apache
diff --git a/‎modules/calcite/src/test/java/org/apache/ignite/internal/processors/query/calcite/jdbc/JdbcConnectionEnabledPropertyTest.java‎
Lines changed: 71 additions & 0 deletions b/‎modules/calcite/src/test/java/org/apache/ignite/internal/processors/query/calcite/jdbc/JdbcConnectionEnabledPropertyTest.java‎
Lines changed: 71 additions & 0 deletions
diff --git a/‎modules/calcite/src/test/java/org/apache/ignite/internal/processors/query/calcite/jdbc/JdbcThinTransactionalSelfTest.java‎
Lines changed: 1 addition & 1 deletion b/‎modules/calcite/src/test/java/org/apache/ignite/internal/processors/query/calcite/jdbc/JdbcThinTransactionalSelfTest.java‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎modules/calcite/src/test/java/org/apache/ignite/testsuites/IgniteCalciteTestSuite.java‎
Lines changed: 2 additions & 0 deletions b/‎modules/calcite/src/test/java/org/apache/ignite/testsuites/IgniteCalciteTestSuite.java‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎modules/core/src/main/java/org/apache/ignite/internal/cluster/DistributedConfigurationUtils.java‎
Lines changed: 45 additions & 0 deletions b/‎modules/core/src/main/java/org/apache/ignite/internal/cluster/DistributedConfigurationUtils.java‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerConnectionContext.java‎
Lines changed: 9 additions & 0 deletions b/‎modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerConnectionContext.java‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerNioListener.java‎
Lines changed: 57 additions & 4 deletions b/‎modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerNioListener.java‎
Lines changed: 57 additions & 4 deletions
diff --git a/‎modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerProcessor.java‎
Lines changed: 39 additions & 1 deletion b/‎modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerProcessor.java‎
Lines changed: 39 additions & 1 deletion
@@ -0,0 +1,71 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.query.calcite.jdbc;
+
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.SQLException;
+import org.apache.ignite.calcite.CalciteQueryEngineConfiguration;
+import org.apache.ignite.configuration.IgniteConfiguration;
+import org.apache.ignite.testframework.junits.common.GridCommonAbstractTest;
+import org.junit.Test;
+
+import static org.apache.ignite.internal.cluster.DistributedConfigurationUtils.CONN_DISABLED_BY_ADMIN_ERR_MSG;
+import static org.apache.ignite.internal.processors.configuration.distributed.DistributedConfigurationProcessor.toMetaStorageKey;
+import static org.apache.ignite.internal.processors.query.calcite.jdbc.JdbcThinTransactionalSelfTest.URL;
+import static org.apache.ignite.testframework.GridTestUtils.assertThrows;
+
+/** */
+public class JdbcConnectionEnabledPropertyTest extends GridCommonAbstractTest {
+    /** */
+    private static final String JDBC_CONN_ENABLED_PROP = "newJdbcConnectionsEnabled";
+
+    /** {@inheritDoc} */
+    @Override protected IgniteConfiguration getConfiguration(String igniteInstanceName) throws Exception {
+        IgniteConfiguration cfg = super.getConfiguration(igniteInstanceName);
+
+        cfg.getSqlConfiguration().setQueryEnginesConfiguration(new CalciteQueryEngineConfiguration());
+
+        return cfg;
+    }
+
+    /** {@inheritDoc} */
+    @Override protected void beforeTestsStarted() throws Exception {
+        super.beforeTestsStarted();
+
+        startGrid();
+    }
+
+    /** */
+    @Test
+    public void testConnectionEnabledProperty() throws Exception {
+        try (Connection conn = DriverManager.getConnection(URL)) {
+            assertTrue(conn.isValid(3));
+        }
+
+        grid().context().distributedMetastorage().write(toMetaStorageKey(JDBC_CONN_ENABLED_PROP), false);
+
+        assertThrows(log, () -> DriverManager.getConnection(URL), SQLException.class, CONN_DISABLED_BY_ADMIN_ERR_MSG);
+
+        grid().context().distributedMetastorage().write(toMetaStorageKey(JDBC_CONN_ENABLED_PROP), true);
+
+        try (Connection conn = DriverManager.getConnection(URL)) {
+            assertTrue(conn.isValid(3));
+        }
+    }
+}
@@ -49,7 +49,7 @@
 /** */
 public class JdbcThinTransactionalSelfTest extends GridCommonAbstractTest {
     /** URL. */
-    private static final String URL = "jdbc:ignite:thin://127.0.0.1";
+    public static final String URL = "jdbc:ignite:thin://127.0.0.1";
 
     /** {@inheritDoc} */
     @Override protected IgniteConfiguration getConfiguration(String igniteInstanceName) throws Exception {
 
