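/**
 * Authenticates a user against the local user store of this server node.
 *
 * @param login User's login.
 * @param passwd Plain text password.
 * @return User object on successful authentication; never {@code null} — an unknown login and a
 *      wrong password both end in {@link IgniteAccessControlException}.
 * @throws IgniteCheckedException On authentication error, including
 *      {@link IgniteAccessControlException} when the user name or password is incorrect.
 */
private User authenticateOnServer(String login, String passwd) throws IgniteCheckedException {
    assert !ctx.clientNode() : "Must be used on server node";

    // Block until readyForAuthFut completes; local lookups are not valid before that.
    readyForAuthFut.get();

    User usr = users.get(login);

    // One message for both failure modes, so the response does not reveal whether the login exists.
    // NOTE(review): the password check is skipped when the login is unknown, so the two failures
    // still differ in timing — confirm whether that matters for this deployment.
    if (usr == null || !usr.authorize(passwd)) {
        throw new IgniteAccessControlException(
            "The user name or password is incorrect [userName=" + login + ']');
    }

    return usr;
}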
/**
 * Checks whether the currently authorized user may perform the given user-management operation.
 *
 * @param op User operation to check.
 * @throws IgniteAccessControlException If operation check fails: user hasn't permissions for user management
 *      or tries to remove default user.
 */
public void checkUserOperation(UserManagementOperation op) throws IgniteAccessControlException {
    assert op != null;

    if (user == null)
        throw new IgniteAccessControlException("Operation not allowed: authorized context is empty.");

    String curName = user.name();
    UserManagementOperation.OperationType type = op.type();

    boolean isDfltUser = User.DFAULT_USER_NAME.equals(curName);

    if (!isDfltUser) {
        // A non-default user is only allowed to update its own account.
        boolean selfUpdate = type == UserManagementOperation.OperationType.UPDATE
            && curName.equals(op.user().name());

        if (!selfUpdate) {
            throw new IgniteAccessControlException("User management operations are not allowed for user. " +
                "[curUser=" + curName + ']');
        }
    }

    boolean removesDflt = type == UserManagementOperation.OperationType.REMOVE
        && User.DFAULT_USER_NAME.equals(op.user().name());

    if (removesDflt)
        throw new IgniteAccessControlException("Default user cannot be removed.");
}
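/**
 * Completes the pending authentication future that matches the response message.
 *
 * @param msg Authentication response message; {@code msg.id()} keys the future registered in
 *      {@code authFuts}.
 */
private void onAuthenticateResponseMessage(UserAuthenticateResponseMessage msg) {
    // Remove first so a duplicate or late response for the same id cannot complete the future twice.
    GridFutureAdapter<Void> fut = authFuts.remove(msg.id());

    // No one is waiting for this id (unknown, duplicate or late response): ignore rather than fail with NPE.
    if (fut == null)
        return;

    fut.onDone(null, msg.success() ? null : new IgniteAccessControlException(msg.errorMessage()));
}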
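/**
 * Do 3-rd party authentication through the configured security plugin.
 *
 * @param user User name.
 * @param pwd Plain text password.
 * @return Authentication context handed to the security plugin. As a side effect the resulting
 *      security context is stored in {@code secCtx}.
 * @throws IgniteCheckedException If the security plugin fails.
 * @throws IgniteAccessControlException If the plugin rejects the credentials (returns {@code null}).
 */
private AuthenticationContext authenticateExternal(String user, String pwd) throws IgniteCheckedException {
    SecurityCredentials cred = new SecurityCredentials(user, pwd);

    AuthenticationContext authCtx = new AuthenticationContext();

    authCtx.subjectType(REMOTE_CLIENT);
    // A fresh subject id for every authentication attempt.
    authCtx.subjectId(UUID.randomUUID());
    authCtx.nodeAttributes(Collections.emptyMap());
    authCtx.credentials(cred);

    secCtx = ctx.security().authenticate(authCtx);

    // Generic message: do not disclose whether the user exists.
    if (secCtx == null) {
        throw new IgniteAccessControlException(
            String.format("The user name or password is incorrect [userName=%s]", user)
        );
    }

    return authCtx;
}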
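/**
 * Perform authentication.
 *
 * <p>Resolution order: the security plugin is used when enabled; otherwise the built-in user
 * authentication; if neither is enabled no context is created.
 *
 * @param user User name; an empty name is rejected when built-in authentication is in use.
 * @param pwd Plain text password.
 * @return Auth context, also stored in {@code authCtx}; {@code null} when both security and
 *      authentication are disabled.
 * @throws IgniteCheckedException If failed, including {@link IgniteAccessControlException} when
 *      the session is unauthenticated or the credentials are rejected.
 */
protected AuthorizationContext authenticate(String user, String pwd) throws IgniteCheckedException {
    if (ctx.security().enabled()) {
        authCtx = authenticateExternal(user, pwd).authorizationContext();
    }
    else if (ctx.authentication().enabled()) {
        if (F.isEmpty(user))
            throw new IgniteAccessControlException("Unauthenticated sessions are prohibited.");

        authCtx = ctx.authentication().authenticate(user, pwd);

        // Built-in authentication is expected to throw on bad credentials; a null here is unexpected.
        if (authCtx == null)
            throw new IgniteAccessControlException("Unknown authentication error.");
    }
    else
        authCtx = null;

    return authCtx;
}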
/**
 * Submits a user management operation to the cluster via a custom discovery event.
 *
 * @param op User operation.
 * @return Operation future, registered in {@code opFinishFuts} under {@code op.id()}.
 * @throws IgniteCheckedException On error.
 */
private UserOperationFinishFuture execUserOperation(UserManagementOperation op) throws IgniteCheckedException {
    checkActivate();
    checkEnabled();

    synchronized (mux) {
        if (disconnected) {
            throw new UserManagementException("Failed to initiate user management operation because " +
                "client node is disconnected.");
        }

        // Authorization is taken from AuthorizationContext.context(), not from the operation itself.
        AuthorizationContext curCtx = AuthorizationContext.context();

        if (curCtx == null)
            throw new IgniteAccessControlException("Operation not allowed: authorized context is empty.");

        curCtx.checkUserOperation(op);

        UserOperationFinishFuture finishFut = new UserOperationFinishFuture(op.id());

        // Register before sending so a finish notification cannot arrive for an unknown id.
        opFinishFuts.put(op.id(), finishFut);

        ctx.discovery().sendCustomEvent(new UserProposedMessage(op));

        return finishFut;
    }
}
throw new IgniteAccessControlException("The user name or password is incorrect [userName=" + login + ']');
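/**
 * Authenticates a user against the local user store of this server node.
 *
 * @param login User's login.
 * @param passwd Plain text password.
 * @return User object on successful authentication; never {@code null} — an unknown login and a
 *      wrong password both end in {@link IgniteAccessControlException}.
 * @throws IgniteCheckedException On authentication error, including
 *      {@link IgniteAccessControlException} when the user name or password is incorrect.
 */
private User authenticateOnServer(String login, String passwd) throws IgniteCheckedException {
    assert !ctx.clientNode() : "Must be used on server node";

    // Block until readyForAuthFut completes; local lookups are not valid before that.
    readyForAuthFut.get();

    User usr = users.get(login);

    // One message for both failure modes, so the response does not reveal whether the login exists.
    // NOTE(review): the password check is skipped when the login is unknown, so the two failures
    // still differ in timing — confirm whether that matters for this deployment.
    if (usr == null || !usr.authorize(passwd)) {
        throw new IgniteAccessControlException(
            "The user name or password is incorrect [userName=" + login + ']');
    }

    return usr;
}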
/**
 * Checks whether the currently authorized user may perform the given user-management operation.
 *
 * @param op User operation to check.
 * @throws IgniteAccessControlException If operation check fails: user hasn't permissions for user management
 *      or tries to remove default user.
 */
public void checkUserOperation(UserManagementOperation op) throws IgniteAccessControlException {
    assert op != null;

    if (user == null)
        throw new IgniteAccessControlException("Operation not allowed: authorized context is empty.");

    String curName = user.name();
    UserManagementOperation.OperationType type = op.type();

    boolean isDfltUser = User.DFAULT_USER_NAME.equals(curName);

    if (!isDfltUser) {
        // A non-default user is only allowed to update its own account.
        boolean selfUpdate = type == UserManagementOperation.OperationType.UPDATE
            && curName.equals(op.user().name());

        if (!selfUpdate) {
            throw new IgniteAccessControlException("User management operations are not allowed for user. " +
                "[curUser=" + curName + ']');
        }
    }

    boolean removesDflt = type == UserManagementOperation.OperationType.REMOVE
        && User.DFAULT_USER_NAME.equals(op.user().name());

    if (removesDflt)
        throw new IgniteAccessControlException("Default user cannot be removed.");
}
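/**
 * Completes the pending authentication future that matches the response message.
 *
 * @param msg Authentication response message; {@code msg.id()} keys the future registered in
 *      {@code authFuts}.
 */
private void onAuthenticateResponseMessage(UserAuthenticateResponseMessage msg) {
    // Remove first so a duplicate or late response for the same id cannot complete the future twice.
    GridFutureAdapter<Void> fut = authFuts.remove(msg.id());

    // No one is waiting for this id (unknown, duplicate or late response): ignore rather than fail with NPE.
    if (fut == null)
        return;

    fut.onDone(null, msg.success() ? null : new IgniteAccessControlException(msg.errorMessage()));
}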
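/**
 * Do 3-rd party authentication through the configured security plugin.
 *
 * @param user User name.
 * @param pwd Plain text password.
 * @return Authentication context handed to the security plugin. As a side effect the resulting
 *      security context is stored in {@code secCtx}.
 * @throws IgniteCheckedException If the security plugin fails.
 * @throws IgniteAccessControlException If the plugin rejects the credentials (returns {@code null}).
 */
private AuthenticationContext authenticateExternal(String user, String pwd) throws IgniteCheckedException {
    SecurityCredentials cred = new SecurityCredentials(user, pwd);

    AuthenticationContext authCtx = new AuthenticationContext();

    authCtx.subjectType(REMOTE_CLIENT);
    // A fresh subject id for every authentication attempt.
    authCtx.subjectId(UUID.randomUUID());
    authCtx.nodeAttributes(Collections.emptyMap());
    authCtx.credentials(cred);

    secCtx = ctx.security().authenticate(authCtx);

    // Generic message: do not disclose whether the user exists.
    if (secCtx == null) {
        throw new IgniteAccessControlException(
            String.format("The user name or password is incorrect [userName=%s]", user)
        );
    }

    return authCtx;
}
}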
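/**
 * Perform authentication.
 *
 * <p>Resolution order: the security plugin is used when enabled; otherwise the built-in user
 * authentication; if neither is enabled no context is created.
 *
 * @param user User name; an empty name is rejected when built-in authentication is in use.
 * @param pwd Plain text password.
 * @return Auth context, also stored in {@code authCtx}; {@code null} when both security and
 *      authentication are disabled.
 * @throws IgniteCheckedException If failed, including {@link IgniteAccessControlException} when
 *      the session is unauthenticated or the credentials are rejected.
 */
protected AuthorizationContext authenticate(String user, String pwd) throws IgniteCheckedException {
    if (ctx.security().enabled()) {
        authCtx = authenticateExternal(user, pwd).authorizationContext();
    }
    else if (ctx.authentication().enabled()) {
        if (F.isEmpty(user))
            throw new IgniteAccessControlException("Unauthenticated sessions are prohibited.");

        authCtx = ctx.authentication().authenticate(user, pwd);

        // Built-in authentication is expected to throw on bad credentials; a null here is unexpected.
        if (authCtx == null)
            throw new IgniteAccessControlException("Unknown authentication error.");
    }
    else
        authCtx = null;

    return authCtx;
}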
/**
 * Submits a user management operation to the cluster via a custom discovery event.
 *
 * @param op User operation.
 * @return Operation future, registered in {@code opFinishFuts} under {@code op.id()}.
 * @throws IgniteCheckedException On error.
 */
private UserOperationFinishFuture execUserOperation(UserManagementOperation op) throws IgniteCheckedException {
    checkActivate();
    checkEnabled();

    synchronized (mux) {
        if (disconnected) {
            throw new UserManagementException("Failed to initiate user management operation because " +
                "client node is disconnected.");
        }

        // Authorization is taken from AuthorizationContext.context(), not from the operation itself.
        AuthorizationContext curCtx = AuthorizationContext.context();

        if (curCtx == null)
            throw new IgniteAccessControlException("Operation not allowed: authorized context is empty.");

        curCtx.checkUserOperation(op);

        UserOperationFinishFuture finishFut = new UserOperationFinishFuture(op.id());

        // Register before sending so a finish notification cannot arrive for an unknown id.
        opFinishFuts.put(op.id(), finishFut);

        ctx.discovery().sendCustomEvent(new UserProposedMessage(op));

        return finishFut;
    }
}
throw new IgniteAccessControlException("The user name or password is incorrect [userName=" + login + ']');