org.gridgain.grid.security.certificate

Class CertificateAuthenticator

java.lang.Object

org.gridgain.grid.security.certificate.CertificateAuthenticator

All Implemented Interfaces:

org.apache.ignite.plugin.security.SecurityCredentialsProvider, Authenticator

public class CertificateAuthenticator
extends Object
implements Authenticator, org.apache.ignite.plugin.security.SecurityCredentialsProvider

Authorizes client nodes and thin clients based on client SSL certificates and assigns permissions.

Constructor Summary

Constructors

Constructor and Description
CertificateAuthenticator()

Method Summary

Modifier and Type	Method and Description
org.apache.ignite.plugin.security.SecuritySubject	authenticate(org.apache.ignite.plugin.security.AuthenticationContext authCtx) Authenticates a given subject (either node or remote client).
org.apache.ignite.plugin.security.SecurityCredentials	credentials() Unless setAlwaysAcceptServerNodes(boolean) is set to false, returns empty SecurityCredentials to be used as credentials of local node.
boolean	isGlobalNodeAuthentication() Flag indicating whether node authentication should be run on coordinator only or on all nodes in current topology.
void	setAlwaysAcceptServerNodes(boolean alwaysAcceptServerNodes) If set to true, CertificateAuthenticator will automatically approve all remote nodes and only check thin clients.
void	setPermissions(Map<? extends org.apache.ignite.lang.IgnitePredicate<Certificate[]>,org.apache.ignite.plugin.security.SecurityPermissionSet> permsMap) Sets mapping of certificate predicates to permissions.
<P extends org.apache.ignite.lang.IgnitePredicate<Certificate[]>> void	setPermissionsJson(Map<P,String> permsMapJson) Sets mapping of certificate predicates to permissions.
boolean	supported(org.apache.ignite.plugin.security.SecuritySubjectType subjType) Checks if given subject is supported by this authenticator.
String	toString()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

CertificateAuthenticator

public CertificateAuthenticator()

Method Detail

setPermissions

public void setPermissions(Map<? extends org.apache.ignite.lang.IgnitePredicate<Certificate[]>,org.apache.ignite.plugin.security.SecurityPermissionSet> permsMap)

Sets mapping of certificate predicates to permissions. If multiple predicates may accept a single certificate, it is advised to use LinkedHashMap to make sure authorization results are consistent.

Parameters:

permsMap - Map of certificate matchers to permissions.

setPermissionsJson

public <P extends org.apache.ignite.lang.IgnitePredicate<Certificate[]>> void setPermissionsJson(Map<P,String> permsMapJson)
                                                                                          throws org.apache.ignite.IgniteCheckedException

Sets mapping of certificate predicates to permissions. If multiple predicates may accept a single certificate, it is advised to use LinkedHashMap to make sure authorization results are consistent. Permissions are passed in JSON form, please refer to AuthenticationAclBasicProvider for details.

Parameters:

permsMapJson - Map of certificate matchers to permissions in JSON format.

Throws:

org.apache.ignite.IgniteCheckedException

setAlwaysAcceptServerNodes

public void setAlwaysAcceptServerNodes(boolean alwaysAcceptServerNodes)

If set to true, CertificateAuthenticator will automatically approve all remote nodes and only check thin clients. Currently, authorization by certificates of remote nodes is not implemented, but SSL will perform its own authentication when remote node tries to join, if SSL between nodes is enabled. Set to false to use in conjunction with a different authenticator, such as JaasAuthenticator, to only check thin clients' permissions with certificates.

Parameters:

alwaysAcceptServerNodes - Whether to automatically accept all server nodes.

supported

public boolean supported(org.apache.ignite.plugin.security.SecuritySubjectType subjType)

Checks if given subject is supported by this authenticator. If not, then next authentication in the list will be checked.

Specified by:

supported in interface Authenticator

Parameters:

subjType - Subject type.

Returns:

True if subject type is supported, false otherwise.

authenticate

public org.apache.ignite.plugin.security.SecuritySubject authenticate(org.apache.ignite.plugin.security.AuthenticationContext authCtx)
                                                               throws org.apache.ignite.IgniteCheckedException

Authenticates a given subject (either node or remote client).

Specified by:

authenticate in interface Authenticator

Parameters:

authCtx - Authentication context. Contains all necessary information required to authenticate the subject.

Returns:

Authenticated subject context or null if authentication did not pass.

Throws:

org.apache.ignite.IgniteCheckedException - If authentication resulted in system error. Note that bad credentials should not cause this exception.

isGlobalNodeAuthentication

public boolean isGlobalNodeAuthentication()

Flag indicating whether node authentication should be run on coordinator only or on all nodes in current topology.

Specified by:

isGlobalNodeAuthentication in interface Authenticator

Returns:

True if all nodes in topology should authenticate joining node. In this case security permissions will be validated to be the same on all nodes. In case if permissions differ, node will not be able to join the topology. If this method returns false, only coordinator node will authenticate joining node.

toString

public String toString()

Overrides:

toString in class Object

credentials

public org.apache.ignite.plugin.security.SecurityCredentials credentials()

Unless setAlwaysAcceptServerNodes(boolean) is set to false, returns empty SecurityCredentials to be used as credentials of local node.

Specified by:

credentials in interface org.apache.ignite.plugin.security.SecurityCredentialsProvider

Returns:

Empty security credentials or null.