(ignite) branch master updated: IGNITE-23563 Fix node fails while checking security permission for activation during join (#11631)

Thu, 31 Oct 2024 00:32:24 -0700 

This is an automated email from the ASF dual-hosted git repository.

ivandasch pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ignite.git


The following commit(s) were added to refs/heads/master by this push:
     new 9f4f7384dfa IGNITE-23563 Fix node fails while checking security 
permission for activation during join (#11631)
9f4f7384dfa is described below

commit 9f4f7384dfa2e5db706116b6f7f3bf336c2cf7b3
Author: Ivan Daschinskiy <[email protected]>
AuthorDate: Thu Oct 31 10:32:09 2024 +0300

    IGNITE-23563 Fix node fails while checking security permission for 
activation during join (#11631)
---
 .../cluster/GridClusterStateProcessor.java         |   7 +-
 ...nJoinWithoutPermissionsWithPersistenceTest.java | 105 +++++++++++++++++++++
 .../ignite/testsuites/SecurityTestSuite.java       |   4 +-
 .../zk/ZookeeperDiscoverySpiTestSuite4.java        |   4 +-
 4 files changed, 117 insertions(+), 3 deletions(-)

diff --git 
a/modules/core/src/main/java/org/apache/ignite/internal/processors/cluster/GridClusterStateProcessor.java
 
b/modules/core/src/main/java/org/apache/ignite/internal/processors/cluster/GridClusterStateProcessor.java
index 1b55eedebd9..bf723d400fa 100644
--- 
a/modules/core/src/main/java/org/apache/ignite/internal/processors/cluster/GridClusterStateProcessor.java
+++ 
b/modules/core/src/main/java/org/apache/ignite/internal/processors/cluster/GridClusterStateProcessor.java
@@ -1109,7 +1109,12 @@ public class GridClusterStateProcessor extends 
GridProcessorAdapter implements I
         boolean forceChangeBaselineTopology,
         boolean isAutoAdjust
     ) {
-        ctx.security().authorize(SecurityPermission.ADMIN_CLUSTER_STATE);
+        try {
+            ctx.security().authorize(SecurityPermission.ADMIN_CLUSTER_STATE);
+        }
+        catch (org.apache.ignite.plugin.security.SecurityException secEx) {
+            return new GridFinishedFuture<>(secEx);
+        }
 
         if (ctx.maintenanceRegistry().isMaintenanceMode()) {
             return new GridFinishedFuture<>(
diff --git 
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/ActivationOnJoinWithoutPermissionsWithPersistenceTest.java
 
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/ActivationOnJoinWithoutPermissionsWithPersistenceTest.java
new file mode 100644
index 00000000000..c6dc2b41a62
--- /dev/null
+++ 
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/ActivationOnJoinWithoutPermissionsWithPersistenceTest.java
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.security.cluster;
+
+import org.apache.ignite.configuration.DataRegionConfiguration;
+import org.apache.ignite.configuration.DataStorageConfiguration;
+import org.apache.ignite.configuration.IgniteConfiguration;
+import org.apache.ignite.failure.StopNodeFailureHandler;
+import org.apache.ignite.internal.processors.security.AbstractSecurityTest;
+import 
org.apache.ignite.internal.processors.security.impl.TestSecurityPluginProvider;
+import org.apache.ignite.internal.util.typedef.F;
+import org.apache.ignite.internal.util.typedef.G;
+import org.apache.ignite.plugin.security.SecurityPermission;
+import org.junit.Test;
+
+import static org.apache.ignite.cluster.ClusterState.ACTIVE;
+import static org.apache.ignite.cluster.ClusterState.INACTIVE;
+import static 
org.apache.ignite.plugin.security.SecurityPermission.ADMIN_CLUSTER_STATE;
+import static 
org.apache.ignite.plugin.security.SecurityPermission.JOIN_AS_SERVER;
+import static 
org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.create;
+
+/**
+ * Tests joining baseline node without permissions. It should join 
successfully, but
+ * cluster must be left in INACTIVE state. {@link 
org.apache.ignite.internal.processors.cluster.GridClusterStateProcessor#onLocalJoin}
+ * must not complete exceptionally.
+ */
+public class ActivationOnJoinWithoutPermissionsWithPersistenceTest extends 
AbstractSecurityTest {
+    /** */
+    private static final int NUM_NODES = 3;
+
+    /** {@inheritDoc} */
+    @Override protected IgniteConfiguration getConfiguration(String 
instanceName) throws Exception {
+        SecurityPermission[] srvPerms = F.asArray(ADMIN_CLUSTER_STATE);
+
+        return getConfiguration(instanceName, srvPerms);
+    }
+
+    /**
+     * @return Ignite configuration with given server and client permissions.
+     */
+    private IgniteConfiguration getConfiguration(
+        String instanceName,
+        SecurityPermission[] srvPerms
+    ) throws Exception {
+        IgniteConfiguration cfg = super.getConfiguration(instanceName);
+
+        cfg.setConsistentId(instanceName);
+
+        TestSecurityPluginProvider secPlugin = new TestSecurityPluginProvider(
+            instanceName,
+            "",
+            
create().defaultAllowAll(false).appendSystemPermissions(F.concat(srvPerms, 
JOIN_AS_SERVER)).build(),
+            false,
+            EMPTY_SECURITY_DATA
+        );
+
+        cfg.setPluginProviders(secPlugin);
+
+        cfg.setFailureHandler(new StopNodeFailureHandler());
+
+        cfg.setDataStorageConfiguration(new DataStorageConfiguration()
+                .setDefaultDataRegionConfiguration(new 
DataRegionConfiguration().setPersistenceEnabled(true)));
+
+        return cfg;
+    }
+
+    /** */
+    @Test
+    public void testNodeJoinWithoutPermissions() throws Exception {
+        // Start grids and activate them.
+        startGrids(NUM_NODES);
+
+        grid(0).cluster().state(ACTIVE);
+        assertEquals(ACTIVE, grid(0).cluster().state());
+
+        // Stop all of them and restart just the firsts.
+        G.stopAll(true);
+
+        startGrids(NUM_NODES - 1);
+
+        // Start the last one with empty permissions.
+        startGrid(getConfiguration(getTestIgniteInstanceName(NUM_NODES - 1), 
EMPTY_PERMS));
+
+        // Check for state and topology.
+        waitForTopology(NUM_NODES);
+
+        assertEquals(INACTIVE, grid(0).cluster().state());
+        assertEquals(NUM_NODES, grid(0).cluster().forServers().nodes().size());
+    }
+}
diff --git 
a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
 
