TcpDiscoveryVmIpFinder ipFinder = new TcpDiscoveryMulticastIpFinder();
    String ipList = appConfig.getIgniteIPAddressList();
    List<String> addressList = Arrays.asList(ipList.split(";"));
    ipFinder.setAddresses(addressList);
    spi.setIpFinder(ipFinder);
    IgniteConfiguration cfg = new IgniteConfiguration();
    cfg.setIgniteInstanceName("IgnitePod");
    cfg.setClientMode(true);
    cfg.setAuthenticationEnabled(true);
    // Ignite persistence configuration.
    DataStorageConfiguration storageCfg = new DataStorageConfiguration();
    // Enabling the persistence.
    storageCfg.getDefaultDataRegionConfiguration().setPersistenceEnabled(true);
    // Applying settings.
    // tests
    cfg.setDataStorageConfiguration(storageCfg);
    cfg.setDiscoverySpi(spi);
    Ignite ignite = Ignition.start(cfg);

Hope this helps other people who are stuck with the same problem.

Answer 5

Score: 0

The only option for peer-authenticating server nodes which is available in vanilla Apache Ignite is SSL+certificates.

huangapple
  • Published on January 6, 2020, 18:07:33
  • When reposting, please keep the link to this article: https://go.coder-hub.com/59610118.html