github: bug_report.yml: Improve bug report template structure

V1: Perform a yaml "face lift" on the old bug report md template, making bug reporting more efficient.

Add dedicated textarea fields for problem description and expected behavior
Include pre-filled placeholders to guide issue reporting
Add formatted log output section with shell syntax highlighting

V2: updated the contact details of scylla and performed some code cleanup.

.clang-format

@@ -0,0 +1,209 @@
+---
+Language: Cpp
+AccessModifierOffset: -4
+AlignAfterOpenBracket: DontAlign
+AlignArrayOfStructures: None
+AlignConsecutiveAssignments:
+  Enabled: false
+  AcrossEmptyLines: false
+  AcrossComments: false
+  AlignCompound: false
+  PadOperators: true
+AlignConsecutiveBitFields:
+  Enabled: false
+  AcrossEmptyLines: false
+  AcrossComments: false
+  AlignCompound: false
+  PadOperators: false
+AlignConsecutiveDeclarations:
+  Enabled: false
+  AcrossEmptyLines: false
+  AcrossComments: false
+  AlignCompound: false
+  PadOperators: false
+AlignConsecutiveMacros:
+  Enabled: false
+  AcrossEmptyLines: false
+  AcrossComments: false
+  AlignCompound: false
+  PadOperators: false
+AlignConsecutiveShortCaseStatements:
+  Enabled: false
+  AcrossEmptyLines: false
+  AcrossComments: false
+  AlignCaseColons: false
+AlignEscapedNewlines: Right
+AlignOperands: Align
+AlignTrailingComments:
+  Kind: Always
+  OverEmptyLines: 0
+AllowAllArgumentsOnNextLine: true
+AllowAllParametersOfDeclarationOnNextLine: true
+AllowShortBlocksOnASingleLine: Never
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortEnumsOnASingleLine: true
+AllowShortFunctionsOnASingleLine: None
+AllowShortIfStatementsOnASingleLine: Never
+AllowShortLambdasOnASingleLine: Empty
+AllowShortLoopsOnASingleLine: false
+AlwaysBreakAfterDefinitionReturnType: None
+AlwaysBreakAfterReturnType: None
+AlwaysBreakBeforeMultilineStrings: false
+AlwaysBreakTemplateDeclarations: Yes
+AttributeMacros:
+  - __capability
+BinPackArguments: true
+BinPackParameters: true
+BitFieldColonSpacing: Both
+BraceWrapping:
+  AfterCaseLabel: false
+  AfterClass: false
+  AfterControlStatement: Never
+  AfterEnum: false
+  AfterExternBlock: false
+  AfterFunction: false
+  AfterNamespace: false
+  AfterObjCDeclaration: false
+  AfterStruct: false
+  AfterUnion: false
+  BeforeCatch: false
+  BeforeElse: false
+  BeforeLambdaBody: false
+  BeforeWhile: false
+  IndentBraces: false
+  SplitEmptyFunction: true
+  SplitEmptyRecord: true
+  SplitEmptyNamespace: true
+BreakAfterAttributes: Never
+BreakAfterJavaFieldAnnotations: false
+BreakArrays: true
+BreakBeforeBinaryOperators: None
+BreakBeforeConceptDeclarations: Always
+BreakBeforeBraces: Attach
+BreakBeforeInlineASMColon: OnlyMultiline
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializers: BeforeComma
+BreakInheritanceList: BeforeColon
+BreakStringLiterals: true
+ColumnLimit: 160
+CommentPragmas: '^ IWYU pragma:'
+CompactNamespaces: false
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 8
+Cpp11BracedListStyle: true
+DerivePointerAlignment: false
+DisableFormat: false
+EmptyLineAfterAccessModifier: Never
+EmptyLineBeforeAccessModifier: LogicalBlock
+ExperimentalAutoDetectBinPacking: false
+FixNamespaceComments: true
+ForEachMacros:
+  - foreach
+  - Q_FOREACH
+  - BOOST_FOREACH
+IfMacros:
+  - KJ_IF_MAYBE
+IndentAccessModifiers: false
+IndentCaseBlocks: false
+IndentCaseLabels: false
+IndentExternBlock: AfterExternBlock
+IndentGotoLabels: true
+IndentPPDirectives: None
+IndentRequiresClause: true
+IndentWidth: 4
+IndentWrappedFunctionNames: false
+InsertBraces: false
+InsertNewlineAtEOF: true
+InsertTrailingCommas: None
+IntegerLiteralSeparator:
+  Binary: 0
+  BinaryMinDigits: 0
+  Decimal: 0
+  DecimalMinDigits: 0
+  Hex: 0
+  HexMinDigits: 0
+JavaScriptQuotes: Leave
+JavaScriptWrapImports: true
+KeepEmptyLinesAtTheStartOfBlocks: true
+KeepEmptyLinesAtEOF: false
+LambdaBodyIndentation: Signature
+LineEnding: DeriveLF
+MacroBlockBegin: ''
+MacroBlockEnd: ''
+MaxEmptyLinesToKeep: 2
+NamespaceIndentation: None
+PackConstructorInitializers: BinPack
+PenaltyBreakAssignment: 2
+PenaltyBreakBeforeFirstCallParameter: 19
+PenaltyBreakComment: 300
+PenaltyBreakFirstLessLess: 120
+PenaltyBreakOpenParenthesis: 0
+PenaltyBreakString: 1000
+PenaltyBreakTemplateDeclaration: 10
+PenaltyExcessCharacter: 1000000
+PenaltyIndentedWhitespace: 0
+PenaltyReturnTypeOnItsOwnLine: 60
+PointerAlignment: Left
+PPIndentWidth: -1
+QualifierAlignment: Leave
+ReferenceAlignment: Pointer
+ReflowComments: true
+RemoveBracesLLVM: false
+RemoveParentheses: Leave
+RemoveSemicolon: false
+RequiresClausePosition: OwnLine
+RequiresExpressionIndentation: OuterScope
+SeparateDefinitionBlocks: Leave
+ShortNamespaceLines: 1
+SortIncludes: Never
+SortJavaStaticImport: Before
+SortUsingDeclarations: Never
+SpaceAfterCStyleCast: false
+SpaceAfterLogicalNot: false
+SpaceAfterTemplateKeyword: true
+SpaceAroundPointerQualifiers: Default
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCaseColon: false
+SpaceBeforeCpp11BracedList: false
+SpaceBeforeCtorInitializerColon: true
+SpaceBeforeInheritanceColon: true
+SpaceBeforeJsonColon: false
+SpaceBeforeParens: ControlStatements
+SpaceBeforeParensOptions:
+  AfterControlStatements: true
+  AfterForeachMacros: true
+  AfterFunctionDefinitionName: false
+  AfterFunctionDeclarationName: false
+  AfterIfMacros: true
+  AfterOverloadedOperator: false
+  AfterRequiresInClause: false
+  AfterRequiresInExpression: false
+  BeforeNonEmptyParentheses: false
+SpaceBeforeRangeBasedForLoopColon: true
+SpaceBeforeSquareBrackets: false
+SpaceInEmptyBlock: false
+SpacesBeforeTrailingComments: 1
+SpacesInAngles: Never
+SpacesInContainerLiterals: true
+SpacesInLineCommentPrefix:
+  Minimum: 1
+  Maximum: -1
+SpacesInParens: Never
+SpacesInParensOptions:
+  InCStyleCasts: false
+  InConditionalStatements: false
+  InEmptyParentheses: false
+  Other: false
+SpacesInSquareBrackets: false
+Standard: Latest
+TabWidth: 8
+UseTab: Never
+VerilogBreakBetweenInstancePorts: true
+WhitespaceSensitiveMacros:
+  - BOOST_PP_STRINGIZE
+  - CF_SWIFT_NAME
+  - NS_SWIFT_NAME
+  - PP_STRINGIZE
+  - STRINGIZE
+...
+

.github/CODEOWNERS

@@ -1,5 +1,5 @@
 # AUTH
-auth/* @elcallio @vladzcloudius
+auth/* @nuivall @ptrsmrn @KrzaQ
 
 # CACHE
 row_cache* @tgrabiec
@@ -7,9 +7,9 @@ row_cache* @tgrabiec
 test/boost/mvcc* @tgrabiec
 
 # CDC
-cdc/* @kbr- @elcallio @piodul @jul-stas
-test/cql/cdc_* @kbr- @elcallio @piodul @jul-stas
-test/boost/cdc_* @kbr- @elcallio @piodul @jul-stas
+cdc/* @kbr-scylla @elcallio @piodul
+test/cql/cdc_* @kbr-scylla @elcallio @piodul
+test/boost/cdc_* @kbr-scylla @elcallio @piodul
 
 # COMMITLOG / BATCHLOG
 db/commitlog/* @elcallio @eliransin
@@ -25,18 +25,18 @@ compaction/* @raphaelsc
 transport/*
 
 # CQL QUERY LANGUAGE
-cql3/* @tgrabiec
+cql3/* @tgrabiec @nuivall @ptrsmrn @KrzaQ
 
 # COUNTERS
-counters* @jul-stas
-tests/counter_test* @jul-stas
+counters* @nuivall @ptrsmrn @KrzaQ
+tests/counter_test* @nuivall @ptrsmrn @KrzaQ
 
 # DOCS
 docs/* @annastuchlik @tzach
-docs/alternator @annastuchlik @tzach @nyh @havaker @nuivall
+docs/alternator @annastuchlik @tzach @nyh @nuivall @ptrsmrn @KrzaQ
 
 # GOSSIP
-gms/* @tgrabiec @asias
+gms/* @tgrabiec @asias @kbr-scylla
 
 # DOCKER
 dist/docker/*
@@ -74,8 +74,8 @@ streaming/* @tgrabiec @asias
 service/storage_service.* @tgrabiec @asias
 
 # ALTERNATOR
-alternator/* @havaker @nuivall
-test/alternator/* @havaker @nuivall
+alternator/* @nyh @nuivall @ptrsmrn @KrzaQ
+test/alternator/* @nyh @nuivall @ptrsmrn @KrzaQ
 
 # HINTED HANDOFF
 db/hints/* @piodul @vladzcloudius @eliransin
@@ -91,11 +91,14 @@ test/boost/mutation_reader_test.cc @denesb
 test/boost/querier_cache_test.cc @denesb
 
 # PYTEST-BASED CQL TESTS
-test/cql-pytest/* @nyh
+test/cqlpy/* @nyh
 
 # RAFT
-raft/* @kbr- @gleb-cloudius @kostja
-test/raft/* @kbr- @gleb-cloudius @kostja
+raft/* @kbr-scylla @gleb-cloudius @kostja
+test/raft/* @kbr-scylla @gleb-cloudius @kostja
 
 # HEAT-WEIGHTED LOAD BALANCING
 db/heat_load_balance.* @nyh @gleb-cloudius
+
+# Tools
+tools/* @denesb

.github/ISSUE_TEMPLATE.md

@@ -1,15 +0,0 @@
-This is Scylla's bug tracker, to be used for reporting bugs only.
-If you have a question about Scylla, and not a bug, please ask it in
-our mailing-list at scylladb-dev@googlegroups.com or in our slack channel.
-
-- [] I have read the disclaimer above, and I am reporting a suspected malfunction in Scylla.
-
-*Installation details*
-Scylla version (or git commit hash):
-Cluster size:
-OS (RHEL/CentOS/Ubuntu/AWS AMI):
-
-*Hardware details (for performance issues)*          Delete if unneeded
-Platform (physical/VM/cloud instance type/docker):
-Hardware: sockets= cores= hyperthreading= memory=
-Disks: (SSD/HDD, count)

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,86 @@
+name: "Report a bug"
+description: "File a bug report."
+title: "[Bug]: "
+type: "bug"
+labels: bug
+body:
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Code of Conduct
+      description: "This is Scylla's bug tracker, to be used for reporting bugs only.
+If you have a question about Scylla, and not a bug, please ask it in
+our forum at https://forum.scylladb.com/ or in our slack channel https://slack.scylladb.com/ "
+      options:
+        - label: I have read the disclaimer above and am reporting a suspected malfunction in Scylla.
+          required: true
+
+  - type: input
+    id: product-version
+    attributes:
+      label: product version
+      description: Scylla version (or git commit hash)
+      placeholder: ex. scylla-6.1.1
+    validations:
+      required: true
+      
+  - type: input
+    id: cluster-size
+    attributes:
+      label: Cluster Size
+    validations:
+      required: true  
+      
+  - type: input
+    id: os
+    attributes:
+      label: OS
+      placeholder: RHEL/CentOS/Ubuntu/AWS AMI
+    validations:
+      required: true
+      
+  - type: textarea
+    id: additional-data
+    attributes:
+      label: Additional Environmental Data
+      #description: 
+      placeholder: Add additional data
+      value: "Platform (physical/VM/cloud instance type/docker):\n
+Hardware: sockets=   cores=   hyperthreading=   memory=\n
+Disks: (SSD/HDD, count)"
+    validations:
+      required: false
+      
+  - type: textarea
+    id: reproducer-steps
+    attributes:
+      label: Reproduction Steps
+      placeholder: Describe how to reproduce the problem
+      value: "The steps to reproduce the problem are:"
+    validations:
+      required: true
+      
+  - type: textarea
+    id: the-problem
+    attributes:
+      label: What is the problem?
+      placeholder: Describe the problem you found
+      value: "The problem is that"
+    validations:
+      required: true
+      
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: Expected behavior?
+      placeholder: Describe what should have happened
+      value: "I expected that "
+    validations:
+      required: true
+      
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
+      render: shell

.github/dependabot.yml

@@ -0,0 +1,9 @@
+version: 2
+updates:
+- package-ecosystem: "pip"
+  directory: "/docs"
+  schedule:
+    interval: "daily"
+  allow:
+  - dependency-name: "sphinx-scylladb-theme"
+  - dependency-name: "sphinx-multiversion-scylla"

.github/mergify.yml

@@ -15,7 +15,7 @@ pull_request_rules:
         - closed
     actions:
       delete_head_branch:
-  - name: Automate backport pull request 5.2
+  - name: Automate backport pull request 6.2
     conditions:
       - or:
         - closed
@@ -23,36 +23,11 @@ pull_request_rules:
       - or:
           - base=master
           - base=next
-      - label=backport/5.2 # The PR must have this label to trigger the backport
+      - label=backport/6.2 # The PR must have this label to trigger the backport
       - label=promoted-to-master
     actions:
       copy:
-        title: "[Backport 5.2] {{ title }}"
-        body: |
-          {{ body }}
-
-          {% for c in commits %}
-          (cherry picked from commit {{ c.sha }})
-          {% endfor %}
-
-           Refs #{{number}}
-        branches:
-          - branch-5.2
-        assignees:
-          - "{{ author }}"
-  - name: Automate backport pull request 5.4
-    conditions:
-      - or:
-        - closed
-        - merged
-      - or:
-          - base=master
-          - base=next
-      - label=backport/5.4 # The PR must have this label to trigger the backport
-      - label=promoted-to-master
-    actions:
-      copy:
-        title: "[Backport 5.4] {{ title }}"
+        title: "[Backport 6.2] {{ title }}"
         body: |
           {{ body }}
 
@@ -62,7 +37,32 @@ pull_request_rules:
 
           Refs #{{number}}
         branches:
-          - branch-5.4
+          - branch-6.2
+        assignees:
+          - "{{ author }}"
+  - name: Automate backport pull request 6.1
+    conditions:
+      - or:
+        - closed
+        - merged
+      - or:
+          - base=master
+          - base=next
+      - label=backport/6.1 # The PR must have this label to trigger the backport
+      - label=promoted-to-master
+    actions:
+      copy:
+        title: "[Backport 6.1] {{ title }}"
+        body: |
+          {{ body }}
+
+          {% for c in commits %}
+          (cherry picked from commit {{ c.sha }})
+          {% endfor %}
+
+           Refs #{{number}}
+        branches:
+          - branch-6.1
         assignees:
           - "{{ author }}"
   - name: Automate backport pull request 6.0

.github/scripts/auto-backport.py

@@ -0,0 +1,181 @@
+#!/usr/bin/env python3
+
+import argparse
+import os
+import re
+import sys
+import tempfile
+import logging
+
+from github import Github, GithubException
+from git import Repo, GitCommandError
+
+logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
+try:
+    github_token = os.environ["GITHUB_TOKEN"]
+except KeyError:
+    print("Please set the 'GITHUB_TOKEN' environment variable")
+    sys.exit(1)
+
+
+def is_pull_request():
+    return '--pull-request' in sys.argv[1:]
+
+
+def parse_args():
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--repo', type=str, required=True, help='Github repository name')
+    parser.add_argument('--base-branch', type=str, default='refs/heads/master', help='Base branch')
+    parser.add_argument('--commits', default=None, type=str, help='Range of promoted commits.')
+    parser.add_argument('--pull-request', type=int, help='Pull request number to be backported')
+    parser.add_argument('--head-commit', type=str, required=is_pull_request(), help='The HEAD of target branch after the pull request specified by --pull-request is merged')
+    return parser.parse_args()
+
+
+def create_pull_request(repo, new_branch_name, base_branch_name, pr, backport_pr_title, commits, is_draft=False):
+    pr_body = f'{pr.body}\n\n'
+    for commit in commits:
+        pr_body += f'- (cherry picked from commit {commit})\n\n'
+    pr_body += f'Parent PR: #{pr.number}'
+    try:
+        backport_pr = repo.create_pull(
+            title=backport_pr_title,
+            body=pr_body,
+            head=f'scylladbbot:{new_branch_name}',
+            base=base_branch_name,
+            draft=is_draft
+        )
+        logging.info(f"Pull request created: {backport_pr.html_url}")
+        backport_pr.add_to_assignees(pr.user)
+        logging.info(f"Assigned PR to original author: {pr.user}")
+        return backport_pr
+    except GithubException as e:
+        if 'A pull request already exists' in str(e):
+            logging.warning(f'A pull request already exists for {pr.user}:{new_branch_name}')
+        else:
+            logging.error(f'Failed to create PR: {e}')
+
+
+def get_pr_commits(repo, pr, stable_branch, start_commit=None):
+    commits = []
+    if pr.merged:
+        merge_commit = repo.get_commit(pr.merge_commit_sha)
+        if len(merge_commit.parents) > 1:  # Check if this merge commit includes multiple commits
+            commits.append(pr.merge_commit_sha)
+        else:
+            if start_commit:
+                promoted_commits = repo.compare(start_commit, stable_branch).commits
+            else:
+                promoted_commits = repo.get_commits(sha=stable_branch)
+            for commit in pr.get_commits():
+                for promoted_commit in promoted_commits:
+                    commit_title = commit.commit.message.splitlines()[0]
+                    # In Scylla-pkg and scylla-dtest, for example,
+                    # we don't create a merge commit for a PR with multiple commits,
+                    # according to the GitHub API, the last commit will be the merge commit,
+                    # which is not what we need when backporting (we need all the commits).
+                    # So here, we are validating the correct SHA for each commit so we can cherry-pick
+                    if promoted_commit.commit.message.startswith(commit_title):
+                        commits.append(promoted_commit.sha)
+
+    elif pr.state == 'closed':
+        events = pr.get_issue_events()
+        for event in events:
+            if event.event == 'closed':
+                commits.append(event.commit_id)
+    return commits
+
+
+def create_pr_comment_and_remove_label(pr, comment_body):
+    labels = pr.get_labels()
+    pattern = re.compile(r"backport/\d+\.\d+$")
+    for label in labels:
+        if pattern.match(label.name):
+            print(f"Removing label: {label.name}")
+            comment_body += f'- {label.name}\n'
+            pr.remove_from_labels(label)
+    pr.create_issue_comment(comment_body)
+
+
+def backport(repo, pr, version, commits, backport_base_branch):
+    new_branch_name = f'backport/{pr.number}/to-{version}'
+    backport_pr_title = f'[Backport {version}] {pr.title}'
+    repo_url = f'https://scylladbbot:{github_token}@github.com/{repo.full_name}.git'
+    fork_repo = f'https://scylladbbot:{github_token}@github.com/scylladbbot/{repo.name}.git'
+    with (tempfile.TemporaryDirectory() as local_repo_path):
+        try:
+            repo_local = Repo.clone_from(repo_url, local_repo_path, branch=backport_base_branch)
+            repo_local.git.checkout(b=new_branch_name)
+            is_draft = False
+            for commit in commits:
+                try:
+                    repo_local.git.cherry_pick(commit, '-m1', '-x')
+                except GitCommandError as e:
+                    logging.warning(f'Cherry-pick conflict on commit {commit}: {e}')
+                    is_draft = True
+                    repo_local.git.add(A=True)
+                    repo_local.git.cherry_pick('--continue')
+            if not repo.private and not repo.has_in_collaborators(pr.user.login):
+                repo.add_to_collaborators(pr.user.login, permission="push")
+                comment = f':warning:  @{pr.user.login} you have been added as collaborator to scylladbbot fork '
+                comment += f'Please check your inbox and approve the invitation, once it is done, please add the backport labels again'
+                create_pr_comment_and_remove_label(pr, comment)
+                return
+            repo_local.git.push(fork_repo, new_branch_name, force=True)
+            create_pull_request(repo, new_branch_name, backport_base_branch, pr, backport_pr_title, commits,
+                                is_draft=is_draft)
+
+        except GitCommandError as e:
+            logging.warning(f"GitCommandError: {e}")
+
+
+def main():
+    args = parse_args()
+    base_branch = args.base_branch.split('/')[2]
+    promoted_label = 'promoted-to-master'
+    repo_name = args.repo
+    if 'scylla-enterprise' in args.repo:
+        promoted_label = 'promoted-to-enterprise'
+    stable_branch = base_branch
+    backport_branch = 'branch-'
+
+    backport_label_pattern = re.compile(r'backport/\d+\.\d+$')
+
+    g = Github(github_token)
+    repo = g.get_repo(repo_name)
+    closed_prs = []
+    start_commit = None
+
+    if args.commits:
+        start_commit, end_commit = args.commits.split('..')
+        commits = repo.compare(start_commit, end_commit).commits
+        for commit in commits:
+            match = re.search(rf"Closes .*#([0-9]+)", commit.commit.message, re.IGNORECASE)
+            if match:
+                pr_number = int(match.group(1))
+                pr = repo.get_pull(pr_number)
+                closed_prs.append(pr)
+    if args.pull_request:
+        start_commit = args.head_commit
+        pr = repo.get_pull(args.pull_request)
+        closed_prs = [pr]
+
+    for pr in closed_prs:
+        labels = [label.name for label in pr.labels]
+        backport_labels = [label for label in labels if backport_label_pattern.match(label)]
+        if promoted_label not in labels:
+            print(f'no {promoted_label} label: {pr.number}')
+            continue
+        if not backport_labels:
+            print(f'no backport label: {pr.number}')
+            continue
+        commits = get_pr_commits(repo, pr, stable_branch, start_commit)
+        logging.info(f"Found PR #{pr.number} with commit {commits} and the following labels: {backport_labels}")
+        for backport_label in backport_labels:
+            version = backport_label.replace('backport/', '')
+            backport_base_branch = backport_label.replace('backport/', backport_branch)
+            backport(repo, pr, version, commits, backport_base_branch)
+
+
+if __name__ == "__main__":
+    main()

.github/scripts/label_promoted_commits.py

@@ -16,13 +16,8 @@ def parser():
     parser = argparse.ArgumentParser()
     parser.add_argument('--repository', type=str, required=True,
                         help='Github repository name (e.g., scylladb/scylladb)')
-    parser.add_argument('--commit_before_merge', type=str, required=True, help='Git commit ID to start labeling from ('
-                                                                               'newest commit).')
-    parser.add_argument('--commit_after_merge', type=str, required=True,
-                        help='Git commit ID to end labeling at (oldest '
-                             'commit, exclusive).')
-    parser.add_argument('--update_issue', type=bool, default=False, help='Set True to update issues when backport was '
-                                                                         'done')
+    parser.add_argument('--commits', type=str, required=True, help='Range of promoted commits.')
+    parser.add_argument('--label', type=str, default='promoted-to-master', help='Label to use')
     parser.add_argument('--ref', type=str, required=True, help='PR target branch')
     return parser.parse_args()
 