b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
index 64dc1d9e3a9..d7cf6a08796 100644
--- 
a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
+++ 
b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
@@ -39,6 +39,7 @@ import 
org.apache.ignite.internal.processors.security.client.ThinClientPermissio
 import 
org.apache.ignite.internal.processors.security.client.ThinClientPermissionCheckTest;
 import 
org.apache.ignite.internal.processors.security.client.ThinClientSecurityContextOnRemoteNodeTest;
 import 
org.apache.ignite.internal.processors.security.client.ThinClientSslPermissionCheckTest;
+import 
org.apache.ignite.internal.processors.security.cluster.ActivationOnJoinWithoutPermissionsWithPersistenceTest;
 import 
org.apache.ignite.internal.processors.security.cluster.ClusterNodeOperationPermissionTest;
 import 
org.apache.ignite.internal.processors.security.cluster.ClusterStatePermissionTest;
 import 
org.apache.ignite.internal.processors.security.cluster.NodeJoinPermissionsTest;
@@ -140,7 +141,8 @@ import org.junit.runners.Suite;
     ServiceStaticConfigTest.class,
     ClusterNodeOperationPermissionTest.class,
     NodeSecurityContextPropagationTest.class,
-    NodeJoinPermissionsTest.class
+    NodeJoinPermissionsTest.class,
+    ActivationOnJoinWithoutPermissionsWithPersistenceTest.class,
 })
 public class SecurityTestSuite {
     /** */
diff --git 
a/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/ZookeeperDiscoverySpiTestSuite4.java
 
b/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/ZookeeperDiscoverySpiTestSuite4.java
index 6a6d1f9a701..e364bc12182 100644
--- 
a/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/ZookeeperDiscoverySpiTestSuite4.java
+++ 
b/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/ZookeeperDiscoverySpiTestSuite4.java
@@ -27,6 +27,7 @@ import 
org.apache.ignite.internal.processors.cache.distributed.replicated.GridCa
 import 
org.apache.ignite.internal.processors.cache.distributed.replicated.IgniteCacheReplicatedQuerySelfTest;
 import 
org.apache.ignite.internal.processors.metastorage.DistributedMetaStoragePersistentTest;
 import 
org.apache.ignite.internal.processors.metastorage.DistributedMetaStorageTest;
+import 
org.apache.ignite.internal.processors.security.cluster.ActivationOnJoinWithoutPermissionsWithPersistenceTest;
 import 
org.apache.ignite.internal.processors.security.cluster.NodeJoinPermissionsTest;
 import org.apache.ignite.spi.discovery.DiscoverySpiDataExchangeTest;
 import org.junit.BeforeClass;
@@ -50,7 +51,8 @@ import org.junit.runners.Suite;
     IgniteNodeValidationFailedEventTest.class,
     DiscoverySpiDataExchangeTest.class,
     CacheCreateDestroyEventSecurityContextTest.class,
-    NodeJoinPermissionsTest.class
+    NodeJoinPermissionsTest.class,
+    ActivationOnJoinWithoutPermissionsWithPersistenceTest.class,
 })
 public class ZookeeperDiscoverySpiTestSuite4 {
     /** */

Reply via email to