IGNITE-27216 Added capturing of cluster node certificates during join process

Author: petrov-mg

modules/core/src/main/java/org/apache/ignite/internal/managers/discovery/GridDiscoveryManager.java

@@ -18,6 +18,7 @@
 package org.apache.ignite.internal.managers.discovery;
 
 import java.io.Serializable;
+import java.security.cert.Certificate;
 import java.util.ArrayDeque;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -121,6 +122,7 @@
 import org.apache.ignite.lang.IgniteProductVersion;
 import org.apache.ignite.lang.IgniteUuid;
 import org.apache.ignite.marshaller.Marshaller;
+import org.apache.ignite.plugin.security.AuthenticationContext;
 import org.apache.ignite.plugin.security.SecurityCredentials;
 import org.apache.ignite.plugin.segmentation.SegmentationPolicy;
 import org.apache.ignite.spi.IgniteSpiException;
@@ -518,9 +520,9 @@ private void updateClientNodes(UUID leftNodeId) {
                 ctx.addNodeAttribute(ATTR_SECURITY_COMPATIBILITY_MODE, true);
 
             spi.setAuthenticator(new DiscoverySpiNodeAuthenticator() {
-                @Override public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) {
+                @Override public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred, Certificate[] certs) {
                     try {
-                        return ctx.security().authenticateNode(node, cred);
+                        return ctx.security().authenticate(new AuthenticationContext(node, cred, certs));
                     }
                     catch (IgniteCheckedException e) {
                         throw U.convertException(e);

modules/core/src/main/java/org/apache/ignite/internal/processors/security/GridSecurityProcessor.java

@@ -29,6 +29,8 @@
 import org.apache.ignite.plugin.security.SecurityPermission;
 import org.apache.ignite.plugin.security.SecuritySubject;
 
+import static org.apache.ignite.plugin.security.SecuritySubjectType.REMOTE_NODE;
+
 /**
  * This interface is responsible for:
  * <ul>
@@ -46,30 +48,52 @@
  */
 public interface GridSecurityProcessor extends GridProcessor {
     /**
-     * Authenticates grid node with it's attributes via underlying Authenticator.
+     * Authenticates grid node.
      *
-     * @param node Node id to authenticate.
-     * @param cred Security credentials.
-     * @return {@code True} if succeeded, {@code false} otherwise.
+     * @param node Cluster node.
+     * @param cred Credentials of the node user.
+     * @return {@code null} if authentication failed or {@link SecurityContext} instance that represents successfully authenticated user.
      * @throws IgniteCheckedException If error occurred.
+     * @deprecated Use {@link #performAuthentication(AuthenticationContext)} instead.
      */
-    public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) throws IgniteCheckedException;
+    @Deprecated
+    public default SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) throws IgniteCheckedException {
+        throw new UnsupportedOperationException();
+    }
 
     /**
-     * Gets flag indicating whether all nodes or coordinator only should run the authentication for joining node.
+     * Authenticates subject.
      *
-     * @return {@code True} if all nodes should run authentication process, {@code false} otherwise.
+     * @param ctx Authentication context.
+     * @return {@code null} if authentication failed or {@link SecurityContext} instance that represents successfully authenticated user.
+     * @throws IgniteCheckedException If error occurred.
+     * @deprecated Use {@link #performAuthentication(AuthenticationContext)} instead.
      */
-    public boolean isGlobalNodeAuthentication();
+    @Deprecated
+    public default SecurityContext authenticate(AuthenticationContext ctx) throws IgniteCheckedException {
+        throw new UnsupportedOperationException();
+    }
 