@@ -53,12 +48,14 @@ def main():
     target_branch = re.search(r'branch-(\d+\.\d+)', args.ref)
     g = Github(github_token)
     repo = g.get_repo(args.repository, lazy=False)
-    commits = repo.compare(head=args.commit_after_merge, base=args.commit_before_merge)
+    start_commit, end_commit = args.commits.split('..')
+    commits = repo.compare(start_commit, end_commit).commits
     processed_prs = set()
     # Print commit information
-    for commit in commits.commits:
+    for commit in commits:
         print(f'Commit sha is: {commit.sha}')
-        match = pr_pattern.search(commit.commit.message)
+        pr_last_line = commit.commit.message.splitlines()[-1]
+        match = pr_pattern.search(pr_last_line)
         if match:
             pr_number = int(match.group(1))
             if pr_number in processed_prs:
@@ -66,13 +63,13 @@ def main():
             if target_branch:
                 pr = repo.get_pull(pr_number)
                 branch_name = target_branch[1]
-                refs_pr = re.findall(r'Refs (?:#|https.*?)(\d+)', pr.body)
+                refs_pr = re.findall(r'Parent PR: (?:#|https.*?)(\d+)', pr.body)
                 if refs_pr:
                     print(f'branch-{target_branch.group(1)}, pr number is: {pr_number}')
                     # 1. change the backport label of the parent PR to note that
-                    #    we've merge the corresponding backport PR
+                    #    we've merged the corresponding backport PR
                     # 2. close the backport PR and leave a comment on it to note
-                    #    that it has been merged with a certain git commit,
+                    #    that it has been merged with a certain git commit.
                     ref_pr_number = refs_pr[0]
                     mark_backport_done(repo, ref_pr_number, branch_name)
                     comment = f'Closed via {commit.sha}'

.github/workflows/add-label-when-promoted.yaml

@@ -5,9 +5,10 @@ on:
     branches:
       - master
       - branch-*.*
-
-env:
-  DEFAULT_BRANCH: 'master'
+      - enterprise
+    pull_request_target:
+      types: [labeled]
+      branches: [master, next, enterprise]
 
 jobs:
   check-commit:
@@ -20,17 +21,51 @@ jobs:
         env:
           GITHUB_CONTEXT: ${{ toJson(github) }}
         run: echo "$GITHUB_CONTEXT"
+      - name: Set Default Branch
+        id: set_branch
+        run: |
+          if [[ "${{ github.repository }}" == *enterprise* ]]; then
+            echo "DEFAULT_BRANCH=enterprise" >> $GITHUB_ENV
+          else
+            echo "DEFAULT_BRANCH=master" >> $GITHUB_ENV
+          fi
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           repository: ${{ github.repository }}
           ref: ${{ env.DEFAULT_BRANCH }}
+          token: ${{ secrets.AUTO_BACKPORT_TOKEN }}
           fetch-depth: 0  # Fetch all history for all tags and branches
-
+      - name: Set up Git identity
+        run: |
+          git config --global user.name "GitHub Action"
+          git config --global user.email "action@github.com"
+          git config --global merge.conflictstyle diff3
       - name: Install dependencies
-        run: sudo apt-get install -y python3-github
-
+        run: sudo apt-get install -y python3-github python3-git
       - name: Run python script
+        if: github.event_name == 'push'
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: python .github/scripts/label_promoted_commits.py --commit_before_merge ${{ github.event.before }} --commit_after_merge ${{ github.event.after }} --repository ${{ github.repository }} --ref ${{ github.ref }}
+          GITHUB_TOKEN: ${{ secrets.AUTO_BACKPORT_TOKEN }}
+        run: python .github/scripts/label_promoted_commits.py  --commits ${{ github.event.before }}..${{ github.sha }} --repository ${{ github.repository }} --ref ${{ github.ref }}
+      - name: Run auto-backport.py when promotion completed
+        if: github.event_name == 'push' && github.ref == 'refs/heads/${{ env.DEFAULT_BRANCH }}'
+        env:
+          GITHUB_TOKEN: ${{ secrets.AUTO_BACKPORT_TOKEN }}
+        run: python .github/scripts/auto-backport.py --repo ${{ github.repository }} --base-branch ${{ github.ref }} --commits ${{ github.event.before }}..${{ github.sha }}
+      - name: Check if label starts with 'backport/' and contains digits
+        id: check_label
+        run: |
+          label_name="${{ github.event.label.name }}"
+          if [[ "$label_name" =~ ^backport/[0-9]+\.[0-9]+$ ]]; then
+            echo "Label matches backport/X.X pattern."
+            echo "backport_label=true" >> $GITHUB_OUTPUT
+          else
+            echo "Label does not match the required pattern."
+            echo "backport_label=false" >> $GITHUB_OUTPUT
+          fi
+      - name: Run auto-backport.py when label was added
+        if: github.event_name == 'pull_request_target' && steps.check_label.outputs.backport_label == 'true' && (github.event.pull_request.state == 'closed' && github.event.pull_request.merged == true)
+        env:
+          GITHUB_TOKEN: ${{ secrets.AUTO_BACKPORT_TOKEN }}
+        run: python .github/scripts/auto-backport.py --repo ${{ github.repository }} --base-branch ${{ github.ref }} --pull-request ${{ github.event.pull_request.number }} --head-commit ${{ github.event.pull_request.base.sha }}

.github/workflows/backport-pr-fixes-validation.yaml

@@ -22,5 +22,12 @@ jobs:
             const regex = new RegExp(pattern);
             
             if (!regex.test(body)) {
-              core.setFailed("PR body does not contain a valid 'Fixes' reference.");
+              const error = "PR body does not contain a valid 'Fixes' reference.";
+              core.setFailed(error);
+              await github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: `:warning: ${error}`
+              });
             }

.github/workflows/build-scylla.yaml

@@ -13,10 +13,14 @@ on:
         value: ${{ jobs.build.outputs.md5sum }}
 
 jobs:
+  read-toolchain:
+    uses: ./.github/workflows/read-toolchain.yaml
   build:
+    if: github.repository == 'scylladb/scylladb'
+    needs:
+      - read-toolchain
     runs-on: ubuntu-latest
-    # be consistent with tools/toolchain/image
-    container: scylladb/scylla-toolchain:fedora-40-20240621
+    container: ${{ needs.read-toolchain.outputs.image }}
     outputs:
       md5sum: ${{ steps.checksum.outputs.md5sum }}
     steps:

.github/workflows/clang-nightly.yaml

@@ -7,7 +7,7 @@ on:
 
 env:
   # use the development branch explicitly
-  CLANG_VERSION: 19
+  CLANG_VERSION: 20
   BUILD_DIR: build
 
 permissions: {}
@@ -20,6 +20,7 @@ concurrency:
 jobs:
   clang-dev:
     name: Build with clang nightly
+    if: github.repository == 'scylladb/scylladb'
     runs-on: ubuntu-latest
     container: fedora:40
     strategy:

.github/workflows/clang-tidy.yaml

@@ -10,9 +10,9 @@ on:
       - 'docs/**'
       - '.github/**'
   workflow_dispatch:
-  schedule:
-    # only at 5AM Saturday
-    - cron: '0 5 * * SAT'
+  issue_comment:
+    types:
+      - created
 
 env:
   BUILD_TYPE: RelWithDebInfo
@@ -28,6 +28,7 @@ concurrency:
 
 jobs:
   read-toolchain:
+    if: github.event_name == 'pull_request' || (github.event.issue.pull_request && startsWith(github.event.comment.body, '/clang-tidy'))
     uses: ./.github/workflows/read-toolchain.yaml
   clang-tidy:
     name: Run clang-tidy

.github/workflows/conflict_reminder.yaml

@@ -0,0 +1,45 @@
+name: Notify PR Authors of Conflicts
+
+on:
+  schedule:
+    - cron: '0 10 * * 1,4'  # Runs every Monday and Thursday at 10:00am
+  workflow_dispatch:      # Manual trigger for testing
+
+jobs:
+  notify_conflict_prs:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Notify PR Authors of Conflicts
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const prs = await github.paginate(github.rest.pulls.list, {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open',
+              per_page: 100
+            });
+            const branchPrefix = 'branch-';
+            const threeDaysAgo = new Date();
+            const conflictLabel = 'conflicts';          
+            threeDaysAgo.setDate(threeDaysAgo.getDate() - 3);
+            for (const pr of prs) {
+              if (!pr.base.ref.startsWith(branchPrefix)) continue;
+              const hasConflictLabel = pr.labels.some(label => label.name === conflictLabel);
+              if (!hasConflictLabel) continue;
+              const updatedDate = new Date(pr.updated_at);
+              if (updatedDate >= threeDaysAgo) continue;
+              if (pr.assignee === null) continue;
+              const assignee = pr.assignee;
+              if (assignee) {
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: pr.number,
+                  body: `@${assignee}, this PR has been open with conflicts. Please resolve the conflicts so we can merge it.`,
+                });
+                console.log(`Notified @${assignee} for PR #${pr.number}`);
+              } 
+            }
+            console.log(`Total PRs checked: ${prs.length}`);

.github/workflows/docs-pr.yaml

@@ -12,7 +12,8 @@ on:
       - enterprise
     paths:
       - "docs/**"
-
+      - "db/config.hh"
+      - "db/config.cc"
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/iwyu.yaml

@@ -9,7 +9,9 @@ env:
   BUILD_TYPE: RelWithDebInfo
   BUILD_DIR: build
   CLEANER_OUTPUT_PATH: build/clang-include-cleaner.log
-  CLEANER_DIRS: test/unit exceptions alternator api auth cdc compaction
+  # the "idl" subdirectory does not contain C++ source code. the .hh files in it are
+  # supposed to be processed by idl-compiler.py, so we don't check them using the cleaner
+  CLEANER_DIRS: test/unit exceptions alternator api auth cdc compaction db dht gms index lang
 
 permissions: {}
 

.github/workflows/reproducible-build.yaml

@@ -19,6 +19,7 @@ jobs:
     with:
       build_mode: release
   compare-checksum:
+    if: github.repository == 'scylladb/scylladb'
     runs-on: ubuntu-latest
     needs:
       - build-a

.gitignore

@@ -3,6 +3,7 @@
 .settings
 build
 build.ninja
+cmake-build-*
 build.ninja.new
 cscope.*
 /debian/
@@ -13,13 +14,14 @@ dist/ami/scylla_deploy.sh
 Cql.tokens
 .kdev4
 *.kdev4
+.idea
 CMakeLists.txt.user
 .cache
 .tox
 *.egg-info
 __pycache__CMakeLists.txt.user
 .gdbinit
-resources
+/resources
 .pytest_cache
 /expressions.tokens
 tags
@@ -32,3 +34,4 @@ compile_commands.json
 .mypy_cache
 .envrc
 clang_build
+.idea/

.gitmodules

@@ -9,9 +9,6 @@
 [submodule "abseil"]
 	path = abseil
 	url = ../abseil-cpp
-[submodule "scylla-jmx"]
-	path = tools/jmx
-	url = ../scylla-jmx
 [submodule "scylla-tools"]
 	path = tools/java
 	url = ../scylla-tools-java

CMakeLists.txt

@@ -2,8 +2,6 @@ cmake_minimum_required(VERSION 3.27)
 
 project(scylla)
 
-include(CTest)
-
 list(APPEND CMAKE_MODULE_PATH
   ${CMAKE_CURRENT_SOURCE_DIR}/cmake
   ${CMAKE_CURRENT_SOURCE_DIR}/seastar/cmake)
@@ -25,7 +23,8 @@ if(DEFINED CMAKE_BUILD_TYPE)
 endif(DEFINED CMAKE_BUILD_TYPE)
 
 include(mode.common)
-if(CMAKE_CONFIGURATION_TYPES)
+get_property(is_multi_config GLOBAL PROPERTY GENERATOR_IS_MULTI_CONFIG)
+if(is_multi_config)
     foreach(config ${CMAKE_CONFIGURATION_TYPES})
         include(mode.${config})
         list(APPEND scylla_build_modes ${scylla_build_mode_${config}})
@@ -49,26 +48,70 @@ set(CMAKE_CXX_EXTENSIONS ON CACHE INTERNAL "")
 set(CMAKE_CXX_SCAN_FOR_MODULES OFF CACHE INTERNAL "")
 set(CMAKE_CXX_VISIBILITY_PRESET hidden)
 
-set(Seastar_TESTING ON CACHE BOOL "" FORCE)
-set(Seastar_API_LEVEL 7 CACHE STRING "" FORCE)
-set(Seastar_DEPRECATED_OSTREAM_FORMATTERS OFF CACHE BOOL "" FORCE)
-set(Seastar_APPS ON CACHE BOOL "" FORCE)
-set(Seastar_EXCLUDE_APPS_FROM_ALL ON CACHE BOOL "" FORCE)
-set(Seastar_EXCLUDE_TESTS_FROM_ALL ON CACHE BOOL "" FORCE)
-set(Seastar_UNUSED_RESULT_ERROR ON CACHE BOOL "" FORCE)
-add_subdirectory(seastar)
+if(is_multi_config)
+    find_package(Seastar)
+    # this is atypical compared to standard ExternalProject usage:
+    # - Seastar's build system should already be configured at this point.
+    # - We maintain separate project variants for each configuration type.
+    #
+    # Benefits of this approach:
+    # - Allows the parent project to consume the compile options exposed by
+    #   .pc file. as the compile options vary from one config to another.
+    # - Allows application of config-specific settings
+    # - Enables building Seastar within the parent project's build system
+    # - Facilitates linking of artifacts with the external project target,
+    #   establishing proper dependencies between them
+    include(ExternalProject)
+
+    ExternalProject_Add(Seastar
+        SOURCE_DIR "${PROJECT_SOURCE_DIR}/seastar"
+        BINARY_DIR "${CMAKE_BINARY_DIR}/$<CONFIG>/seastar"
+        CONFIGURE_COMMAND ""
+        BUILD_COMMAND ${CMAKE_COMMAND} --build <BINARY_DIR>
+          --target seastar
+          --target seastar_testing
+          --target seastar_perf_testing
+          --target app_iotune
+        BUILD_ALWAYS ON
+        BUILD_BYPRODUCTS
+          <BINARY_DIR>/libseastar.$<IF:$<CONFIG:Debug,Dev>,so,a>
+          <BINARY_DIR>/libseastar_testing.$<IF:$<CONFIG:Debug,Dev>,so,a>
+          <BINARY_DIR>/libseastar_perf_testing.$<IF:$<CONFIG:Debug,Dev>,so,a>
+          <BINARY_DIR>/apps/iotune/iotune
+          <BINARY_DIR>/gen/include/seastar/http/chunk_parsers.hh
+          <BINARY_DIR>/gen/include/seastar/http/request_parser.hh
+          <BINARY_DIR>/gen/include/seastar/http/response_parser.hh
+        INSTALL_COMMAND "")
+    add_dependencies(Seastar::seastar Seastar)
+    add_dependencies(Seastar::seastar_testing Seastar)
+else()
+    set(Seastar_TESTING ON CACHE BOOL "" FORCE)
+    set(Seastar_API_LEVEL 7 CACHE STRING "" FORCE)
+    set(Seastar_DEPRECATED_OSTREAM_FORMATTERS OFF CACHE BOOL "" FORCE)
+    set(Seastar_APPS ON CACHE BOOL "" FORCE)
+    set(Seastar_EXCLUDE_APPS_FROM_ALL ON CACHE BOOL "" FORCE)
+    set(Seastar_EXCLUDE_TESTS_FROM_ALL ON CACHE BOOL "" FORCE)
+    set(Seastar_IO_URING OFF CACHE BOOL "" FORCE)
+    set(Seastar_SCHEDULING_GROUPS_COUNT 16 CACHE STRING "" FORCE)
+    set(Seastar_UNUSED_RESULT_ERROR ON CACHE BOOL "" FORCE)
+    add_subdirectory(seastar)
+    target_compile_definitions (seastar
+      PRIVATE
+        SEASTAR_NO_EXCEPTION_HACK)
+endif()
+
 set(ABSL_PROPAGATE_CXX_STD ON CACHE BOOL "" FORCE)
 
 find_package(Sanitizers QUIET)
 set(sanitizer_cxx_flags
-    $<$<IN_LIST:$<CONFIG>,Debug;Sanitize>:$<TARGET_PROPERTY:Sanitizers::address,INTERFACE_COMPILE_OPTIONS>;$<TARGET_PROPERTY:Sanitizers::undefined_behavior,INTERFACE_COMPILE_OPTIONS>>)
+    $<$<CONFIG:Debug,Sanitize>:$<TARGET_PROPERTY:Sanitizers::address,INTERFACE_COMPILE_OPTIONS>;$<TARGET_PROPERTY:Sanitizers::undefined_behavior,INTERFACE_COMPILE_OPTIONS>>)
 if(CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
     set(ABSL_GCC_FLAGS ${sanitizer_cxx_flags})
 elseif(CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
     set(ABSL_LLVM_FLAGS ${sanitizer_cxx_flags})
 endif()
 set(ABSL_DEFAULT_LINKOPTS
-    $<$<IN_LIST:$<CONFIG>,Debug;Sanitize>:$<TARGET_PROPERTY:Sanitizers::address,INTERFACE_LINK_LIBRARIES>;$<TARGET_PROPERTY:Sanitizers::undefined_behavior,INTERFACE_LINK_LIBRARIES>>)
+    $<$<CONFIG:Debug,Sanitize>:$<TARGET_PROPERTY:Sanitizers::address,INTERFACE_LINK_LIBRARIES>;$<TARGET_PROPERTY:Sanitizers::undefined_behavior,INTERFACE_LINK_LIBRARIES>>)
 add_subdirectory(abseil)
 add_library(absl-headers INTERFACE)
 target_include_directories(absl-headers SYSTEM INTERFACE
@@ -95,12 +138,13 @@ target_link_libraries(Boost::regex
 find_package(Lua REQUIRED)
 find_package(ZLIB REQUIRED)
 find_package(ICU COMPONENTS uc i18n REQUIRED)
-find_package(fmt 9.0.0 REQUIRED)
+find_package(fmt 10.0.0 REQUIRED)
 find_package(libdeflate REQUIRED)
 find_package(libxcrypt REQUIRED)
 find_package(Snappy REQUIRED)
 find_package(RapidJSON REQUIRED)
 find_package(xxHash REQUIRED)
+find_package(yaml-cpp REQUIRED)
 find_package(zstd REQUIRED)
 
 set(scylla_gen_build_dir "${CMAKE_BINARY_DIR}/gen")
@@ -138,6 +182,7 @@ target_sources(scylla-main
     keys.cc
     multishard_mutation_query.cc
     mutation_query.cc
+    node_ops/task_manager_module.cc
     partition_slice_builder.cc
     querier.cc
     query.cc
@@ -151,6 +196,7 @@ target_sources(scylla-main
     serializer.cc
     sstables_loader.cc
     table_helper.cc
+    tasks/task_handler.cc
     tasks/task_manager.cc
     timeout_config.cc
     unimplemented.cc
@@ -194,6 +240,12 @@ include(check_headers)
 check_headers(check-headers scylla-main
   GLOB ${CMAKE_CURRENT_SOURCE_DIR}/*.hh)
 
+option(Scylla_DIST
+  "Build dist targets"
+  ON)
+
+add_custom_target(compiler-training)
+
 add_subdirectory(api)
 add_subdirectory(alternator)
 add_subdirectory(db)
@@ -270,12 +322,20 @@ target_link_libraries(scylla PRIVATE
     utils)
 
 target_link_libraries(scylla PRIVATE
-    seastar
+    Seastar::seastar
     absl::headers
+    yaml-cpp::yaml-cpp
     Boost::program_options)
 
 target_include_directories(scylla PRIVATE
     "${CMAKE_CURRENT_SOURCE_DIR}"
     "${scylla_gen_build_dir}")
 
-add_subdirectory(dist)
+add_custom_target(maybe-scylla
+  DEPENDS $<$<CONFIG:Dev>:$<TARGET_FILE:scylla>>)
+add_dependencies(compiler-training
+  maybe-scylla)
+
+if(Scylla_DIST)
+  add_subdirectory(dist)
+endif()

HACKING.md

@@ -19,18 +19,18 @@ $ git submodule update --init --recursive
 ### Dependencies
 
 Scylla is fairly fussy about its build environment, requiring a very recent
-version of the C++20 compiler and numerous tools and libraries to build.
+version of the C++23 compiler and numerous tools and libraries to build.
 
 Run `./install-dependencies.sh` (as root) to use your Linux distributions's
 package manager to install the appropriate packages on your build machine.
 However, this will only work on very recent distributions. For example,
 currently Fedora users must upgrade to Fedora 32 otherwise the C++ compiler
-will be too old, and not support the new C++20 standard that Scylla uses.
+will be too old, and not support the new C++23 standard that Scylla uses.
 
 Alternatively, to avoid having to upgrade your build machine or install
 various packages on it, we provide another option - the **frozen toolchain**.
 This is a script, `./tools/toolchain/dbuild`, that can execute build or run
-commands inside a Docker image that contains exactly the right build tools and
+commands inside a container that contains exactly the right build tools and
 libraries. The `dbuild` technique is useful for beginners, but is also the way
 in which ScyllaDB produces official releases, so it is highly recommended.
 
@@ -43,6 +43,12 @@ $ ./tools/toolchain/dbuild ninja build/release/scylla
 $ ./tools/toolchain/dbuild ./build/release/scylla --developer-mode 1
 ```
 
+Note: do not mix environemtns - either perform all your work with dbuild, or natively on the host.
+Note2: you can get to an interactive shell within dbuild by running it without any parameters:
+```bash
+$ ./tools/toolchain/dbuild
+```
+
 ### Build system
 
 **Note**: Compiling Scylla requires, conservatively, 2 GB of memory per native
@@ -116,6 +122,13 @@ Run all tests through the test execution wrapper with
 $ ./test.py --mode={debug,release}
 ```
 
+or, if you are using `dbuild`, you need to build the code and the tests and then you can run them at will:
+
+```bash
+$ ./tools/toolchain/dbuild ninja {debug,release,dev}-build
+$ ./tools/toolchain/dbuild ./test.py --mode {debug,release,dev}
+```
+
 The `--name` argument can be specified to run a particular test.
 
 Alternatively, you can execute the test executable directly. For example,

README.md

@@ -15,7 +15,7 @@ For more information, please see the [ScyllaDB web site].
 ## Build Prerequisites
 
 Scylla is fairly fussy about its build environment, requiring very recent
-versions of the C++20 compiler and of many libraries to build. The document
+versions of the C++23 compiler and of many libraries to build. The document
 [HACKING.md](HACKING.md) includes detailed information on building and
 developing Scylla, but to get Scylla building quickly on (almost) any build
 machine, Scylla offers a [frozen toolchain](tools/toolchain/README.md),
@@ -84,11 +84,11 @@ Documentation can be found [here](docs/dev/README.md).
 Seastar documentation can be found [here](http://docs.seastar.io/master/index.html).
 User documentation can be found [here](https://docs.scylladb.com/).
 
-## Training 
+## Training
 
-Training material and online courses can be found at [Scylla University](https://university.scylladb.com/). 
-The courses are free, self-paced and include hands-on examples. They cover a variety of topics including Scylla data modeling, 
-administration, architecture, basic NoSQL concepts, using drivers for application development, Scylla setup, failover, compactions, 
+Training material and online courses can be found at [Scylla University](https://university.scylladb.com/).
+The courses are free, self-paced and include hands-on examples. They cover a variety of topics including Scylla data modeling,
+administration, architecture, basic NoSQL concepts, using drivers for application development, Scylla setup, failover, compactions,
 multi-datacenters and how Scylla integrates with third-party applications.
 
