From 7008b71acca4de80e54233af481fea6efafd2a4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Zakrzewski?=
Date: Fri, 4 Oct 2024 14:42:11 +0200
Subject: [PATCH] auth: standard_role_manager allows awaiting superuser creation

This change implements the ability to await superuser creation in the function ensure_superuser_is_created(). This means that Scylla will not be serving CQL connections until the superuser is created.

Fixes #10481
---
 auth/standard_role_manager.cc | 43 +++++++++++++++++++----------------
 auth/standard_role_manager.hh | 1 +
 2 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/auth/standard_role_manager.cc b/auth/standard_role_manager.cc
index 69e08e2d60..ffd9f5fe6a 100644
--- a/auth/standard_role_manager.cc
+++ b/auth/standard_role_manager.cc
@@ -249,26 +249,28 @@ future<> standard_role_manager::start() {
 }
 auto handler = [this] () -> future<> {
- try {
- if (legacy_mode(_qp)) {
- co_await _migration_manager.wait_for_schema_agreement(_qp.db().real_database(), db::timeout_clock::time_point::max(), &_as);
-
- if (co_await any_nondefault_role_row_satisfies(_qp, &has_can_login)) {
- if (legacy_metadata_exists()) {
- log.warn("Ignoring legacy user metadata since nondefault roles already exist.");
- }
- co_return;
- }
-
- if (legacy_metadata_exists()) {
- co_await migrate_legacy_metadata();
- co_return;
- }
+ const bool legacy = legacy_mode(_qp);
+ if (legacy) {
+ if (!_superuser_created_promise.available()) {
+ _superuser_created_promise.set_value();
 }
- co_await create_default_role_if_missing();
- } catch (...) {
- log.error("Failed to create default role: unknown error");
- throw;
+ co_await _migration_manager.wait_for_schema_agreement(_qp.db().real_database(), db::timeout_clock::time_point::max(), &_as);
+
+ if (co_await any_nondefault_role_row_satisfies(_qp, &has_can_login)) {
+ if (legacy_metadata_exists()) {
+ log.warn("Ignoring legacy user metadata since nondefault roles already exist.");
+ }
+ co_return;
+ }
+
+ if (legacy_metadata_exists()) {
+ co_await migrate_legacy_metadata();
+ co_return;
+ }
+ }
+ co_await create_default_role_if_missing();
+ if (!legacy) {
+ _superuser_created_promise.set_value();
 }
 };
@@ -283,7 +285,8 @@ future<> standard_role_manager::stop() {
 }
 future<> standard_role_manager::ensure_superuser_is_created() {
- co_return;
+ SCYLLA_ASSERT(this_shard_id() == 0);
+ return _superuser_created_promise.get_shared_future();
 }
 future<> standard_role_manager::create_or_replace(std::string_view role_name, const role_config& c, ::service::group0_batch& mc) {
diff --git a/auth/standard_role_manager.hh b/auth/standard_role_manager.hh
index 7cff5f569e..17ff4b3e5a 100644
--- a/auth/standard_role_manager.hh
+++ b/auth/standard_role_manager.hh
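Review bot: In the non-legacy path `_superuser_created_promise` is resolved only after `create_default_role_if_missing()` returns, so an exception from that call leaves callers of `ensure_superuser_is_created()` waiting, and the removed `try`/`catch` was the only place in this lambda that logged the failure. Whether the handler is retried is not visible here, since the lambda is invoked after the hunk ends; if it is not, the failure should reach the waiters, e.g. `_superuser_created_promise.set_exception(std::current_exception());` before rethrowing, and in either case the `log.error("Failed to create default role: unknown error");` line is worth keeping so an operator can see why CQL is not being served. The legacy branch resolves the promise before any role has been checked or created, so on legacy clusters CQL can be served before a superuser exists, which is narrower than the commit message states; a comment on that `set_value()` explaining why legacy mode is exempt would make the exception deliberate. The final `set_value()` also lacks the `available()` guard used in the legacy branch.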
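Review bot: `ensure_superuser_is_created()` now aborts the process through `SCYLLA_ASSERT` when called off shard 0 and returns a future obtained without a timeout, and neither contract is documented. A comment above the definition would cover it: `// Must be called on shard 0. Resolves once the default superuser exists (immediately in legacy mode); no timeout is applied.` The same applies to the new `_superuser_created_promise` member in standard_role_manager.hh, which presumably is only ever resolved on shard 0; confirm and say so next to the declaration. It is also worth confirming that `stop()` (body outside this hunk) fails or resolves the promise, so a shutdown during startup does not leave a waiter pending.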
@@ -38,6 +38,7 @@ class standard_role_manager final : public role_manager {
 future<> _stopped;
 abort_source _as;
 std::string _superuser;
+ shared_promise<> _superuser_created_promise;
 public:
 standard_role_manager(cql3::query_processor&, ::service::raft_group0_client&, ::service::migration_manager&);