IGNITE-21240 Removed deprecated authorization methods from Security C…

…ontext. (#11174)
apache · Jan 19, 2024 · 9e2e2a6 · 9e2e2a6
1 parent 566b522
commit 9e2e2a6
Show file tree

Hide file tree

Showing 12 changed files with 91 additions and 597 deletions.
diff --git a/...a/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java b/...a/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java
@@ -71,7 +71,6 @@
 import org.apache.ignite.plugin.security.SecurityCredentials;
 import org.apache.ignite.plugin.security.SecurityException;
 import org.apache.ignite.plugin.security.SecurityPermission;
-import org.apache.ignite.plugin.security.SecurityPermissionSet;
 import org.apache.ignite.plugin.security.SecuritySubject;
 import org.apache.ignite.plugin.security.SecuritySubjectType;
 import org.apache.ignite.spi.discovery.DiscoveryDataBag;
@@ -89,7 +88,6 @@
 import static org.apache.ignite.internal.processors.authentication.UserManagementOperation.OperationType.ADD;
 import static org.apache.ignite.internal.processors.authentication.UserManagementOperation.OperationType.REMOVE;
 import static org.apache.ignite.internal.processors.authentication.UserManagementOperation.OperationType.UPDATE;
-import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALL_PERMISSIONS;
 import static org.apache.ignite.plugin.security.SecuritySubjectType.REMOTE_CLIENT;
 import static org.apache.ignite.plugin.security.SecuritySubjectType.REMOTE_NODE;
 
@@ -1405,11 +1403,6 @@ public SecuritySubjectImpl(UUID id, String login, SecuritySubjectType type, Inet
             return addr;
         }
 
-        /** {@inheritDoc} */
-        @Override public SecurityPermissionSet permissions() {
-            return ALL_PERMISSIONS;
-        }
-
         /** {@inheritDoc} */
         @Override public String toString() {
             return S.toString(SecuritySubjectImpl.class, this);
@@ -1433,25 +1426,5 @@ public SecurityContextImpl(UUID id, String login, SecuritySubjectType type, Inet
         @Override public SecuritySubject subject() {
             return subj;
         }
-
-        /** {@inheritDoc} */
-        @Override public boolean taskOperationAllowed(String taskClsName, SecurityPermission perm) {
-            return true;
-        }
-
-        /** {@inheritDoc} */
-        @Override public boolean cacheOperationAllowed(String cacheName, SecurityPermission perm) {
-            return true;
-        }
-
-        /** {@inheritDoc} */
-        @Override public boolean serviceOperationAllowed(String srvcName, SecurityPermission perm) {
-            return true;
-        }
-
-        /** {@inheritDoc} */
-        @Override public boolean systemOperationAllowed(SecurityPermission perm) {
-            return true;
-        }
     }
 }
diff --git a/...src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java b/...src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java
@@ -463,8 +463,7 @@ private IgniteNodeValidationResult validateNodeJoinPermission(ClusterNode node)
         );
 
         try {
-            if (!secCtx.systemOperationAllowed(JOIN_AS_SERVER))
-                secPrc.authorize(null, JOIN_AS_SERVER, secCtx);
+            secPrc.authorize(null, JOIN_AS_SERVER, secCtx);
 
             return null;
         }

diff --git a/...es/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java b/...es/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java
@@ -17,7 +17,6 @@
 
 package org.apache.ignite.internal.processors.security;
 
-import org.apache.ignite.plugin.security.SecurityPermission;
 import org.apache.ignite.plugin.security.SecuritySubject;
 