 ## Contributing to Scylla

SCYLLA-VERSION-GEN

@@ -78,7 +78,7 @@ fi
 
 # Default scylla product/version tags
 PRODUCT=scylla
-VERSION=6.1.0-dev
+VERSION=6.3.0-dev
 
 if test -f version
 then
@@ -104,7 +104,7 @@ else
 fi
 
 if [ -f "$OUTPUT_DIR/SCYLLA-RELEASE-FILE" ]; then
-	GIT_COMMIT_FILE=$(cat "$OUTPUT_DIR/SCYLLA-RELEASE-FILE" |cut -d . -f 3)
+	GIT_COMMIT_FILE=$(cat "$OUTPUT_DIR/SCYLLA-RELEASE-FILE" | rev | cut -d . -f 1 | rev)
 	if [ "$GIT_COMMIT" = "$GIT_COMMIT_FILE" ]; then
 		exit 0
 	fi

alternator/auth.cc

@@ -8,7 +8,7 @@
 
 #include "alternator/error.hh"
 #include "auth/common.hh"
-#include "log.hh"
+#include "utils/log.hh"
 #include <string>
 #include <string_view>
 #include "bytes.hh"
@@ -19,6 +19,7 @@
 #include "alternator/executor.hh"
 #include "cql3/selection/selection.hh"
 #include "cql3/result_set.hh"
+#include "types/types.hh"
 #include <seastar/core/coroutine.hh>
 
 namespace alternator {
@@ -31,11 +32,12 @@ future<std::string> get_key_from_roles(service::storage_proxy& proxy, auth::serv
     dht::partition_range_vector partition_ranges{dht::partition_range(dht::decorate_key(*schema, pk))};
     std::vector<query::clustering_range> bounds{query::clustering_range::make_open_ended_both_sides()};
     const column_definition* salted_hash_col = schema->get_column_definition(bytes("salted_hash"));
-    if (!salted_hash_col) {
-        co_await coroutine::return_exception(api_error::unrecognized_client(format("Credentials cannot be fetched for: {}", username)));
+    const column_definition* can_login_col = schema->get_column_definition(bytes("can_login"));
+    if (!salted_hash_col || !can_login_col) {
+        co_await coroutine::return_exception(api_error::unrecognized_client(fmt::format("Credentials cannot be fetched for: {}", username)));
     }
-    auto selection = cql3::selection::selection::for_columns(schema, {salted_hash_col});
-    auto partition_slice = query::partition_slice(std::move(bounds), {}, query::column_id_vector{salted_hash_col->id}, selection->get_query_options());
+    auto selection = cql3::selection::selection::for_columns(schema, {salted_hash_col, can_login_col});
+    auto partition_slice = query::partition_slice(std::move(bounds), {}, query::column_id_vector{salted_hash_col->id, can_login_col->id}, selection->get_query_options());
     auto command = ::make_lw_shared<query::read_command>(schema->id(), schema->version(), partition_slice,
             proxy.get_max_result_size(partition_slice), query::tombstone_limit(proxy.get_tombstone_limit()));
     auto cl = auth::password_authenticator::consistency_for_user(username);
@@ -49,11 +51,18 @@ future<std::string> get_key_from_roles(service::storage_proxy& proxy, auth::serv
 
     auto result_set = builder.build();
     if (result_set->empty()) {
-        co_await coroutine::return_exception(api_error::unrecognized_client(format("User not found: {}", username)));
+        co_await coroutine::return_exception(api_error::unrecognized_client(fmt::format("User not found: {}", username)));
     }
-    const managed_bytes_opt& salted_hash = result_set->rows().front().front(); // We only asked for 1 row and 1 column
+    const auto& result = result_set->rows().front();
+    bool can_login = result[1] && value_cast<bool>(boolean_type->deserialize(*result[1]));
+    if (!can_login) {
+        // This is a valid role name, but has "login=False" so should not be
+        // usable for authentication (see #19735).
+        co_await coroutine::return_exception(api_error::unrecognized_client(fmt::format("Role {} has login=false so cannot be used for login", username)));
+    }
+    const managed_bytes_opt& salted_hash = result.front();
     if (!salted_hash) {
-        co_await coroutine::return_exception(api_error::unrecognized_client(format("No password found for user: {}", username)));
+        co_await coroutine::return_exception(api_error::unrecognized_client(fmt::format("No password found for user: {}", username)));
     }
     co_return value_cast<sstring>(utf8_type->deserialize(*salted_hash));
 }

alternator/conditions.cc

@@ -15,8 +15,6 @@
 #include "utils/base64.hh"
 #include "utils/rjson.hh"
 #include <stdexcept>
-#include <boost/algorithm/cxx11/all_of.hpp>
-#include <boost/algorithm/cxx11/any_of.hpp>
 #include "utils/overloaded_functor.hh"
 
 #include "expressions.hh"
@@ -42,12 +40,12 @@ comparison_operator_type get_comparison_operator(const rjson::value& comparison_
             {"NOT_CONTAINS", comparison_operator_type::NOT_CONTAINS},
     };
     if (!comparison_operator.IsString()) {
-        throw api_error::validation(format("Invalid comparison operator definition {}", rjson::print(comparison_operator)));
+        throw api_error::validation(fmt::format("Invalid comparison operator definition {}", rjson::print(comparison_operator)));
     }
     std::string op = comparison_operator.GetString();
     auto it = ops.find(op);
     if (it == ops.end()) {
-        throw api_error::validation(format("Unsupported comparison operator {}", op));
+        throw api_error::validation(fmt::format("Unsupported comparison operator {}", op));
     }
     return it->second;
 }
@@ -429,7 +427,7 @@ static bool check_BETWEEN(const T& v, const T& lb, const T& ub, bool bounds_from
     if (cmp_lt()(ub, lb)) {
         if (bounds_from_query) {
             throw api_error::validation(
-                format("BETWEEN operator requires lower_bound <= upper_bound, but {} > {}", lb, ub));
+                fmt::format("BETWEEN operator requires lower_bound <= upper_bound, but {} > {}", lb, ub));
         } else {
             return false;
         }
@@ -613,7 +611,7 @@ conditional_operator_type get_conditional_operator(const rjson::value& req) {
         return conditional_operator_type::OR;
     } else {
         throw api_error::validation(
-                format("'ConditionalOperator' parameter must be AND, OR or missing. Found {}.", s));
+                fmt::format("'ConditionalOperator' parameter must be AND, OR or missing. Found {}.", s));
     }
 }
 
@@ -743,9 +741,9 @@ bool verify_condition_expression(
             };
             switch (list.op) {
             case '&':
-                return boost::algorithm::all_of(list.conditions, verify_condition);
+                return std::ranges::all_of(list.conditions, verify_condition);
             case '|':
-                return boost::algorithm::any_of(list.conditions, verify_condition);
+                return std::ranges::any_of(list.conditions, verify_condition);
             default:
                 // Shouldn't happen unless we have a bug in the parser
                 throw std::logic_error("bad operator in condition_list");

alternator/controller.cc

@@ -130,10 +130,10 @@ future<> controller::start_server() {
                 std::throw_with_nested(std::runtime_error("Failed to set up Alternator TLS credentials"));
             }
         }
-        bool alternator_enforce_authorization = _config.alternator_enforce_authorization();
         _server.invoke_on_all(
-                [this, addr, alternator_port, alternator_https_port, creds = std::move(creds), alternator_enforce_authorization] (server& server) mutable {
-            return server.init(addr, alternator_port, alternator_https_port, creds, alternator_enforce_authorization,
+                [this, addr, alternator_port, alternator_https_port, creds = std::move(creds)] (server& server) mutable {
+            return server.init(addr, alternator_port, alternator_https_port, creds,
+                    _config.alternator_enforce_authorization,
                     &_memory_limiter.local().get_semaphore(),
                     _config.max_concurrent_requests_per_shard);
         }).handle_exception([this, addr, alternator_port, alternator_https_port] (std::exception_ptr ep) {

alternator/executor.hh

@@ -23,6 +23,8 @@
 #include "utils/rjson.hh"
 #include "utils/updateable_value.hh"
 
+#include "tracing/trace_state.hh"
+
 namespace db {
     class system_distributed_keyspace;
 }
@@ -50,6 +52,8 @@ class gossiper;
 
 }
 
+class schema_builder;
+
 namespace alternator {
 
 class rmw_operation;
@@ -158,6 +162,7 @@ class executor : public peering_sharded_service<executor> {
     service::migration_manager& _mm;
     db::system_distributed_keyspace& _sdks;
     cdc::metadata& _cdc_metadata;
+    utils::updateable_value<bool> _enforce_authorization;
     // An smp_service_group to be used for limiting the concurrency when
     // forwarding Alternator request between shards - if necessary for LWT.
     smp_service_group _ssg;
@@ -176,10 +181,7 @@ public:
              db::system_distributed_keyspace& sdks,
              cdc::metadata& cdc_metadata,
              smp_service_group ssg,
-             utils::updateable_value<uint32_t> default_timeout_in_ms)
-        : _gossiper(gossiper), _proxy(proxy), _mm(mm), _sdks(sdks), _cdc_metadata(cdc_metadata), _ssg(ssg) {
-        s_default_timeout_in_ms = std::move(default_timeout_in_ms);
-    }
+             utils::updateable_value<uint32_t> default_timeout_in_ms);
 
     future<request_return_type> create_table(client_state& client_state, tracing::trace_state_ptr trace_state, service_permit permit, rjson::value request);
     future<request_return_type> describe_table(client_state& client_state, tracing::trace_state_ptr trace_state, service_permit permit, rjson::value request);
@@ -262,4 +264,9 @@ public:
 // add more than a couple of levels in its own output construction.
 bool is_big(const rjson::value& val, int big_size = 100'000);
 
+// Check CQL's Role-Based Access Control (RBAC) permission (MODIFY,
+// SELECT, DROP, etc.) on the given table. When permission is denied an
+// appropriate user-readable api_error::access_denied is thrown.
+future<> verify_permission(bool enforce_authorization, const service::client_state&, const schema_ptr&, auth::permission);
+
 }

alternator/expressions.cc

@@ -20,9 +20,6 @@
 #include <seastar/core/print.hh>
 #include <seastar/util/log.hh>
 
-#include <boost/algorithm/cxx11/any_of.hpp>
-#include <boost/algorithm/cxx11/all_of.hpp>
-
 #include <functional>
 #include <unordered_map>
 
@@ -57,10 +54,10 @@ static Result parse(const char* input_name, std::string_view input, Func&& f) {
         // TODO: displayRecognitionError could set a position inside the
         // expressions_syntax_error in throws, and we could use it here to
         // mark the broken position in 'input'.
-        throw expressions_syntax_error(format("Failed parsing {} '{}': {}",
+        throw expressions_syntax_error(fmt::format("Failed parsing {} '{}': {}",
             input_name, input, e.what()));
     } catch (...) {
-        throw expressions_syntax_error(format("Failed parsing {} '{}': {}",
+        throw expressions_syntax_error(fmt::format("Failed parsing {} '{}': {}",
             input_name, input, std::current_exception()));
     }
 }
@@ -160,12 +157,12 @@ static std::optional<std::string> resolve_path_component(const std::string& colu
     if (column_name.size() > 0 && column_name.front() == '#') {
         if (!expression_attribute_names) {
             throw api_error::validation(
-                    format("ExpressionAttributeNames missing, entry '{}' required by expression", column_name));
+                    fmt::format("ExpressionAttributeNames missing, entry '{}' required by expression", column_name));
         }
         const rjson::value* value = rjson::find(*expression_attribute_names, column_name);
         if (!value || !value->IsString()) {
             throw api_error::validation(
-                    format("ExpressionAttributeNames missing entry '{}' required by expression", column_name));
+                    fmt::format("ExpressionAttributeNames missing entry '{}' required by expression", column_name));
         }
         used_attribute_names.emplace(column_name);
         return std::string(rjson::to_string_view(*value));
@@ -202,16 +199,16 @@ static void resolve_constant(parsed::constant& c,
         [&] (const std::string& valref) {
             if (!expression_attribute_values) {
                 throw api_error::validation(
-                        format("ExpressionAttributeValues missing, entry '{}' required by expression", valref));
+                        fmt::format("ExpressionAttributeValues missing, entry '{}' required by expression", valref));
             }
             const rjson::value* value = rjson::find(*expression_attribute_values, valref);
             if (!value) {
                 throw api_error::validation(
-                        format("ExpressionAttributeValues missing entry '{}' required by expression", valref));
+                        fmt::format("ExpressionAttributeValues missing entry '{}' required by expression", valref));
             }
             if (value->IsNull()) {
                 throw api_error::validation(
-                        format("ExpressionAttributeValues null value for entry '{}' required by expression", valref));
+                        fmt::format("ExpressionAttributeValues null value for entry '{}' required by expression", valref));
             }
             validate_value(*value, "ExpressionAttributeValues");
             used_attribute_values.emplace(valref);
@@ -708,7 +705,7 @@ rjson::value calculate_value(const parsed::value& v,
             auto function_it = function_handlers.find(std::string_view(f._function_name));
             if (function_it == function_handlers.end()) {
                 throw api_error::validation(
-                        format("{}: unknown function '{}' called.", caller, f._function_name));
+                        fmt::format("{}: unknown function '{}' called.", caller, f._function_name));
             }
             return function_it->second(caller, previous_item, f);
         },

alternator/rmw_operation.hh

@@ -12,6 +12,8 @@
 #include "service/paxos/cas_request.hh"
 #include "utils/rjson.hh"
 #include "executor.hh"
+#include "tracing/trace_state.hh"
+#include "keys.hh"
 
 namespace alternator {
 

alternator/serialization.cc

@@ -8,7 +8,7 @@
 
 #include "utils/base64.hh"
 #include "utils/rjson.hh"
-#include "log.hh"
+#include "utils/log.hh"
 #include "serialization.hh"
 #include "error.hh"
 #include "concrete_types.hh"
@@ -143,17 +143,17 @@ static big_decimal parse_and_validate_number(std::string_view s) {
         big_decimal ret(s);
         auto [magnitude, precision] = internal::get_magnitude_and_precision(s);
         if (magnitude > 125) {
-            throw api_error::validation(format("Number overflow: {}. Attempting to store a number with magnitude larger than supported range.", s));
+            throw api_error::validation(fmt::format("Number overflow: {}. Attempting to store a number with magnitude larger than supported range.", s));
         }
         if (magnitude < -130) {
-            throw api_error::validation(format("Number underflow: {}. Attempting to store a number with magnitude lower than supported range.", s));
+            throw api_error::validation(fmt::format("Number underflow: {}. Attempting to store a number with magnitude lower than supported range.", s));
         }
         if (precision > 38) {
-            throw api_error::validation(format("Number too precise: {}. Attempting to store a number with more significant digits than supported.", s));
+            throw api_error::validation(fmt::format("Number too precise: {}. Attempting to store a number with more significant digits than supported.", s));
         }
         return ret;
     } catch (const marshal_exception& e) {
-        throw api_error::validation(format("The parameter cannot be converted to a numeric value: {}", s));
+        throw api_error::validation(fmt::format("The parameter cannot be converted to a numeric value: {}", s));
     }
 
 }
@@ -265,7 +265,7 @@ bytes get_key_column_value(const rjson::value& item, const column_definition& co
     std::string column_name = column.name_as_text();
     const rjson::value* key_typed_value = rjson::find(item, column_name);
     if (!key_typed_value) {
-        throw api_error::validation(format("Key column {} not found", column_name));
+        throw api_error::validation(fmt::format("Key column {} not found", column_name));
     }
     return get_key_from_typed_value(*key_typed_value, column);
 }
@@ -277,19 +277,26 @@ bytes get_key_column_value(const rjson::value& item, const column_definition& co
 // mentioned in the exception message).
 // If the type does match, a reference to the encoded value is returned.
 static const rjson::value& get_typed_value(const rjson::value& key_typed_value, std::string_view type_str, std::string_view name, std::string_view value_name) {
-    if (!key_typed_value.IsObject() || key_typed_value.MemberCount() != 1 ||
-            !key_typed_value.MemberBegin()->value.IsString()) {
+    if (!key_typed_value.IsObject() || key_typed_value.MemberCount() != 1) {
         throw api_error::validation(
-                format("Malformed value object for {} {}: {}",
+                fmt::format("Malformed value object for {} {}: {}",
                         value_name, name, key_typed_value));
     }
 
     auto it = key_typed_value.MemberBegin();
     if (rjson::to_string_view(it->name) != type_str) {
         throw api_error::validation(
-                format("Type mismatch: expected type {} for {} {}, got type {}",
+                fmt::format("Type mismatch: expected type {} for {} {}, got type {}",
                         type_str, value_name, name, it->name));
     }
+    // We assume this function is called just for key types (S, B, N), and
+    // all of those always have a string value in the JSON.
+    if (!it->value.IsString()) {
+        throw api_error::validation(
+            fmt::format("Malformed value object for {} {}: {}",
+                    value_name, name, key_typed_value));
+
+    }
     return it->value;
 }
 
@@ -395,16 +402,16 @@ position_in_partition pos_from_json(const rjson::value& item, schema_ptr schema)
 
 big_decimal unwrap_number(const rjson::value& v, std::string_view diagnostic) {
     if (!v.IsObject() || v.MemberCount() != 1) {
-        throw api_error::validation(format("{}: invalid number object", diagnostic));
+        throw api_error::validation(fmt::format("{}: invalid number object", diagnostic));
     }
     auto it = v.MemberBegin();
     if (it->name != "N") {
-        throw api_error::validation(format("{}: expected number, found type '{}'", diagnostic, it->name));
+        throw api_error::validation(fmt::format("{}: expected number, found type '{}'", diagnostic, it->name));
     }
     if (!it->value.IsString()) {
         // We shouldn't reach here. Callers normally validate their input
         // earlier with validate_value().
-        throw api_error::validation(format("{}: improperly formatted number constant", diagnostic));
+        throw api_error::validation(fmt::format("{}: improperly formatted number constant", diagnostic));
     }
     big_decimal ret = parse_and_validate_number(rjson::to_string_view(it->value));
     return ret;
@@ -485,7 +492,7 @@ rjson::value set_sum(const rjson::value& v1, const rjson::value& v2) {
     auto [set1_type, set1] = unwrap_set(v1);
     auto [set2_type, set2] = unwrap_set(v2);
     if (set1_type != set2_type) {
-        throw api_error::validation(format("Mismatched set types: {} and {}", set1_type, set2_type));
+        throw api_error::validation(fmt::format("Mismatched set types: {} and {}", set1_type, set2_type));
     }
     if (!set1 || !set2) {
         throw api_error::validation("UpdateExpression: ADD operation for sets must be given sets as arguments");
@@ -513,7 +520,7 @@ std::optional<rjson::value> set_diff(const rjson::value& v1, const rjson::value&
     auto [set1_type, set1] = unwrap_set(v1);
     auto [set2_type, set2] = unwrap_set(v2);
     if (set1_type != set2_type) {
-        throw api_error::validation(format("Set DELETE type mismatch: {} and {}", set1_type, set2_type));
+        throw api_error::validation(fmt::format("Set DELETE type mismatch: {} and {}", set1_type, set2_type));
     }
     if (!set1 || !set2) {
         throw api_error::validation("UpdateExpression: DELETE operation can only be performed on a set");

alternator/server.cc

@@ -7,7 +7,8 @@
  */
 
 #include "alternator/server.hh"
-#include "log.hh"
+#include "gms/application_state.hh"
+#include "utils/log.hh"
 #include <fmt/ranges.h>
 #include <seastar/http/function_handlers.hh>
 #include <seastar/http/short_streams.hh>
@@ -17,7 +18,10 @@
 #include <seastar/util/short_streams.hh>
 #include "seastarx.hh"
 #include "error.hh"
+#include "service/client_state.hh"
 #include "service/qos/service_level_controller.hh"
+#include "utils/assert.hh"
+#include "timeout_config.hh"
 #include "utils/rjson.hh"
 #include "auth.hh"
 #include <cctype>
@@ -208,10 +212,32 @@ protected:
         // using _gossiper().get_live_members(). But getting
         // just the list of live nodes in this DC needs more elaborate code:
         auto& topology = _proxy.get_token_metadata_ptr()->get_topology();
-        sstring local_dc = topology.get_datacenter();
-        std::unordered_set<gms::inet_address> local_dc_nodes = topology.get_datacenter_endpoints().at(local_dc);
+        // /localnodes lists nodes in a single DC. By default the DC of this
+        // server is used, but it can be overridden by a "dc" query option.
+        // If the DC does not exist, we return an empty list - not an error.
+        sstring query_dc = req->get_query_param("dc");
+        sstring local_dc = query_dc.empty() ? topology.get_datacenter() : query_dc;
+        std::unordered_set<gms::inet_address> local_dc_nodes;
+        const auto& endpoints = topology.get_datacenter_endpoints();
+        auto dc_it = endpoints.find(local_dc);
+        if (dc_it != endpoints.end()) {
+            local_dc_nodes = dc_it->second;
+        }
+        // By default, /localnodes lists the nodes of all racks in the given
+        // DC, unless a single rack is selected by the "rack" query option.
+        // If the rack does not exist, we return an empty list - not an error.
+        sstring query_rack = req->get_query_param("rack");
         for (auto& ip : local_dc_nodes) {
-            if (_gossiper.is_alive(ip)) {
+            if (!query_rack.empty()) {
+                auto rack = _gossiper.get_application_state_value(ip, gms::application_state::RACK);
+                if (rack != query_rack) {
+                    continue;
+                }
+            }
+            // Note that it's not enough for the node to be is_alive() - a
+            // node joining the cluster is also "alive" but not responsive to
+            // requests. We need the node to be in normal state. See #19694.
+            if (_gossiper.is_normal(ip)) {
                 // Use the gossiped broadcast_rpc_address if available instead
                 // of the internal IP address "ip". See discussion in #18711.
                 rjson::push_back(results, rjson::from_string(_gossiper.get_rpc_address(ip)));
@@ -257,7 +283,7 @@ future<std::string> server::verify_signature(const request& req, const chunked_c
     std::string_view authorization_header = authorization_it->second;
     auto pos = authorization_header.find_first_of(' ');
     if (pos == std::string_view::npos || authorization_header.substr(0, pos) != "AWS4-HMAC-SHA256") {
-        throw api_error::invalid_signature(format("Authorization header must use AWS4-HMAC-SHA256 algorithm: {}", authorization_header));
+        throw api_error::invalid_signature(fmt::format("Authorization header must use AWS4-HMAC-SHA256 algorithm: {}", authorization_header));
     }
     authorization_header.remove_prefix(pos+1);
     std::string credential;
@@ -292,7 +318,7 @@ future<std::string> server::verify_signature(const request& req, const chunked_c
 
     std::vector<std::string_view> credential_split = split(credential, '/');
     if (credential_split.size() != 5) {
-        throw api_error::validation(format("Incorrect credential information format: {}", credential));
+        throw api_error::validation(fmt::format("Incorrect credential information format: {}", credential));
     }
     std::string user(credential_split[0]);
     std::string datestamp(credential_split[1]);
@@ -377,7 +403,7 @@ static tracing::trace_state_ptr maybe_trace_query(service::client_state& client_
         std::string buf;
         tracing::add_session_param(trace_state, "alternator_op", op);
         tracing::add_query(trace_state, truncated_content_view(query, buf));
-        tracing::begin(trace_state, format("Alternator {}", op), client_state.get_client_address());
+        tracing::begin(trace_state, seastar::format("Alternator {}", op), client_state.get_client_address());
         if (!username.empty()) {
             tracing::set_username(trace_state, auth::authenticated_user(username));
         }
@@ -402,7 +428,7 @@ future<executor::request_return_type> server::handle_api_request(std::unique_ptr
         ++_executor._stats.requests_blocked_memory;
     }
     auto units = co_await std::move(units_fut);
-    assert(req->content_stream);
+    SCYLLA_ASSERT(req->content_stream);
     chunked_content content = co_await util::read_entire_stream(*req->content_stream);
     auto username = co_await verify_signature(*req, content);
 
