Re: Cache_Put event generated from a remote_client user action has subject uuid of Node that executes the request sometimes
Hi Andrei,

Could you kindly help review the approach to get the remote client user when the update is triggered from DBeaver (JDBC thin client)? As mentioned, this was done as a workaround to tackle this issue: IGNITE-12781. (Wasn't sure if you were confirming the approach itself in the earlier reply you had sent.)

-- Sent from: http://apache-ignite-users.70518.x6.nabble.com/
Re: Cache_Put event generated from a remote_client user action has subject uuid of Node that executes the request sometimes
Hi Andrei,

>>IgniteCache can help to hold all the information about started transactions and users.
>>Using EventStorageSpi is a good way to handle the events.

Thank you. I wanted a review of the below approach:

1. If the cache_put event holds the subject id of the remote client, then fetch it using the getSpiContext().authenticatedSubject(uuid) method. (This in turn will check the AuthenticationContext.context() and match the subjectId of the event with the one in the AuthenticationContext.context().)
2. If it holds the subjectId of the node instead of the remote client (in this case, the subject returned by point 1 will be null):
   1. Create a cache (transactionIdToSubjectCache) that holds xid vs security subject information, where xid is the id of the transaction started event. The subject id on this event always holds the remote client id for cache put events generated on DBeaver.
   2. When a cache put event is sent to the storage SPI, match the xid as follows:
      a. Get the subject from transactionIdToSubjectCache using the xid.
      b. If the above is null, get the originating xid of the event xid and get the subject using the originating xid.

Is the approach okay?

Regards,
Veena.
Re: Cache_Put event generated from a remote_client user action has subject uuid of Node that executes the request sometimes
Hi,

Your approach is correct as for me.

IgniteCache can help to hold all the information about started transactions and users.
Using EventStorageSpi is a good way to handle the events.

BR,
Andrei

6/9/2020 10:06 AM, VeenaMithare wrote:
Cache_Put event generated from a remote_client user action has subject uuid of Node that executes the request sometimes
Cache_Put event generated from a remote_client user action has subject uuid of Node that executes the request sometimes. The Jira IGNITE-12781 was created by me for this. Some related conversation on this could be found at http://apache-ignite-developers.2346864.n4.nabble.com/Security-Subject-of-thin-client-on-remote-nodes-td46029.html#a46406 and the last few comments on this post: http://apache-ignite-developers.2346864.n4.nabble.com/JDBC-thin-client-incorrect-security-context-td45929.html

To tackle the issue till this Jira is fixed, I have used the approach as below. Kindly confirm if you see any concerns with this:

1. If the cache_put event holds the subject id of the remote client, then fetch it using the getSpiContext().authenticatedSubject(uuid) method. (This in turn will check the AuthenticationContext.context() and match the subjectId of the event with the one in the AuthenticationContext.context().)
2. If it holds the subjectId of the node instead of the remote client (in this case, the subject returned by point 1 will be null):
   1. Create a cache (transactionIdToSubjectCache) that holds xid vs security subject information, where xid is the id of the transaction started event. The subject id on this event always holds the remote client id for cache put events generated on DBeaver.
   2. When a cache put event is sent to the storage SPI, match the xid as follows:
      a. Get the subject from transactionIdToSubjectCache using the xid.
      b. If the above is null, get the originating xid of the event xid and get the subject using the originating xid.

I am able to get the subject using this approach. Could you kindly verify if I am missing anything?
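Here is a pseudo code:

    import org.apache.ignite.Ignite;
    import org.apache.ignite.IgniteCache;
    import org.apache.ignite.Ignition;
    import org.apache.ignite.events.CacheEvent;
    import org.apache.ignite.events.Event;
    import org.apache.ignite.events.EventType;
    import org.apache.ignite.events.TransactionStateChangedEvent;
    import org.apache.ignite.internal.IgniteEx;
    import org.apache.ignite.internal.processors.authentication.AuthorizationContext;
    import org.apache.ignite.internal.processors.cache.transactions.IgniteInternalTx;
    import org.apache.ignite.internal.processors.cache.transactions.IgniteTxManager;
    import org.apache.ignite.lang.IgniteUuid;
    import org.apache.ignite.plugin.security.SecuritySubject;
    import org.apache.ignite.spi.IgniteSpiAdapter;
    import org.apache.ignite.spi.IgniteSpiException;
    import org.apache.ignite.spi.eventstorage.EventStorageSpi;

    // Pseudo code: the remaining EventStorageSpi/IgniteSpiAdapter methods are not shown.
    // ProjectAuthorizationContext is the poster's own class and has no import here.
    public class AuditSpi extends IgniteSpiAdapter implements EventStorageSpi {
        private Ignite ignite;

        // xid of the transaction-started event -> security subject of the remote client
        private IgniteCache<IgniteUuid, SecuritySubject> transactionIdSubjectMapCache;

        @Override
        public void record(Event evt) throws IgniteSpiException {
            assert evt != null;

            ignite = Ignition.ignite(igniteInstanceName);
            transactionIdSubjectMapCache = ignite.cache("transactionIdSubjectMapCache");

            if (evt instanceof TransactionStateChangedEvent
                    && (evt.type() == EventType.EVT_TX_STARTED)) {
                // Populate the transactionIdSubjectMapCache for events generated from dbeaver.
                // This always contains the remote_client subject id.
                if (AuthorizationContext.context() != null) {
                    transactionIdSubjectMapCache.put(
                        ((TransactionStateChangedEvent) evt).tx().xid(),
                        ((ProjectAuthorizationContext) AuthorizationContext.context()).subject());
                }
                return;
            }

            if (evt instanceof CacheEvent) {
                // Point 1: resolve the subject directly from the subject id on the event.
                SecuritySubject subj =
                    getSpiContext().authenticatedSubject(((CacheEvent) evt).subjectId());
                IgniteUuid transactionId = null;
                if (subj == null) {
                    // Point 2: the event carries the node's subject id, so use the xid map.
                    SecuritySubject sub =
                        getSecuritySubjectFromTransactionMap((CacheEvent) evt, transactionId);
                    // more logic to store it in the audit cache here.
                }
            }
        }

        private SecuritySubject getSecuritySubjectFromTransactionMap(CacheEvent evt,
                IgniteUuid transactionId) {
            // 2.a: look up the subject by the xid on the event.
            SecuritySubject subj = transactionIdSubjectMapCache.get(evt.xid());
            if (subj == null) {
                // 2.b: fall back to the originating (near) xid of the matching active transaction.
                IgniteTxManager tm = ((IgniteEx) ignite).context().cache().context().tm();
                for (IgniteInternalTx transaction : tm.activeTransactions()) {
                    if (transaction.xid().equals(evt.xid())) {
                        if (transaction.nearXidVersion() != null) {
                            subj = transactionIdSubjectMapCache
                                .get(transaction.nearXidVersion().asGridUuid());
                        }
                    }
                }
            }
            return subj;
        }
    }

Regards,
Veena.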
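Added example, not part of the original thread or of Apache Ignite: a plain-Java model (Java 16+ for records) of the lookup order in points 1, 2.2.a and 2.2.b, which also records which step produced the subject so an audit record shows how it was attributed. `PutEvent`, `Attribution`, `Source` and all ids are hypothetical stand-ins constructed for the illustration; no Ignite classes are used.

```java
import java.util.*;

/** Added illustration: plain-Java model of the subject lookup order. */
public class SubjectResolutionDemo {
    enum Source { DIRECT, TX_MAP, ORIGINATING_TX_MAP, UNRESOLVED }

    /** Hypothetical stand-in for a cache put event: subject id, xid, originating (near) xid. */
    record PutEvent(UUID subjectId, String xid, String originatingXid) {}

    /** Resolved user (null when unknown) plus the step that produced it. */
    record Attribution(String user, Source source) {}

    // Stand-in for authenticatedSubject(uuid): knows only authenticated remote clients.
    final Map<UUID, String> authenticated = new HashMap<>();
    // Stand-in for transactionIdToSubjectCache: xid of the transaction-started event -> user.
    final Map<String, String> txToSubject = new HashMap<>();

    Attribution resolve(PutEvent evt) {
        String user = authenticated.get(evt.subjectId());            // point 1
        if (user != null) return new Attribution(user, Source.DIRECT);
        user = txToSubject.get(evt.xid());                           // point 2.2.a
        if (user != null) return new Attribution(user, Source.TX_MAP);
        if (evt.originatingXid() != null) {                          // point 2.2.b
            user = txToSubject.get(evt.originatingXid());
            if (user != null) return new Attribution(user, Source.ORIGINATING_TX_MAP);
        }
        // Keep the event in the audit trail, marked unattributed, rather than dropping it.
        return new Attribution(null, Source.UNRESOLVED);
    }

    public static void main(String[] args) {
        SubjectResolutionDemo demo = new SubjectResolutionDemo();
        UUID client = UUID.randomUUID(), node = UUID.randomUUID();   // constructed ids
        demo.authenticated.put(client, "remote_client_user");
        demo.txToSubject.put("xid-1", "remote_client_user");         // recorded at tx start

        List<PutEvent> events = List.of(
            new PutEvent(client, "xid-1", null),   // event carries the client's subject id
            new PutEvent(node, "xid-1", null),     // node id, but the xid is in the map
            new PutEvent(node, "xid-2", "xid-1"),  // node id, only the originating xid is known
            new PutEvent(node, "xid-9", null));    // nothing matches
        for (PutEvent e : events)
            System.out.println(e.xid() + " -> " + demo.resolve(e));
    }
}
```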