IGNITE-23563 Fix node fails while checking security permission for ac…

…tivation during join (#11631)
apache · Oct 31, 2024 · 9f4f738 · 9f4f738
1 parent 3aa13c0
commit 9f4f738
Show file tree

Hide file tree

Showing 4 changed files with 117 additions and 3 deletions.
diff --git a/...rc/main/java/org/apache/ignite/internal/processors/cluster/GridClusterStateProcessor.java b/...rc/main/java/org/apache/ignite/internal/processors/cluster/GridClusterStateProcessor.java
@@ -1109,7 +1109,12 @@ public IgniteInternalFuture<?> changeGlobalState(
         boolean forceChangeBaselineTopology,
         boolean isAutoAdjust
     ) {
-        ctx.security().authorize(SecurityPermission.ADMIN_CLUSTER_STATE);
+        try {
+            ctx.security().authorize(SecurityPermission.ADMIN_CLUSTER_STATE);
+        }
+        catch (org.apache.ignite.plugin.security.SecurityException secEx) {
+            return new GridFinishedFuture<>(secEx);
+        }
 
         if (ctx.maintenanceRegistry().isMaintenanceMode()) {
             return new GridFinishedFuture<>(

diff --git a/...al/processors/security/cluster/ActivationOnJoinWithoutPermissionsWithPersistenceTest.java b/...al/processors/security/cluster/ActivationOnJoinWithoutPermissionsWithPersistenceTest.java
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.security.cluster;
+
+import org.apache.ignite.configuration.DataRegionConfiguration;
+import org.apache.ignite.configuration.DataStorageConfiguration;
+import org.apache.ignite.configuration.IgniteConfiguration;
+import org.apache.ignite.failure.StopNodeFailureHandler;
+import org.apache.ignite.internal.processors.security.AbstractSecurityTest;
+import org.apache.ignite.internal.processors.security.impl.TestSecurityPluginProvider;
+import org.apache.ignite.internal.util.typedef.F;
+import org.apache.ignite.internal.util.typedef.G;
+import org.apache.ignite.plugin.security.SecurityPermission;
+import org.junit.Test;
+
+import static org.apache.ignite.cluster.ClusterState.ACTIVE;
+import static org.apache.ignite.cluster.ClusterState.INACTIVE;
+import static org.apache.ignite.plugin.security.SecurityPermission.ADMIN_CLUSTER_STATE;
+import static org.apache.ignite.plugin.security.SecurityPermission.JOIN_AS_SERVER;
+import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.create;
+
+/**
+ * Tests joining baseline node without permissions. It should join successfully, but
+ * cluster must be left in INACTIVE state. {@link org.apache.ignite.internal.processors.cluster.GridClusterStateProcessor#onLocalJoin}
+ * must not complete exceptionally.
+ */
+public class ActivationOnJoinWithoutPermissionsWithPersistenceTest extends AbstractSecurityTest {
+    /** */
+    private static final int NUM_NODES = 3;
+
+    /** {@inheritDoc} */
+    @Override protected IgniteConfiguration getConfiguration(String instanceName) throws Exception {
+        SecurityPermission[] srvPerms = F.asArray(ADMIN_CLUSTER_STATE);
+
+        return getConfiguration(instanceName, srvPerms);
+    }
+
+    /**
+     * @return Ignite configuration with given server and client permissions.
+     */
+    private IgniteConfiguration getConfiguration(
+        String instanceName,
+        SecurityPermission[] srvPerms
+    ) throws Exception {
+        IgniteConfiguration cfg = super.getConfiguration(instanceName);
+
+        cfg.setConsistentId(instanceName);
+
+        TestSecurityPluginProvider secPlugin = new TestSecurityPluginProvider(
+            instanceName,
+            "",
+            create().defaultAllowAll(false).appendSystemPermissions(F.concat(srvPerms, JOIN_AS_SERVER)).build(),
+            false,
+            EMPTY_SECURITY_DATA
+        );
+
+        cfg.setPluginProviders(secPlugin);
+
+        cfg.setFailureHandler(new StopNodeFailureHandler());
+
+        cfg.setDataStorageConfiguration(new DataStorageConfiguration()
+                .setDefaultDataRegionConfiguration(new DataRegionConfiguration().setPersistenceEnabled(true)));
+
+        return cfg;
+    }
+
+    /** */
+    @Test
+    public void testNodeJoinWithoutPermissions() throws Exception {
+        // Start grids and activate them.
+        startGrids(NUM_NODES);
+
+        grid(0).cluster().state(ACTIVE);
+        assertEquals(ACTIVE, grid(0).cluster().state());
+
+        // Stop all of them and restart just the firsts.
+        G.stopAll(true);
+
+        startGrids(NUM_NODES - 1);
+
+        // Start the last one with empty permissions.
+        startGrid(getConfiguration(getTestIgniteInstanceName(NUM_NODES - 1), EMPTY_PERMS));
+
+        // Check for state and topology.
+        waitForTopology(NUM_NODES);
+
+        assertEquals(INACTIVE, grid(0).cluster().state());
+        assertEquals(NUM_NODES, grid(0).cluster().forServers().nodes().size());
+    }
+}
diff --git a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
@@ -39,6 +39,7 @@
 import org.apache.ignite.internal.processors.security.client.ThinClientPermissionCheckTest;
 import org.apache.ignite.internal.processors.security.client.ThinClientSecurityContextOnRemoteNodeTest;
 import org.apache.ignite.internal.processors.security.client.ThinClientSslPermissionCheckTest;
+import org.apache.ignite.internal.processors.security.cluster.ActivationOnJoinWithoutPermissionsWithPersistenceTest;
 import org.apache.ignite.internal.processors.security.cluster.ClusterNodeOperationPermissionTest;
 import org.apache.ignite.internal.processors.security.cluster.ClusterStatePermissionTest;
 import org.apache.ignite.internal.processors.security.cluster.NodeJoinPermissionsTest;
@@ -140,7 +141,8 @@
     ServiceStaticConfigTest.class,
     ClusterNodeOperationPermissionTest.class,
     NodeSecurityContextPropagationTest.class,
-    NodeJoinPermissionsTest.class
+    NodeJoinPermissionsTest.class,
+    ActivationOnJoinWithoutPermissionsWithPersistenceTest.class,
 })
 public class SecurityTestSuite {
     /** */