 /**
@@ -28,51 +27,4 @@ public interface SecurityContext {
      * @return Security subject.
      */
     public SecuritySubject subject();
-
-    /**
-     * Checks whether task operation is allowed.
-     *
-     * @param taskClsName Task class name.
-     * @param perm Permission to check.
-     * @return {@code True} if task operation is allowed.
-     * @deprecated Use {@link IgniteSecurity#authorize(String, SecurityPermission)} instead.
-     * This method will be removed in the future releases.
-     */
-    @Deprecated
-    public boolean taskOperationAllowed(String taskClsName, SecurityPermission perm);
-
-    /**
-     * Checks whether cache operation is allowed.
-     *
-     * @param cacheName Cache name.
-     * @param perm Permission to check.
-     * @return {@code True} if cache operation is allowed.
-     * @deprecated Use {@link IgniteSecurity#authorize(String, SecurityPermission)} instead.
-     * This method will be removed in the future releases.
-     */
-    @Deprecated
-    public boolean cacheOperationAllowed(String cacheName, SecurityPermission perm);
-
-    /**
-     * Checks whether service operation is allowed.
-     *
-     * @param srvcName Service name.
-     * @param perm Permission to check.
-     * @return {@code True} if task operation is allowed.
-     * @deprecated Use {@link IgniteSecurity#authorize(String, SecurityPermission)} instead.
-     * This method will be removed in the future releases.
-     */
-    @Deprecated
-    public boolean serviceOperationAllowed(String srvcName, SecurityPermission perm);
-
-    /**
-     * Checks whether system-wide permission is allowed (excluding Visor task operations).
-     *
-     * @param perm Permission to check.
-     * @return {@code True} if system operation is allowed.
-     * @deprecated Use {@link IgniteSecurity#authorize(SecurityPermission)} instead.
-     * This method will be removed in the future releases.
-     */
-    @Deprecated
-    public boolean systemOperationAllowed(SecurityPermission perm);
 }
diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecuritySubject.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecuritySubject.java
@@ -66,17 +66,6 @@ public default Certificate[] certificates() {
         return null;
     }
 
-    /**
-     * Authorized permission set for the subject.
-     *
-     * @return Authorized permission set for the subject.
-     * @deprecated {@link SecuritySubject} must contain only immutable set of
-     * information that represents a security principal. Security permissions are part of authorization process
-     * and have nothing to do with {@link SecuritySubject}. This method will be removed in the future releases.
-     */
-    @Deprecated
-    public SecurityPermissionSet permissions();
-
     /**
      * @return Permissions for SecurityManager checks.
      * @deprecated {@link SecuritySubject} must contain only immutable set of

diff --git a/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java b/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java
@@ -114,7 +114,6 @@
 import org.apache.ignite.lang.IgniteProductVersion;
 import org.apache.ignite.lang.IgniteUuid;
 import org.apache.ignite.plugin.security.SecurityCredentials;
-import org.apache.ignite.plugin.security.SecurityPermissionSet;
 import org.apache.ignite.spi.IgniteNodeValidationResult;
 import org.apache.ignite.spi.IgniteSpiContext;
 import org.apache.ignite.spi.IgniteSpiException;
@@ -182,7 +181,6 @@
 import static org.apache.ignite.internal.IgniteNodeAttributes.ATTR_MARSHALLER_USE_BINARY_STRING_SER_VER_2;
 import static org.apache.ignite.internal.IgniteNodeAttributes.ATTR_MARSHALLER_USE_DFLT_SUID;
 import static org.apache.ignite.internal.processors.security.SecurityUtils.authenticateLocalNode;
-import static org.apache.ignite.internal.processors.security.SecurityUtils.nodeSecurityContext;
 import static org.apache.ignite.internal.processors.security.SecurityUtils.withSecurityContext;
 import static org.apache.ignite.spi.IgnitePortProtocol.TCP;
 import static org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi.DFLT_DISCOVERY_CLIENT_RECONNECT_HISTORY_SIZE;
@@ -2160,28 +2158,6 @@ private boolean recordable(TcpDiscoveryAbstractMessage msg) {
             !(msg instanceof TcpDiscoveryConnectionCheckMessage);
     }
 
