在 IgniteDB 中实现身份验证
Implementing Authentication in IgniteDB
我刚刚在 IgniteDB 中配置了身份验证(特定服务器,而不是本地主机)
https://apacheignite.readme.io/docs/advanced-security
但是我在尝试连接时遇到了一些问题。我应该在哪里提供凭证?
TcpDiscoverySpi spi = new TcpDiscoverySpi();
TcpDiscoveryVmIpFinder ipFinder = new TcpDiscoveryMulticastIpFinder();
String ipList = appConfig.getIgniteIPAddressList();
List<String> addressList= Arrays.asList(ipList.split(";"));
ipFinder.setAddresses(addressList);
spi.setIpFinder(ipFinder);
IgniteConfiguration cfg = new IgniteConfiguration();
cfg.setIgniteInstanceName("IgnitePod");
cfg.setClientMode(true);
cfg.setDiscoverySpi(spi);
Ignite ignite = Ignition.start(cfg);
有人有实施它的想法吗?
https://apacheignite.readme.io/docs/advanced-security
描述如何仅通过用户名和密码为 THIN 连接配置身份验证(JDBC,ODBC)。
您可以使用 SQL 命令创建用户,如下所示:
https://apacheignite-sql.readme.io/docs/create-user
您可以使用其属性向瘦客户端连接字符串提供凭据:
https://apacheignite-sql.readme.io/docs/connection-string-and-dsn#section-supported-arguments
https://apacheignite-sql.readme.io/docs/jdbc-driver#section-additional-connection-string-examples
另请检查您是否配置了 Ignite 持久性。
作为, Ignite only authenticates thin clients by default, and even then only when persistence is enabled. If you need to have thick-clients authenticate also, you can do this using a plugin。也存在第三方商业解决方案。
普通 Apache Ignite 中可用的对等验证服务器节点的唯一选项是 SSL+证书。
能够通过创建我自己的 CustomTCPDiscoveryAPI 来解决我自己的问题。
首先,创建这个 class :
import org.apache.ignite.IgniteException;
import org.apache.ignite.cluster.ClusterNode;
import org.apache.ignite.internal.IgniteNodeAttributes;
import org.apache.ignite.internal.processors.security.SecurityContext;
import org.apache.ignite.lang.IgniteProductVersion;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.spi.discovery.DiscoverySpiNodeAuthenticator;
import org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi;
import java.util.Map;
public class CustomTcpDiscoverySpi extends TcpDiscoverySpi implements DiscoverySpiNodeAuthenticator {
SecurityCredentials securityCredentials;
public CustomTcpDiscoverySpi(final SecurityCredentials securityCredentials) {
this.securityCredentials = securityCredentials;
this.setAuthenticator(this);
}
@Override
public SecurityContext authenticateNode(ClusterNode clusterNode, SecurityCredentials securityCredentials) throws IgniteException {
return null;
}
@Override
public boolean isGlobalNodeAuthentication() {
return true;
}
@Override
public void setNodeAttributes(final Map<String, Object> attrs, final IgniteProductVersion ver) {
attrs.put(IgniteNodeAttributes.ATTR_SECURITY_CREDENTIALS, this.securityCredentials);
super.setNodeAttributes(attrs, ver);
}
}
然后,像下面这样使用它:
SecurityCredentials cred = new SecurityCredentials();
cred.setLogin(appConfig.getIgniteUser());
cred.setPassword(appConfig.getIgnitePassword());
CustomTcpDiscoverySpi spi = new CustomTcpDiscoverySpi(cred);
//TcpDiscoverySpi spi = new TcpDiscoverySpi(); - > removed to use the CustomTCPDiscovery
TcpDiscoveryVmIpFinder ipFinder = new TcpDiscoveryMulticastIpFinder();
String ipList = appConfig.getIgniteIPAddressList();
List<String> addressList= Arrays.asList(ipList.split(";"));
ipFinder.setAddresses(addressList);
spi.setIpFinder(ipFinder);
IgniteConfiguration cfg = new IgniteConfiguration();
cfg.setIgniteInstanceName("IgnitePod");
cfg.setClientMode(true);
cfg.setAuthenticationEnabled(true);
// Ignite persistence configuration.