     /**
-     * Authenticates subject via underlying Authenticator.
+     * Authenticates subject.
      *
      * @param ctx Authentication context.
-     * @return {@code True} if succeeded, {@code false} otherwise.
+     * @return {@code null} if authentication failed or {@link SecurityContext} instance that represents successfully authenticated user.
      * @throws IgniteCheckedException If error occurred.
      */
-    public SecurityContext authenticate(AuthenticationContext ctx) throws IgniteCheckedException;
+    public default SecurityContext performAuthentication(AuthenticationContext ctx) throws IgniteCheckedException {
+        if (ctx.subjectType() == REMOTE_NODE)
+            return authenticateNode(ctx.node(), ctx.credentials());
+
+        return authenticate(ctx);
+    }
+
+    /**
+     * Gets flag indicating whether all nodes or coordinator only should run the authentication for joining node.
+     *
+     * @return {@code True} if all nodes should run authentication process, {@code false} otherwise.
+     */
+    public boolean isGlobalNodeAuthentication();
 
     /**
      * Gets collection of authenticated nodes.

modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurity.java

@@ -20,10 +20,8 @@
 import java.util.Collection;
 import java.util.UUID;
 import org.apache.ignite.IgniteCheckedException;
-import org.apache.ignite.cluster.ClusterNode;
 import org.apache.ignite.internal.processors.security.sandbox.IgniteSandbox;
 import org.apache.ignite.plugin.security.AuthenticationContext;
-import org.apache.ignite.plugin.security.SecurityCredentials;
 import org.apache.ignite.plugin.security.SecurityException;
 import org.apache.ignite.plugin.security.SecurityPermission;
 import org.apache.ignite.plugin.security.SecuritySubject;
@@ -69,19 +67,13 @@ public interface IgniteSecurity {
      */
     public SecurityContext securityContext();
 
-    /**
-     * Delegates call to {@link GridSecurityProcessor#authenticateNode(org.apache.ignite.cluster.ClusterNode,
-     * org.apache.ignite.plugin.security.SecurityCredentials)}
-     */
-    public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) throws IgniteCheckedException;
-
     /**
      * Delegates call to {@link GridSecurityProcessor#isGlobalNodeAuthentication()}
      */
     public boolean isGlobalNodeAuthentication();
 
     /**
-     * Delegates call to {@link GridSecurityProcessor#authenticate(AuthenticationContext)}
+     * Delegates call to {@link GridSecurityProcessor#performAuthentication(AuthenticationContext)}
      */
     public SecurityContext authenticate(AuthenticationContext ctx) throws IgniteCheckedException;
 

modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java

@@ -37,7 +37,6 @@
 import org.apache.ignite.lang.IgniteFuture;
 import org.apache.ignite.marshaller.jdk.JdkMarshaller;
 import org.apache.ignite.plugin.security.AuthenticationContext;
-import org.apache.ignite.plugin.security.SecurityCredentials;
 import org.apache.ignite.plugin.security.SecurityException;
 import org.apache.ignite.plugin.security.SecurityPermission;
 import org.apache.ignite.plugin.security.SecuritySubject;
@@ -204,20 +203,14 @@ void restoreDefaultContext() {
         return res == null ? dfltSecCtx : res;
     }
 
-    /** {@inheritDoc} */
-    @Override public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred)
-        throws IgniteCheckedException {
-        return secPrc.authenticateNode(node, cred);
-    }
-
     /** {@inheritDoc} */
     @Override public boolean isGlobalNodeAuthentication() {
         return secPrc.isGlobalNodeAuthentication();
     }
 
     /** {@inheritDoc} */
     @Override public SecurityContext authenticate(AuthenticationContext ctx) throws IgniteCheckedException {
-        return secPrc.authenticate(ctx);
+        return secPrc.performAuthentication(ctx);
     }
 
     /** {@inheritDoc} */

modules/core/src/main/java/org/apache/ignite/internal/processors/security/NoOpIgniteSecurityProcessor.java

@@ -26,7 +26,6 @@
 import org.apache.ignite.internal.processors.security.sandbox.IgniteSandbox;
 import org.apache.ignite.internal.processors.security.sandbox.NoOpSandbox;
 import org.apache.ignite.plugin.security.AuthenticationContext;
-import org.apache.ignite.plugin.security.SecurityCredentials;
 import org.apache.ignite.plugin.security.SecurityException;
 import org.apache.ignite.plugin.security.SecurityPermission;
 import org.apache.ignite.plugin.security.SecuritySubject;
@@ -81,11 +80,6 @@ public NoOpIgniteSecurityProcessor(GridKernalContext ctx) {
         return null;
     }
 
