You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

IDIEP-105
Author
Mikhail Pochatkin 
Sponsor

Aleksandr Pakhomov 

Created

 

Status


DRAFT

 

Motivation and requirements

This document describes the mechanisms for user authentication on the side of the Ignite cluster and provides different mechanisms of authentication for AI3 and GG9 specifically.

The main goal of authentication will be to set restrictions on the use of various functions of the Ignite through various public APIs (REST API, CLI, clients, etc) and restrict unwanted access to various parts of the cluster.

  1. Authentication configuration should be on cluster level and initial authentication information should be provided on cluster init operation. Applying auth configuration to cluster should be atomic with cluster init operation, it means that when cluster initialization finished authentication should be enabled immediately and no node in cluster will have timestamp after cluster initialization and auth config applying when any connections is possible without authentication. 
  2. Authentication configuration may be changed on cluster runtime without any restarts. This operation should be under authentication and the user should be authenticated to change it. In case when authentication configuration is changed and open  authenticated connections exist they should be closed.

Apache Ignite 3 basic authentication

As a base solution Apache Ignite 3 will have a basic authentication mechanism. This is cluster side configuration and it should be provided on the cluster initialization step. 

Users should specify login and password on cluster initialization step and after cluster will be initialized any connection should be protected via basic authentication and any request should contain login and password. 

After cluster initialization login and password may be changed in cluster configuration but it will be required previous login and password

CLI

Users can enable (disable) authentication and change credentials in runtime using the CLI command  cluster config set

"security": {
    "rest": {
        "auth": {
            "enabled": true,
            "basic": {
                "login": "string",
                "password": "string"
            }
        }
    }
}

The password should be masked as a secret (as ****) in the CLI’s history and when a user executes ‘cluster config show’. 

The CLI should ask a user to provide credentials on connecting to a node and try to reuse them on connecting to another one. 

In case when authentication fails, CLI should map a REST response with a failed reason and show to the user formatted message with details. This mechanism already exist and using in different situations in CLI.

Thin client



Micronaut

Also, we need to make some changes on the server side: 

  • Add @Secured(SecurityRule.IS_AUTHENTICATED) annotation to controllers
  • Implement AuthenticationProvider

See https://guides.micronaut.io/latest/micronaut-security-basicauth-gradle-java.html.

"security": {
    "rest": {
        "auth": {
            "enabled": true,
            "basic": {
                "login": "string",
                "password": "string"
             }
        }
    }
}

Client Authentication

Server

ClientInboundMessageHandler handler should

  1. Authenticate clients on a handshake. 
  2. Store information about authentication: authentication provider name.
  3. Listen to authentication configuration updates. If the provider is changed or removed, the connection must be closed. 
  4. If the authentication was disabled when connected, the connection should be closed when authentication is enabled.

Client

  1. Add credentials to ConnectionProperties
  2. Authenticate on handshake org.apache.ignite.internal.client.TcpClientChannel#handshakeAsync
  3. If the client can’t authenticate, it should throw AuthenticationException

Then the REST client’s exchange with the node will follow the flow:

  1. Client posts the client-id and client-secret to the token endpoint URL using specified authentication type and receives an access token or error message. At this point implementation should cache the token.
  2. Client sends the access token to the REST API endpoint using the client_secret_basic authentication type.
  3. REST API implementation validates the token using the JWKS URL.

Solution with Control Center

Proposed solution complicates clients configuration and functionality - they need to be configured for each different auth provider and include the functionality of retrieving the access token from the provider.

This could be simplified by implementing the authentication service. In this case the user will get the access token from the Control Center and will pass it to the node, which will verify it in the auth service.

CLI extension

CLI may have special command ignite cluster openid connect which will open a browser with Control Center page where user may specify a 3rd party connector and authenticate via 3rd party cloud provider. After the authentication process will be finished response can be catched via CLI and CC token may automatically stored to CLI configuration.

This is technically not easy to achieve, because the OpenId pipeline requires a callback of success authentication in the form of URL to redirect and it should be mapped to CLI somehow. This is possible to achieve with several options 

  1. Start HTTP server on CLI side and generate redirect URL to this server. This approach has problems with port availability for this HTTP server and firewall permissions. 
  2. Extend OpenID protocol and create a special polling endpoint on CC side with unique session ID parameter which will be polled from CLI side and trying to get the openID token. This approach has problems with security because it should be a non-authenticated endpoint with only session id validation. 

Tickets





  • No labels

Apache Ignite