alternator: add extracting key from system_auth.roles

As a first step towards coupling alternator authorization with Scylla authorization, a helper function for extracting the key (salted_hash) belonging to the user is added.
2026-05-29 11:10:40 +00:00 · 2019-10-16 09:36:14 +02:00
parent dfac542466
commit dc310baa2d
2 changed files with 31 additions and 0 deletions
--- a/alternator/auth.cc
+++ b/alternator/auth.cc
@@ -29,6 +29,11 @@
 #include "bytes.hh"
 #include "alternator/auth.hh"
 #include <fmt/format.h>
+#include "auth/common.hh"
+#include "auth/password_authenticator.hh"
+#include "auth/roles-metadata.hh"
+#include "cql3/query_processor.hh"
+#include "cql3/untyped_result_set.hh"

 namespace alternator {

@@ -85,4 +90,24 @@ std::string get_signature(std::string_view access_key_id, std::string_view secre
    return to_hex(bytes_view(reinterpret_cast<const int8_t*>(signature.data()), signature.size()));
 }

+future<std::string> get_key_from_roles(cql3::query_processor& qp, std::string username) {
+    static const sstring query = format("SELECT salted_hash FROM {} WHERE {} = ?",
+            auth::meta::roles_table::qualified_name(), auth::meta::roles_table::role_col_name);
+
+    auto cl = auth::password_authenticator::consistency_for_user(username);
+    auto timeout = auth::internal_distributed_timeout_config();
+    return qp.process(query, cl, timeout, {sstring(username)}, true).then_wrapped([username = std::move(username)] (future<::shared_ptr<cql3::untyped_result_set>> f) {
+        auto res = f.get0();
+        auto salted_hash = std::optional<sstring>();
+        if (res->empty()) {
+            throw api_error("UnrecognizedClientException", fmt::format("User not found: {}", username));
+        }
+        salted_hash = res->one().get_opt<sstring>("salted_hash");
+        if (!salted_hash) {
+            throw api_error("UnrecognizedClientException", fmt::format("No password found for user: {}", username));
+        }
+        return make_ready_future<std::string>(*salted_hash);
+    });
+}
+
 }
--- a/alternator/auth.hh
+++ b/alternator/auth.hh
@@ -25,6 +25,10 @@
 #include <string_view>
 #include <array>

+namespace cql3 {
+class query_processor;
+}
+
 namespace alternator {

 using hmac_sha256_digest = std::array<char, 32>;
@@ -32,4 +36,6 @@ using hmac_sha256_digest = std::array<char, 32>;
 std::string get_signature(std::string_view access_key_id, std::string_view secret_access_key, std::string_view host, std::string_view method, std::string_view signed_headers_str,
        const std::map<std::string_view, std::string_view>& signed_headers_map, std::string_view body_content, std::string_view region, std::string_view service, std::string_view query_string);

+future<std::string> get_key_from_roles(cql3::query_processor& qp, std::string username);
+
 }