-    /** {@inheritDoc} */
-    @Override public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) {
-        return null;
-    }
-
     /** {@inheritDoc} */
     @Override public boolean isGlobalNodeAuthentication() {
         return false;

modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityUtils.java

@@ -374,7 +374,7 @@ public static SecurityContext authenticateLocalNode(
         assert nodeAuth != null;
         assert cred != null || node.attribute(IgniteNodeAttributes.ATTR_AUTHENTICATION_ENABLED) != null;
 
-        SecurityContext secCtx = nodeAuth.authenticateNode(node, cred);
+        SecurityContext secCtx = nodeAuth.authenticateNode(node, cred, null);
 
         if (secCtx == null)
             throw new IgniteSpiException("Authentication failed for local node: " + node.id());

modules/core/src/main/java/org/apache/ignite/plugin/security/AuthenticationContext.java

@@ -23,7 +23,11 @@
 import java.util.HashMap;
 import java.util.Map;
 import java.util.UUID;
+import org.apache.ignite.cluster.ClusterNode;
 import org.apache.ignite.internal.util.typedef.F;
+import org.jetbrains.annotations.Nullable;
+
+import static org.apache.ignite.plugin.security.SecuritySubjectType.REMOTE_NODE;
 
 /**
  * Authentication context.
@@ -32,7 +36,7 @@ public class AuthenticationContext {
     /** Subject type. */
     private SecuritySubjectType subjType;
 
-    /** Subject ID.w */
+    /** Subject ID. */
     private UUID subjId;
 
     /** Credentials. */
@@ -47,8 +51,52 @@ public class AuthenticationContext {
     /** True if this is a client node context. */
     private boolean client;
 
-    /** Client SSL certificates. */
-    private Certificate[] certs;
+    /** User SSL certificates. */
+    @Nullable private Certificate[] certs;
+
+    /** Instance of the authenticated node. {@code null} if authenticated subject type is not {@link SecuritySubjectType#REMOTE_NODE}. */
+    @Nullable private ClusterNode node;
+
+    /** */
+    public AuthenticationContext() {
+        // No-op.
+    }
+
+    /**
+     * @param node Authenticating cluster node.
+     * @param creds Credentials of the node's user.
+     * @param certs Certificates that the node used to establish a connection to the cluster. {@code null} if certificates
+     *              could not be obtained.
+     */
+    public AuthenticationContext(ClusterNode node, SecurityCredentials creds, @Nullable Certificate[] certs) {
+        this.node = node;
+        this.creds = creds;
+        this.certs = certs;
+
+        subjType = REMOTE_NODE;
+        subjId = node.id();
+        client = node.isClient();
+        nodeAttrs = node.attributes();
+        addr = new InetSocketAddress(F.first(node.addresses()), 0);
+    }
+
+    /**
+     * @return Cluster node being authenticated or {@code null} if authenticated subject type is not
+     * {@link SecuritySubjectType#REMOTE_NODE}.
+     */
+    @Nullable public ClusterNode node() {
+        return node;
+    }
+
+    /**
+     * @param node Cluster node being authenticated.
+     * @return {@code this} for chaining.
+     */
+    public AuthenticationContext node(ClusterNode node) {
+        this.node = node;
+
+        return this;
+    }
 
     /**
      * Gets subject type.

modules/core/src/main/java/org/apache/ignite/spi/discovery/DiscoverySpiNodeAuthenticator.java

@@ -17,25 +17,50 @@
 
 package org.apache.ignite.spi.discovery;
 
+import java.security.cert.Certificate;
 import org.apache.ignite.IgniteException;
 import org.apache.ignite.cluster.ClusterNode;
 import org.apache.ignite.internal.processors.security.SecurityContext;
 import org.apache.ignite.plugin.security.SecurityCredentials;
+import org.jetbrains.annotations.Nullable;
 
