Re: security question - custom plugin

2018-08-13 Thread dkarachentsev
Hi,

1) You need to add the JetBrains annotations dependency at compile time [1].
2) Imports depend on what you are using :) It's hard to say if your imports
are enough. Add ignite-core to your plugin dependencies.

I don't think that there are other examples besides that blog post.

[1] https://mvnrepository.com/artifact/org.jetbrains/annotations/13.0

Thanks!
-Dmitry



--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/


security question - custom plugin

2018-08-13 Thread wt
I am looking at the
http://smartkey.co.uk/development/securing-an-apache-ignite-cluster/ example,
but it doesn't dive into details, and when trying to build one myself I am
unsure of the following:

1) What imports are needed for the annotations? Is it
org.jetbrains.annotations?

2) I have the following imports; am I missing anything?

import org.apache.ignite.IgniteCheckedException;
import org.apache.ignite.IgniteException;
import org.apache.ignite.cluster.ClusterNode;
import org.apache.ignite.plugin.IgnitePlugin;
import org.apache.ignite.plugin.PluginConfiguration;
import org.apache.ignite.plugin.PluginContext;
import org.apache.ignite.plugin.PluginProvider;
import org.apache.ignite.internal.processors.security.*;
import org.apache.ignite.spi.discovery.DiscoverySpiNodeAuthenticator;

import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

If someone could point me to a recent working example of a security plugin,
that would be amazing. I am looking at integrating authorization with
Kerberos, where I can create groups with specific permissions and apply that
to individual caches.





--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/
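One way to express the per-group, per-cache permissions asked about above, as an added example (not code from this thread or from Apache Ignite): it uses Ignite's public SecurityPermissionSetBuilder to build one permission set per group and a deny-by-default check that a plugin's server-side authorize(...) could apply. The group names, isAllowed() and authorize() are assumptions; resolving a Kerberos principal to a group is out of scope.

```java
// Added example, not code from the thread or from Apache Ignite. Only the plugin.security
// types are Ignite's public API; the group table, isAllowed() and authorize() are assumptions.
import org.apache.ignite.plugin.security.SecurityException;
import org.apache.ignite.plugin.security.SecurityPermission;
import org.apache.ignite.plugin.security.SecurityPermissionSet;
import org.apache.ignite.plugin.security.SecurityPermissionSetBuilder;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

public class GroupCachePermissions {
    /** Constructed group -> permission table; "analysts" and "loaders" are hypothetical groups. */
    private static final Map<String, SecurityPermissionSet> GROUPS = new HashMap<>();

    static {
        // Analysts may only read the "orders" cache; everything else is denied.
        GROUPS.put("analysts", SecurityPermissionSetBuilder.create()
            .defaultAllowAll(false)
            .appendCachePermissions("orders", SecurityPermission.CACHE_READ)
            .build());
        // Loaders may read and write "orders" and read "customers".
        GROUPS.put("loaders", SecurityPermissionSetBuilder.create()
            .defaultAllowAll(false)
            .appendCachePermissions("orders", SecurityPermission.CACHE_READ,
                SecurityPermission.CACHE_PUT, SecurityPermission.CACHE_REMOVE)
            .appendCachePermissions("customers", SecurityPermission.CACHE_READ)
            .build());
    }

    /**
     * Deny-by-default check of one cache operation. In a plugin this is the decision
     * the server-side authorize(...) must make itself: a check that runs only on the
     * client node can be skipped by custom client code.
     */
    public static boolean isAllowed(String group, String cache, SecurityPermission perm) {
        SecurityPermissionSet set = GROUPS.get(group);
        if (set == null)
            return false; // unknown group: deny
        Map<String, Collection<SecurityPermission>> cachePerms = set.cachePermissions();
        Collection<SecurityPermission> granted = cachePerms == null ? null : cachePerms.get(cache);
        if (granted == null)
            return set.defaultAllowAll(); // cache not listed: the set's default (false here)
        return granted.contains(perm);
    }

    /** Raises Ignite's SecurityException when the operation is denied. */
    public static void authorize(String group, String cache, SecurityPermission perm) {
        if (!isAllowed(group, cache, perm))
            throw new SecurityException("group '" + group + "' lacks " + perm + " on cache '" + cache + "'");
    }
}
```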


Re: POC with DataStreamer (Kafka or Ignite - security question)

2018-04-09 Thread Denis Magda
Built-in encryption facilities are being discussed on the dev list. Check
it out:
http://apache-ignite-developers.2346864.n4.nabble.com/IEP-18-Transparent-Data-Encryption-td29001.html

As for now, use operating system level encryption mechanics for your files.

--
Denis



Re: POC with DataStreamer (Kafka or Ignite - security question)

2018-04-06 Thread Gaurav Bajaj
Also I don't think Ignite provides any kind of encryption for these db files.

Best Regards,
Gaurav



Re: POC with DataStreamer (Kafka or Ignite - security question)

2018-04-06 Thread David Harvey
Assuming Ignite Persistence, you can create a cache in a specific Data
Region, but I'm unclear whether these properties can be set per region. We
are setting them in

org.apache.ignite.configuration.DataStorageConfiguration. What you seem
to be asking for is to set these per Data Region.

[XML configuration snippet lost in extraction; the surviving fragments reference the paths "/IgnitePersistenceStorage/store" and "/IgnitePersistenceStorage/wal/archive"]



POC with DataStreamer (Kafka or Ignite - security question)

2018-04-06 Thread Wilhelm
Hello,

I'm building a POC; right now I have Kafka feeding Ignite with the
constraint of having 1 topic per tenant for security reasons (historical data
is persisted to files per topic by Kafka, and each "file" container is
encrypted differently per customer).

If I decide to use only Ignite with the DataStreamer (instead of Kafka), how
can I make sure the customer data will be separated on disk (like a separate
file or db per customer)? And how can I encrypt this cache file per
customer?

I hope that makes sense. So I guess it comes down to: can I have the Ignite
cache persisted in a different file/db per some rule (like a customer id)? Or
does it need to be in different Ignite memory caches? Or is it not
possible?

Thanks for your help

w 



--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/


Re: Security question

2017-10-16 Thread franck102
Thanks Dmitry, that makes sense, we will make sure that client-side code is
trusted.

Franck



--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/


Re: Security question

2017-10-16 Thread dkarachentsev
Franck,

You're definitely right, but this is more like client roles than regular
security.

By "they have a number of connected clients with actual applications" I
meant that the user's application is connected to the grid via clients with
their local permissions. But the end user cannot access the grid directly, only
via the user's API.

Anyway, I don't think that it would be changed in the near future.

Thanks!
-Dmitry



--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/


Re: Security question

2017-10-13 Thread franck102
Wow. That means any client who can get past node authentication on join can
do anything they like on all caches, including all admin commands.

The node validation logic won't help at all - the join request may claim
that a given security processor is used, but subsequent requests can
perfectly be constructed client-side without going through client-side
security.

Unless I am missing something this sounds like a pretty serious issue.

Franck



--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/


Re: Security question

2017-10-13 Thread dkarachentsev
Hi Franck,

Yes, client-side security is used here; it looks like it was made to allow
connecting different clients with different permissions. But it depends on
GridSecurityProcessor. For example, it may have node validation logic that
will not accept nodes with an unapproved security processor.

In most cases Ignite users place the cluster in a private network where they have
a number of connected clients with actual applications, to which they provide
access for end users. So there is no way for a third-party person to connect
to the grid from outside.

Thanks!



--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/


Security question

2017-10-13 Thread franck102
Hi all,

Stepping through the code during a cache.get() request from a client node to
a server node, I don't see that GridSecurityProcessor.authorize will ever be
called on the server node?

Authorize is called on the client node, but on the server node the code goes
straight to GridCacheAdapter#getAllAsync0 which skips the ctx.checkSecurity
call??

If that is the case any node which is able to connect can easily do anything
on a cache using custom client code to bypass client-side security... am I
missing something?

Thanks!
Franck



--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/