DataStorageConfiguration storageCfg = new DataStorageConfiguration();
// Enabling the persistence.
storageCfg.getDefaultDataRegionConfiguration().setPersistenceEnabled(true);
// Applying settings.
// tests
cfg.setDataStorageConfiguration(storageCfg);
cfg.setDiscoverySpi(spi);
Ignite ignite = Ignition.start(cfg);
希望这对遇到同样问题的其他人有所帮助。
Apache Ignite 的开源版本不提供这些类型的安全功能。可以自己实现,也可以使用商业 Gridgain 发行版。
以下是实现自定义安全插件的步骤。
需要实现 GridSecurityProcessor,用于验证加入节点。
在 GridSecurityProcessor 中,您必须按如下方式实现 authenticateNode() api
public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) throws IgniteCheckedException {
SecurityCredentials userSecurityCredentials;
if (securityPluginConfiguration != null) {
if ((userSecurityCredentials = securityPluginConfiguration.getSecurityCredentials()) != null) {
return userSecurityCredentials.equals(cred) ? new SecurityContextImpl() : null;
}
if (cred == null && userSecurityCredentials == null) {
return new SecurityContextImpl();
}
}
if (cred == null)
return new SecurityContextImpl();
return null;
}
此外,您需要扩展 TcpDiscoverySpi 以在 initLocalNode() 期间传递用户凭据,如下所示
@Override
protected void initLocalNode(int srvPort, boolean addExtAddrAttr) {
try {
super.initLocalNode(srvPort, addExtAddrAttr);
this.setSecurityCredentials();
} catch (Exception e) {
e.printStackTrace();
}
}
private void setSecurityCredentials() {
if (securityCredentials != null) {
Map<String,Object> attributes = new HashMap<>(locNode.getAttributes());
attributes.put(IgniteNodeAttributes.ATTR_SECURITY_CREDENTIALS, securityCredentials);
this.locNode.setAttributes(attributes);
}
}
您可以按照下面给出的 link 获取编写自定义安全插件及其用法的详细步骤。
https://www.bugdbug.com/post/how-to-secure-apache-ignite-cluster
我刚刚在 IgniteDB 中配置了身份验证(特定服务器,而不是本地主机) https://apacheignite.readme.io/docs/advanced-security
但是我在尝试连接时遇到了一些问题。我应该在哪里提供凭证?
TcpDiscoverySpi spi = new TcpDiscoverySpi();
TcpDiscoveryVmIpFinder ipFinder = new TcpDiscoveryMulticastIpFinder();
String ipList = appConfig.getIgniteIPAddressList();
List<String> addressList= Arrays.asList(ipList.split(";"));
ipFinder.setAddresses(addressList);
spi.setIpFinder(ipFinder);
IgniteConfiguration cfg = new IgniteConfiguration();
cfg.setIgniteInstanceName("IgnitePod");
cfg.setClientMode(true);
cfg.setDiscoverySpi(spi);
Ignite ignite = Ignition.start(cfg);
有人有实施它的想法吗?
