IGNITE-12843 Don't send statically configured encrypted cache on join.

Author: xtern

modules/core/src/main/java/org/apache/ignite/internal/managers/encryption/GridEncryptionManager.java

@@ -54,7 +54,6 @@
 import org.apache.ignite.internal.processors.cache.persistence.metastorage.ReadOnlyMetastorage;
 import org.apache.ignite.internal.processors.cache.persistence.metastorage.ReadWriteMetastorage;
 import org.apache.ignite.internal.processors.cluster.IgniteChangeGlobalStateSupport;
-import org.apache.ignite.internal.util.GridConcurrentHashSet;
 import org.apache.ignite.internal.util.distributed.DistributedProcess;
 import org.apache.ignite.internal.util.future.GridFinishedFuture;
 import org.apache.ignite.internal.util.future.GridFutureAdapter;
@@ -164,9 +163,6 @@ public class GridEncryptionManager extends GridManagerAdapter<EncryptionSpi> imp
     /** Group encryption keys. */
     private final ConcurrentHashMap<Integer, Serializable> grpEncKeys = new ConcurrentHashMap<>();
 
-    /** Cache groups for which the key has been generated (updates on client node). */
-    private final Set<Integer> readyToStartOnClientGrps = new GridConcurrentHashSet<>();
-
     /** Pending generate encryption key futures. */
     private ConcurrentMap<IgniteUuid, GenerateEncryptionKeyFuture> genEncKeyFuts = new ConcurrentHashMap<>();
 
@@ -465,14 +461,8 @@ public void onLocalJoin() {
     @Override public void onJoiningNodeDataReceived(JoiningNodeDiscoveryData data) {
         NodeEncryptionKeys nodeEncryptionKeys = (NodeEncryptionKeys)data.joiningNodeData();
 
-        if (nodeEncryptionKeys == null || nodeEncryptionKeys.newKeys == null)
-            return;
-
-        if (ctx.clientNode()) {
-            readyToStartOnClientGrps.addAll(nodeEncryptionKeys.newKeys.keySet());
-
+        if (nodeEncryptionKeys == null || nodeEncryptionKeys.newKeys == null || ctx.clientNode())
             return;
-        }
 
         for (Map.Entry<Integer, byte[]> entry : nodeEncryptionKeys.newKeys.entrySet()) {
             if (groupKey(entry.getKey()) == null) {
@@ -514,16 +504,13 @@ else if (newKeys != null) {
 
     /** {@inheritDoc} */
     @Override public void onGridDataReceived(GridDiscoveryData data) {
-        Map<Integer, byte[]> encKeysFromCluster = (Map<Integer, byte[]>)data.commonData();
-
-        if (F.isEmpty(encKeysFromCluster))
+        if (ctx.clientNode())
             return;
 
-        if (ctx.clientNode()) {
-            readyToStartOnClientGrps.addAll(encKeysFromCluster.keySet());
+        Map<Integer, byte[]> encKeysFromCluster = (Map<Integer, byte[]>)data.commonData();
 
+        if (F.isEmpty(encKeysFromCluster))
             return;
-        }
 
         for (Map.Entry<Integer, byte[]> entry : encKeysFromCluster.entrySet()) {
             if (groupKey(entry.getKey()) == null) {
@@ -538,17 +525,6 @@ else if (newKeys != null) {
         }
     }
 
-    /**
-     * @param grpId Cache group ID.
-     * @return {@code True} if for specified cache group encryption key has been generated.
-     */
-    public boolean hasEncryptionKeyForGroup(int grpId) {
-        if (ctx.clientNode())
-            return readyToStartOnClientGrps.contains(grpId);
-
-        return groupKey(grpId) != null;
-    }
-
     /**
      * Returns group encryption key.
      *

modules/core/src/main/java/org/apache/ignite/internal/processors/cache/ClusterCachesInfo.java

@@ -1405,6 +1405,15 @@ public void validateNoNewCachesWithNewFormat(CacheNodeCommonDiscoveryData cluste
             }
         }
 