-    /**
-     * Checks if two given {@link SecurityPermissionSet} objects contain the same permissions.
-     * Each permission belongs to one of three groups : cache, task or system.
-     *
-     * @param locPerms The first set of permissions.
-     * @param rmtPerms The second set of permissions.
-     * @return {@code True} if given parameters contain the same permissions, {@code False} otherwise.
-     */
-    private boolean permissionsEqual(@Nullable SecurityPermissionSet locPerms,
-        @Nullable SecurityPermissionSet rmtPerms) {
-        if (locPerms == null || rmtPerms == null)
-            return false;
-
-        boolean dfltAllowMatch = locPerms.defaultAllowAll() == rmtPerms.defaultAllowAll();
-
-        boolean bothHaveSamePerms = F.eqNotOrdered(rmtPerms.systemPermissions(), locPerms.systemPermissions()) &&
-            F.eqNotOrdered(rmtPerms.cachePermissions(), locPerms.cachePermissions()) &&
-            F.eqNotOrdered(rmtPerms.taskPermissions(), locPerms.taskPermissions());
-
-        return dfltAllowMatch && bothHaveSamePerms;
-    }
-
     /**
      * @param msg Message.
      * @param nodeId Node ID.
@@ -4993,11 +4969,7 @@ else if (!locNodeId.equals(node.id()) && ring.node(node.id()) != null) {
                         else {
                             SecurityContext subj = spi.nodeAuth.authenticateNode(node, cred);
 
-                            SecurityContext coordSubj = nodeSecurityContext(
-                                spi.marshaller(), U.resolveClassLoader(spi.ignite().configuration()), node
-                            );
-
-                            if (!permissionsEqual(getPermissions(coordSubj), getPermissions(subj))) {
+                            if (subj == null) {
                                 // Node has not pass authentication.
                                 LT.warn(log, "Authentication failed [nodeId=" + node.id() +
                                     ", addrs=" + U.addressesAsString(node) + ']');
@@ -5082,50 +5054,6 @@ else if (spiState == CONNECTING)
                         if (top != null && !top.isEmpty()) {
                             spi.gridStartTime = msg.gridStartTime();
 
-                            if (spi.nodeAuth != null && spi.nodeAuth.isGlobalNodeAuthentication()) {
-                                TcpDiscoveryAbstractMessage authFail =
-                                    new TcpDiscoveryAuthFailedMessage(locNodeId, spi.locHost, node.id());
-
-                                try {
-                                    ClassLoader ldr = U.resolveClassLoader(spi.ignite().configuration());
-
-                                    SecurityContext rmCrd = nodeSecurityContext(
-                                        spi.marshaller(), ldr, node
-                                    );
-
-                                    SecurityContext locCrd = nodeSecurityContext(
-                                        spi.marshaller(), ldr, locNode
-                                    );
-
-                                    if (!permissionsEqual(getPermissions(locCrd), getPermissions(rmCrd))) {
-                                        // Node has not pass authentication.
-                                        LT.warn(log,
-                                            "Failed to authenticate local node " +
-                                                "(local authentication result is different from rest of topology) " +
-                                                "[nodeId=" + node.id() + ", addrs=" + U.addressesAsString(node) + ']');
-
-                                        joinRes.set(authFail);
-
-                                        spiState = AUTH_FAILED;
-
-                                        mux.notifyAll();
-
-                                        return;
-                                    }
-                                }
-                                catch (IgniteException e) {
-                                    U.error(log, "Failed to verify node permissions consistency (will drop the node): " + node, e);
-
-                                    joinRes.set(authFail);
-
-                                    spiState = AUTH_FAILED;
-
-                                    mux.notifyAll();
-
-                                    return;
-                                }
-                            }
-
                             for (TcpDiscoveryNode n : top) {
                                 assert n.internalOrder() < node.internalOrder() :
                                     "Invalid node [topNode=" + n + ", added=" + node + ']';
@@ -5205,17 +5133,6 @@ else if (spiState == CONNECTING)
                 sendMessageAcrossRing(msg);
         }
 
-        /**
-         * @param secCtx Security context.
-         * @return Security permission set.
-         */
-        private @Nullable SecurityPermissionSet getPermissions(SecurityContext secCtx) {
-            if (secCtx == null || secCtx.subject() == null)
-                return null;
-
-            return secCtx.subject().permissions();
-        }
-
         /**
          * Processes node add finished message.
          *