@@ -413,7 +439,7 @@ future<executor::request_return_type> server::handle_api_request(std::unique_ptr
     auto callback_it = _callbacks.find(op);
     if (callback_it == _callbacks.end()) {
         _executor._stats.unsupported_operations++;
-        co_return api_error::unknown_operation(format("Unsupported operation {}", op));
+        co_return api_error::unknown_operation(fmt::format("Unsupported operation {}", op));
     }
     if (_pending_requests.get_count() >= _max_concurrent_requests) {
         _executor._stats.requests_shed++;
@@ -421,11 +447,11 @@ future<executor::request_return_type> server::handle_api_request(std::unique_ptr
     }
     _pending_requests.enter();
     auto leave = defer([this] () noexcept { _pending_requests.leave(); });
-    //FIXME: Client state can provide more context, e.g. client's endpoint address
-    // We use unique_ptr because client_state cannot be moved or copied
-    executor::client_state client_state = username.empty()
-        ? service::client_state{service::client_state::internal_tag()}
-        : service::client_state{service::client_state::internal_tag(), _auth_service, _sl_controller, username};
+    executor::client_state client_state(service::client_state::external_tag(),
+        _auth_service, &_sl_controller, _timeout_config.current_values(), req->get_client_address());
+    if (!username.empty()) {
+        client_state.set_login(auth::authenticated_user(username));
+    }
     co_await client_state.maybe_update_per_service_level_params();
 
     tracing::trace_state_ptr trace_state = maybe_trace_query(client_state, username, op, content);
@@ -472,6 +498,7 @@ server::server(executor& exec, service::storage_proxy& proxy, gms::gossiper& gos
         , _enforce_authorization(false)
         , _enabled_servers{}
         , _pending_requests{}
+        , _timeout_config(_proxy.data_dictionary().get_config())
       , _callbacks{
         {"CreateTable", [] (executor& e, executor::client_state& client_state, tracing::trace_state_ptr trace_state, service_permit permit, rjson::value json_request, std::unique_ptr<request> req) {
             return e.create_table(client_state, std::move(trace_state), std::move(permit), std::move(json_request));
@@ -549,9 +576,9 @@ server::server(executor& exec, service::storage_proxy& proxy, gms::gossiper& gos
 }
 
 future<> server::init(net::inet_address addr, std::optional<uint16_t> port, std::optional<uint16_t> https_port, std::optional<tls::credentials_builder> creds,
-        bool enforce_authorization, semaphore* memory_limiter, utils::updateable_value<uint32_t> max_concurrent_requests) {
+        utils::updateable_value<bool> enforce_authorization, semaphore* memory_limiter, utils::updateable_value<uint32_t> max_concurrent_requests) {
     _memory_limiter = memory_limiter;
-    _enforce_authorization = enforce_authorization;
+    _enforce_authorization = std::move(enforce_authorization);
     _max_concurrent_requests = std::move(max_concurrent_requests);
     if (!port && !https_port) {
         return make_exception_future<>(std::runtime_error("Either regular port or TLS port"
@@ -636,7 +663,7 @@ future<> server::json_parser::stop() {
 
 const char* api_error::what() const noexcept {
     if (_what_string.empty()) {
-        _what_string = format("{} {}: {}", std::to_underlying(_http_code), _type, _msg);
+        _what_string = fmt::format("{} {}: {}", std::to_underlying(_http_code), _type, _msg);
     }
     return _what_string.c_str();
 }

alternator/server.hh

@@ -39,9 +39,14 @@ class server {
     qos::service_level_controller& _sl_controller;
 
     key_cache _key_cache;
-    bool _enforce_authorization;
+    utils::updateable_value<bool> _enforce_authorization;
     utils::small_vector<std::reference_wrapper<seastar::httpd::http_server>, 2> _enabled_servers;
     gate _pending_requests;
+    // In some places we will need a CQL updateable_timeout_config object even
+    // though it isn't really relevant for Alternator which defines its own
+    // timeouts separately. We can create this object only once.
+    updateable_timeout_config _timeout_config;
+
     alternator_callbacks_map _callbacks;
 
     semaphore* _memory_limiter;
@@ -71,7 +76,7 @@ public:
     server(executor& executor, service::storage_proxy& proxy, gms::gossiper& gossiper, auth::service& service, qos::service_level_controller& sl_controller);
 
     future<> init(net::inet_address addr, std::optional<uint16_t> port, std::optional<uint16_t> https_port, std::optional<tls::credentials_builder> creds,
-            bool enforce_authorization, semaphore* memory_limiter, utils::updateable_value<uint32_t> max_concurrent_requests);
+            utils::updateable_value<bool> enforce_authorization, semaphore* memory_limiter, utils::updateable_value<uint32_t> max_concurrent_requests);
     future<> stop();
 private:
     void set_routes(seastar::httpd::routes& r);

alternator/stats.cc

@@ -67,6 +67,8 @@ stats::stats() : api_operations{} {
             OPERATION_LATENCY(get_item_latency, "GetItem")
             OPERATION_LATENCY(delete_item_latency, "DeleteItem")
             OPERATION_LATENCY(update_item_latency, "UpdateItem")
+            OPERATION_LATENCY(batch_write_item_latency, "BatchWriteItem")
+            OPERATION_LATENCY(batch_get_item_latency, "BatchGetItem")
             OPERATION(list_streams, "ListStreams")
             OPERATION(describe_stream, "DescribeStream")
             OPERATION(get_shard_iterator, "GetShardIterator")
@@ -94,6 +96,10 @@ stats::stats() : api_operations{} {
                     seastar::metrics::description("number of rows read and matched during filtering operations")),
             seastar::metrics::make_total_operations("filtered_rows_dropped_total", [this] { return cql_stats.filtered_rows_read_total - cql_stats.filtered_rows_matched_total; },
                     seastar::metrics::description("number of rows read and dropped during filtering operations")),
+                    seastar::metrics::make_counter("batch_item_count", seastar::metrics::description("The total number of items processed across all batches"),{op("BatchWriteItem")},
+                            api_operations.batch_write_item_batch_total).set_skip_when_empty(),
+                    seastar::metrics::make_counter("batch_item_count", seastar::metrics::description("The total number of items processed across all batches"),{op("BatchGetItem")},
+                            api_operations.batch_get_item_batch_total).set_skip_when_empty(),
     });
 }
 

alternator/stats.hh

@@ -26,6 +26,8 @@ public:
     struct {
         uint64_t batch_get_item = 0;
         uint64_t batch_write_item = 0;
+        uint64_t batch_get_item_batch_total = 0;
+        uint64_t batch_write_item_batch_total = 0;
         uint64_t create_backup = 0;
         uint64_t create_global_table = 0;
         uint64_t create_table = 0;
@@ -69,6 +71,8 @@ public:
         utils::timed_rate_moving_average_summary_and_histogram get_item_latency;
         utils::timed_rate_moving_average_summary_and_histogram delete_item_latency;
         utils::timed_rate_moving_average_summary_and_histogram update_item_latency;
+        utils::timed_rate_moving_average_summary_and_histogram batch_write_item_latency;
+        utils::timed_rate_moving_average_summary_and_histogram batch_get_item_latency;
         utils::timed_rate_moving_average_summary_and_histogram get_records_latency;
     } api_operations;
     // Miscellaneous event counters

alternator/streams.cc

@@ -13,6 +13,7 @@
 
 #include <seastar/json/formatter.hh>
 
+#include "auth/permission.hh"
 #include "db/config.hh"
 
 #include "cdc/log.hh"
@@ -818,11 +819,13 @@ future<executor::request_return_type> executor::get_records(client_state& client
     }
 
     if (!schema || !base || !is_alternator_keyspace(schema->ks_name())) {
-        throw api_error::resource_not_found(fmt::to_string(iter.table));
+        co_return api_error::resource_not_found(fmt::to_string(iter.table));
     }
 
     tracing::add_table_name(trace_state, schema->ks_name(), schema->cf_name());
 
+    co_await verify_permission(_enforce_authorization, client_state, schema, auth::permission::SELECT);
+
     db::consistency_level cl = db::consistency_level::LOCAL_QUORUM;
     partition_key pk = iter.shard.id.to_partition_key(*schema);
 
@@ -841,19 +844,21 @@ future<executor::request_return_type> executor::get_records(client_state& client
     static const bytes op_column_name = cdc::log_meta_column_name_bytes("operation");
     static const bytes eor_column_name = cdc::log_meta_column_name_bytes("end_of_batch");
 
-    std::optional<attrs_to_get> key_names = boost::copy_range<attrs_to_get>(
-        boost::range::join(std::move(base->partition_key_columns()), std::move(base->clustering_key_columns()))
-        | boost::adaptors::transformed([&] (const column_definition& cdef) {
+    std::optional<attrs_to_get> key_names =
+        base->primary_key_columns()
+        | std::views::transform([&] (const column_definition& cdef) {
             return std::make_pair<std::string, attrs_to_get_node>(cdef.name_as_text(), {}); })
-    );
+        | std::ranges::to<attrs_to_get>()
+    ;
     // Include all base table columns as values (in case pre or post is enabled).
     // This will include attributes not stored in the frozen map column
-    std::optional<attrs_to_get> attr_names = boost::copy_range<attrs_to_get>(base->regular_columns()
+    std::optional<attrs_to_get> attr_names = base->regular_columns()
         // this will include the :attrs column, which we will also force evaluating. 
         // But not having this set empty forces out any cdc columns from actual result 
-        | boost::adaptors::transformed([] (const column_definition& cdef) {
+        | std::views::transform([] (const column_definition& cdef) {
             return std::make_pair<std::string, attrs_to_get_node>(cdef.name_as_text(), {}); })
-    );
+        | std::ranges::to<attrs_to_get>()
+    ;
 
     std::vector<const column_definition*> columns;
     columns.reserve(schema->all_columns().size());
@@ -864,10 +869,11 @@ future<executor::request_return_type> executor::get_records(client_state& client
     std::transform(pks.begin(), pks.end(), std::back_inserter(columns), [](auto& c) { return &c; });
     std::transform(cks.begin(), cks.end(), std::back_inserter(columns), [](auto& c) { return &c; });
 
-    auto regular_columns = boost::copy_range<query::column_id_vector>(schema->regular_columns() 
-        | boost::adaptors::filtered([](const column_definition& cdef) { return cdef.name() == op_column_name || cdef.name() == eor_column_name || !cdc::is_cdc_metacolumn_name(cdef.name_as_text()); })
-        | boost::adaptors::transformed([&] (const column_definition& cdef) { columns.emplace_back(&cdef); return cdef.id; })
-    );
+    auto regular_columns = schema->regular_columns()
+        | std::views::filter([](const column_definition& cdef) { return cdef.name() == op_column_name || cdef.name() == eor_column_name || !cdc::is_cdc_metacolumn_name(cdef.name_as_text()); })
+        | std::views::transform([&] (const column_definition& cdef) { columns.emplace_back(&cdef); return cdef.id; })
+        | std::ranges::to<query::column_id_vector>()
+    ;
 
     stream_view_type type = cdc_options_to_steam_view_type(base->cdc_options());
 
@@ -887,7 +893,7 @@ future<executor::request_return_type> executor::get_records(client_state& client
     auto command = ::make_lw_shared<query::read_command>(schema->id(), schema->version(), partition_slice, _proxy.get_max_result_size(partition_slice),
             query::tombstone_limit(_proxy.get_tombstone_limit()), query::row_limit(limit * mul));
 
-    return _proxy.query(schema, std::move(command), std::move(partition_ranges), cl, service::storage_proxy::coordinator_query_options(default_timeout(), std::move(permit), client_state)).then(
+    co_return co_await _proxy.query(schema, std::move(command), std::move(partition_ranges), cl, service::storage_proxy::coordinator_query_options(default_timeout(), std::move(permit), client_state)).then(
             [this, schema, partition_slice = std::move(partition_slice), selection = std::move(selection), start_time = std::move(start_time), limit, key_names = std::move(key_names), attr_names = std::move(attr_names), type, iter, high_ts] (service::storage_proxy::coordinator_query_result qr) mutable {       
         cql3::selection::result_set_builder builder(*selection, gc_clock::now());
         query::result_view::consume(*qr.query_result, partition_slice, cql3::selection::result_set_builder::visitor(builder, *schema, *selection));

alternator/ttl.cc

@@ -23,9 +23,10 @@
 #include "gms/inet_address.hh"
 #include "inet_address_vectors.hh"
 #include "locator/abstract_replication_strategy.hh"
-#include "log.hh"
+#include "utils/log.hh"
 #include "gc_clock.hh"
 #include "replica/database.hh"
+#include "service/client_state.hh"
 #include "service_permit.hh"
 #include "timestamp.hh"
 #include "service/storage_proxy.hh"
@@ -35,6 +36,7 @@
 #include "mutation/mutation.hh"
 #include "types/types.hh"
 #include "types/map.hh"
+#include "utils/assert.hh"
 #include "utils/rjson.hh"
 #include "utils/big_decimal.hh"
 #include "cql3/selection/selection.hh"
@@ -97,6 +99,7 @@ future<executor::request_return_type> executor::update_time_to_live(client_state
     }
     sstring attribute_name(v->GetString(), v->GetStringLength());
 
+    co_await verify_permission(_enforce_authorization, client_state, schema, auth::permission::ALTER);
     co_await db::modify_tags(_mm, schema->ks_name(), schema->cf_name(), [&](std::map<sstring, sstring>& tags_map) {
         if (enabled) {
             if (tags_map.contains(TTL_TAG_KEY)) {
@@ -312,7 +315,7 @@ static size_t random_offset(size_t min, size_t max) {
 // this range's primary node is down. For this we need to return not just
 // a list of this node's secondary ranges - but also the primary owner of
 // each of those ranges.
-static std::vector<std::pair<dht::token_range, gms::inet_address>> get_secondary_ranges(
+static future<std::vector<std::pair<dht::token_range, gms::inet_address>>> get_secondary_ranges(
         const locator::effective_replication_map_ptr& erm,
         gms::inet_address ep) {
     const auto& tm = *erm->get_token_metadata_ptr();
@@ -323,6 +326,7 @@ static std::vector<std::pair<dht::token_range, gms::inet_address>> get_secondary
     }
     auto prev_tok = sorted_tokens.back();
     for (const auto& tok : sorted_tokens) {
+        co_await coroutine::maybe_yield();
         inet_address_vector_replica_set eps = erm->get_natural_endpoints(tok);
         if (eps.size() <= 1 || eps[1] != ep) {
             prev_tok = tok;
@@ -350,7 +354,7 @@ static std::vector<std::pair<dht::token_range, gms::inet_address>> get_secondary
         }
         prev_tok = tok;
     }
-    return ret;
+    co_return ret;
 }
 
 
@@ -386,63 +390,63 @@ static std::vector<std::pair<dht::token_range, gms::inet_address>> get_secondary
 //
 // FIXME: Check if this algorithm is safe with tablet migration.
 // https://github.com/scylladb/scylladb/issues/16567
-enum primary_or_secondary_t {primary, secondary};
-template<primary_or_secondary_t primary_or_secondary>
-class token_ranges_owned_by_this_shard {
-    // ranges_holder_primary holds just the primary ranges themselves
-    class ranges_holder_primary {
-        const dht::token_range_vector _token_ranges;
-     public:
-        ranges_holder_primary(const locator::vnode_effective_replication_map_ptr& erm, gms::gossiper& g, gms::inet_address ep)
-            : _token_ranges(erm->get_primary_ranges(ep)) {}
-        std::size_t size() const { return _token_ranges.size(); }
-        const dht::token_range& operator[](std::size_t i) const {
-            return _token_ranges[i];
-        }
-        bool should_skip(std::size_t i) const {
-            return false;
-        }
-    };
-    // ranges_holder<secondary> holds the secondary token ranges plus each
-    // range's primary owner, needed to implement should_skip().
-    class ranges_holder_secondary {
-        std::vector<std::pair<dht::token_range, gms::inet_address>> _token_ranges;
-        gms::gossiper& _gossiper;
-     public:
-        ranges_holder_secondary(const locator::effective_replication_map_ptr& erm, gms::gossiper& g, gms::inet_address ep)
-            : _token_ranges(get_secondary_ranges(erm, ep))
-            , _gossiper(g) {}
-        std::size_t size() const { return _token_ranges.size(); }
-        const dht::token_range& operator[](std::size_t i) const {
-            return _token_ranges[i].first;
-        }
-        // range i should be skipped if its primary owner is alive.
-        bool should_skip(std::size_t i) const {
-            return _gossiper.is_alive(_token_ranges[i].second);
-        }
-    };
 
+// ranges_holder_primary holds just the primary ranges themselves
+class ranges_holder_primary {
+    dht::token_range_vector _token_ranges;
+public:
+    explicit ranges_holder_primary(dht::token_range_vector token_ranges) : _token_ranges(std::move(token_ranges)) {}
+    static future<ranges_holder_primary> make(const locator::vnode_effective_replication_map_ptr& erm, gms::inet_address ep) {
+        co_return ranges_holder_primary(co_await erm->get_primary_ranges(ep));
+    }
+    std::size_t size() const { return _token_ranges.size(); }
+    const dht::token_range& operator[](std::size_t i) const {
+        return _token_ranges[i];
+    }
+    bool should_skip(std::size_t i) const {
+        return false;
+    }
+};
+// ranges_holder<secondary> holds the secondary token ranges plus each
+// range's primary owner, needed to implement should_skip().
+class ranges_holder_secondary {
+    std::vector<std::pair<dht::token_range, gms::inet_address>> _token_ranges;
+    const gms::gossiper& _gossiper;
+public:
+    explicit ranges_holder_secondary(std::vector<std::pair<dht::token_range, gms::inet_address>> token_ranges, const gms::gossiper& g)
+        : _token_ranges(std::move(token_ranges))
+        , _gossiper(g) {}
+    static future<ranges_holder_secondary> make(const locator::effective_replication_map_ptr& erm, gms::inet_address ep, const gms::gossiper& g) {
+        co_return ranges_holder_secondary(co_await get_secondary_ranges(erm, ep), g);
+    }
+    std::size_t size() const { return _token_ranges.size(); }
+    const dht::token_range& operator[](std::size_t i) const {
+        return _token_ranges[i].first;
+    }
+    // range i should be skipped if its primary owner is alive.
+    bool should_skip(std::size_t i) const {
+        return _gossiper.is_alive(_token_ranges[i].second);
+    }
+};
+
+template<class primary_or_secondary_t>
+class token_ranges_owned_by_this_shard {
     schema_ptr _s;
     locator::effective_replication_map_ptr _erm;
     // _token_ranges will contain a list of token ranges owned by this node.
     // We'll further need to split each such range to the pieces owned by
     // the current shard, using _intersecter.
-    using ranges_holder = std::conditional_t<
-            primary_or_secondary == primary_or_secondary_t::primary,
-            ranges_holder_primary,
-            ranges_holder_secondary>;
-    const ranges_holder _token_ranges;
+    const primary_or_secondary_t _token_ranges;
     // NOTICE: _range_idx is used modulo _token_ranges size when accessing
     // the data to ensure that it doesn't go out of bounds
     size_t _range_idx;
     size_t _end_idx;
     std::optional<dht::selective_token_range_sharder> _intersecter;
 public:
-    token_ranges_owned_by_this_shard(replica::database& db, gms::gossiper& g, schema_ptr s)
+    token_ranges_owned_by_this_shard(schema_ptr s, primary_or_secondary_t token_ranges)
         :  _s(s)
         , _erm(s->table().get_effective_replication_map())
-        , _token_ranges(db.find_keyspace(s->ks_name()).get_vnode_effective_replication_map(),
-                g, _erm->get_topology().my_address())
+        , _token_ranges(std::move(token_ranges))
         , _range_idx(random_offset(0, _token_ranges.size() - 1))
         , _end_idx(_range_idx + _token_ranges.size())
     {
@@ -498,6 +502,7 @@ struct scan_ranges_context {
     bytes column_name;
     std::optional<std::string> member;
 
+    service::client_state internal_client_state;
     ::shared_ptr<cql3::selection::selection> selection;
     std::unique_ptr<service::query_state> query_state_ptr;
     std::unique_ptr<cql3::query_options> query_options;
@@ -507,6 +512,7 @@ struct scan_ranges_context {
         : s(s)
         , column_name(column_name)
         , member(member)
+        , internal_client_state(service::client_state::internal_tag())
     {
         // FIXME: don't read the entire items - read only parts of it.
         // We must read the key columns (to be able to delete) and also
@@ -515,8 +521,9 @@ struct scan_ranges_context {
         // be good if we can read only the single item of the map - it
         // should be possible (and a must for issue #7751!).
         lw_shared_ptr<service::pager::paging_state> paging_state = nullptr;
-        auto regular_columns = boost::copy_range<query::column_id_vector>(
-            s->regular_columns() | boost::adaptors::transformed([] (const column_definition& cdef) { return cdef.id; }));
+        auto regular_columns =
+            s->regular_columns() | std::views::transform([] (const column_definition& cdef) { return cdef.id; })
+            | std::ranges::to<query::column_id_vector>();
         selection = cql3::selection::selection::wildcard(s);
         query::partition_slice::option_set opts = selection->get_query_options();
         opts.set<query::partition_slice::option::allow_short_read>();
@@ -525,10 +532,9 @@ struct scan_ranges_context {
         std::vector<query::clustering_range> ck_bounds{query::clustering_range::make_open_ended_both_sides()};
         auto partition_slice = query::partition_slice(std::move(ck_bounds), {}, std::move(regular_columns), opts);
         command = ::make_lw_shared<query::read_command>(s->id(), s->version(), partition_slice, proxy.get_max_result_size(partition_slice), query::tombstone_limit(proxy.get_tombstone_limit()));
-        executor::client_state client_state{executor::client_state::internal_tag()};
         tracing::trace_state_ptr trace_state;
         // NOTICE: empty_service_permit is used because the TTL service has fixed parallelism
-        query_state_ptr = std::make_unique<service::query_state>(client_state, trace_state, empty_service_permit());
+        query_state_ptr = std::make_unique<service::query_state>(internal_client_state, trace_state, empty_service_permit());
         // FIXME: What should we do on multi-DC? Will we run the expiration on the same ranges on all
         // DCs or only once for each range? If the latter, we need to change the CLs in the
         // scanner and deleter.
@@ -551,7 +557,7 @@ static future<> scan_table_ranges(
         expiration_service::stats& expiration_stats)
 {
     const schema_ptr& s = scan_ctx.s;
-    assert (partition_ranges.size() == 1); // otherwise issue #9167 will cause incorrect results.
+    SCYLLA_ASSERT (partition_ranges.size() == 1); // otherwise issue #9167 will cause incorrect results.
     auto p = service::pager::query_pagers::pager(proxy, s, scan_ctx.selection, *scan_ctx.query_state_ptr,
             *scan_ctx.query_options, scan_ctx.command, std::move(partition_ranges), nullptr);
     while (!p->is_exhausted()) {
@@ -724,7 +730,9 @@ static future<bool> scan_table(
     expiration_stats.scan_table++;
     // FIXME: need to pace the scan, not do it all at once.
     scan_ranges_context scan_ctx{s, proxy, std::move(column_name), std::move(member)};
-    token_ranges_owned_by_this_shard<primary> my_ranges(db.real_database(), gossiper, s);
+    auto erm = db.real_database().find_keyspace(s->ks_name()).get_vnode_effective_replication_map();
+    auto my_address = erm->get_topology().my_address();
+    token_ranges_owned_by_this_shard my_ranges(s, co_await ranges_holder_primary::make(erm, my_address));
     while (std::optional<dht::partition_range> range = my_ranges.next_partition_range()) {
         // Note that because of issue #9167 we need to run a separate
         // query on each partition range, and can't pass several of
@@ -744,7 +752,7 @@ static future<bool> scan_table(
     // by tasking another node to take over scanning of the dead node's primary
     // ranges. What we do here is that this node will also check expiration
     // on its *secondary* ranges - but only those whose primary owner is down.
-    token_ranges_owned_by_this_shard<secondary> my_secondary_ranges(db.real_database(), gossiper, s);
+    token_ranges_owned_by_this_shard my_secondary_ranges(s, co_await ranges_holder_secondary::make(erm, my_address, gossiper));
     while (std::optional<dht::partition_range> range = my_secondary_ranges.next_partition_range()) {
         expiration_stats.secondary_ranges_scanned++;
         dht::partition_range_vector partition_ranges;

api/CMakeLists.txt

@@ -1,4 +1,29 @@
 # Generate C++ sources from Swagger definitions
+
+function(generate_swagger)
+  set(one_value_args TARGET VAR IN_FILE OUT_DIR)
+  cmake_parse_arguments(args "" "${one_value_args}" "" ${ARGN})
+  get_filename_component(in_file_name ${args_IN_FILE} NAME)
+  set(generator ${PROJECT_SOURCE_DIR}/seastar/scripts/seastar-json2code.py)
+  set(header_out ${args_OUT_DIR}/${in_file_name}.hh)
+  set(source_out ${args_OUT_DIR}/${in_file_name}.cc)
+
+  add_custom_command(
+    DEPENDS
+      ${args_IN_FILE}
+      ${generator}
+    OUTPUT ${header_out} ${source_out}
+    COMMAND ${CMAKE_COMMAND} -E make_directory ${args_OUT_DIR}
+    COMMAND ${generator} --create-cc -f ${args_IN_FILE} -o ${header_out})
+
+  add_custom_target(${args_TARGET}
+    DEPENDS
+      ${header_out}
+      ${source_out})
+
+  set(${args_VAR} ${header_out} ${source_out} PARENT_SCOPE)
+endfunction()
+
 set(swagger_files
   api-doc/authorization_cache.json
   api-doc/cache_service.json
@@ -7,6 +32,7 @@ set(swagger_files
   api-doc/commitlog.json
   api-doc/compaction_manager.json
   api-doc/config.json
+  api-doc/cql_server_test.json
   api-doc/endpoint_snitch_info.json
   api-doc/error_injection.json
   api-doc/failure_detector.json
@@ -28,7 +54,7 @@ set(swagger_files
 foreach(f ${swagger_files})
   get_filename_component(fname "${f}" NAME_WE)
   get_filename_component(dir "${f}" DIRECTORY)
-  seastar_generate_swagger(
+  generate_swagger(
     TARGET scylla_swagger_gen_${fname}
     VAR scylla_swagger_gen_${fname}_files
     IN_FILE "${CMAKE_CURRENT_SOURCE_DIR}/${f}"
@@ -36,7 +62,7 @@ foreach(f ${swagger_files})
   list(APPEND swagger_gen_files "${scylla_swagger_gen_${fname}_files}")
 endforeach()
 
