Versions Compared

Old Version 7

changes.mady.by.user Mikhail Pochatkin

Saved on

compared with

New Version Current

changes.mady.by.user Mikhail Pochatkin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


IDIEP-105106
Author
Mikhail Pochatkin 
Sponsor

Aleksandr Pakhomov 

Created

 

Status


Status
colourBlue
titleDRAFT

Table of Contents

 

Motivation and requirements

This document describes the mechanisms for user authentication on the side of the Ignite cluster and provides different mechanisms of authentication for AI3.

...

  1. Authentication configuration should be on cluster level and initial authentication information should be provided on cluster init operation. Applying auth configuration to cluster should be atomic with cluster init operation, it means that when cluster initialization finished authentication should be enabled immediately and no node in cluster will have timestamp after cluster initialization and auth config applying when any connections is possible without authentication. 
  2. Authentication configuration may be changed on cluster runtime without any restarts. This operation should be under authentication and the user should be authenticated to change it. In case when authentication configuration is changed and open  authenticated connections exist they should be closed.

Apache Ignite 3 basic authentication

As a base solution Apache Ignite 3 will have a basic authentication mechanism. This is cluster side configuration and it should be provided on the cluster initialization step. 

...

After cluster initialization login and password may be changed in cluster configuration but it will be required previous login and password

Authentication information will be stored to cluster distributed configuration. Currently we have no any configuration data compression or ciphers and we store authentication info as is in plain format. But we should mark this properties as secrets and any read of configuration anyway should mask this properties.

CLI

Users can enable (disable) authentication and change credentials in runtime using the CLI command 

...

In case when authentication fails, CLI should map a REST response with a failed reason and show to the user formatted message with details. This mechanism already exist and using in different situations in CLI.

Thin client

Server

ClientInboundMessageHandler handler should

  1. Authenticate clients on a handshake. 
  2. Store information about authentication: authentication provider name.
  3. Listen to authentication configuration updates. If the provider is changed or removed, the connection must be closed. 
  4. If the authentication was disabled when connected, the connection should be closed when authentication is enabled.

Client

  1. Add credentials to ConnectionProperties
  2. Authenticate on handshake org.apache.ignite.internal.client.TcpClientChannel#handshakeAsync
  3. If the client can’t authenticate, it should throw AuthenticationException

...

  1. Client posts the client-id and client-secret to the token endpoint URL using specified authentication type and receives an access token or error message. At this point implementation should cache the token.
  2. Client sends the access token to the REST API endpoint using the client_secret_basic authentication type.
  3. REST API implementation validates the token using the JWKS URL.

Micronaut

Also, we need to make some changes on the server side: 

...

Code Block
"security": {
    "rest": {
        "auth": {
            "enabled": true,
            "basic": {
                "login": "string",
                "password": "string"
             }
        }
    }
}

Tickets


[IGNITE-19597] Ignite3 Basic Authentication Support - ASF JIRA (apache.org)


...