 /**
  * Node authenticator.
  */
 public interface DiscoverySpiNodeAuthenticator {
     /**
-     * Security credentials.
+     * Authenticates new cluster node before it joins the cluster.
      *
      * @param node Node to authenticate.
      * @param cred Security credentials.
      * @return Security context if authentication succeeded or {@code null} if authentication failed.
      * @throws IgniteException If authentication process failed
      *      (invalid credentials should not lead to this exception).
+     * @deprecated Use {@link #authenticateNode(ClusterNode, SecurityCredentials, Certificate[])} instead.
      */
-    public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) throws IgniteException;
+    @Deprecated
+    public default SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) throws IgniteException {
+        throw new UnsupportedOperationException();
+    }
+
+    /**
+     * Authenticates new cluster node before it joins the cluster.
+     *
+     * @param node Node to authenticate.
+     * @param cred Security credentials.
+     * @param certs Certificates that the node used to establish a connection to the cluster. {@code null} if SSL is
+     *              disabled, it is local node authentication or Ignite Discovery implementation does not support
+     *              capturing of joining node certificates.
+     * @return Security context if authentication succeeded or {@code null} if authentication failed.
+     * @throws IgniteException If authentication process failed (invalid credentials should not lead to this exception).
+     */
+    public default SecurityContext authenticateNode(
+        ClusterNode node,
+        SecurityCredentials cred,
+        @Nullable Certificate[] certs
+    ) throws IgniteException {
+        return authenticateNode(node, cred);
+    }
 
     /**
      * Gets global node authentication flag.

modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java

@@ -4324,7 +4324,7 @@ else if (log.isDebugEnabled())
                     try {
                         SecurityCredentials cred = unmarshalCredentials(node);
 
-                        SecurityContext subj = spi.nodeAuth.authenticateNode(node, cred);
+                        SecurityContext subj = spi.nodeAuth.authenticateNode(node, cred, msg.nodeCertificates());
 
                         if (subj == null) {
                             // Node has not pass authentication.
@@ -4774,8 +4774,13 @@ else if (log.isDebugEnabled())
 
                 DiscoveryDataPacket data = msg.gridDiscoveryData();
 
-                TcpDiscoveryNodeAddedMessage nodeAddedMsg = new TcpDiscoveryNodeAddedMessage(locNodeId,
-                    node, data, spi.gridStartTime);
+                TcpDiscoveryNodeAddedMessage nodeAddedMsg = new TcpDiscoveryNodeAddedMessage(
+                    locNodeId,
+                    node,
+                    data,
+                    spi.gridStartTime,
+                    msg.nodeCertificates()
+                );
 
                 nodeAddedMsg = tracing.messages().branch(nodeAddedMsg, msg);
 
@@ -5084,7 +5089,7 @@ else if (!locNodeId.equals(node.id()) && ring.node(node.id()) != null) {
                             authFailed = false;
                         }
                         else {
-                            SecurityContext subj = spi.nodeAuth.authenticateNode(node, cred);
+                            SecurityContext subj = spi.nodeAuth.authenticateNode(node, cred, msg.nodeCertificates());
 
                             if (subj == null) {
                                 // Node has not pass authentication.
@@ -7072,6 +7077,11 @@ else if (e.hasCause(ObjectStreamException.class) ||
                         else if (msg instanceof TcpDiscoveryJoinRequestMessage) {
                             TcpDiscoveryJoinRequestMessage req = (TcpDiscoveryJoinRequestMessage)msg;
 
+                            // We are holding connection with the node that is joining the cluster. Therefore, we can save
+                            // certificates with which the connection was established.
+                            if (nodeId.equals(req.node().id()))
+                                req.nodeCertificates(ses.extractCertificates());
+
                             if (!req.responded()) {
                                 boolean ok = processJoinRequestMessage(req, clientMsgWrk);