-add_library(api)
+add_library(api STATIC)
 target_sources(api
   PRIVATE
     api.cc
@@ -46,6 +72,7 @@ target_sources(api
     commitlog.cc
     compaction_manager.cc
     config.cc
+    cql_server_test.cc
     endpoint_snitch.cc
     error_injection.cc
     authorization_cache.cc

api/api-doc/column_family.json

@@ -92,6 +92,14 @@
                      "type":"boolean",
                      "paramType":"query"
                   },
+                  {
+                     "name":"consider_only_existing_data",
+                     "description":"Set to \"true\" to flush all memtables and force tombstone garbage collection to check only the sstables being compacted (false by default). The memtable, commitlog and other uncompacted sstables will not be checked during tombstone garbage collection.",
+                     "required":false,
+                     "allowMultiple":false,
+                     "type":"boolean",
+                     "paramType":"query"
+                  },
                   {
                      "name":"split_output",
                      "description":"true if the output of the major compaction should be split in several sstables",

api/api-doc/cql_server_test.json

@@ -0,0 +1,26 @@
+{
+    "apiVersion":"0.0.1",
+    "swaggerVersion":"1.2",
+    "basePath":"{{Protocol}}://{{Host}}",
+    "resourcePath":"/cql_server_test",
+    "produces":[
+        "application/json"
+    ],
+    "apis":[
+        {
+            "path":"/cql_server_test/connections_params",
+            "operations":[
+                {
+                    "method":"GET",
+                    "summary":"Get service level params of each CQL connection",
+                    "type":"connections_service_level_params",
+                    "nickname":"connections_params",
+                    "produces":[
+                        "application/json"
+                    ],
+                    "parameters":[]
+                }
+            ]
+        }
+    ]
+}

api/api-doc/raft.json

@@ -94,6 +94,38 @@
                ]
             }
          ]
+      },
+      {
+         "path":"/raft/trigger_stepdown/",
+         "operations":[
+            {
+               "method":"POST",
+               "summary":"Triggers stepdown of a leader for given Raft group or group0 if not provided (returns an error if the node is not a leader)",
+               "type":"string",
+               "nickname":"trigger_stepdown",
+               "produces":[
+                  "application/json"
+               ],
+               "parameters":[
+                  {
+                     "name":"group_id",
+                     "description":"The ID of the group which leader should stepdown",
+                     "required":false,
+                     "allowMultiple":false,
+                     "type":"string",
+                     "paramType":"query"
+                  },
+                  {
+                     "name":"timeout",
+                     "description":"Timeout in seconds after which the endpoint returns a failure. If not provided, 60s is used.",
+                     "required":false,
+                     "allowMultiple":false,
+                     "type":"long",
+                     "paramType":"query"
+                  }
+               ]
+            }
+         ]
       }
    ]
 }

api/api-doc/storage_service.json

@@ -741,11 +741,151 @@
                      "allowMultiple":false,
                      "type":"boolean",
                      "paramType":"query"
+                  },
+                  {
+                     "name":"consider_only_existing_data",
+                     "description":"Set to \"true\" to flush all memtables and force tombstone garbage collection to check only the sstables being compacted (false by default). The memtable, commitlog and other uncompacted sstables will not be checked during tombstone garbage collection.",
+                     "required":false,
+                     "allowMultiple":false,
+                     "type":"boolean",
+                     "paramType":"query"
                   }
                ]
             }
          ]
       },
+      {
+          "path":"/storage_service/backup",
+          "operations":[
+              {
+                  "method":"POST",
+                  "summary":"Starts copying SSTables from a specified keyspace to a designated bucket in object storage",
+                  "type":"string",
+                  "nickname":"start_backup",
+                  "produces":[
+                      "application/json"
+                  ],
+                  "parameters":[
+                      {
+                          "name":"endpoint",
+                          "description":"ID of the configured object storage endpoint to copy sstables to",
+                          "required":true,
+                          "allowMultiple":false,
+                          "type":"string",
+                          "paramType":"query"
+                      },
+                      {
+                          "name":"bucket",
+                          "description":"Name of the bucket to backup sstables to",
+                          "required":true,
+                          "allowMultiple":false,
+                          "type":"string",
+                          "paramType":"query"
+                      },
+                      {
+                           "name":"prefix",
+                           "description":"The prefix of the objects for the backuped sstables",
+                           "required":true,
+                           "allowMultiple":false,
+                           "type":"string",
+                           "paramType":"query"
+                      },
+                      {
+                          "name":"keyspace",
+                          "description":"Name of a keyspace to copy sstables from",
+                          "required":true,
+                          "allowMultiple":false,
+                          "type":"string",
+                          "paramType":"query"
+                      },
+                      {
+                          "name":"table",
+                          "description":"Name of a table to copy sstables from",
+                          "required":true,
+                          "allowMultiple":false,
+                          "type":"string",
+                          "paramType":"query"
+                      },
+                      {
+                          "name":"snapshot",
+                          "description":"Name of a snapshot to copy sstables from",
+                          "required":false,
+                          "allowMultiple":false,
+                          "type":"string",
+                          "paramType":"query"
+                      }
+                  ]
+              }
+          ]
+      },
+      {
+          "path":"/storage_service/restore",
+          "operations":[
+              {
+                  "method":"POST",
+                  "summary":"Starts copying SSTables from a designated bucket in object storage to a specified keyspace",
+                  "type":"string",
+                  "nickname":"start_restore",
+                  "produces":[
+                      "application/json"
+                  ],
+                  "parameters":[
+                      {
+                          "name":"endpoint",
+                          "description":"ID of the configured object storage endpoint to copy SSTables from",
+                          "required":true,
+                          "allowMultiple":false,
+                          "type":"string",
+                          "paramType":"query"
+                      },
+                      {
+                          "name":"bucket",
+                          "description":"Name of the bucket to read SSTables from",
+                          "required":true,
+                          "allowMultiple":false,
+                          "type":"string",
+                          "paramType":"query"
+                      },
+                      {
+                          "name":"prefix",
+                          "description":"The prefix of the object keys for the backuped SSTables",
+                          "required":true,
+                          "allowMultiple":false,
+                          "type":"string",
+                          "paramType":"query"
+                      },
+                      {
+                          "in": "body",
+                          "name": "sstables",
+                          "description": "The list of the object keys of the TOC component of the SSTables to be restored",
+                          "required":true,
+                          "schema" :{
+                              "type": "array",
+                              "items": {
+                                  "type": "string"
+                              }
+                          }
+                      },
+                      {
+                          "name":"keyspace",
+                          "description":"Name of a keyspace to copy SSTables to",
+                          "required":true,
+                          "allowMultiple":false,
+                          "type":"string",
+                          "paramType":"query"
+                      },
+                      {
+                          "name":"table",
+                          "description":"Name of a table to copy SSTables to",
+                          "required":true,
+                          "allowMultiple":false,
+                          "type":"string",
+                          "paramType":"query"
+                      }
+                  ]
+              }
+          ]
+      },
       {
          "path":"/storage_service/keyspace_compaction/{keyspace}",
          "operations":[
@@ -781,6 +921,14 @@
                      "allowMultiple":false,
                      "type":"boolean",
                      "paramType":"query"
+                  },
+                  {
+                     "name":"consider_only_existing_data",
+                     "description":"Set to \"true\" to flush all memtables and force tombstone garbage collection to check only the sstables being compacted (false by default). The memtable, commitlog and other uncompacted sstables will not be checked during tombstone garbage collection.",
+                     "required":false,
+                     "allowMultiple":false,
+                     "type":"boolean",
+                     "paramType":"query"
                   }
                ]
             }
@@ -1891,6 +2039,14 @@
                      "allowMultiple":false,
                      "type":"string",
                      "paramType":"query"
+                  },
+                  {
+                     "name":"force",
+                     "description":"Enforce the source_dc option, even if it unsafe to use for rebuild",
+                     "required":false,
+                     "allowMultiple":false,
+                     "type":"boolean",
+                     "paramType":"query"
                   }
                ]
             }

api/api-doc/system.json

@@ -194,6 +194,21 @@
                "parameters":[]
             }
          ]
+      },
+      {
+         "path":"/system/highest_supported_sstable_version",
+         "operations":[
+            {
+               "method":"GET",
+               "summary":"Get highest supported sstable version",
+               "type":"string",
+               "nickname":"get_highest_supported_sstable_version",
+               "produces":[
+                  "application/json"
+               ],
+               "parameters":[]
+            }
+         ]
       }
    ]
 }

api/api-doc/task_manager.json

@@ -115,7 +115,7 @@
                "parameters":[
                   {
                      "name":"task_id",
-                     "description":"The uuid of a task to abort",
+                     "description":"The uuid of a task to abort; if the task is not abortable, 403 status code is returned",
                      "required":true,
                      "allowMultiple":false,
                      "type":"string",
@@ -144,6 +144,14 @@
                      "allowMultiple":false,
                      "type":"string",
                      "paramType":"path"
+                  },
+                  {
+                     "name":"timeout",
+                     "description":"Timeout for waiting; if times out, 408 status code is returned",
+                     "required":false,
+                     "allowMultiple":false,
+                     "type":"long",
+                     "paramType":"query"
                   }
                ]
             }
@@ -197,11 +205,36 @@
                      "paramType":"query"
                   }
                ]
+            },
+            {
+               "method":"GET",
+               "summary":"Get current ttl value",
+               "type":"long",
+               "nickname":"get_ttl",
+               "produces":[
+                  "application/json"
+               ],
+               "parameters":[
+               ]
             }
          ]
       }
    ],
    "models":{
+      "task_identity":{
+         "id": "task_identity",
+         "description":"Id and node of a task",
+         "properties":{
+            "task_id":{
+               "type":"string",
+               "description":"The uuid of a task"
+            },
+            "node":{
+               "type":"string",
+               "description":"Address of a server on which a task is created"
+            }
+         }
+      },
       "task_stats" :{
          "id": "task_stats",
          "description":"A task statistics object",
@@ -224,6 +257,14 @@
                "type":"string",
                "description":"The description of the task"
             },
+            "kind":{
+               "type":"string",
+               "enum":[
+                  "node",
+                  "cluster"
+               ],
+               "description":"The kind of a task"
+            },
             "scope":{
                "type":"string",
                "description":"The scope of the task"
@@ -258,6 +299,14 @@
                "type":"string",
                "description":"The description of the task"
             },
+            "kind":{
+               "type":"string",
+               "enum":[
+                  "node",
+                  "cluster"
+               ],
+               "description":"The kind of a task"
+            },
             "scope":{
                "type":"string",
                "description":"The scope of the task"
@@ -327,9 +376,9 @@
             "children_ids":{
                "type":"array",
                "items":{
-                  "type":"string"
+                  "type":"task_identity"
                },
-               "description":"Task IDs of children of this task"
+               "description":"Task identities of children of this task"
             }
          }
       }

api/api.cc

@@ -10,6 +10,7 @@
 #include <seastar/http/file_handler.hh>
 #include <seastar/http/transformers.hh>
 #include <seastar/http/api_docs.hh>
+#include "cql_server_test.hh"
 #include "storage_service.hh"
 #include "token_metadata.hh"
 #include "commitlog.hh"
@@ -73,6 +74,8 @@ future<> set_server_init(http_context& ctx) {
         set_error_injection(ctx, r);
         rb->register_function(r, "storage_proxy",
                 "The storage proxy API");
+        rb->register_function(r, "storage_service",
+                "The storage service API");
     });
 }
 
@@ -115,7 +118,7 @@ future<> unset_thrift_controller(http_context& ctx) {
 }
 
 future<> set_server_storage_service(http_context& ctx, sharded<service::storage_service>& ss, service::raft_group0_client& group0_client) {
-    return register_api(ctx, "storage_service", "The storage service API", [&ss, &group0_client] (http_context& ctx, routes& r) {
+    return ctx.http_server.set_routes([&ctx, &ss, &group0_client] (routes& r) {
             set_storage_service(ctx, r, ss, group0_client);
         });
 }
@@ -132,6 +135,14 @@ future<> unset_load_meter(http_context& ctx) {
     return ctx.http_server.set_routes([&ctx] (routes& r) { unset_load_meter(ctx, r); });
 }
 
+future<> set_format_selector(http_context& ctx, db::sstables_format_selector& sel) {
+    return ctx.http_server.set_routes([&ctx, &sel] (routes& r) { set_format_selector(ctx, r, sel); });
+}
+
+future<> unset_format_selector(http_context& ctx) {
+    return ctx.http_server.set_routes([&ctx] (routes& r) { unset_format_selector(ctx, r); });
+}
+
 future<> set_server_sstables_loader(http_context& ctx, sharded<sstables_loader>& sst_loader) {
     return ctx.http_server.set_routes([&ctx, &sst_loader] (routes& r) { set_sstables_loader(ctx, r, sst_loader); });
 }
@@ -256,6 +267,10 @@ future<> set_server_cache(http_context& ctx) {
             "The cache service API", set_cache_service);
 }
 
+future<> unset_server_cache(http_context& ctx) {
+    return ctx.http_server.set_routes([&ctx] (routes& r) { unset_cache_service(ctx, r); });
+}
+
 future<> set_hinted_handoff(http_context& ctx, sharded<service::storage_proxy>& proxy) {
     return register_api(ctx, "hinted_handoff",
                 "The hinted handoff API", [&proxy] (http_context& ctx, routes& r) {
@@ -267,16 +282,16 @@ future<> unset_hinted_handoff(http_context& ctx) {
     return ctx.http_server.set_routes([&ctx] (routes& r) { unset_hinted_handoff(ctx, r); });
 }
 
-future<> set_server_compaction_manager(http_context& ctx) {
-    auto rb = std::make_shared < api_registry_builder > (ctx.api_doc);
-
-    return ctx.http_server.set_routes([rb, &ctx](routes& r) {
-        rb->register_function(r, "compaction_manager",
-                "The Compaction manager API");
-        set_compaction_manager(ctx, r);
+future<> set_server_compaction_manager(http_context& ctx, sharded<compaction_manager>& cm) {
+    return register_api(ctx, "compaction_manager", "The Compaction manager API", [&cm] (http_context& ctx, routes& r) {
+        set_compaction_manager(ctx, r, cm);
     });
 }
 
+future<> unset_server_compaction_manager(http_context& ctx) {
+    return ctx.http_server.set_routes([&ctx] (routes& r) { unset_compaction_manager(ctx, r); });
+}
+
 future<> set_server_done(http_context& ctx) {
     auto rb = std::make_shared < api_registry_builder > (ctx.api_doc);
 
@@ -284,15 +299,22 @@ future<> set_server_done(http_context& ctx) {
         rb->register_function(r, "lsa", "Log-structured allocator API");
         set_lsa(ctx, r);
 
-        rb->register_function(r, "commitlog",
-                "The commit log API");
-        set_commitlog(ctx,r);
         rb->register_function(r, "collectd",
                 "The collectd API");
         set_collectd(ctx, r);
     });
 }
 
+future<> set_server_commitlog(http_context& ctx, sharded<replica::database>& db) {
+    return register_api(ctx, "commitlog", "The commit log API", [&db] (http_context& ctx, routes& r) {
+        set_commitlog(ctx, r, db);
+    });
+}
+
+future<> unset_server_commitlog(http_context& ctx) {
+    return ctx.http_server.set_routes([&ctx] (routes& r) { unset_commitlog(ctx, r); });
+}
+
 future<> set_server_task_manager(http_context& ctx, sharded<tasks::task_manager>& tm, lw_shared_ptr<db::config> cfg) {
     auto rb = std::make_shared < api_registry_builder > (ctx.api_doc);
 
@@ -323,6 +345,16 @@ future<> unset_server_task_manager_test(http_context& ctx) {
     return ctx.http_server.set_routes([&ctx] (routes& r) { unset_task_manager_test(ctx, r); });
 }
 
+future<> set_server_cql_server_test(http_context& ctx, cql_transport::controller& ctl) {
+    return register_api(ctx, "cql_server_test", "The CQL server test API", [&ctl] (http_context& ctx, routes& r) {
+        set_cql_server_test(ctx, r, ctl);
+    });
+}
+
+future<> unset_server_cql_server_test(http_context& ctx) {
+    return ctx.http_server.set_routes([&ctx] (routes& r) { unset_cql_server_test(ctx, r); });
+}
+
 #endif
 
 future<> set_server_tasks_compaction_module(http_context& ctx, sharded<service::storage_service>& ss, sharded<db::snapshot_ctl>& snap_ctl) {

api/api.hh

@@ -246,7 +246,7 @@ public:
                 value = T{boost::lexical_cast<Base>(param)};
             }
         } catch (boost::bad_lexical_cast&) {
-            throw httpd::bad_param_exception(format("{} ({}): type error - should be {}", name, param, boost::units::detail::demangle(typeid(Base).name())));
+            throw httpd::bad_param_exception(fmt::format("{} ({}): type error - should be {}", name, param, boost::units::detail::demangle(typeid(Base).name())));
         }
     }
 

api/api_init.hh

@@ -17,6 +17,8 @@
 using request = http::request;
 using reply = http::reply;
 
+class compaction_manager;
+
 namespace service {
 
 class load_meter;
@@ -49,6 +51,7 @@ namespace cql_transport { class controller; }
 namespace db {
 class snapshot_ctl;
 class config;
+class sstables_format_selector;
 namespace view {
 class view_builder;
 }
@@ -119,7 +122,9 @@ future<> unset_server_stream_manager(http_context& ctx);
 future<> set_hinted_handoff(http_context& ctx, sharded<service::storage_proxy>& p);
 future<> unset_hinted_handoff(http_context& ctx);
 future<> set_server_cache(http_context& ctx);
-future<> set_server_compaction_manager(http_context& ctx);
+future<> unset_server_cache(http_context& ctx);
+future<> set_server_compaction_manager(http_context& ctx, sharded<compaction_manager>& cm);
+future<> unset_server_compaction_manager(http_context& ctx);
 future<> set_server_done(http_context& ctx);
 future<> set_server_task_manager(http_context& ctx, sharded<tasks::task_manager>& tm, lw_shared_ptr<db::config> cfg);
 future<> unset_server_task_manager(http_context& ctx);
@@ -131,5 +136,11 @@ future<> set_server_raft(http_context&, sharded<service::raft_group_registry>&);
 future<> unset_server_raft(http_context&);
 future<> set_load_meter(http_context& ctx, service::load_meter& lm);
 future<> unset_load_meter(http_context& ctx);
+future<> set_format_selector(http_context& ctx, db::sstables_format_selector& sel);
+future<> unset_format_selector(http_context& ctx);
+future<> set_server_cql_server_test(http_context& ctx, cql_transport::controller& ctl);
+future<> unset_server_cql_server_test(http_context& ctx);
+future<> set_server_commitlog(http_context& ctx, sharded<replica::database>&);
+future<> unset_server_commitlog(http_context& ctx);
 
 }

api/cache_service.cc

@@ -320,5 +320,50 @@ void set_cache_service(http_context& ctx, routes& r) {
     });
 }
 
+void unset_cache_service(http_context& ctx, routes& r) {
+    cs::get_row_cache_save_period_in_seconds.unset(r);
+    cs::set_row_cache_save_period_in_seconds.unset(r);
+    cs::get_key_cache_save_period_in_seconds.unset(r);
+    cs::set_key_cache_save_period_in_seconds.unset(r);
+    cs::get_counter_cache_save_period_in_seconds.unset(r);
+    cs::set_counter_cache_save_period_in_seconds.unset(r);
+    cs::get_row_cache_keys_to_save.unset(r);
+    cs::set_row_cache_keys_to_save.unset(r);
+    cs::get_key_cache_keys_to_save.unset(r);
+    cs::set_key_cache_keys_to_save.unset(r);
+    cs::get_counter_cache_keys_to_save.unset(r);
+    cs::set_counter_cache_keys_to_save.unset(r);
+    cs::invalidate_key_cache.unset(r);
+    cs::invalidate_counter_cache.unset(r);
+    cs::set_row_cache_capacity_in_mb.unset(r);
+    cs::set_key_cache_capacity_in_mb.unset(r);
+    cs::set_counter_cache_capacity_in_mb.unset(r);
+    cs::save_caches.unset(r);
+    cs::get_key_capacity.unset(r);
+    cs::get_key_hits.unset(r);
+    cs::get_key_requests.unset(r);
+    cs::get_key_hit_rate.unset(r);
+    cs::get_key_hits_moving_avrage.unset(r);
+    cs::get_key_requests_moving_avrage.unset(r);
+    cs::get_key_size.unset(r);
+    cs::get_key_entries.unset(r);
+    cs::get_row_capacity.unset(r);
+    cs::get_row_hits.unset(r);
+    cs::get_row_requests.unset(r);
+    cs::get_row_hit_rate.unset(r);
+    cs::get_row_hits_moving_avrage.unset(r);
+    cs::get_row_requests_moving_avrage.unset(r);
+    cs::get_row_size.unset(r);
+    cs::get_row_entries.unset(r);
+    cs::get_counter_capacity.unset(r);
+    cs::get_counter_hits.unset(r);
+    cs::get_counter_requests.unset(r);
+    cs::get_counter_hit_rate.unset(r);
+    cs::get_counter_hits_moving_avrage.unset(r);
+    cs::get_counter_requests_moving_avrage.unset(r);
+    cs::get_counter_size.unset(r);
+    cs::get_counter_entries.unset(r);
+}
+
 }
 

api/cache_service.hh

@@ -16,5 +16,6 @@ namespace api {
 
 struct http_context;
 void set_cache_service(http_context& ctx, seastar::httpd::routes& r);
+void unset_cache_service(http_context& ctx, seastar::httpd::routes& r);
 