diff --git a/...per/src/test/java/org/apache/ignite/spi/discovery/zk/ZookeeperDiscoverySpiTestSuite4.java b/...per/src/test/java/org/apache/ignite/spi/discovery/zk/ZookeeperDiscoverySpiTestSuite4.java
@@ -27,6 +27,7 @@
 import org.apache.ignite.internal.processors.cache.distributed.replicated.IgniteCacheReplicatedQuerySelfTest;
 import org.apache.ignite.internal.processors.metastorage.DistributedMetaStoragePersistentTest;
 import org.apache.ignite.internal.processors.metastorage.DistributedMetaStorageTest;
+import org.apache.ignite.internal.processors.security.cluster.ActivationOnJoinWithoutPermissionsWithPersistenceTest;
 import org.apache.ignite.internal.processors.security.cluster.NodeJoinPermissionsTest;
 import org.apache.ignite.spi.discovery.DiscoverySpiDataExchangeTest;
 import org.junit.BeforeClass;
@@ -50,7 +51,8 @@
     IgniteNodeValidationFailedEventTest.class,
     DiscoverySpiDataExchangeTest.class,
     CacheCreateDestroyEventSecurityContextTest.class,
-    NodeJoinPermissionsTest.class
+    NodeJoinPermissionsTest.class,
+    ActivationOnJoinWithoutPermissionsWithPersistenceTest.class,
 })
 public class ZookeeperDiscoverySpiTestSuite4 {
     /** */