@@ -24,6 +24,7 @@
 import org.apache.ignite.internal.processors.query.calcite.exec.NumericTypesPrecisionsTest;
 import org.apache.ignite.internal.processors.query.calcite.exec.exp.IgniteSqlFunctionsTest;
 import org.apache.ignite.internal.processors.query.calcite.exec.tracker.MemoryTrackerTest;
+import org.apache.ignite.internal.processors.query.calcite.jdbc.JdbcConnectionEnabledPropertyTest;
 import org.apache.ignite.internal.processors.query.calcite.jdbc.JdbcSetClientInfoTest;
 import org.apache.ignite.internal.processors.query.calcite.jdbc.JdbcThinTransactionalSelfTest;
 import org.apache.ignite.internal.processors.query.calcite.message.CalciteCommunicationMessageSerializationTest;
@@ -62,6 +63,7 @@
 
     JdbcThinTransactionalSelfTest.class,
     JdbcSetClientInfoTest.class,
+    JdbcConnectionEnabledPropertyTest.class
 })
 public class IgniteCalciteTestSuite {
 }
@@ -18,12 +18,19 @@
 package org.apache.ignite.internal.cluster;
 
 import java.io.Serializable;
+import java.util.Arrays;
+import java.util.List;
 import java.util.Objects;
+import java.util.stream.Collectors;
 import org.apache.ignite.IgniteCheckedException;
 import org.apache.ignite.IgniteLogger;
 import org.apache.ignite.internal.IgniteInternalFuture;
 import org.apache.ignite.internal.processors.configuration.distributed.DistributePropertyListener;
+import org.apache.ignite.internal.processors.configuration.distributed.DistributedBooleanProperty;
+import org.apache.ignite.internal.processors.configuration.distributed.DistributedConfigurationLifecycleListener;
 import org.apache.ignite.internal.processors.configuration.distributed.DistributedProperty;
+import org.apache.ignite.internal.processors.configuration.distributed.DistributedPropertyDispatcher;
+import org.apache.ignite.internal.processors.subscription.GridInternalSubscriptionProcessor;
 import org.apache.ignite.internal.util.future.GridFinishedFuture;
 import org.jetbrains.annotations.NotNull;
 
@@ -33,6 +40,9 @@
  * Distributed configuration utilities methods.
  */
 public final class DistributedConfigurationUtils {
+    /** */
+    public static final String CONN_DISABLED_BY_ADMIN_ERR_MSG = "Connection disabled by administrator";
+
     /**
      */
     private DistributedConfigurationUtils() {
@@ -95,4 +105,39 @@ public static <T extends Serializable> IgniteInternalFuture<Void> setDefaultValu
             }
         };
     }
+
+    /**
+     * Creates and registers distributed properties to enable connection by type.
+     * @param subscriptionProcessor Processor to register properties.
+     * @param log Logger to log default values.
+     * @param types Connection types.
+     * @return Detached distributed property.
+     */
+    public static List<DistributedBooleanProperty> newConnectionEnabledProperty(
+        GridInternalSubscriptionProcessor subscriptionProcessor,
+        IgniteLogger log,
+        String... types
+    ) {
+        List<DistributedBooleanProperty> props = Arrays.stream(types).map(type -> DistributedBooleanProperty.detachedBooleanProperty(
+            "new" + type + "ConnectionsEnabled",
+            "If true then new " + type.toUpperCase() + " connections allowed."
+        )).collect(Collectors.toList());
+
+        subscriptionProcessor.registerDistributedConfigurationListener(new DistributedConfigurationLifecycleListener() {
+            @Override public void onReadyToRegister(DistributedPropertyDispatcher dispatcher) {
+                props.forEach(p -> {
+                    if (dispatcher.property(p.getName()) != null)
+                        return;
+
+                    dispatcher.registerProperty(p);
+                });
+            }
+
+            @Override public void onReadyToWrite() {
+                props.forEach(prop -> setDefaultValue(prop, true, log));
+            }
+        });
+
+        return props;
+    }
 }
@@ -24,6 +24,8 @@
 import org.apache.ignite.internal.util.nio.GridNioSession;
 import org.jetbrains.annotations.Nullable;
 