 }

api/collectd.cc

@@ -11,6 +11,7 @@
 #include <seastar/core/scollectd.hh>
 #include <seastar/core/scollectd_api.hh>
 #include <boost/range/irange.hpp>
+#include <ranges>
 #include <regex>
 #include "api/api_init.hh"
 
@@ -61,7 +62,7 @@ void set_collectd(http_context& ctx, routes& r) {
 
         return do_with(std::vector<cd::collectd_value>(), [id] (auto& vec) {
             vec.resize(smp::count);
-            return parallel_for_each(boost::irange(0u, smp::count), [&vec, id] (auto cpu) {
+            return parallel_for_each(std::views::iota(0u, smp::count), [&vec, id] (auto cpu) {
                 return smp::submit_to(cpu, [id = *id] {
                     return scollectd::get_collectd_value(id);
                 }).then([&vec, cpu] (auto res) {

api/column_family.cc

@@ -15,6 +15,7 @@
 #include <seastar/http/exception.hh>
 #include "sstables/sstables.hh"
 #include "sstables/metadata_collector.hh"
+#include "utils/assert.hh"
 #include "utils/estimated_histogram.hh"
 #include <algorithm>
 #include "db/system_keyspace.hh"
@@ -23,6 +24,8 @@
 #include "compaction/compaction_manager.hh"
 #include "unimplemented.hh"
 
+#include <boost/range/algorithm/copy.hpp>
+
 extern logging::logger apilog;
 
 namespace api {
@@ -60,14 +63,6 @@ table_id get_uuid(const sstring& name, const replica::database& db) {
     return get_uuid(ks, cf, db);
 }
 
-future<> foreach_column_family(http_context& ctx, const sstring& name, std::function<void(replica::column_family&)> f) {
-    auto uuid = get_uuid(name, ctx.db.local());
-
-    return ctx.db.invoke_on_all([f, uuid](replica::database& db) {
-        f(db.find_column_family(uuid));
-    });
-}
-
 future<json::json_return_type>  get_cf_stats(http_context& ctx, const sstring& name,
         int64_t replica::column_family_stats::*f) {
     return map_reduce_cf(ctx, name, int64_t(0), [f](const replica::column_family& cf) {
@@ -82,7 +77,7 @@ future<json::json_return_type>  get_cf_stats(http_context& ctx,
     }, std::plus<int64_t>());
 }
 
-static future<json::json_return_type> set_tables(http_context& ctx, const sstring& keyspace, std::vector<sstring> tables, std::function<future<>(replica::table&)> set) {
+static future<json::json_return_type> for_tables_on_all_shards(http_context& ctx, const sstring& keyspace, std::vector<sstring> tables, std::function<future<>(replica::table&)> set) {
     if (tables.empty()) {
         tables = map_keys(ctx.db.local().find_keyspace(keyspace).metadata().get()->cf_meta_data());
     }
@@ -103,7 +98,7 @@ class autocompaction_toggle_guard {
     replica::database& _db;
 public:
     autocompaction_toggle_guard(replica::database& db) : _db(db) {
-        assert(this_shard_id() == 0);
+        SCYLLA_ASSERT(this_shard_id() == 0);
         if (!_db._enable_autocompaction_toggle) {
             throw std::runtime_error("Autocompaction toggle is busy");
         }
@@ -112,7 +107,7 @@ public:
     autocompaction_toggle_guard(const autocompaction_toggle_guard&) = delete;
     autocompaction_toggle_guard(autocompaction_toggle_guard&&) = default;
     ~autocompaction_toggle_guard() {
-        assert(this_shard_id() == 0);
+        SCYLLA_ASSERT(this_shard_id() == 0);
         _db._enable_autocompaction_toggle = true;
     }
 };
@@ -122,7 +117,7 @@ static future<json::json_return_type> set_tables_autocompaction(http_context& ct
 
     return ctx.db.invoke_on(0, [&ctx, keyspace, tables = std::move(tables), enabled] (replica::database& db) {
         auto g = autocompaction_toggle_guard(db);
-        return set_tables(ctx, keyspace, tables, [enabled] (replica::table& cf) {
+        return for_tables_on_all_shards(ctx, keyspace, tables, [enabled] (replica::table& cf) {
             if (enabled) {
                 cf.enable_auto_compaction();
             } else {
@@ -135,7 +130,7 @@ static future<json::json_return_type> set_tables_autocompaction(http_context& ct
 
 static future<json::json_return_type> set_tables_tombstone_gc(http_context& ctx, const sstring &keyspace, std::vector<sstring> tables, bool enabled) {
     apilog.info("set_tables_tombstone_gc: enabled={} keyspace={} tables={}", enabled, keyspace, tables);
-    return set_tables(ctx, keyspace, std::move(tables), [enabled] (replica::table& t) {
+    return for_tables_on_all_shards(ctx, keyspace, std::move(tables), [enabled] (replica::table& t) {
         t.set_tombstone_gc_enabled(enabled);
         return make_ready_future<>();
     });
@@ -1055,12 +1050,12 @@ void set_column_family(http_context& ctx, routes& r, sharded<db::system_keyspace
     });
 
     cf::set_compaction_strategy_class.set(r, [&ctx](std::unique_ptr<http::request> req) {
+        auto [ks, cf] = parse_fully_qualified_cf_name(req->get_path_param("name"));
         sstring strategy = req->get_query_param("class_name");
         apilog.info("column_family/set_compaction_strategy_class: name={} strategy={}", req->get_path_param("name"), strategy);
-        return foreach_column_family(ctx, req->get_path_param("name"), [strategy](replica::column_family& cf) {
+        return for_tables_on_all_shards(ctx, ks, {std::move(cf)}, [strategy] (replica::table& cf) {
             cf.set_compaction_strategy(sstables::compaction_strategy::type(strategy));
-        }).then([] {
-                return make_ready_future<json::json_return_type>(json_void());
+            return make_ready_future<>();
         });
     });
 
@@ -1125,6 +1120,7 @@ void set_column_family(http_context& ctx, routes& r, sharded<db::system_keyspace
         auto params = req_params({
             std::pair("name", mandatory::yes),
             std::pair("flush_memtables", mandatory::no),
+            std::pair("consider_only_existing_data", mandatory::no),
             std::pair("split_output", mandatory::no),
         });
         params.process(*req);
@@ -1133,7 +1129,8 @@ void set_column_family(http_context& ctx, routes& r, sharded<db::system_keyspace
         }
         auto [ks, cf] = parse_fully_qualified_cf_name(*params.get("name"));
         auto flush = params.get_as<bool>("flush_memtables").value_or(true);
-        apilog.info("column_family/force_major_compaction: name={} flush={}", req->get_path_param("name"), flush);
+        auto consider_only_existing_data = params.get_as<bool>("consider_only_existing_data").value_or(false);
+        apilog.info("column_family/force_major_compaction: name={} flush={} consider_only_existing_data={}", req->get_path_param("name"), flush, consider_only_existing_data);
 
         auto keyspace = validate_keyspace(ctx, ks);
         std::vector<table_info> table_infos = {table_info{
@@ -1143,10 +1140,10 @@ void set_column_family(http_context& ctx, routes& r, sharded<db::system_keyspace
 
         auto& compaction_module = ctx.db.local().get_compaction_manager().get_task_manager_module();
         std::optional<flush_mode> fmopt;
-        if (!flush) {
+        if (!flush && !consider_only_existing_data) {
             fmopt = flush_mode::skip;
         }
-        auto task = co_await compaction_module.make_and_start_task<major_keyspace_compaction_task_impl>({}, std::move(keyspace), tasks::task_id::create_null_id(), ctx.db, std::move(table_infos), fmopt);
+        auto task = co_await compaction_module.make_and_start_task<major_keyspace_compaction_task_impl>({}, std::move(keyspace), tasks::task_id::create_null_id(), ctx.db, std::move(table_infos), fmopt, consider_only_existing_data);
         co_await task->done();
         co_return json_void();
     });

api/column_family.hh

@@ -23,8 +23,6 @@ void set_column_family(http_context& ctx, httpd::routes& r, sharded<db::system_k
 void unset_column_family(http_context& ctx, httpd::routes& r);
 
 table_id get_uuid(const sstring& name, const replica::database& db);
-future<> foreach_column_family(http_context& ctx, const sstring& name, std::function<void(replica::column_family&)> f);
-
 
 template<class Mapper, class I, class Reducer>
 future<I> map_reduce_cf_raw(http_context& ctx, const sstring& name, I init,

api/commitlog.cc

@@ -9,18 +9,20 @@
 #include "commitlog.hh"
 #include "db/commitlog/commitlog.hh"
 #include "api/api-doc/commitlog.json.hh"
+#include "api/api-doc/storage_service.json.hh"
 #include "api/api_init.hh"
 #include "replica/database.hh"
 #include <vector>
 
 namespace api {
 using namespace seastar::httpd;
+namespace ss = httpd::storage_service_json;
 
 template<typename T>
-static auto acquire_cl_metric(http_context& ctx, std::function<T (const db::commitlog*)> func) {
+static auto acquire_cl_metric(sharded<replica::database>& db, std::function<T (const db::commitlog*)> func) {
     typedef T ret_type;
 
-    return ctx.db.map_reduce0([func = std::move(func)](replica::database& db) {
+    return db.map_reduce0([func = std::move(func)](replica::database& db) {
         if (db.commitlog() == nullptr) {
             return make_ready_future<ret_type>();
         }
@@ -30,11 +32,11 @@ static auto acquire_cl_metric(http_context& ctx, std::function<T (const db::comm
     });
 }
 
-void set_commitlog(http_context& ctx, routes& r) {
+void set_commitlog(http_context& ctx, routes& r, sharded<replica::database>& db) {
     httpd::commitlog_json::get_active_segment_names.set(r,
-            [&ctx](std::unique_ptr<request> req) {
+            [&db](std::unique_ptr<request> req) {
         auto res = make_shared<std::vector<sstring>>();
-        return ctx.db.map_reduce([res](std::vector<sstring> names) {
+        return db.map_reduce([res](std::vector<sstring> names) {
             res->insert(res->end(), names.begin(), names.end());
         }, [](replica::database& db) {
             if (db.commitlog() == nullptr) {
@@ -52,20 +54,35 @@ void set_commitlog(http_context& ctx, routes& r) {
         return res;
     });
 
-    httpd::commitlog_json::get_completed_tasks.set(r, [&ctx](std::unique_ptr<request> req) {
-        return acquire_cl_metric<uint64_t>(ctx, std::bind(&db::commitlog::get_completed_tasks, std::placeholders::_1));
+    httpd::commitlog_json::get_completed_tasks.set(r, [&db](std::unique_ptr<request> req) {
+        return acquire_cl_metric<uint64_t>(db, std::bind(&db::commitlog::get_completed_tasks, std::placeholders::_1));
     });
 
-    httpd::commitlog_json::get_pending_tasks.set(r, [&ctx](std::unique_ptr<request> req) {
-        return acquire_cl_metric<uint64_t>(ctx, std::bind(&db::commitlog::get_pending_tasks, std::placeholders::_1));
+    httpd::commitlog_json::get_pending_tasks.set(r, [&db](std::unique_ptr<request> req) {
+        return acquire_cl_metric<uint64_t>(db, std::bind(&db::commitlog::get_pending_tasks, std::placeholders::_1));
     });
 
-    httpd::commitlog_json::get_total_commit_log_size.set(r, [&ctx](std::unique_ptr<request> req) {
-        return acquire_cl_metric<uint64_t>(ctx, std::bind(&db::commitlog::get_total_size, std::placeholders::_1));
+    httpd::commitlog_json::get_total_commit_log_size.set(r, [&db](std::unique_ptr<request> req) {
+        return acquire_cl_metric<uint64_t>(db, std::bind(&db::commitlog::get_total_size, std::placeholders::_1));
     });
-    httpd::commitlog_json::get_max_disk_size.set(r, [&ctx](std::unique_ptr<request> req) {
-        return acquire_cl_metric<uint64_t>(ctx, std::bind(&db::commitlog::disk_limit, std::placeholders::_1));
+    httpd::commitlog_json::get_max_disk_size.set(r, [&db](std::unique_ptr<request> req) {
+        return acquire_cl_metric<uint64_t>(db, std::bind(&db::commitlog::disk_limit, std::placeholders::_1));
     });
+
+    ss::get_commitlog.set(r, [&db](const_req req) {
+        return db.local().commitlog()->active_config().commit_log_location;
+    });
+
+}
+
+void unset_commitlog(http_context& ctx, routes& r) {
+    httpd::commitlog_json::get_active_segment_names.unset(r);
+    httpd::commitlog_json::get_archiving_segment_names.unset(r);
+    httpd::commitlog_json::get_completed_tasks.unset(r);
+    httpd::commitlog_json::get_pending_tasks.unset(r);
+    httpd::commitlog_json::get_total_commit_log_size.unset(r);
+    httpd::commitlog_json::get_max_disk_size.unset(r);
+    ss::get_commitlog.unset(r);
 }
 
 }

api/commitlog.hh

@@ -8,12 +8,17 @@
 
 #pragma once
 
+#include <seastar/core/sharded.hh>
+
 namespace seastar::httpd {
 class routes;
 }
 
+namespace replica { class database; }
+
 namespace api {
 struct http_context;
-void set_commitlog(http_context& ctx, seastar::httpd::routes& r);
+void set_commitlog(http_context& ctx, seastar::httpd::routes& r, seastar::sharded<replica::database>&);
+void unset_commitlog(http_context& ctx, seastar::httpd::routes& r);
 
 }

api/compaction_manager.cc

@@ -13,6 +13,7 @@
 #include "compaction/compaction_manager.hh"
 #include "api/api.hh"
 #include "api/api-doc/compaction_manager.json.hh"
+#include "api/api-doc/storage_service.json.hh"
 #include "db/system_keyspace.hh"
 #include "column_family.hh"
 #include "unimplemented.hh"
@@ -23,13 +24,14 @@
 namespace api {
 
 namespace cm = httpd::compaction_manager_json;
+namespace ss = httpd::storage_service_json;
 using namespace json;
 using namespace seastar::httpd;
 
-static future<json::json_return_type> get_cm_stats(http_context& ctx,
+static future<json::json_return_type> get_cm_stats(sharded<compaction_manager>& cm,
         int64_t compaction_manager::stats::*f) {
-    return ctx.db.map_reduce0([f](replica::database& db) {
-        return db.get_compaction_manager().get_stats().*f;
+    return cm.map_reduce0([f](compaction_manager& cm) {
+        return cm.get_stats().*f;
     }, int64_t(0), std::plus<int64_t>()).then([](const int64_t& res) {
         return make_ready_future<json::json_return_type>(res);
     });
@@ -44,11 +46,10 @@ static std::unordered_map<std::pair<sstring, sstring>, uint64_t, utils::tuple_ha
     return std::move(a);
 }
 
-void set_compaction_manager(http_context& ctx, routes& r) {
-    cm::get_compactions.set(r, [&ctx] (std::unique_ptr<http::request> req) {
-        return ctx.db.map_reduce0([](replica::database& db) {
+void set_compaction_manager(http_context& ctx, routes& r, sharded<compaction_manager>& cm) {
+    cm::get_compactions.set(r, [&cm] (std::unique_ptr<http::request> req) {
+        return cm.map_reduce0([](compaction_manager& cm) {
             std::vector<cm::summary> summaries;
-            const compaction_manager& cm = db.get_compaction_manager();
 
             for (const auto& c : cm.get_compactions()) {
                 cm::summary s;
@@ -100,10 +101,9 @@ void set_compaction_manager(http_context& ctx, routes& r) {
         return make_ready_future<json::json_return_type>(json_void());
     });
 
-    cm::stop_compaction.set(r, [&ctx] (std::unique_ptr<http::request> req) {
+    cm::stop_compaction.set(r, [&cm] (std::unique_ptr<http::request> req) {
         auto type = req->get_query_param("type");
-        return ctx.db.invoke_on_all([type] (replica::database& db) {
-            auto& cm = db.get_compaction_manager();
+        return cm.invoke_on_all([type] (compaction_manager& cm) {
             return cm.stop_compaction(type);
         }).then([] {
             return make_ready_future<json::json_return_type>(json_void());
@@ -135,8 +135,8 @@ void set_compaction_manager(http_context& ctx, routes& r) {
         }, std::plus<int64_t>());
     });
 
-    cm::get_completed_tasks.set(r, [&ctx] (std::unique_ptr<http::request> req) {
-        return get_cm_stats(ctx, &compaction_manager::stats::completed_tasks);
+    cm::get_completed_tasks.set(r, [&cm] (std::unique_ptr<http::request> req) {
+        return get_cm_stats(cm, &compaction_manager::stats::completed_tasks);
     });
 
     cm::get_total_compactions_completed.set(r, [] (std::unique_ptr<http::request> req) {
@@ -153,14 +153,14 @@ void set_compaction_manager(http_context& ctx, routes& r) {
         return make_ready_future<json::json_return_type>(0);
     });
 
-    cm::get_compaction_history.set(r, [&ctx] (std::unique_ptr<http::request> req) {
-        std::function<future<>(output_stream<char>&&)> f = [&ctx] (output_stream<char>&& out) -> future<> {
+    cm::get_compaction_history.set(r, [&cm] (std::unique_ptr<http::request> req) {
+        std::function<future<>(output_stream<char>&&)> f = [&cm] (output_stream<char>&& out) -> future<> {
             auto s = std::move(out);
             bool first = true;
             std::exception_ptr ex;
             try {
                 co_await s.write("[");
-                co_await ctx.db.local().get_compaction_manager().get_compaction_history([&s, &first](const db::compaction_history_entry& entry) mutable -> future<> {
+                co_await cm.local().get_compaction_history([&s, &first](const db::compaction_history_entry& entry) mutable -> future<> {
                         cm::history h;
                         h.id = fmt::to_string(entry.id);
                         h.ks = std::move(entry.ks);
@@ -168,7 +168,9 @@ void set_compaction_manager(http_context& ctx, routes& r) {
                         h.compacted_at = entry.compacted_at;
                         h.bytes_in = entry.bytes_in;
                         h.bytes_out =  entry.bytes_out;
-                        for (auto it : entry.rows_merged) {
+
+                        std::map<int32_t, int64_t> items(entry.rows_merged.begin(), entry.rows_merged.end());
+                        for (auto it : items) {
                             httpd::compaction_manager_json::row_merged e;
                             e.key = it.first;
                             e.value = it.second;
@@ -201,6 +203,34 @@ void set_compaction_manager(http_context& ctx, routes& r) {
         return make_ready_future<json::json_return_type>(res);
     });
 
+    ss::get_compaction_throughput_mb_per_sec.set(r, [&cm](std::unique_ptr<http::request> req) {
+        int value = cm.local().throughput_mbs();
+        return make_ready_future<json::json_return_type>(value);
+    });
+
+    ss::set_compaction_throughput_mb_per_sec.set(r, [](std::unique_ptr<http::request> req) {
+        //TBD
+        unimplemented();
+        auto value = req->get_query_param("value");
+        return make_ready_future<json::json_return_type>(json_void());
+    });
+
+}
+
+void unset_compaction_manager(http_context& ctx, routes& r) {
+    cm::get_compactions.unset(r);
+    cm::get_pending_tasks_by_table.unset(r);
+    cm::force_user_defined_compaction.unset(r);
+    cm::stop_compaction.unset(r);
+    cm::stop_keyspace_compaction.unset(r);
+    cm::get_pending_tasks.unset(r);
+    cm::get_completed_tasks.unset(r);
+    cm::get_total_compactions_completed.unset(r);
+    cm::get_bytes_compacted.unset(r);
+    cm::get_compaction_history.unset(r);
+    cm::get_compaction_info.unset(r);
+    ss::get_compaction_throughput_mb_per_sec.unset(r);
+    ss::set_compaction_throughput_mb_per_sec.unset(r);
 }
 
 }

api/compaction_manager.hh

@@ -7,13 +7,17 @@
  */
 
 #pragma once
+#include <seastar/core/sharded.hh>
 
 namespace seastar::httpd {
 class routes;
 }
 
+class compaction_manager;
+
 namespace api {
 struct http_context;
-void set_compaction_manager(http_context& ctx, seastar::httpd::routes& r);
+void set_compaction_manager(http_context& ctx, seastar::httpd::routes& r, seastar::sharded<compaction_manager>& cm);
+void unset_compaction_manager(http_context& ctx, seastar::httpd::routes& r);
 
 }

api/config.cc

@@ -10,6 +10,7 @@
 #include "api/config.hh"
 #include "api/api-doc/config.json.hh"
 #include "api/api-doc/storage_proxy.json.hh"
+#include "api/api-doc/storage_service.json.hh"
 #include "replica/database.hh"
 #include "db/config.hh"
 #include <sstream>
@@ -19,6 +20,7 @@
 namespace api {
 using namespace seastar::httpd;
 namespace sp = httpd::storage_proxy_json;
+namespace ss = httpd::storage_service_json;
 
 template<class T>
 json::json_return_type get_json_return_type(const T& val) {
@@ -183,6 +185,14 @@ void set_config(std::shared_ptr < api_registry_builder20 > rb, http_context& ctx
         return make_ready_future<json::json_return_type>(seastar::json::json_void());
     });
 
+    ss::get_all_data_file_locations.set(r, [&cfg](const_req req) {
+        return container_to_vec(cfg.data_file_directories());
+    });
+
+    ss::get_saved_caches_location.set(r, [&cfg](const_req req) {
+        return cfg.saved_caches_directory();
+    });
+
 }
 
 void unset_config(http_context& ctx, routes& r) {
@@ -201,6 +211,8 @@ void unset_config(http_context& ctx, routes& r) {
     sp::set_range_rpc_timeout.unset(r);
     sp::get_truncate_rpc_timeout.unset(r);
     sp::set_truncate_rpc_timeout.unset(r);
+    ss::get_all_data_file_locations.unset(r);
+    ss::get_saved_caches_location.unset(r);
 }
 
 }

api/cql_server_test.cc

@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2024-present ScyllaDB
+ */
+
+/*
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+#ifndef SCYLLA_BUILD_MODE_RELEASE
+
+#include <seastar/core/coroutine.hh>
+
+#include "api/api-doc/cql_server_test.json.hh"
+#include "cql_server_test.hh"
+#include "transport/controller.hh"
+#include "transport/server.hh"
+#include "service/qos/qos_common.hh"
+
+namespace api {
+
+namespace cst = httpd::cql_server_test_json;
+using namespace json;
+using namespace seastar::httpd;
+
+struct connection_sl_params : public json::json_base {
+    json::json_element<sstring> _role_name;
+    json::json_element<sstring> _workload_type;
+    json::json_element<sstring> _timeout;
+
+    connection_sl_params(const sstring& role_name, const sstring& workload_type, const sstring& timeout) {
+        _role_name = role_name;
+        _workload_type = workload_type;
+        _timeout = timeout;
+        register_params();
+    }
+
+    connection_sl_params(const connection_sl_params& params)
+        : connection_sl_params(params._role_name(), params._workload_type(), params._timeout()) {}
+
+    void register_params() {
+        add(&_role_name, "role_name");
+        add(&_workload_type, "workload_type");
+        add(&_timeout, "timeout");
+    }    
+};
+
+void set_cql_server_test(http_context& ctx, seastar::httpd::routes& r, cql_transport::controller& ctl) {
+    cst::connections_params.set(r, [&ctl] (std::unique_ptr<http::request> req) -> future<json::json_return_type> {
+        auto sl_params = co_await ctl.get_connections_service_level_params();
+
+        std::vector<connection_sl_params> result;
+        std::ranges::transform(std::move(sl_params), std::back_inserter(result), [] (const cql_transport::connection_service_level_params& params) {
+            auto nanos = std::chrono::duration_cast<std::chrono::nanoseconds>(params.timeout_config.read_timeout).count();
+            return connection_sl_params(
+                    std::move(params.role_name), 
+                    sstring(qos::service_level_options::to_string(params.workload_type)), 
+                    to_string(cql_duration(months_counter{0}, days_counter{0}, nanoseconds_counter{nanos})));
+        });
+        co_return result;
+    });
+}
+
+void unset_cql_server_test(http_context& ctx, seastar::httpd::routes& r) {
+    cst::connections_params.unset(r);
+}
+
+}
+
+#endif

api/cql_server_test.hh

@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2024-present ScyllaDB
+ */
+
+/*
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+#ifndef SCYLLA_BUILD_MODE_RELEASE
+
+#pragma once
+
+namespace cql_transport {
+class controller;
+}
+
+namespace seastar::httpd {
+class routes;
+}
+
+namespace api {
+struct http_context;
+
+void set_cql_server_test(http_context& ctx, seastar::httpd::routes& r, cql_transport::controller& ctl);
+void unset_cql_server_test(http_context& ctx, seastar::httpd::routes& r);
+
+}
+
+#endif

api/lsa.cc

@@ -11,7 +11,7 @@
 
 #include <seastar/http/exception.hh>
 #include "utils/logalloc.hh"
-#include "log.hh"
+#include "utils/log.hh"
 
 namespace api {
 using namespace seastar::httpd;

api/raft.cc

@@ -11,7 +11,8 @@
 #include "api/api-doc/raft.json.hh"
 
