IGNITE-12781 - 2.8.1 Ignite Security : Java Thin Client : cache_put event contains the node id instead of the remote_client subject id

IGNITE-12781 - 2.8.1 Ignite Security : Java Thin Client : cache_put event contains the node id instead of the remote_client subject id

VeenaMithare
Posting this here, as guided in the ignite users group.
Hi Team,

1. I noticed that this issue
(https://issues.apache.org/jira/browse/IGNITE-12781) is not resolved in
2.8.1.

Could you guide us on how we can get audit information if a cache record
modification is done in DBeaver and the cache_put event contains the node id
instead of the remote_client subject id?

Please note this is a blocker issue for us to use Apache Ignite, since we
use DBeaver to update records sometimes.
Could we kindly ask this to be included in the next release.


2. Even if the cache_put event did contain the remote_client user id, how
are we supposed to fetch it from the auditstoragespi?

The below link mentions
http://apache-ignite-users.70518.x6.nabble.com/JDBC-thin-client-incorrect-security-context-td31354.html

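import java.util.Collection;
import java.util.Collections;

import org.apache.ignite.IgniteLogger;
import org.apache.ignite.events.Event;
import org.apache.ignite.events.TaskEvent;
import org.apache.ignite.lang.IgnitePredicate;
import org.apache.ignite.plugin.security.SecuritySubject;
import org.apache.ignite.resources.LoggerResource;
import org.apache.ignite.spi.IgniteSpiAdapter;
import org.apache.ignite.spi.IgniteSpiException;
import org.jetbrains.annotations.Nullable;

import static org.apache.ignite.events.EventType.EVT_MANAGEMENT_TASK_STARTED;

// The interface is fully qualified because the class shares its simple name.
public class EventStorageSpi extends IgniteSpiAdapter
        implements org.apache.ignite.spi.eventstorage.EventStorageSpi {
    @LoggerResource
    private IgniteLogger log;

    @Override
    public <T extends Event> Collection<T> localEvents(IgnitePredicate<T> p) {
        // Events are only logged, never stored, so there is nothing to query.
        return Collections.emptyList();
    }

    @Override
    public void record(Event evt) throws IgniteSpiException {
        if (evt.type() == EVT_MANAGEMENT_TASK_STARTED) {
            TaskEvent taskEvent = (TaskEvent) evt;

            // Resolve the subject id carried by the event to a security subject.
            SecuritySubject subj = taskEvent.subjectId() != null
                    ? getSpiContext().authenticatedSubject(taskEvent.subjectId())
                    : null;

            log.info("Management task started: [" +
                    "name=" + taskEvent.taskName() + ", " +
                    "eventNode=" + taskEvent.node() + ", " +
                    "timestamp=" + taskEvent.timestamp() + ", " +
                    "info=" + taskEvent.message() + ", " +
                    "subjectId=" + taskEvent.subjectId() + ", " +
                    "secureSubject=" + subj +
                    "]");
        }
    }

    @Override
    public void spiStart(@Nullable String igniteInstanceName) throws IgniteSpiException {
        /* No-op. */
    }

    @Override
    public void spiStop() throws IgniteSpiException {
        /* No-op. */
    }
}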

IgniteSpiContext exposes authenticatedSubject which according to some
discussions gets the subject *only for node*.
(http://apache-ignite-developers.2346864.n4.nabble.com/Security-Subject-of-thin-client-on-remote-nodes-td46029.html#a46412)

securityContext(uuid) was added to the GridSecurityProcessor to get the
securitycontext of the thin client. However this is not exposed via the
IgniteSpiContext.


regards,
Veena.



--
Sent from: http://apache-ignite-developers.2346864.n4.nabble.com/
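
The audit question raised in the message above, as an added example that is not part of the original post and is not Apache Ignite project code: an event storage SPI that records cache_put events and marks every put whose subject id does not resolve to a remote_client subject, so the attribution gap described in IGNITE-12781 shows up in the audit log instead of passing silently. The class name CachePutAuditSpi and the log line layout are assumptions made for this sketch.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.UUID;
import org.apache.ignite.IgniteLogger;
import org.apache.ignite.events.CacheEvent;
import org.apache.ignite.events.Event;
import org.apache.ignite.lang.IgnitePredicate;
import org.apache.ignite.plugin.security.SecuritySubject;
import org.apache.ignite.plugin.security.SecuritySubjectType;
import org.apache.ignite.resources.LoggerResource;
import org.apache.ignite.spi.IgniteSpiAdapter;
import org.apache.ignite.spi.IgniteSpiException;
import org.apache.ignite.spi.eventstorage.EventStorageSpi;
import org.jetbrains.annotations.Nullable;
import static org.apache.ignite.events.EventType.EVT_CACHE_OBJECT_PUT;

/** Hypothetical audit SPI; the class name is an assumption, not an Ignite class. */
public class CachePutAuditSpi extends IgniteSpiAdapter implements EventStorageSpi {
    @LoggerResource private IgniteLogger log;

    @Override public <T extends Event> Collection<T> localEvents(IgnitePredicate<T> p) {
        return Collections.emptyList(); // Audit-only SPI: events are logged, not stored.
    }

    @Override public void record(Event evt) throws IgniteSpiException {
        if (evt.type() != EVT_CACHE_OBJECT_PUT)
            return;

        CacheEvent put = (CacheEvent)evt;
        UUID subjId = put.subjectId();
        SecuritySubject subj = subjId != null
            ? getSpiContext().authenticatedSubject(subjId) : null;

        // A put is attributable only when the subject resolves to a client login.
        boolean attributed = subj != null && subj.type() == SecuritySubjectType.REMOTE_CLIENT;
        String line = "cache_put [cache=" + put.cacheName() + ", key=" + put.key() +
            ", eventNode=" + put.eventNode().id() + ", subjectId=" + subjId +
            ", subjectType=" + (subj != null ? subj.type() : "UNRESOLVED") +
            ", login=" + (subj != null ? subj.login() : null) + "]";

        if (attributed)
            log.info(line);
        else
            log.warning("UNATTRIBUTED " + line); // Node id or unknown subject: audit gap.
    }

    @Override public void spiStart(@Nullable String igniteInstanceName) { /* No-op. */ }
    @Override public void spiStop() { /* No-op. */ }
}
```

The SPI only receives these events when EVT_CACHE_OBJECT_PUT is enabled through IgniteConfiguration.setIncludeEventTypes and the SPI is registered with IgniteConfiguration.setEventStorageSpi. Puts issued by server nodes themselves also carry a node subject and will be reported as UNATTRIBUTED.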

Re: IGNITE-12781 - cache_put event contains the node id instead of the remote_client subject id

Ilya Kasnacheev
Hello!

If this issue blocks you, I suggest investing time in fixing it, providing
a patch perhaps?

Regards,
--
Ilya Kasnacheev


Sun, 26 Jul 2020 at 12:46, VeenaMithare <[hidden email]>:

> Posting this here, as guided in the ignite users group.
> Hi Team,
>
> 1. I noticed that this issue
> (https://issues.apache.org/jira/browse/IGNITE-12781) is not resolved in
> 2.8.1.
>
> Could you guide us on how we can get audit information if a cache record
> modification is done in DBeaver and the cache_put event contains the node id
> instead of the remote_client subject id?
>
> Please note this is a blocker issue for us to use Apache Ignite, since we
> use DBeaver to update records sometimes.
> Could we kindly ask this to be included in the next release.
>
> 2. Even if the cache_put event did contain the remote_client user id, how
> are we supposed to fetch it from the auditstoragespi?
>
> The below link mentions
>
> http://apache-ignite-users.70518.x6.nabble.com/JDBC-thin-client-incorrect-security-context-td31354.html
>
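> import java.util.Collection;
> import java.util.Collections;
>
> import org.apache.ignite.IgniteLogger;
> import org.apache.ignite.events.Event;
> import org.apache.ignite.events.TaskEvent;
> import org.apache.ignite.lang.IgnitePredicate;
> import org.apache.ignite.plugin.security.SecuritySubject;
> import org.apache.ignite.resources.LoggerResource;
> import org.apache.ignite.spi.IgniteSpiAdapter;
> import org.apache.ignite.spi.IgniteSpiException;
> import org.jetbrains.annotations.Nullable;
>
> import static org.apache.ignite.events.EventType.EVT_MANAGEMENT_TASK_STARTED;
>
> // The interface is fully qualified because the class shares its simple name.
> public class EventStorageSpi extends IgniteSpiAdapter
>         implements org.apache.ignite.spi.eventstorage.EventStorageSpi {
>     @LoggerResource
>     private IgniteLogger log;
>
>     @Override
>     public <T extends Event> Collection<T> localEvents(IgnitePredicate<T> p) {
>         // Events are only logged, never stored, so there is nothing to query.
>         return Collections.emptyList();
>     }
>
>     @Override
>     public void record(Event evt) throws IgniteSpiException {
>         if (evt.type() == EVT_MANAGEMENT_TASK_STARTED) {
>             TaskEvent taskEvent = (TaskEvent) evt;
>
>             // Resolve the subject id carried by the event to a security subject.
>             SecuritySubject subj = taskEvent.subjectId() != null
>                     ? getSpiContext().authenticatedSubject(taskEvent.subjectId())
>                     : null;
>
>             log.info("Management task started: [" +
>                     "name=" + taskEvent.taskName() + ", " +
>                     "eventNode=" + taskEvent.node() + ", " +
>                     "timestamp=" + taskEvent.timestamp() + ", " +
>                     "info=" + taskEvent.message() + ", " +
>                     "subjectId=" + taskEvent.subjectId() + ", " +
>                     "secureSubject=" + subj +
>                     "]");
>         }
>     }
>
>     @Override
>     public void spiStart(@Nullable String igniteInstanceName) throws IgniteSpiException {
>         /* No-op. */
>     }
>
>     @Override
>     public void spiStop() throws IgniteSpiException {
>         /* No-op. */
>     }
> }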
>
> IgniteSpiContext exposes authenticatedSubject which according to some
> discussions gets the subject *only for node*.
> (http://apache-ignite-developers.2346864.n4.nabble.com/Security-Subject-of-thin-client-on-remote-nodes-td46029.html#a46412)
>
> securityContext(uuid) was added to the GridSecurityProcessor to get the
> securitycontext of the thin client. However this is not exposed via the
> IgniteSpiContext.
>
> regards,
> Veena.
>
>
>
> --
> Sent from: http://apache-ignite-developers.2346864.n4.nabble.com/
>