+import static org.apache.ignite.internal.processors.odbc.ClientListenerNioListener.MANAGEMENT_CLIENT_ATTR;
+
 /**
  * SQL listener connection context.
  */
@@ -88,4 +90,11 @@ void initializeFromHandshake(GridNioSession ses, ClientListenerProtocolVersion v
      * Connection attributes.
      */
     Map<String, String> attributes();
+
+    /**
+     * @return {@code True} if client is management.
+     */
+    default boolean managementClient() {
+        return Boolean.parseBoolean(attributes().get(MANAGEMENT_CLIENT_ATTR));
+    }
 }
@@ -19,6 +19,7 @@
 
 import java.io.Closeable;
 import java.util.concurrent.atomic.AtomicInteger;
+import java.util.function.Predicate;
 import org.apache.ignite.IgniteCheckedException;
 import org.apache.ignite.IgniteLogger;
 import org.apache.ignite.configuration.ClientConnectorConfiguration;
@@ -47,8 +48,11 @@
 import org.apache.ignite.internal.util.nio.GridNioSession;
 import org.apache.ignite.internal.util.nio.GridNioSessionMetaKey;
 import org.apache.ignite.internal.util.typedef.internal.U;
+import org.apache.ignite.plugin.security.SecurityException;
+import org.apache.ignite.plugin.security.SecurityPermission;
 import org.jetbrains.annotations.Nullable;
 
+import static org.apache.ignite.internal.cluster.DistributedConfigurationUtils.CONN_DISABLED_BY_ADMIN_ERR_MSG;
 import static org.apache.ignite.internal.processors.odbc.ClientListenerMetrics.clientTypeLabel;
 
 /**
@@ -103,19 +107,31 @@ public class ClientListenerNioListener extends GridNioServerListenerAdapter<Clie
     /** Metrics. */
     private final ClientListenerMetrics metrics;
 
+    /**
+     * If return {@code true} then specifi protocol connections enabled.
+     * Predicate checks distributed property value.
+     *
+     * @see ClientListenerNioListener#ODBC_CLIENT
+     * @see ClientListenerNioListener#JDBC_CLIENT
+     * @see ClientListenerNioListener#THIN_CLIENT
+     */
+    private final Predicate<Byte> newConnEnabled;
+
     /**
      * Constructor.
      *
      * @param ctx Context.
      * @param busyLock Shutdown busy lock.
      * @param cliConnCfg Client connector configuration.
      * @param metrics Client listener metrics.
+     * @param newConnEnabled Predicate to check if connection of specified type enabled.
      */
     public ClientListenerNioListener(
         GridKernalContext ctx,
         GridSpinBusyLock busyLock,
         ClientConnectorConfiguration cliConnCfg,
-        ClientListenerMetrics metrics
+        ClientListenerMetrics metrics,
+        Predicate<Byte> newConnEnabled
     ) {
         assert cliConnCfg != null;
 
@@ -126,10 +142,12 @@ public ClientListenerNioListener(
         maxCursors = cliConnCfg.getMaxOpenCursorsPerConnection();
         log = ctx.log(getClass());
 
-        thinCfg = cliConnCfg.getThinClientConfiguration() == null ? new ThinClientConfiguration()
+        thinCfg = cliConnCfg.getThinClientConfiguration() == null
+            ? new ThinClientConfiguration()
             : new ThinClientConfiguration(cliConnCfg.getThinClientConfiguration());
 
         this.metrics = metrics;
+        this.newConnEnabled = newConnEnabled;
     }
 
     /** {@inheritDoc} */
@@ -380,8 +398,7 @@ private void onHandshake(GridNioSession ses, ClientMessage msg) {
             if (connCtx.isVersionSupported(ver)) {
                 connCtx.initializeFromHandshake(ses, ver, reader);
 
-                if (nodeInRecoveryMode() && !Boolean.parseBoolean(connCtx.attributes().get(MANAGEMENT_CLIENT_ATTR)))
-                    throw new ClientConnectionNodeRecoveryException("Node in recovery mode.");
+                ensureConnectionAllowed(connCtx);
 