 #include "service/raft/raft_group_registry.hh"
-#include "log.hh"
+#include "service/raft/raft_address_map.hh"
+#include "utils/log.hh"
 
 using namespace seastar::httpd;
 
@@ -102,8 +103,8 @@ void set_raft(http_context&, httpd::routes& r, sharded<service::raft_group_regis
 
         if (!req->query_parameters.contains("group_id")) {
             // Read barrier on group 0 by default
-            co_await raft_gr.invoke_on(0, [timeout] (service::raft_group_registry& raft_gr) {
-                return raft_gr.group0_with_timeouts().read_barrier(nullptr, timeout);
+            co_await raft_gr.invoke_on(0, [timeout] (service::raft_group_registry& raft_gr) -> future<> {
+                co_await raft_gr.group0_with_timeouts().read_barrier(nullptr, timeout);
             });
             co_return json_void{};
         }
@@ -111,18 +112,52 @@ void set_raft(http_context&, httpd::routes& r, sharded<service::raft_group_regis
         raft::group_id gid{utils::UUID{req->get_query_param("group_id")}};
 
         std::atomic<bool> found_srv{false};
-        co_await raft_gr.invoke_on_all([gid, timeout, &found_srv] (service::raft_group_registry& raft_gr) {
+        co_await raft_gr.invoke_on_all([gid, timeout, &found_srv] (service::raft_group_registry& raft_gr) -> future<> {
             if (!raft_gr.find_server(gid)) {
-                return make_ready_future<>();
+                co_return;
             }
             found_srv = true;
-            return raft_gr.get_server_with_timeouts(gid).read_barrier(nullptr, timeout);
+            co_await raft_gr.get_server_with_timeouts(gid).read_barrier(nullptr, timeout);
         });
 
         if (!found_srv) {
             throw bad_param_exception{fmt::format("Server for group ID {} not found", gid)};
         }
 
+        co_return json_void{};
+    });
+    r::trigger_stepdown.set(r, [&raft_gr] (std::unique_ptr<http::request> req) -> future<json_return_type> {
+        auto timeout = get_request_timeout(*req);
+        auto dur = timeout.value ? *timeout.value - lowres_clock::now() : std::chrono::seconds(60);
+        const auto stepdown_timeout_ticks = dur / service::raft_tick_interval;
+        auto timeout_dur = raft::logical_clock::duration(stepdown_timeout_ticks);
+
+        if (!req->query_parameters.contains("group_id")) {
+            // Stepdown on group 0 by default
+            co_await raft_gr.invoke_on(0, [timeout_dur] (service::raft_group_registry& raft_gr) {
+                apilog.info("Triggering stepdown for group0");
+                return raft_gr.group0().stepdown(timeout_dur);
+            });
+            co_return json_void{};
+        }
+        raft::group_id gid{utils::UUID{req->get_path_param("group_id")}};
+
+        std::atomic<bool> found_srv{false};
+        co_await raft_gr.invoke_on_all([gid, timeout_dur, &found_srv] (service::raft_group_registry& raft_gr) -> future<> {
+            auto* srv = raft_gr.find_server(gid);
+            if (!srv) {
+                co_return;
+            }
+
+            found_srv = true;
+            apilog.info("Triggering stepdown for group {}", gid);
+            co_await srv->stepdown(timeout_dur);
+        });
+
+        if (!found_srv) {
+            throw std::runtime_error{fmt::format("Server for group ID {} not found", gid)};
+        }
+
         co_return json_void{};
     });
 }
@@ -131,6 +166,7 @@ void unset_raft(http_context&, httpd::routes& r) {
     r::trigger_snapshot.unset(r);
     r::get_leader_host.unset(r);
     r::read_barrier.unset(r);
+    r::trigger_stepdown.unset(r);
 }
 
 }

api/storage_service.cc

@@ -30,7 +30,6 @@
 #include "service/raft/raft_group0_client.hh"
 #include "service/storage_service.hh"
 #include "service/load_meter.hh"
-#include "db/commitlog/commitlog.hh"
 #include "gms/gossiper.hh"
 #include "db/system_keyspace.hh"
 #include <seastar/http/exception.hh>
@@ -40,7 +39,7 @@
 #include "repair/row_level.hh"
 #include "locator/snitch_base.hh"
 #include "column_family.hh"
-#include "log.hh"
+#include "utils/log.hh"
 #include "release.hh"
 #include "compaction/compaction_manager.hh"
 #include "compaction/task_manager_module.hh"
@@ -54,6 +53,8 @@
 #include "locator/abstract_replication_strategy.hh"
 #include "sstables_loader.hh"
 #include "db/view/view_builder.hh"
+#include "utils/rjson.hh"
+#include "utils/user_provided_param.hh"
 
 using namespace seastar::httpd;
 using namespace std::chrono_literals;
@@ -489,10 +490,32 @@ void set_sstables_loader(http_context& ctx, routes& r, sharded<sstables_loader>&
             return make_ready_future<json::json_return_type>(json_void());
         });
     });
+
+    ss::start_restore.set(r, [&sst_loader] (std::unique_ptr<http::request> req) -> future<json::json_return_type> {
+        auto endpoint = req->get_query_param("endpoint");
+        auto keyspace = req->get_query_param("keyspace");
+        auto table = req->get_query_param("table");
+        auto bucket = req->get_query_param("bucket");
+        auto prefix = req->get_query_param("prefix");
+
+        // TODO: the http_server backing the API does not use content streaming
+        // should use it for better performance
+        rjson::value parsed = rjson::parse(req->content);
+        if (!parsed.IsArray()) {
+            throw httpd::bad_param_exception("malformatted sstables in body");
+        }
+        auto sstables = parsed.GetArray() |
+            std::views::transform([] (const auto& s) { return sstring(rjson::to_string_view(s)); }) |
+            std::ranges::to<std::vector>();
+        auto task_id = co_await sst_loader.local().download_new_sstables(keyspace, table, prefix, std::move(sstables), endpoint, bucket);
+        co_return json::json_return_type(fmt::to_string(task_id));
+    });
+
 }
 
 void unset_sstables_loader(http_context& ctx, routes& r) {
     ss::load_new_ss_tables.unset(r);
+    ss::start_restore.unset(r);
 }
 
 void set_view_builder(http_context& ctx, routes& r, sharded<db::view::view_builder>& vb) {
@@ -520,10 +543,6 @@ static future<json::json_return_type> describe_ring_as_json_for_table(const shar
 }
 
 void set_storage_service(http_context& ctx, routes& r, sharded<service::storage_service>& ss, service::raft_group0_client& group0_client) {
-    ss::get_commitlog.set(r, [&ctx](const_req req) {
-        return ctx.db.local().commitlog()->active_config().commit_log_location;
-    });
-
     ss::get_token_endpoint.set(r, [&ctx, &ss] (std::unique_ptr<http::request> req) -> future<json::json_return_type> {
         const auto keyspace_name = req->get_query_param("keyspace");
         const auto table_name = req->get_query_param("cf");
@@ -610,14 +629,6 @@ void set_storage_service(http_context& ctx, routes& r, sharded<service::storage_
         return ss.local().get_schema_version();
     });
 
-    ss::get_all_data_file_locations.set(r, [&ctx](const_req req) {
-        return container_to_vec(ctx.db.local().get_config().data_file_directories());
-    });
-
-    ss::get_saved_caches_location.set(r, [&ctx](const_req req) {
-        return ctx.db.local().get_config().saved_caches_directory();
-    });
-
     ss::get_range_to_endpoint_map.set(r, [&ctx, &ss](std::unique_ptr<http::request> req) -> future<json::json_return_type> {
         auto keyspace = validate_keyspace(ctx, req);
         auto table = req->get_query_param("cf");
@@ -706,17 +717,19 @@ void set_storage_service(http_context& ctx, routes& r, sharded<service::storage_
         auto& db = ctx.db;
         auto params = req_params({
             std::pair("flush_memtables", mandatory::no),
+            std::pair("consider_only_existing_data", mandatory::no),
         });
         params.process(*req);
         auto flush = params.get_as<bool>("flush_memtables").value_or(true);
-        apilog.info("force_compaction: flush={}", flush);
+        auto consider_only_existing_data = params.get_as<bool>("consider_only_existing_data").value_or(false);
+        apilog.info("force_compaction: flush={} consider_only_existing_data={}", flush, consider_only_existing_data);
 
         auto& compaction_module = db.local().get_compaction_manager().get_task_manager_module();
         std::optional<flush_mode> fmopt;
-        if (!flush) {
+        if (!flush && !consider_only_existing_data) {
             fmopt = flush_mode::skip;
         }
-        auto task = co_await compaction_module.make_and_start_task<global_major_compaction_task_impl>({}, db, fmopt);
+        auto task = co_await compaction_module.make_and_start_task<global_major_compaction_task_impl>({}, db, fmopt, consider_only_existing_data);
         try {
             co_await task->done();
         } catch (...) {
@@ -733,19 +746,21 @@ void set_storage_service(http_context& ctx, routes& r, sharded<service::storage_
             std::pair("keyspace", mandatory::yes),
             std::pair("cf", mandatory::no),
             std::pair("flush_memtables", mandatory::no),
+            std::pair("consider_only_existing_data", mandatory::no),
         });
         params.process(*req);
         auto keyspace = validate_keyspace(ctx, *params.get("keyspace"));
         auto table_infos = parse_table_infos(keyspace, ctx, params.get("cf").value_or(""));
         auto flush = params.get_as<bool>("flush_memtables").value_or(true);
-        apilog.debug("force_keyspace_compaction: keyspace={} tables={}, flush={}", keyspace, table_infos, flush);
+        auto consider_only_existing_data = params.get_as<bool>("consider_only_existing_data").value_or(false);
+        apilog.info("force_keyspace_compaction: keyspace={} tables={}, flush={} consider_only_existing_data={}", keyspace, table_infos, flush, consider_only_existing_data);
 
         auto& compaction_module = db.local().get_compaction_manager().get_task_manager_module();
         std::optional<flush_mode> fmopt;
-        if (!flush) {
+        if (!flush && !consider_only_existing_data) {
             fmopt = flush_mode::skip;
         }
-        auto task = co_await compaction_module.make_and_start_task<major_keyspace_compaction_task_impl>({}, std::move(keyspace), tasks::task_id::create_null_id(), db, table_infos, fmopt);
+        auto task = co_await compaction_module.make_and_start_task<major_keyspace_compaction_task_impl>({}, std::move(keyspace), tasks::task_id::create_null_id(), db, table_infos, fmopt, consider_only_existing_data);
         try {
             co_await task->done();
         } catch (...) {
@@ -884,7 +899,8 @@ void set_storage_service(http_context& ctx, routes& r, sharded<service::storage_
         auto host_id = validate_host_id(req->get_query_param("host_id"));
         std::vector<sstring> ignore_nodes_strs = utils::split_comma_separated_list(req->get_query_param("ignore_nodes"));
         apilog.info("remove_node: host_id={} ignore_nodes={}", host_id, ignore_nodes_strs);
-        auto ignore_nodes = std::list<locator::host_id_or_endpoint>();
+        locator::host_id_or_endpoint_list ignore_nodes;
+        ignore_nodes.reserve(ignore_nodes_strs.size());
         for (const sstring& n : ignore_nodes_strs) {
             try {
                 auto hoep = locator::host_id_or_endpoint(n);
@@ -893,7 +909,7 @@ void set_storage_service(http_context& ctx, routes& r, sharded<service::storage_
                 }
                 ignore_nodes.push_back(std::move(hoep));
             } catch (...) {
-                throw std::runtime_error(format("Failed to parse ignore_nodes parameter: ignore_nodes={}, node={}: {}", ignore_nodes_strs, n, std::current_exception()));
+                throw std::runtime_error(fmt::format("Failed to parse ignore_nodes parameter: ignore_nodes={}, node={}: {}", ignore_nodes_strs, n, std::current_exception()));
             }
         }
         return ss.local().removenode(host_id, std::move(ignore_nodes)).then([] {
@@ -1047,18 +1063,6 @@ void set_storage_service(http_context& ctx, routes& r, sharded<service::storage_
         return make_ready_future<json::json_return_type>(0);
     });
 
-    ss::get_compaction_throughput_mb_per_sec.set(r, [&ctx](std::unique_ptr<http::request> req) {
-        int value = ctx.db.local().get_config().compaction_throughput_mb_per_sec();
-        return make_ready_future<json::json_return_type>(value);
-    });
-
-    ss::set_compaction_throughput_mb_per_sec.set(r, [](std::unique_ptr<http::request> req) {
-        //TBD
-        unimplemented();
-        auto value = req->get_query_param("value");
-        return make_ready_future<json::json_return_type>(json_void());
-    });
-
     ss::is_incremental_backups_enabled.set(r, [&ctx](std::unique_ptr<http::request> req) {
         // If this is issued in parallel with an ongoing change, we may see values not agreeing.
         // Reissuing is asking for trouble, so we will just return true upon seeing any true value.
@@ -1096,7 +1100,16 @@ void set_storage_service(http_context& ctx, routes& r, sharded<service::storage_
     });
 
     ss::rebuild.set(r, [&ss](std::unique_ptr<http::request> req) {
-        auto source_dc = req->get_query_param("source_dc");
+        utils::optional_param source_dc;
+        if (auto source_dc_str = req->get_query_param("source_dc"); !source_dc_str.empty()) {
+            source_dc.emplace(std::move(source_dc_str)).set_user_provided();
+        }
+        if (auto force_str = req->get_query_param("force"); !force_str.empty() && service::loosen_constraints(validate_bool(force_str))) {
+            if (!source_dc) {
+                throw bad_param_exception("The `source_dc` option must be provided for using the `force` option");
+            }
+            source_dc.set_force();
+        }
         apilog.info("rebuild: source_dc={}", source_dc);
         return ss.local().rebuild(std::move(source_dc)).then([] {
             return make_ready_future<json::json_return_type>(json_void());
@@ -1439,12 +1452,7 @@ void set_storage_service(http_context& ctx, routes& r, sharded<service::storage_
     ss::reload_raft_topology_state.set(r,
             [&ss, &group0_client] (std::unique_ptr<http::request> req) -> future<json::json_return_type> {
         co_await ss.invoke_on(0, [&group0_client] (service::storage_service& ss) -> future<> {
-            apilog.info("Waiting for group 0 read/apply mutex before reloading Raft topology state...");
-            auto holder = co_await group0_client.hold_read_apply_mutex();
-            apilog.info("Reloading Raft topology state");
-            // Using topology_transition() instead of topology_state_load(), because the former notifies listeners
-            co_await ss.topology_transition();
-            apilog.info("Reloaded Raft topology state");
+            return ss.reload_raft_topology_state(group0_client);
         });
         co_return json_void();
     });
@@ -1553,14 +1561,11 @@ void set_storage_service(http_context& ctx, routes& r, sharded<service::storage_
 }
 
 void unset_storage_service(http_context& ctx, routes& r) {
-    ss::get_commitlog.unset(r);
     ss::get_token_endpoint.unset(r);
     ss::toppartitions_generic.unset(r);
     ss::get_release_version.unset(r);
     ss::get_scylla_release_version.unset(r);
     ss::get_schema_version.unset(r);
-    ss::get_all_data_file_locations.unset(r);
-    ss::get_saved_caches_location.unset(r);
     ss::get_range_to_endpoint_map.unset(r);
     ss::get_pending_range_to_endpoint_map.unset(r);
     ss::describe_ring.unset(r);
@@ -1598,8 +1603,6 @@ void unset_storage_service(http_context& ctx, routes& r) {
     ss::is_joined.unset(r);
     ss::set_stream_throughput_mb_per_sec.unset(r);
     ss::get_stream_throughput_mb_per_sec.unset(r);
-    ss::get_compaction_throughput_mb_per_sec.unset(r);
-    ss::set_compaction_throughput_mb_per_sec.unset(r);
     ss::is_incremental_backups_enabled.unset(r);
     ss::set_incremental_backups_enabled.unset(r);
     ss::rebuild.unset(r);
@@ -1776,6 +1779,23 @@ void set_snapshot(http_context& ctx, routes& r, sharded<db::snapshot_ctl>& snap_
         co_return json::json_return_type(static_cast<int>(scrub_status::successful));
     });
 
+    ss::start_backup.set(r, [&snap_ctl] (std::unique_ptr<http::request> req) -> future<json::json_return_type> {
+        auto endpoint = req->get_query_param("endpoint");
+        auto keyspace = req->get_query_param("keyspace");
+        auto table = req->get_query_param("table");
+        auto bucket = req->get_query_param("bucket");
+        auto prefix = req->get_query_param("prefix");
+        auto snapshot_name = req->get_query_param("snapshot");
+        if (snapshot_name.empty()) {
+            // TODO: If missing, snapshot should be taken by scylla, then removed
+            throw httpd::bad_param_exception("The snapshot name must be specified");
+        }
+
+        auto& ctl = snap_ctl.local();
+        auto task_id = co_await ctl.start_backup(std::move(endpoint), std::move(bucket), std::move(prefix), std::move(keyspace), std::move(table), std::move(snapshot_name));
+        co_return json::json_return_type(fmt::to_string(task_id));
+    });
+
     cf::get_true_snapshots_size.set(r, [&snap_ctl] (std::unique_ptr<http::request> req) {
         auto [ks, cf] = parse_fully_qualified_cf_name(req->get_path_param("name"));
         return snap_ctl.local().true_snapshots_size(std::move(ks), std::move(cf)).then([] (int64_t res) {
@@ -1797,6 +1817,7 @@ void unset_snapshot(http_context& ctx, routes& r) {
     ss::del_snapshot.unset(r);
     ss::true_snapshots_size.unset(r);
     ss::scrub.unset(r);
+    ss::start_backup.unset(r);
     cf::get_true_snapshots_size.unset(r);
     cf::get_all_true_snapshots_size.unset(r);
 }

api/storage_service.hh

@@ -12,6 +12,7 @@
 #include <seastar/json/json_elements.hh>
 #include "api/api_init.hh"
 #include "db/data_listeners.hh"
+#include "compaction/compaction_descriptor.hh"
 
 namespace cql_transport { class controller; }
 namespace db {

api/system.cc

@@ -10,6 +10,7 @@
 #include "api/api-doc/system.json.hh"
 #include "api/api-doc/metrics.json.hh"
 #include "replica/database.hh"
+#include "db/sstables-format-selector.hh"
 
 #include <rapidjson/document.h>
 #include <seastar/core/reactor.hh>
@@ -19,7 +20,7 @@
 #include <seastar/util/short_streams.hh>
 #include <seastar/http/short_streams.hh>
 
-#include "log.hh"
+#include "utils/log.hh"
 
 extern logging::logger apilog;
 
@@ -184,4 +185,16 @@ void set_system(http_context& ctx, routes& r) {
     }) ;
 }
 
+void set_format_selector(http_context& ctx, routes& r, db::sstables_format_selector& sel) {
+    hs::get_highest_supported_sstable_version.set(r, [&sel] (std::unique_ptr<request> req) {
+        return smp::submit_to(0, [&sel] {
+            return make_ready_future<json::json_return_type>(seastar::to_sstring(sel.selected_format()));
+        });
+    });
+}
+
+void unset_format_selector(http_context& ctx, routes& r) {
+    hs::get_highest_supported_sstable_version.unset(r);
+}
+
 }

api/system.hh

@@ -12,9 +12,14 @@ namespace seastar::httpd {
 class routes;
 }
 
+namespace db { class sstables_format_selector; }
+
 namespace api {
 
 struct http_context;
 void set_system(http_context& ctx, seastar::httpd::routes& r);
 
+void set_format_selector(http_context& ctx, seastar::httpd::routes& r, db::sstables_format_selector& sel);
+void unset_format_selector(http_context& ctx, seastar::httpd::routes& r);
+
 }

api/task_manager.cc

@@ -14,9 +14,10 @@
 #include "api/api.hh"
 #include "api/api-doc/task_manager.json.hh"
 #include "db/system_keyspace.hh"
+#include "tasks/task_handler.hh"
+#include "utils/overloaded_functor.hh"
 
 #include <utility>
-#include <boost/range/adaptors.hpp>
 
 namespace api {
 
@@ -24,118 +25,87 @@ namespace tm = httpd::task_manager_json;
 using namespace json;
 using namespace seastar::httpd;
 
-using task_variant = std::variant<tasks::task_manager::foreign_task_ptr, tasks::task_manager::task::task_essentials>;
-
-inline bool filter_tasks(tasks::task_manager::task_ptr task, std::unordered_map<sstring, sstring>& query_params) {
-    return (!query_params.contains("keyspace") || query_params["keyspace"] == task->get_status().keyspace) &&
-        (!query_params.contains("table") || query_params["table"] == task->get_status().table);
-}
-
-struct full_task_status {
-    tasks::task_manager::task::status task_status;
-    std::string type;
-    tasks::task_manager::task::progress progress;
-    tasks::task_id parent_id;
-    tasks::is_abortable abortable;
-    std::vector<std::string> children_ids;
-};
-
-struct task_stats {
-    task_stats(tasks::task_manager::task_ptr task)
-        : task_id(task->id().to_sstring())
-        , state(task->get_status().state)
-        , type(task->type())
-        , scope(task->get_status().scope)
-        , keyspace(task->get_status().keyspace)
-        , table(task->get_status().table)
-        , entity(task->get_status().entity)
-        , sequence_number(task->get_status().sequence_number)
-    { }
-
-    sstring task_id;
-    tasks::task_manager::task_state state;
-    std::string type;
-    std::string scope;
-    std::string keyspace;
-    std::string table;
-    std::string entity;
-    uint64_t sequence_number;
-};
-
-tm::task_status make_status(full_task_status status) {
-    auto start_time = db_clock::to_time_t(status.task_status.start_time);
-    auto end_time = db_clock::to_time_t(status.task_status.end_time);
+tm::task_status make_status(tasks::task_status status) {
+    auto start_time = db_clock::to_time_t(status.start_time);
+    auto end_time = db_clock::to_time_t(status.end_time);
     ::tm st, et;
     ::gmtime_r(&end_time, &et);
     ::gmtime_r(&start_time, &st);
 
