Hi,
Your approach is correct as for me.
IgniteCache can help to hold all the
information about started transactions and users.
Using EventStorageSpi is a good way to handle the events.
BR,
Andrei
6/9/2020 10:06 AM, VeenaMithare пишет:
Cache_Put event generated from a remote_client user action has subject uuid
of Node that executes the request sometimes.
The Jira IGNITE-12781 was created by me for this. Some related conversation
on this could be found at
(
http://apache-ignite-developers.2346864.n4.nabble.com/Security-Subject-of-thin-client-on-remote-nodes-td46029.html#a46406
and the last few comments on this post :
http://apache-ignite-developers.2346864.n4.nabble.com/JDBC-thin-client-incorrect-security-context-td45929.html)
To tackle the issue till this jira is fixed I have used the approach as
below .
Kindly confirm if you see any concerns with this :
1.If the cache_put event holds the subject id of the remoteclient, then
fetch it using getSpiContext().authenticatedSubject(uuid ) method. ( This in
turn will check the AuthenticationContext.context() and match the subjectId
in of the event with the one in the AuthenticationContext.context() )
2.If it holds the subjectId of the node instead of the remoteclient( In this
case, the subject returned by point 1 will be null ) -
1.Create a cache( transactionIdToSubjectCache) that holds xid vs security
subject information where xid is the id of the transaction started event.
The subject Id on this event always holds the remote client id for cache put
events generated on dbeaver.
2.When a cacheput event is sent to the storage spi - match the xid as
follows
a.Get the subject from transactionIdToSubjectCache using the xid.
b.If the above is null, get the originating xid of the event xid and get the
subject using the originating xid.
I am able to get the subject using this approach- could you kindly verify if
I am missing anything.
Here is a pseudo code :
public class AuditSpi extends IgniteSpiAdapter implements EventStorageSpi {
private IgniteCache
transactionIdSubjectMapCache;
@Override
public void record(Event evt) throws IgniteSpiException {
assert evt != null;
ignite = Ignition.ignite(igniteInstanceName);
transactionIdSubjectMapCache =
ignite.cache("transactionIdSubjectMapCache");
if (evt instanceof TransactionStateChangedEvent && (evt.type()
== EventType.EVT_TX_STARTED
)) {
//populate the transactionIdSubjectMapCache for events generated
from dbeaver. This always contains the remote_client subject id.
if (AuthorizationContext.context() != null)
{
transactionIdSubjectMapCache.put(((TransactionStateChangedEvent)
evt).tx().xid(),
((ProjectAuthorizationContext) AuthorizationContext.context()) .subject());
}
return;
}
if (evt instanceof CacheEvent) {
SecuritySubject subj =
getSpiContext().authenticatedSubject(((CacheEvent) evt).subjectId())l;
IgniteUuid transactionId = null;
if (subj == null)
{
SecuritySubject sub =
getSecuritySubjectFromTransactionMap((CacheEvent) evt, transactionId);
// more logic to store it in the audit cache here.
}
}
}
private SecuritySubject getSecuritySubjectFromTransactionMap(CacheEvent
evt,
IgniteUuid transactionId) {
SecuritySubject subj = transactionIdSubjectMapCache.get(evt.xid());
if (subj == null) {
IgniteTxManager tm = ((IgniteEx)
ignite).context().cache().context().tm();
for (IgniteInternalTx transaction : tm.activeTransactions()) {
if (transaction.xid().equals(evt.xid())) {
if (transaction.nearXidVersion() != null)
{ subj = transactionIdSubjectMapCache
.get(transaction.nearXidVersion().asGridUuid()); }
}
}
}
return subj;
}
}
regards,
Veena.
--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/