                 ses.addMeta(CONN_CTX_META_KEY, connCtx);
             }
@@ -534,4 +551,40 @@ private void ensureClientPermissions(byte clientType) throws IgniteCheckedExcept
                 throw new IgniteCheckedException("Unknown client type: " + clientType);
         }
     }
+
+    /**
+     * Ensures if the client are allowed to connect.
+     *
+     * @param connCtx Connection context.
+     * @throws IgniteCheckedException If failed.
+     */
+    private void ensureConnectionAllowed(ClientListenerConnectionContext connCtx) throws IgniteCheckedException {
+        boolean isControlUtility = connCtx.clientType() == THIN_CLIENT && connCtx.managementClient();
+
+        if (nodeInRecoveryMode()) {
+            if (!isControlUtility)
+                throw new ClientConnectionNodeRecoveryException("Node in recovery mode.");
+
+            return;
+        }
+
+        // If security enabled then only admin allowed to connect as management.
+        if (isControlUtility) {
+            if (connCtx.securityContext() != null) {
+                try (OperationSecurityContext ignored = ctx.security().withContext(connCtx.securityContext())) {
+                    ctx.security().authorize(SecurityPermission.ADMIN_OPS);
+                }
+                catch (SecurityException e) {
+                    throw new IgniteAccessControlException("ADMIN_OPS permission required");
+                }
+            }
+
+            // Allow to connect control utility even if connection disabled.
+            // Must provide a way to invoke commands.
+            return;
+        }
+
+        if (!newConnEnabled.test(connCtx.clientType()))
+            throw new IgniteAccessControlException(CONN_DISABLED_BY_ADMIN_ERR_MSG);
+    }
 }
@@ -23,11 +23,13 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.function.Function;
+import java.util.function.Predicate;
 import javax.cache.configuration.Factory;
 import javax.management.JMException;
 import javax.management.ObjectName;
@@ -42,6 +44,7 @@
 import org.apache.ignite.internal.managers.systemview.walker.ClientConnectionAttributeViewWalker;
 import org.apache.ignite.internal.managers.systemview.walker.ClientConnectionViewWalker;
 import org.apache.ignite.internal.processors.GridProcessorAdapter;
+import org.apache.ignite.internal.processors.configuration.distributed.DistributedBooleanProperty;
 import org.apache.ignite.internal.processors.configuration.distributed.DistributedThinClientConfiguration;
 import org.apache.ignite.internal.processors.metric.MetricRegistryImpl;
 import org.apache.ignite.internal.processors.odbc.jdbc.JdbcConnectionContext;
@@ -66,11 +69,15 @@
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
 
+import static org.apache.ignite.internal.cluster.DistributedConfigurationUtils.newConnectionEnabledProperty;
 import static org.apache.ignite.internal.processors.metric.GridMetricManager.CLIENT_CONNECTOR_METRICS;
 import static org.apache.ignite.internal.processors.metric.impl.MetricUtils.metricName;
 import static org.apache.ignite.internal.processors.odbc.ClientListenerMetrics.clientTypeLabel;
 import static org.apache.ignite.internal.processors.odbc.ClientListenerNioListener.CLI_TYPES;
 import static org.apache.ignite.internal.processors.odbc.ClientListenerNioListener.CONN_CTX_META_KEY;
+import static org.apache.ignite.internal.processors.odbc.ClientListenerNioListener.JDBC_CLIENT;
+import static org.apache.ignite.internal.processors.odbc.ClientListenerNioListener.ODBC_CLIENT;
+import static org.apache.ignite.internal.processors.odbc.ClientListenerNioListener.THIN_CLIENT;
 
 /**
  * Client connector processor.
@@ -177,12 +184,14 @@ public ClientListenerProcessor(GridKernalContext ctx) {
                         ? this::onOutboundMessageOffered
                         : null;
 
+                Predicate<Byte> newConnEnabled = connectionEnabledPredicate();
+
                 for (int port = cliConnCfg.getPort(); port <= portTo && port <= 65535; port++) {
                     try {
                         srv = GridNioServer.<ClientMessage>builder()
                             .address(hostAddr)
                             .port(port)
-                            .listener(new ClientListenerNioListener(ctx, busyLock, cliConnCfg, metrics))
+                            .listener(new ClientListenerNioListener(ctx, busyLock, cliConnCfg, metrics, newConnEnabled))
                             .logger(log)
                             .selectorCount(selectorCnt)
                             .igniteInstanceName(ctx.igniteInstanceName())
@@ -248,6 +257,35 @@ public ClientListenerProcessor(GridKernalContext ctx) {
         }
     }
 
+    /**
+     * @return Predicate to check is connection for specific client type enabled.
+     * @see ClientListenerNioListener#ODBC_CLIENT
+     * @see ClientListenerNioListener#JDBC_CLIENT
+     * @see ClientListenerNioListener#THIN_CLIENT
+     */
+    private Predicate<Byte> connectionEnabledPredicate() {
+        Map<Byte, DistributedBooleanProperty> connEnabledMap = new HashMap<>();
+
+        List<DistributedBooleanProperty> props = newConnectionEnabledProperty(
+            ctx.internalSubscriptionProcessor(),
+            log,
+            "Odbc",
+            "Jdbc",
+            "Thin"
+        );
+
+        connEnabledMap.put(ODBC_CLIENT, props.get(0));
+        connEnabledMap.put(JDBC_CLIENT, props.get(1));
+        connEnabledMap.put(THIN_CLIENT, props.get(2));
+
+        return type -> {
+            assert type != null : "Connection type is null";
+            assert connEnabledMap.containsKey(type) : "Unknown connection type: " + type;
+
+            return connEnabledMap.get(type).getOrDefault(true);
+        };
+    }
+
     /** */
     private Iterable<ClientConnectionAttributeView> connectionAttributeViewSupplier(Map<String, Object> filter) {
         Long connId = (Long)filter.get(ClientConnectionAttributeViewWalker.CONNECTION_ID_FILTER);