Custom authentication security plug-in in Ignite

  After an Ignite cluster has been set up, applications can connect to it and perform all kinds of operations. The default cluster, however, has no security mechanism at all: any application that speaks the JDBC protocol (or any other Ignite client protocol) can reach the cluster as long as it knows the IP address of one of its nodes. That is a real security risk, and for users who hold sensitive data it is clearly unacceptable.
  
  Ignite itself ships with a simple security module that provides username/password authentication, but real business scenarios usually have more complex requirements. This article uses whitelist-based authentication as an example to show how a custom security plugin can be written to meet such needs.
  
  Plugin
  
  Ignite has a well-designed modular architecture and plugin mechanism: different modules can be configured, and you can also write plugins of your own. This article explains how to replace the default security implementation with such a plugin.
  
  The first step is to inject the plugin into IgniteConfiguration. This example uses Spring XML configuration:
  
  <bean id="ignite" class="org.apache.ignite.configuration.IgniteConfiguration"
        p:gridName="mygrid">
      <property name="pluginConfigurations">
          <bean class="ignite.WhiteListPluginConfiguration"/>
      </property>
  </bean>
  
  The p: shorthand requires the Spring p namespace (xmlns:p="http://www.springframework.org/schema/p") to be declared on the root beans element. pluginConfigurations is an array property; Spring wraps the single nested bean into a one-element array. In Ignite 2.x gridName has been renamed igniteInstanceName.
  

  

  

  
  The configuration class itself is small: it implements PluginConfiguration and names the provider class that implements the plugin:
  
  public class WhiteListPluginConfiguration implements PluginConfiguration {
  
      public Class<? extends PluginProvider> providerClass() {
          return WhiteListPluginProvider.class;
      }
  }
  
  The providerClass() method belongs to the older plugin API this article was written against. In current Ignite releases PluginConfiguration is only a marker interface, and the provider is discovered through a META-INF/services/org.apache.ignite.plugin.PluginProvider service file (or, in recent versions, IgniteConfiguration.setPluginProviders). Check the plugin API of the Ignite version you deploy before copying this class.
  
  The plugin's provider class is instantiated by IgniteKernal at startup and can create components for various internal interfaces in order to support the plugin. Since this article is about a security plugin, the provider creates the GridSecurityProcessor implementation:
  
  import org.apache.ignite.internal.processors.security.GridSecurityProcessor;
  import org.apache.ignite.plugin.IgnitePlugin;
  import org.apache.ignite.plugin.PluginContext;
  import org.apache.ignite.plugin.PluginProvider;
  import org.jetbrains.annotations.Nullable;
  
  public class WhiteListPluginProvider
      implements PluginProvider<WhiteListPluginConfiguration> {
  
      @Override
      public String name() {
          return "WhiteListSecurity";
      }
  
      @Override
      public String version() {
          return "1.0.0";
      }
  
      @Nullable
      @Override
      public Object createComponent(PluginContext ctx, Class cls) {
          // Ignite asks the provider for each internal component type in turn;
          // hand out the security processor only when GridSecurityProcessor is requested
          if (cls.isAssignableFrom(GridSecurityProcessor.class)) {
              return new WhiteListSecurityProcessor();
          } else {
              return null;
          }
      }
  
      @Override
      public IgnitePlugin plugin() {
          // The IgnitePlugin handle returned to user code. WhiteListAuthenticator is not
          // shown in this article; since WhiteListSecurityProcessor below implements
          // IgnitePlugin, returning that instance would also satisfy the interface.
          return new WhiteListAuthenticator();
      }
  
      // All other PluginProvider methods (copyright, initExtensions, start, stop,
      // onIgniteStart, onIgniteStop, ...) are no-ops
  }
  
  Note the createComponent and plugin methods here. Most of the other methods of this class are empty implementations.
  
  WhiteListSecurityProcessor
  
  So far the security plugin has been created and installed in Ignite; what remains is the actual authentication and authorization logic. This article focuses on authentication and simply grants all privileges once a node has been authenticated.
  
  The following are the main code segment:
  
  import java.util.Collection;
  import java.util.HashSet;
  import java.util.Set;
  
  import org.apache.ignite.IgniteCheckedException;
  import org.apache.ignite.IgniteException;
  import org.apache.ignite.cluster.ClusterNode;
  import org.apache.ignite.internal.processors.security.GridSecurityProcessor;
  import org.apache.ignite.internal.processors.security.SecurityContext;
  import org.apache.ignite.plugin.IgnitePlugin;
  import org.apache.ignite.plugin.security.SecurityCredentials;
  import org.apache.ignite.plugin.security.SecurityPermissionSet;
  import org.apache.ignite.plugin.security.SecuritySubject;
  import org.apache.ignite.plugin.security.SecuritySubjectType;
  import org.apache.ignite.spi.IgniteSpiNodeValidationResult;
  import org.apache.ignite.spi.discovery.DiscoverySpiNodeAuthenticator;
  import org.jetbrains.annotations.Nullable;
  
  public class WhiteListSecurityProcessor
      implements DiscoverySpiNodeAuthenticator,
                 GridSecurityProcessor,
                 IgnitePlugin {
  
      // The hosts that will be allowed to join the cluster
      private final Set<String> whitelist = new HashSet<>();
  
      // Return true if at least one of the node's addresses is on the whitelist
      private boolean isAddressOk(Collection<String> addresses) {
          for (String addr : addresses) {
              if (whitelist.contains(addr))
                  return true;
          }
          return false;
      }
  
      @Override
      public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred)
          throws IgniteException {
          return new SecurityContext(new SecuritySubject() {
              @Override
              public SecurityPermissionSet permissions() {
                  if (isAddressOk(node.addresses())) {
                      return WhiteListPermissionSets.ALLOW_ALL;
                  } else {
                      return WhiteListPermissionSets.ALLOW_NONE;
                  }
              }
  
              // The remaining SecuritySubject methods only describe the subject
              @Override public java.util.UUID id() { return node.id(); }
              @Override public SecuritySubjectType type() { return SecuritySubjectType.REMOTE_NODE; }
              @Override public Object login() { return cred == null ? null : cred.getLogin(); }
              @Override public java.net.InetSocketAddress address() { return null; }
          });
      }
  
      @Override
      public boolean isGlobalNodeAuthentication() {
          // allow any node to perform the authentication
          return true;
      }
  
      @Override
      public void start() throws IgniteCheckedException {
          // Load the whitelist
          // Check that this process is running on a whitelisted server
          // Throw IgniteCheckedException if there is a problem
      }
  
      @Nullable
      @Override
      public IgniteSpiNodeValidationResult validateNode(ClusterNode node) {
          if (!isAddressOk(node.addresses())) {
              return new IgniteSpiNodeValidationResult(node.id(),
                  "Access denied",
                  "Access denied");
          } else {
              return null;
          }
      }
  
      // All other GridSecurityProcessor methods are no-ops
  }
  
  This is only a sketch; the concrete implementation has to be filled in by the developer according to their own needs. Note also that GridSecurityProcessor and SecurityContext live in Ignite's internal packages and have changed across releases (SecurityContext, for instance, is an interface rather than a class in Ignite 2.x), so the signatures above must be checked against the version you build for.
  
  The start method is called when Ignite starts, so this is the place to load the whitelist of IP addresses. It can also be used to verify that this process is running on a whitelisted server; if anything is wrong, throw IgniteCheckedException, which terminates the process with an error message.
  
  When a new node attempts to join, authenticateNode and validateNode are called in turn. authenticateNode has to return a security context, which identifies the security subject and the permissions granted to it. To be safe, if the address is not on the whitelist the subject gets the ALLOW_NONE permission set. validateNode is then called; it receives the addresses of the connecting node and decides whether the node may join the cluster at all. Two points to keep in mind when implementing isAddressOk: node.addresses() is the address list the joining node itself advertises in its discovery data, not the address the connection was observed from, so a whitelist keyed on it is a deployment guard rather than strong peer authentication and should be combined with TLS on the discovery and communication SPIs; and every node reports its loopback address, so an entry such as 127.0.0.1 on the whitelist would admit any host.
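  The following is an added example, not code from the original article or from Ignite itself, of the two pieces the processor sketch leaves open: loading the whitelist in start() and the address check behind isAddressOk. The IpWhitelist class and the sample whitelist lines and node address lists in main are all constructed for this example. It goes slightly beyond the article by accepting CIDR ranges as well as single addresses, refusing hostnames (so DNS cannot decide membership), and ignoring loopback and wildcard addresses that every node reports.
  
  ```java
  import java.net.InetAddress;
  import java.net.UnknownHostException;
  import java.util.ArrayList;
  import java.util.Arrays;
  import java.util.Collection;
  import java.util.List;
  
  /** Whitelist of hosts allowed to join: single IPs or CIDR blocks, IPv4 or IPv6 (example class). */
  public final class IpWhitelist {
  
      /** One allowed range: network address bytes plus prefix length. */
      private static final class Entry {
          final byte[] net;
          final int prefixLen;
  
          Entry(byte[] net, int prefixLen) { this.net = net; this.prefixLen = prefixLen; }
  
          /** Bitwise prefix match; an IPv4 entry never matches an IPv6 address and vice versa. */
          boolean contains(byte[] addr) {
              if (addr.length != net.length) return false;
              int fullBytes = prefixLen / 8;
              for (int i = 0; i < fullBytes; i++)
                  if (addr[i] != net[i]) return false;
              int rem = prefixLen % 8;
              if (rem == 0) return true;
              int mask = (0xFF << (8 - rem)) & 0xFF;
              return (addr[fullBytes] & mask) == (net[fullBytes] & mask);
          }
      }
  
      private final List<Entry> entries = new ArrayList<>();
  
      /**
       * Parses an IP literal. Hostnames are refused on purpose: resolving them would let DNS,
       * not the whitelist file, decide who may join. Returns null if the text is not a literal.
       */
      private static InetAddress parseLiteral(String s) {
          int pct = s.indexOf('%');                       // drop an IPv6 scope id such as "%eth0"
          if (pct >= 0) s = s.substring(0, pct);
          boolean v4 = s.matches("\\d{1,3}(\\.\\d{1,3}){3}");
          boolean v6 = s.indexOf(':') >= 0 && s.matches("[0-9a-fA-F:.]+");
          if (!v4 && !v6) return null;
          try {
              return InetAddress.getByName(s);            // no DNS query for a numeric literal
          } catch (UnknownHostException e) {
              return null;
          }
      }
  
      /** Parses lines such as "10.0.1.0/24" or "192.168.77.5"; blank lines and '#' comments are ignored. */
      public static IpWhitelist parse(Iterable<String> lines) {
          IpWhitelist wl = new IpWhitelist();
          for (String raw : lines) {
              String line = raw;
              int hash = line.indexOf('#');
              if (hash >= 0) line = line.substring(0, hash);
              line = line.trim();
              if (line.isEmpty()) continue;
              String[] parts = line.split("/", 2);
              InetAddress net = parseLiteral(parts[0].trim());
              if (net == null) throw new IllegalArgumentException("Not an IP literal: " + raw);
              byte[] bytes = net.getAddress();
              int prefix = parts.length == 2 ? Integer.parseInt(parts[1].trim()) : bytes.length * 8;
              if (prefix < 0 || prefix > bytes.length * 8)
                  throw new IllegalArgumentException("Bad prefix length: " + raw);
              wl.entries.add(new Entry(bytes, prefix));
          }
          return wl;
      }
  
      /**
       * True if at least one address the node reports falls inside a whitelisted range.
       * Loopback and wildcard addresses are skipped: every node advertises 127.0.0.1 / ::1,
       * so a loopback entry in the file must never admit an arbitrary remote host.
       */
      public boolean allowsNode(Collection<String> nodeAddresses) {
          for (String s : nodeAddresses) {
              InetAddress a = parseLiteral(s);
              if (a == null || a.isLoopbackAddress() || a.isAnyLocalAddress()) continue;
              byte[] b = a.getAddress();
              for (Entry e : entries)
                  if (e.contains(b)) return true;
          }
          return false;
      }
  
      public static void main(String[] args) {
          // Constructed sample whitelist and node address lists, not taken from a real deployment
          IpWhitelist wl = parse(Arrays.asList(
              "# data-centre subnet",
              "10.0.1.0/24",
              "192.168.77.5   # bastion host",
              "2001:db8::/32"));
          List<List<String>> nodes = Arrays.asList(
              Arrays.asList("127.0.0.1", "10.0.1.42"),          // inside the /24
              Arrays.asList("127.0.0.1", "10.0.2.42"),          // outside the /24
              Arrays.asList("127.0.0.1"),                       // loopback only: must be refused
              Arrays.asList("0:0:0:0:0:0:0:1%lo", "2001:db8:1::9"));
          for (List<String> addrs : nodes)
              System.out.println(addrs + " -> " + (wl.allowsNode(addrs) ? "allowed" : "denied"));
      }
  }
  ```
  
  In the processor, start() would build the whitelist with IpWhitelist.parse(Files.readAllLines(path)) and isAddressOk(node.addresses()) would delegate to allowsNode. Parsing errors are thrown as IllegalArgumentException so that a malformed whitelist file fails the node at startup rather than silently admitting nobody, or everybody.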
  
  For an example of how to build a permission set, see Ignite's GridOsSecurityProcessor class.
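  The article refers to WhiteListPermissionSets.ALLOW_ALL and ALLOW_NONE without showing them. The following is an added example of that class, not code from the article or from Ignite; it assumes the public SecurityPermissionSetBuilder API available in Ignite 2.x, and adds a third, least-privilege set to show that whitelisted hosts need not receive ALLOW_ALL. The cacheOperationAllowed helper is a simplified re-implementation of the resolution rule, written here for illustration; the real check is done inside Ignite's SecurityContext.
  
  ```java
  import java.util.Collection;
  
  import org.apache.ignite.plugin.security.SecurityPermission;
  import org.apache.ignite.plugin.security.SecurityPermissionSet;
  import org.apache.ignite.plugin.security.SecurityPermissionSetBuilder;
  
  /** Permission sets handed out by WhiteListSecurityProcessor.authenticateNode() (example class). */
  public final class WhiteListPermissionSets {
  
      /** Full access: every cache, task, service and system operation is allowed by default. */
      public static final SecurityPermissionSet ALLOW_ALL =
          SecurityPermissionSetBuilder.create()
              .defaultAllowAll(true)
              .build();
  
      /** No access at all: the subject is authenticated but may perform no operation. */
      public static final SecurityPermissionSet ALLOW_NONE =
          SecurityPermissionSetBuilder.create()
              .defaultAllowAll(false)
              .build();
  
      /**
       * Least-privilege alternative to ALLOW_ALL for whitelisted hosts that only need to
       * read one cache and execute one compute task class; everything else is denied.
       * cacheName and taskClassName are whatever the deployment uses (assumed names).
       */
      public static SecurityPermissionSet readOnly(String cacheName, String taskClassName) {
          return SecurityPermissionSetBuilder.create()
              .defaultAllowAll(false)
              .appendCachePermissions(cacheName, SecurityPermission.CACHE_READ)
              .appendTaskPermissions(taskClassName, SecurityPermission.TASK_EXECUTE)
              .build();
      }
  
      /**
       * Simplified resolution rule (not Ignite's code): an explicit entry for the cache
       * decides; with no entry the set's default applies. Note that an explicit entry
       * lacking the permission denies it even when defaultAllowAll is true.
       */
      public static boolean cacheOperationAllowed(SecurityPermissionSet set,
                                                  String cacheName,
                                                  SecurityPermission perm) {
          Collection<SecurityPermission> perms =
              set.cachePermissions() == null ? null : set.cachePermissions().get(cacheName);
          if (perms == null)
              return set.defaultAllowAll();
          return perms.contains(perm);
      }
  
      private WhiteListPermissionSets() { }
  
      public static void main(String[] args) {
          // Constructed cache and task names for the demonstration
          SecurityPermissionSet ro = readOnly("reports", "com.example.ReportTask");
          System.out.println("ALLOW_ALL  CACHE_PUT on accounts: "
              + cacheOperationAllowed(ALLOW_ALL, "accounts", SecurityPermission.CACHE_PUT));
          System.out.println("ALLOW_NONE CACHE_READ on reports: "
              + cacheOperationAllowed(ALLOW_NONE, "reports", SecurityPermission.CACHE_READ));
          System.out.println("readOnly   CACHE_READ on reports: "
              + cacheOperationAllowed(ro, "reports", SecurityPermission.CACHE_READ));
          System.out.println("readOnly   CACHE_PUT  on reports: "
              + cacheOperationAllowed(ro, "reports", SecurityPermission.CACHE_PUT));
          System.out.println("readOnly   CACHE_READ on accounts: "
              + cacheOperationAllowed(ro, "accounts", SecurityPermission.CACHE_READ));
      }
  }
  ```
  
  Returning readOnly(...) instead of ALLOW_ALL from authenticateNode, keyed on which whitelist entry matched, turns the plugin from a pure join gate into an authorization boundary; that is the direction to take once authentication itself is in place.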
  
  Similarly, there are many other methods that need no real implementation, but they have nothing to do with the subject of this article.
  
  Finally,
  
  This is just a simple example of how to customize Ignite plugins, in particular authentication plugins. If a node fails the authentication process, it will select a new node and resume service.

Source: www.cnblogs.com/qwangxiao/p/11545388.html