ID | IEP-105 |
Author | |
Sponsor | |
Created | |
Status | |
This document describes the mechanisms for user authentication on the Ignite cluster side and the specific authentication mechanisms for AI3 and GG9.
The main goal of authentication is to restrict the use of Ignite functions exposed through the public APIs (REST API, CLI, clients, etc.) and to prevent unwanted access to parts of the cluster.
As a base solution, Apache Ignite 3 will have a basic authentication mechanism. This is a cluster-side configuration and it should be provided at the cluster initialization step.
Users should specify a login and password at the cluster initialization step. After the cluster is initialized, every connection should be protected by basic authentication and every request should contain the login and password.
After cluster initialization, the login and password may be changed in the cluster configuration, but this will require the previous login and password.
Users can enable or disable authentication and change credentials at runtime using the CLI command cluster config set:
"security": {
  "rest": {
    "auth": {
      "enabled": true,
      "basic": {
        "login": "string",
        "password": "string"
      }
    }
  }
}
The password should be masked as a secret (as ****) in the CLI’s history and when a user executes ‘cluster config show’.
The CLI should ask the user for credentials when connecting to a node and try to reuse them when connecting to another one.
When authentication fails, the CLI should map the REST response containing the failure reason and show the user a formatted message with details. This mechanism already exists and is used in different situations in the CLI.
Also, we need to make some changes on the server side:
See https://guides.micronaut.io/latest/micronaut-security-basicauth-gradle-java.html.
"security": {
  "rest": {
    "auth": {
      "enabled": true,
      "basic": {
        "login": "string",
        "password": "string"
      }
    }
  }
}
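One way the server-side check of a REST request could look, given the `security.rest.auth` configuration above. This is an added example, not code from Ignite or from the Micronaut guide. The class `BasicAuthCheck` and the sample credentials are hypothetical, and only JDK classes are used.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

/** Hypothetical helper (not an Ignite or Micronaut class) validating an HTTP Basic header. */
public final class BasicAuthCheck {
    private final boolean enabled;
    private final byte[] login;
    private final byte[] password;

    public BasicAuthCheck(boolean enabled, String login, String password) {
        this.enabled = enabled;
        this.login = login.getBytes(StandardCharsets.UTF_8);
        this.password = password.getBytes(StandardCharsets.UTF_8);
    }

    /** Returns true when the request may proceed; the caller answers 401 otherwise. */
    public boolean isAuthorized(String authorizationHeader) {
        if (!enabled) return true; // security.rest.auth.enabled = false
        if (authorizationHeader == null
                || !authorizationHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return false; // header missing or a different scheme
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authorizationHeader.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return false; // payload is not valid Base64
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':'); // split on the first colon: the password may contain ':'
        if (colon < 0) return false;
        byte[] gotLogin = pair.substring(0, colon).getBytes(StandardCharsets.UTF_8);
        byte[] gotPassword = pair.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual does not stop at the first differing byte;
        // '&' (not '&&') makes sure both comparisons always run.
        return MessageDigest.isEqual(login, gotLogin)
                & MessageDigest.isEqual(password, gotPassword);
    }

    public static void main(String[] args) {
        // Constructed sample credentials, for illustration only.
        BasicAuthCheck check = new BasicAuthCheck(true, "admin", "s3:cret");
        String good = "Basic " + Base64.getEncoder()
                .encodeToString("admin:s3:cret".getBytes(StandardCharsets.UTF_8));
        System.out.println(check.isAuthorized(good));
        System.out.println(check.isAuthorized("Basic !!!"));
        System.out.println(check.isAuthorized(null));
    }
}
```

Base64 in the `Authorization` header is an encoding, not encryption, so the credentials are only protected in transit when the REST endpoint is served over TLS.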
ClientInboundMessageHandler handler should
Then the REST client’s exchange with the node will follow the flow:
[IGNITE-19597] Ignite3 Basic Authentication Support - ASF JIRA (apache.org)