https://apacheignite.readme.io/docs/advanced-security
描述如何仅通过用户名和密码为 THIN 连接配置身份验证(JDBC,ODBC)。
您可以使用 SQL 命令创建用户,如下所示:
https://apacheignite-sql.readme.io/docs/create-user
您可以使用其属性向瘦客户端连接字符串提供凭据:
https://apacheignite-sql.readme.io/docs/connection-string-and-dsn#section-supported-arguments https://apacheignite-sql.readme.io/docs/jdbc-driver#section-additional-connection-string-examples
另请检查您是否配置了 Ignite 持久性。
作为
普通 Apache Ignite 中可用的对等验证服务器节点的唯一选项是 SSL+证书。
能够通过创建我自己的 CustomTCPDiscoveryAPI 来解决我自己的问题。 首先,创建这个 class :
import org.apache.ignite.IgniteException;
import org.apache.ignite.cluster.ClusterNode;
import org.apache.ignite.internal.IgniteNodeAttributes;
import org.apache.ignite.internal.processors.security.SecurityContext;
import org.apache.ignite.lang.IgniteProductVersion;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.spi.discovery.DiscoverySpiNodeAuthenticator;
import org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi;
import java.util.Map;
public class CustomTcpDiscoverySpi extends TcpDiscoverySpi implements DiscoverySpiNodeAuthenticator {
SecurityCredentials securityCredentials;
public CustomTcpDiscoverySpi(final SecurityCredentials securityCredentials) {
this.securityCredentials = securityCredentials;
this.setAuthenticator(this);
}
@Override
public SecurityContext authenticateNode(ClusterNode clusterNode, SecurityCredentials securityCredentials) throws IgniteException {
return null;
}
@Override
public boolean isGlobalNodeAuthentication() {
return true;
}
@Override
public void setNodeAttributes(final Map<String, Object> attrs, final IgniteProductVersion ver) {
attrs.put(IgniteNodeAttributes.ATTR_SECURITY_CREDENTIALS, this.securityCredentials);
super.setNodeAttributes(attrs, ver);
}
}
然后,像下面这样使用它:
SecurityCredentials cred = new SecurityCredentials();
cred.setLogin(appConfig.getIgniteUser());
cred.setPassword(appConfig.getIgnitePassword());
CustomTcpDiscoverySpi spi = new CustomTcpDiscoverySpi(cred);
//TcpDiscoverySpi spi = new TcpDiscoverySpi(); - > removed to use the CustomTCPDiscovery
TcpDiscoveryVmIpFinder ipFinder = new TcpDiscoveryMulticastIpFinder();
String ipList = appConfig.getIgniteIPAddressList();
List<String> addressList= Arrays.asList(ipList.split(";"));
ipFinder.setAddresses(addressList);
spi.setIpFinder(ipFinder);
IgniteConfiguration cfg = new IgniteConfiguration();
cfg.setIgniteInstanceName("IgnitePod");
cfg.setClientMode(true);
cfg.setAuthenticationEnabled(true);
// Ignite persistence configuration.
DataStorageConfiguration storageCfg = new DataStorageConfiguration();
// Enabling the persistence.
storageCfg.getDefaultDataRegionConfiguration().setPersistenceEnabled(true);
// Applying settings.
// tests
cfg.setDataStorageConfiguration(storageCfg);
cfg.setDiscoverySpi(spi);
Ignite ignite = Ignition.start(cfg);
希望这对遇到同样问题的其他人有所帮助。
Apache Ignite 的开源版本不提供这些类型的安全功能。可以自己实现,也可以使用商业 Gridgain 发行版。
以下是实现自定义安全插件的步骤。
需要实现 GridSecurityProcessor,用于验证加入节点。
在 GridSecurityProcessor 中,您必须按如下方式实现 authenticateNode() api
public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) throws IgniteCheckedException {
SecurityCredentials userSecurityCredentials;
if (securityPluginConfiguration != null) {
if ((userSecurityCredentials = securityPluginConfiguration.getSecurityCredentials()) != null) {
return userSecurityCredentials.equals(cred) ? new SecurityContextImpl() : null;
}
if (cred == null && userSecurityCredentials == null) {
return new SecurityContextImpl();
}
}
if (cred == null)
return new SecurityContextImpl();
return null;
}
此外,您需要扩展 TcpDiscoverySpi 以在 initLocalNode() 期间传递用户凭据,如下所示
@Override
protected void initLocalNode(int srvPort, boolean addExtAddrAttr) {
try {
super.initLocalNode(srvPort, addExtAddrAttr);
this.setSecurityCredentials();
} catch (Exception e) {
e.printStackTrace();
}
}
private void setSecurityCredentials() {
if (securityCredentials != null) {
Map<String,Object> attributes = new HashMap<>(locNode.getAttributes());
attributes.put(IgniteNodeAttributes.ATTR_SECURITY_CREDENTIALS, securityCredentials);
this.locNode.setAttributes(attributes);
}
}
您可以按照下面给出的 link 获取编写自定义安全插件及其用法的详细步骤。
https://www.bugdbug.com/post/how-to-secure-apache-ignite-cluster