Hi,
I see that you found the ticket related to the current issue:
https://issues.apache.org/jira/browse/IGNITE-12589
Looks like it can be a reason for your problem.
Generally, I don't know how you implemented your security plugin. If you
take a look at a similar plugin from a third-party vendor
<https://www.gridgain.com/docs/latest/administrators-guide/security/security-audit>
then you can see that subjectID should be related to the user
connection/session, not to the node where some task will be executed (yes,
every node has its subjectID and user, but a JDBC connection with another
user should have its own subjectID).
How it is implemented there, in general terms:
1) JDBC supports username and password fields:
https://apacheignite-sql.readme.io/docs/jdbc-driver#section-parameters
2) Every user session/connection is mapped to some SecuritySubject (that
contains subjectID)
3) Every event that contains subjectID can be linked with some user
connection (SecuritySubject.login()) using the following code:
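
    import java.util.Collection;
    import org.apache.ignite.IgniteLogger;
    import org.apache.ignite.events.Event;
    import org.apache.ignite.events.TaskEvent;
    import org.apache.ignite.lang.IgnitePredicate;
    import org.apache.ignite.plugin.security.SecuritySubject;
    import org.apache.ignite.resources.LoggerResource;
    import org.apache.ignite.spi.IgniteSpiAdapter;
    import org.apache.ignite.spi.IgniteSpiException;
    import org.jetbrains.annotations.Nullable;

    import static org.apache.ignite.events.EventType.EVT_MANAGEMENT_TASK_STARTED;

    // The interface is fully qualified because the class has the same simple name.
    public class EventStorageSpi extends IgniteSpiAdapter
        implements org.apache.ignite.spi.eventstorage.EventStorageSpi {
        @LoggerResource
        private IgniteLogger log;

        @Override
        public <T extends Event> Collection<T> localEvents(IgnitePredicate<T> p) {
            return null;
        }

        @Override
        public void record(Event evt) throws IgniteSpiException {
            if (evt.type() == EVT_MANAGEMENT_TASK_STARTED) {
                TaskEvent taskEvent = (TaskEvent) evt;

                // Resolve the event's subjectId to the authenticated subject, if any.
                SecuritySubject subj = taskEvent.subjectId() != null ?
                    getSpiContext().authenticatedSubject(taskEvent.subjectId()) : null;

                log.info("Management task started: [" +
                    "name=" + taskEvent.taskName() + ", " +
                    "eventNode=" + taskEvent.node() + ", " +
                    "timestamp=" + taskEvent.timestamp() + ", " +
                    "info=" + taskEvent.message() + ", " +
                    "subjectId=" + taskEvent.subjectId() + ", " +
                    "secureSubject=" + subj +
                    "]");
            }
        }

        @Override
        public void spiStart(@Nullable String igniteInstanceName) throws IgniteSpiException {
            /* No-op. */
        }

        @Override
        public void spiStop() throws IgniteSpiException {
            /* No-op. */
        }
    }
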
In case this approach doesn't work for your implementation because of
some issues, you can try to start a thread on the Ignite developer
mailing list.
BR,
Andrei
2/12/2020 6:54 PM, VeenaMithare wrote:
Hi,
We have built a security and audit plugin for security of our Ignite
cluster. We are unable to get the right audit information, i.e. we are unable
to get the right subject for users logged in through DBeaver (JDBC thin
client). This is because the subjectid associated with the "CACHE_PUT"
event, when an update is triggered by the JDBC thin client, contains the UUID
of the node that executed the update rather than the logged-in JDBC thin
client user.
If this is a limitation of the current version of Ignite, is there any
workaround to get this information?
regards,
Veena.
--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/