+        for (CacheConfiguration<?, ?> cfg : ctx.config().getCacheConfiguration()) {
+            if (!cfg.isEncryptionEnabled() || registeredCaches.containsKey(cfg.getName()))
+                continue;
+
+            log.warning("Encrypted cache statically configured on a client node " +
+                "cannot be started when the node joining to the cluster, it will " +
+                "start dynamically after the node will be joined [cacheName=" + cfg.getName() + ']');
+        }
+
         return conflictErr;
     }
 
@@ -2003,12 +2012,6 @@ private String processJoiningNode(CacheJoinNodeDiscoveryData joinData, UUID node
             if (!registeredCaches.containsKey(cfg.getName())) {
                 String conflictErr = checkCacheConflict(cfg);
 
-                if (conflictErr == null && !locJoin && cfg.isEncryptionEnabled() &&
-                    !ctx.encryption().hasEncryptionKeyForGroup(CU.cacheGroupId(cfg.getName(), cfg.getGroupName()))) {
-                    conflictErr = "Encryption key for the cache cannot be generated on the client node, this node " +
-                        "will dynamically start this cache after join to topology [cacheName=" + cfg.getName() + ']';
-                }
-
                 if (conflictErr != null) {
                     if (locJoin)
                         return conflictErr;

modules/core/src/main/java/org/apache/ignite/internal/processors/cache/GridLocalConfigManager.java

@@ -159,6 +159,11 @@ private void restoreCaches(
         CacheConfiguration[] cfgs = config.getCacheConfiguration();
 
         for (int i = 0; i < cfgs.length; i++) {
+            // Encrypted cache statically configured on a client node cannot be started when the node joining
+            // to the cluster, it will start dynamically after the node will be joined.
+            if (cfgs[i].isEncryptionEnabled() && ctx.clientNode())
+                continue;
+
             CacheConfiguration<?, ?> cfg = new CacheConfiguration(cfgs[i]);
 
             // Replace original configuration value.

modules/core/src/test/java/org/apache/ignite/internal/encryption/EncryptedCacheNodeJoinTest.java

@@ -241,18 +241,7 @@ public void testClientNodeJoinWithStaticCacheConfig() throws Exception {
     /** */
     @Test
     public void testClientNodeJoinWithNewStaticCacheConfig() throws Exception {
-        listeningLog = new ListeningTestLogger(log);
-
-        LogListener lsnr = LogListener.matches(s -> s.contains("Ignore cache received from joining node. " +
-            "Encryption key for the cache cannot be generated on the client node, this node will dynamically start " +
-            "this cache after join to topology [cacheName=" + cacheName() + ']')).times(3).build();
-
-        listeningLog.registerListener(lsnr);
-
         checkNodeJoinWithNewStaticCacheConfig(true);
-
-        // An encrypted cache statically defined on the client must be dynamically started.
-        assertTrue(lsnr.check());
     }
 
     /** */
@@ -265,6 +254,14 @@ public void testServerNodeJoinWithNewStaticCacheConfig() throws Exception {
      * @param client {@code True} to test client node join, {@code False} to test server node join.
      */
     public void checkNodeJoinWithNewStaticCacheConfig(boolean client) throws Exception {
+        listeningLog = new ListeningTestLogger(log);
+
+        LogListener lsnr = LogListener.matches(s -> s.contains("Encrypted cache statically configured on a client " +
+            "node cannot be started when the node joining to the cluster, it will start dynamically after the node " +
+            "will be joined [cacheName=" + cacheName() + ']')).times(client ? 1 : 0).build();
+
+        listeningLog.registerListener(lsnr);
+
         startGrid(GRID_0);
         startGrid(GRID_3);
 
@@ -299,6 +296,9 @@ public void checkNodeJoinWithNewStaticCacheConfig(boolean client) throws Excepti
         }
 
         checkEncryptedCaches(node, grid(GRID_0));
+
+        // An encrypted cache statically defined on the client must be dynamically started.
+        assertTrue(lsnr.check());
     }
 
     /** */