IGNITE-18819 Added cluster state change permission (apache#10558)

modules/clients/src/test/java/org/apache/ignite/jdbc/JdbcAuthorizationTest.java

@@ -38,6 +38,7 @@
 import static org.apache.ignite.cache.CacheMode.REPLICATED;
 import static org.apache.ignite.cluster.ClusterState.ACTIVE;
 import static org.apache.ignite.internal.util.IgniteUtils.resolveIgnitePath;
+import static org.apache.ignite.plugin.security.SecurityPermission.ADMIN_CLUSTER_STATE;
 import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_CREATE;
 import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_DESTROY;
 import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_PUT;
@@ -377,7 +378,7 @@ private SecurityPermissionSet systemPermissions(SecurityPermission... perms) {
     private SecurityPermissionSet serverPermissions() {
         return create()
             .defaultAllowAll(false)
-            .appendSystemPermissions(CACHE_CREATE, JOIN_AS_SERVER)
+            .appendSystemPermissions(CACHE_CREATE, JOIN_AS_SERVER, ADMIN_CLUSTER_STATE)
             .build();
     }
 

modules/core/src/main/java/org/apache/ignite/internal/processors/cluster/GridClusterStateProcessor.java

@@ -94,6 +94,7 @@
 import org.apache.ignite.lang.IgniteProductVersion;
 import org.apache.ignite.lang.IgniteUuid;
 import org.apache.ignite.marshaller.jdk.JdkMarshaller;
+import org.apache.ignite.plugin.security.SecurityPermission;
 import org.apache.ignite.spi.IgniteNodeValidationResult;
 import org.apache.ignite.spi.discovery.DiscoveryDataBag;
 import org.apache.ignite.spi.systemview.view.BaselineNodeAttributeView;
@@ -1106,6 +1107,8 @@ public IgniteInternalFuture<?> changeGlobalState(
         boolean forceChangeBaselineTopology,
         boolean isAutoAdjust
     ) {
+        ctx.security().authorize(SecurityPermission.ADMIN_CLUSTER_STATE);
+
         if (ctx.maintenanceRegistry().isMaintenanceMode()) {
             return new GridFinishedFuture<>(
                 new IgniteCheckedException("Failed to " + prettyStr(state) + " (node is in maintenance mode).")

modules/core/src/main/java/org/apache/ignite/internal/processors/rest/GridRestProcessor.java

@@ -916,14 +916,9 @@ private void authorize(GridRestRequest req) throws SecurityException {
 
                 break;
 
-            case CLUSTER_ACTIVE:
-            case CLUSTER_INACTIVE:
-            case CLUSTER_ACTIVATE:
-            case CLUSTER_DEACTIVATE:
             case BASELINE_SET:
             case BASELINE_ADD:
             case BASELINE_REMOVE:
-            case CLUSTER_SET_STATE:
                 perm = SecurityPermission.ADMIN_OPS;
 
                 break;
@@ -943,6 +938,11 @@ private void authorize(GridRestRequest req) throws SecurityException {
             case NAME:
             case LOG:
             case CLUSTER_CURRENT_STATE:
+            case CLUSTER_ACTIVE:
+            case CLUSTER_INACTIVE:
+            case CLUSTER_ACTIVATE:
+            case CLUSTER_DEACTIVATE:
+            case CLUSTER_SET_STATE:
             case CLUSTER_NAME:
             case BASELINE_CURRENT_STATE:
             case CLUSTER_STATE:

modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java

@@ -17,6 +17,7 @@
 
 package org.apache.ignite.plugin.security;
 
+import org.apache.ignite.cluster.ClusterState;
 import org.jetbrains.annotations.Nullable;
 
 /**
@@ -90,6 +91,13 @@ public enum SecurityPermission {
     /** Administration operation with cluster snapshots (create, cancel, check). */
     ADMIN_SNAPSHOT,
 
+    /**
+     * Administration operation: changing cluster state.
+     *
+     * @see ClusterState
+     */
+    ADMIN_CLUSTER_STATE,
+
     /** Permission to execute REFRESH STATISTICS command. */
     REFRESH_STATISTICS,
 

modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/CommonSecurityCheckTest.java

@@ -44,6 +44,7 @@
 import org.junit.runners.JUnit4;
 
 import static org.apache.ignite.internal.processors.security.impl.TestAdditionalSecurityProcessor.CLIENT;
+import static org.apache.ignite.plugin.security.SecurityPermission.ADMIN_CLUSTER_STATE;
 import static org.apache.ignite.plugin.security.SecurityPermission.ADMIN_OPS;
 import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_CREATE;
 import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALL_PERMISSIONS;
@@ -72,7 +73,7 @@ public abstract class CommonSecurityCheckTest extends AbstractSecurityTest {
     protected TestSecurityData[] clientData() {
         return new TestSecurityData[]{new TestSecurityData(CLIENT,
             SecurityPermissionSetBuilder.create().defaultAllowAll(false)
-                .appendSystemPermissions(ADMIN_OPS, CACHE_CREATE)
+                .appendSystemPermissions(ADMIN_OPS, CACHE_CREATE, ADMIN_CLUSTER_STATE)
                 .build()
         )};
     }