+    std::vector<tm::task_identity> tis{status.children.size()};
+    std::ranges::transform(status.children, tis.begin(), [] (const auto& child) {
+        tm::task_identity ident;
+        ident.task_id = child.task_id.to_sstring();
+        ident.node = fmt::format("{}", child.node);
+        return ident;
+    });
+
     tm::task_status res{};
-    res.id = status.task_status.id.to_sstring();
+    res.id = status.task_id.to_sstring();
     res.type = status.type;
-    res.scope = status.task_status.scope;
-    res.state = status.task_status.state;
-    res.is_abortable = bool(status.abortable);
+    res.kind = status.kind;
+    res.scope = status.scope;
+    res.state = status.state;
+    res.is_abortable = bool(status.is_abortable);
     res.start_time = st;
     res.end_time = et;
-    res.error = status.task_status.error;
-    res.parent_id = status.parent_id.to_sstring();
-    res.sequence_number = status.task_status.sequence_number;
-    res.shard = status.task_status.shard;
-    res.keyspace = status.task_status.keyspace;
-    res.table = status.task_status.table;
-    res.entity = status.task_status.entity;
-    res.progress_units = status.task_status.progress_units;
+    res.error = status.error;
+    res.parent_id = status.parent_id ? status.parent_id.to_sstring() : "none";
+    res.sequence_number = status.sequence_number;
+    res.shard = status.shard;
+    res.keyspace = status.keyspace;
+    res.table = status.table;
+    res.entity = status.entity;
+    res.progress_units = status.progress_units;
     res.progress_total = status.progress.total;
     res.progress_completed = status.progress.completed;
-    res.children_ids = std::move(status.children_ids);
+    res.children_ids = std::move(tis);
     return res;
 }
 
-future<full_task_status> retrieve_status(const tasks::task_manager::foreign_task_ptr& task) {
-    if (task.get() == nullptr) {
-        co_return coroutine::return_exception(httpd::bad_param_exception("Task not found"));
-    }
-    auto progress = co_await task->get_progress();
-    full_task_status s;
-    s.task_status = task->get_status();
-    s.type = task->type();
-    s.parent_id = task->get_parent_id();
-    s.abortable = task->is_abortable();
-    s.progress.completed = progress.completed;
-    s.progress.total = progress.total;
-    std::vector<std::string> ct = co_await task->get_children().map_each_task<std::string>([] (const tasks::task_manager::foreign_task_ptr& child) {
-        return child->id().to_sstring();
-    }, [] (const tasks::task_manager::task::task_essentials& child) {
-        return child.task_status.id.to_sstring();
-    });
-    s.children_ids = std::move(ct);
-    co_return s;
-};
+tm::task_stats make_stats(tasks::task_stats stats) {
+    tm::task_stats res{};
+    res.task_id = stats.task_id.to_sstring();
+    res.type = stats.type;
+    res.kind = stats.kind;
+    res.scope = stats.scope;
+    res.state = stats.state;
+    res.sequence_number = stats.sequence_number;
+    res.keyspace = stats.keyspace;
+    res.table = stats.table;
+    res.entity = stats.entity;
+    return res;
+}
 
 void set_task_manager(http_context& ctx, routes& r, sharded<tasks::task_manager>& tm, db::config& cfg) {
     tm::get_modules.set(r, [&tm] (std::unique_ptr<http::request> req) -> future<json::json_return_type> {
-        std::vector<std::string> v = boost::copy_range<std::vector<std::string>>(tm.local().get_modules() | boost::adaptors::map_keys);
+        std::vector<std::string> v = tm.local().get_modules() | std::views::keys | std::ranges::to<std::vector>();
         co_return v;
     });
 
     tm::get_tasks.set(r, [&tm] (std::unique_ptr<http::request> req) -> future<json::json_return_type> {
-        using chunked_stats = utils::chunked_vector<task_stats>;
+        using chunked_stats = utils::chunked_vector<tasks::task_stats>;
         auto internal = tasks::is_internal{req_param<bool>(*req, "internal", false)};
         std::vector<chunked_stats> res = co_await tm.map([&req, internal] (tasks::task_manager& tm) {
-            chunked_stats local_res;
             tasks::task_manager::module_ptr module;
+            std::optional<std::string> keyspace = std::nullopt;
+            std::optional<std::string> table = std::nullopt;
             try {
                 module = tm.find_module(req->get_path_param("module"));
             } catch (...) {
                 throw bad_param_exception(fmt::format("{}", std::current_exception()));
             }
-            const auto& filtered_tasks = module->get_tasks() | boost::adaptors::filtered([&params = req->query_parameters, internal] (const auto& task) {
-                return (internal || !task.second->is_internal()) && filter_tasks(task.second, params);
-            });
-            for (auto& [task_id, task] : filtered_tasks) {
-                local_res.push_back(task_stats{task});
+
+            if (auto it = req->query_parameters.find("keyspace"); it != req->query_parameters.end()) {
+                keyspace = it->second;
             }
-            return local_res;
+            if (auto it = req->query_parameters.find("table"); it != req->query_parameters.end()) {
+                table = it->second;
+            }
+
+            return module->get_stats(internal, [keyspace = std::move(keyspace), table = std::move(table)] (std::string& ks, std::string& t) {
+                return (!keyspace || keyspace == ks) && (!table || table == t);
+            });
         });
 
         std::function<future<>(output_stream<char>&&)> f = [r = std::move(res)] (output_stream<char>&& os) -> future<> {
@@ -148,8 +118,7 @@ void set_task_manager(http_context& ctx, routes& r, sharded<tasks::task_manager>
                 for (auto& v: res) {
                     for (auto& stats: v) {
                         co_await s.write(std::exchange(delim, ", "));
-                        tm::task_stats ts;
-                        ts = stats;
+                        tm::task_stats ts = make_stats(stats);
                         co_await formatter::write(s, ts);
                     }
                 }
@@ -168,121 +137,70 @@ void set_task_manager(http_context& ctx, routes& r, sharded<tasks::task_manager>
 
     tm::get_task_status.set(r, [&tm] (std::unique_ptr<http::request> req) -> future<json::json_return_type> {
         auto id = tasks::task_id{utils::UUID{req->get_path_param("task_id")}};
-        tasks::task_manager::foreign_task_ptr task;
+        tasks::task_status status;
         try {
-            task = co_await tasks::task_manager::invoke_on_task(tm, id, std::function([] (tasks::task_manager::task_ptr task) -> future<tasks::task_manager::foreign_task_ptr> {
-                if (task->is_complete()) {
-                    task->unregister_task();
-                }
-                co_return std::move(task);
-            }));
+            auto task = tasks::task_handler{tm.local(), id};
+            status = co_await task.get_status();
         } catch (tasks::task_manager::task_not_found& e) {
             throw bad_param_exception(e.what());
         }
-        auto s = co_await retrieve_status(task);
-        co_return make_status(s);
+        co_return make_status(status);
     });
 
     tm::abort_task.set(r, [&tm] (std::unique_ptr<http::request> req) -> future<json::json_return_type> {
         auto id = tasks::task_id{utils::UUID{req->get_path_param("task_id")}};
         try {
-            co_await tasks::task_manager::invoke_on_task(tm, id, [] (tasks::task_manager::task_ptr task) -> future<> {
-                if (!task->is_abortable()) {
-                    co_await coroutine::return_exception(std::runtime_error("Requested task cannot be aborted"));
-                }
-                task->abort();
-            });
+            auto task = tasks::task_handler{tm.local(), id};
+            co_await task.abort();
         } catch (tasks::task_manager::task_not_found& e) {
             throw bad_param_exception(e.what());
+        } catch (tasks::task_not_abortable& e) {
+            throw httpd::base_exception{e.what(), http::reply::status_type::forbidden};
         }
         co_return json_void();
     });
 
     tm::wait_task.set(r, [&tm] (std::unique_ptr<http::request> req) -> future<json::json_return_type> {
         auto id = tasks::task_id{utils::UUID{req->get_path_param("task_id")}};
-        tasks::task_manager::foreign_task_ptr task;
+        tasks::task_status status;
+        std::optional<std::chrono::seconds> timeout = std::nullopt;
+        if (auto it = req->query_parameters.find("timeout"); it != req->query_parameters.end()) {
+            timeout = std::chrono::seconds(boost::lexical_cast<uint32_t>(it->second));
+        }
         try {
-            task = co_await tasks::task_manager::invoke_on_task(tm, id, std::function([] (tasks::task_manager::task_ptr task) {
-                return task->done().then_wrapped([task] (auto f) {
-                    // done() is called only because we want the task to be complete before getting its status.
-                    // The future should be ignored here as the result does not matter.
-                    f.ignore_ready_future();
-                    return make_foreign(task);
-                });
-            }));
+            auto task = tasks::task_handler{tm.local(), id};
+            status = co_await task.wait_for_task(timeout);
         } catch (tasks::task_manager::task_not_found& e) {
             throw bad_param_exception(e.what());
+        } catch (timed_out_error& e) {
+            throw httpd::base_exception{e.what(), http::reply::status_type::request_timeout};
         }
-        auto s = co_await retrieve_status(task);
-        co_return make_status(s);
+        co_return make_status(status);
     });
 
     tm::get_task_status_recursively.set(r, [&_tm = tm] (std::unique_ptr<http::request> req) -> future<json::json_return_type> {
         auto& tm = _tm;
         auto id = tasks::task_id{utils::UUID{req->get_path_param("task_id")}};
-        std::queue<task_variant> q;
-        utils::chunked_vector<full_task_status> res;
-
-        tasks::task_manager::foreign_task_ptr task;
         try {
-            // Get requested task.
-            task = co_await tasks::task_manager::invoke_on_task(tm, id, std::function([] (tasks::task_manager::task_ptr task) -> future<tasks::task_manager::foreign_task_ptr> {
-                if (task->is_complete()) {
-                    task->unregister_task();
+            auto task = tasks::task_handler{tm.local(), id};
+            auto res = co_await task.get_status_recursively(true);
+
+            std::function<future<>(output_stream<char>&&)> f = [r = std::move(res)] (output_stream<char>&& os) -> future<> {
+                auto s = std::move(os);
+                auto res = std::move(r);
+                co_await s.write("[");
+                std::string delim = "";
+                for (auto& status: res) {
+                    co_await s.write(std::exchange(delim, ", "));
+                    co_await formatter::write(s, make_status(status));
                 }
-                co_return task;
-            }));
+                co_await s.write("]");
+                co_await s.close();
+            };
+            co_return f;
         } catch (tasks::task_manager::task_not_found& e) {
             throw bad_param_exception(e.what());
         }
-
-        // Push children's statuses in BFS order.
-        q.push(co_await task.copy());   // Task cannot be moved since we need it to be alive during whole loop execution.
-        while (!q.empty()) {
-            auto& current = q.front();
-            co_await std::visit(overloaded_functor {
-                [&] (const tasks::task_manager::foreign_task_ptr& task) -> future<> {
-                    res.push_back(co_await retrieve_status(task));
-                    co_await task->get_children().for_each_task([&q] (const tasks::task_manager::foreign_task_ptr& child) -> future<> {
-                        q.push(co_await child.copy());
-                    }, [&] (const tasks::task_manager::task::task_essentials& child) {
-                        q.push(child);
-                        return make_ready_future();
-                    });
-                },
-                [&] (const tasks::task_manager::task::task_essentials& task) -> future<> {
-                    res.push_back(full_task_status{
-                        .task_status = task.task_status,
-                        .type = task.type,
-                        .progress = task.task_progress,
-                        .parent_id = task.parent_id,
-                        .abortable = task.abortable,
-                        .children_ids = boost::copy_range<std::vector<std::string>>(task.failed_children | boost::adaptors::transformed([] (auto& child) {
-                            return child.task_status.id.to_sstring();
-                        }))
-                    });
-                    for (auto& child: task.failed_children) {
-                        q.push(child);
-                    }
-                    return make_ready_future();
-                }
-            }, current);
-            q.pop();
-        }
-
-        std::function<future<>(output_stream<char>&&)> f = [r = std::move(res)] (output_stream<char>&& os) -> future<> {
-            auto s = std::move(os);
-            auto res = std::move(r);
-            co_await s.write("[");
-            std::string delim = "";
-            for (auto& status: res) {
-                co_await s.write(std::exchange(delim, ", "));
-                co_await formatter::write(s, make_status(status));
-            }
-            co_await s.write("]");
-            co_await s.close();
-        };
-        co_return f;
     });
 
     tm::get_and_update_ttl.set(r, [&cfg] (std::unique_ptr<http::request> req) -> future<json::json_return_type> {
@@ -294,6 +212,11 @@ void set_task_manager(http_context& ctx, routes& r, sharded<tasks::task_manager>
         }
         co_return json::json_return_type(ttl);
     });
+
+    tm::get_ttl.set(r, [&cfg] (std::unique_ptr<http::request> req) -> future<json::json_return_type> {
+        uint32_t ttl = cfg.task_ttl_seconds();
+        co_return json::json_return_type(ttl);
+    });
 }
 
 void unset_task_manager(http_context& ctx, routes& r) {
@@ -304,6 +227,7 @@ void unset_task_manager(http_context& ctx, routes& r) {
     tm::wait_task.unset(r);
     tm::get_task_status_recursively.unset(r);
     tm::get_and_update_ttl.unset(r);
+    tm::get_ttl.unset(r);
 }
 
 }

api/task_manager_test.cc

@@ -13,6 +13,7 @@
 #include "task_manager_test.hh"
 #include "api/api-doc/task_manager_test.json.hh"
 #include "tasks/test_module.hh"
+#include "utils/overloaded_functor.hh"
 
 namespace api {
 
@@ -61,8 +62,8 @@ void set_task_manager_test(http_context& ctx, routes& r, sharded<tasks::task_man
         auto module = tms.local().find_module("test");
         id = co_await module->make_task<tasks::test_task_impl>(shard, id, keyspace, table, entity, data);
         co_await tms.invoke_on(shard, [id] (tasks::task_manager& tm) {
-            auto it = tm.get_all_tasks().find(id);
-            if (it != tm.get_all_tasks().end()) {
+            auto it = tm.get_local_tasks().find(id);
+            if (it != tm.get_local_tasks().end()) {
                 it->second->start();
             }
         });
@@ -72,9 +73,16 @@ void set_task_manager_test(http_context& ctx, routes& r, sharded<tasks::task_man
     tmt::unregister_test_task.set(r, [&tm] (std::unique_ptr<http::request> req) -> future<json::json_return_type> {
         auto id = tasks::task_id{utils::UUID{req->query_parameters["task_id"]}};
         try {
-            co_await tasks::task_manager::invoke_on_task(tm, id, [] (tasks::task_manager::task_ptr task) -> future<> {
-                tasks::test_task test_task{task};
-                co_await test_task.unregister_task();
+            co_await tasks::task_manager::invoke_on_task(tm, id, [] (tasks::task_manager::task_variant task_v) -> future<> {
+                return std::visit(overloaded_functor{
+                    [] (tasks::task_manager::task_ptr task) -> future<> {
+                        tasks::test_task test_task{task};
+                        co_await test_task.unregister_task();
+                    },
+                    [] (tasks::task_manager::virtual_task_ptr task) {
+                        return make_ready_future();
+                    }
+                }, task_v);
             });
         } catch (tasks::task_manager::task_not_found& e) {
             throw bad_param_exception(e.what());
@@ -89,13 +97,20 @@ void set_task_manager_test(http_context& ctx, routes& r, sharded<tasks::task_man
         std::string error = fail ? it->second : "";
 
         try {
-            co_await tasks::task_manager::invoke_on_task(tm, id, [fail, error = std::move(error)] (tasks::task_manager::task_ptr task) -> future<> {
-                tasks::test_task test_task{task};
-                if (fail) {
-                    co_await test_task.finish_failed(std::make_exception_ptr(std::runtime_error(error)));
-                } else {
-                    co_await test_task.finish();
-                }
+            co_await tasks::task_manager::invoke_on_task(tm, id, [fail, error = std::move(error)] (tasks::task_manager::task_variant task_v) -> future<> {
+                return std::visit(overloaded_functor{
+                    [fail, error = std::move(error)] (tasks::task_manager::task_ptr task) -> future<> {
+                        tasks::test_task test_task{task};
+                        if (fail) {
+                            co_await test_task.finish_failed(std::make_exception_ptr(std::runtime_error(error)));
+                        } else {
+                            co_await test_task.finish();
+                        }
+                    },
+                    [] (tasks::task_manager::virtual_task_ptr task) {
+                        return make_ready_future();
+                    }
+                }, task_v);
             });
         } catch (tasks::task_manager::task_not_found& e) {
             throw bad_param_exception(e.what());

api/tasks.cc

@@ -16,6 +16,7 @@
 #include "compaction/task_manager_module.hh"
 #include "service/storage_service.hh"
 #include "tasks/task_manager.hh"
+#include "replica/database.hh"
 
 using namespace seastar::httpd;
 

api/token_metadata.cc

@@ -21,6 +21,9 @@ using namespace json;
 void set_token_metadata(http_context& ctx, routes& r, sharded<locator::shared_token_metadata>& tm) {
     ss::local_hostid.set(r, [&tm](std::unique_ptr<http::request> req) {
         auto id = tm.local().get()->get_my_id();
+        if (!bool(id)) {
+            throw not_found_exception("local host ID is not yet set");
+        }
         return make_ready_future<json::json_return_type>(id.to_sstring());
     });
 
@@ -68,7 +71,7 @@ void set_token_metadata(http_context& ctx, routes& r, sharded<locator::shared_to
 
     ss::get_host_id_map.set(r, [&tm](const_req req) {
         std::vector<ss::mapper> res;
-        return map_to_key_value(tm.local().get()->get_endpoint_to_host_id_map_for_reading(), res);
+        return map_to_key_value(tm.local().get()->get_endpoint_to_host_id_map(), res);
     });
 
     static auto host_or_broadcast = [&tm](const_req req) {

auth/authentication_options.hh

@@ -12,6 +12,7 @@
 #include <stdexcept>
 #include <unordered_map>
 #include <unordered_set>
+#include <variant>
 
 #include <seastar/core/print.hh>
 #include <seastar/core/sstring.hh>
@@ -22,29 +23,10 @@ namespace auth {
 
 enum class authentication_option {
     password,
+    hashed_password,
     options
 };
 
-using authentication_option_set = std::unordered_set<authentication_option>;
-
-using custom_options = std::unordered_map<sstring, sstring>;
-
-struct authentication_options final {
-    std::optional<sstring> password;
-    std::optional<custom_options> options;
-};
-
-inline bool any_authentication_options(const authentication_options& aos) noexcept {
-    return aos.password || aos.options;
-}
-
-class unsupported_authentication_option : public std::invalid_argument {
-public:
-    explicit unsupported_authentication_option(authentication_option k)
-            : std::invalid_argument(format("The {} option is not supported.", k)) {
-    }
-};
-
 }
 
 template <>
@@ -55,9 +37,44 @@ struct fmt::formatter<auth::authentication_option> : fmt::formatter<string_view>
         switch (a) {
         case password:
             return formatter<string_view>::format("PASSWORD", ctx);
+        case hashed_password:
+            return formatter<string_view>::format("HASHED PASSWORD", ctx);
         case options:
             return formatter<string_view>::format("OPTIONS", ctx);
         }
         std::abort();
     }
 };
+
+namespace auth {
+
+using authentication_option_set = std::unordered_set<authentication_option>;
+
+using custom_options = std::unordered_map<sstring, sstring>;
+
+struct password_option {
+    sstring password;
+};
+
+/// Used exclusively for restoring roles.
+struct hashed_password_option {
+    sstring hashed_password;
+};
+
+struct authentication_options final {
+    std::optional<std::variant<password_option, hashed_password_option>> credentials;
+    std::optional<custom_options> options;
+};
+
+inline bool any_authentication_options(const authentication_options& aos) noexcept {
+    return aos.options || aos.credentials;
+}
+
+class unsupported_authentication_option : public std::invalid_argument {
+public:
+    explicit unsupported_authentication_option(authentication_option k)
+            : std::invalid_argument(format("The {} option is not supported.", k)) {
+    }
+};
+
+}

auth/authenticator.hh

@@ -43,6 +43,11 @@ struct certificate_info {
 
 using session_dn_func = std::function<future<std::optional<certificate_info>>()>;
 
+class unsupported_authentication_operation : public std::invalid_argument {
+public:
+    using std::invalid_argument::invalid_argument;
+};
+
 ///
 /// Abstract client for authenticating role identity.
 ///
@@ -129,6 +134,19 @@ public:
     ///
     virtual future<custom_options> query_custom_options(std::string_view role_name) const = 0;
 
+    virtual bool uses_password_hashes() const {
+        return false;
+    }
+
+    ///
+    /// Query the password hash corresponding to a given role.
+    ///
+    /// If the authenticator doesn't use password hashes, throws an `unsupported_authentication_operation` exception.
+    ///
+    virtual future<std::optional<sstring>> get_password_hash(std::string_view role_name) const {
+        return make_exception_future<std::optional<sstring>>(unsupported_authentication_operation("get_password_hash is not implemented"));
+    }
+
     ///
     /// System resources used internally as part of the implementation. These are made inaccessible to users.
     ///

auth/certificate_authenticator.cc

@@ -9,7 +9,7 @@
 
 #include "auth/certificate_authenticator.hh"
 
-#include <regex>
+#include <boost/regex.hpp>
 #include <fmt/ranges.h>
 
 #include "utils/class_registrator.hh"
@@ -76,7 +76,7 @@ auth::certificate_authenticator::certificate_authenticator(cql3::query_processor
                     continue;
                 } catch (std::out_of_range&) {
                     // just fallthrough
-                } catch (std::regex_error&) {
+                } catch (boost::regex_error&) {
                     std::throw_with_nested(std::invalid_argument(fmt::format("Invalid query expression: {}", map.at(cfg_query_attr))));
                 }
             }
@@ -149,7 +149,7 @@ future<std::optional<auth::authenticated_user>> auth::certificate_authenticator:
             co_return username;
         }
     }
-    throw exceptions::authentication_exception(format("Subject '{}'/'{}' does not match any query expression", subject, altname));
+    throw exceptions::authentication_exception(seastar::format("Subject '{}'/'{}' does not match any query expression", subject, altname));
 }
 
 

auth/certificate_authenticator.hh

@@ -10,6 +10,7 @@
 #pragma once
 
 #include "auth/authenticator.hh"
+#include <boost/regex_fwd.hpp>  // IWYU pragma: keep
 
 namespace cql3 {
 

auth/common.cc

@@ -16,6 +16,7 @@
 #include "mutation/canonical_mutation.hh"
 #include "schema/schema_fwd.hh"
 #include "timestamp.hh"
+#include "utils/assert.hh"
 #include "utils/exponential_backoff_retry.hh"
 #include "cql3/query_processor.hh"
 #include "cql3/statements/create_table_statement.hh"
@@ -24,6 +25,7 @@
 #include "service/raft/group0_state_machine.hh"
 #include "timeout_config.hh"
 #include "utils/error_injection.hh"
+#include "db/system_keyspace.hh"
 
 namespace auth {
 
@@ -39,7 +41,7 @@ constinit const std::string_view AUTH_PACKAGE_NAME("org.apache.cassandra.auth.")
 static logging::logger auth_log("auth");
 
 bool legacy_mode(cql3::query_processor& qp) {
-    return qp.auth_version < db::system_keyspace::auth_version_t::v2;
+    return qp.auth_version < db::auth_version_t::v2;
 }
 
 std::string_view get_auth_ks_name(cql3::query_processor& qp) {
@@ -68,10 +70,10 @@ static future<> create_legacy_metadata_table_if_missing_impl(
         cql3::query_processor& qp,
         std::string_view cql,
         ::service::migration_manager& mm) {
-    assert(this_shard_id() == 0); // once_among_shards makes sure a function is executed on shard 0 only
+    SCYLLA_ASSERT(this_shard_id() == 0); // once_among_shards makes sure a function is executed on shard 0 only
 
     auto db = qp.db();
-    auto parsed_statement = cql3::query_processor::parse_statement(cql);
+    auto parsed_statement = cql3::query_processor::parse_statement(cql, cql3::dialect{});
     auto& parsed_cf_statement = static_cast<cql3::statements::raw::cf_statement&>(*parsed_statement);
 
     parsed_cf_statement.prepare_keyspace(meta::legacy::AUTH_KS);
@@ -121,7 +123,7 @@ static future<> announce_mutations_with_guard(
         ::service::raft_group0_client& group0_client,
         std::vector<canonical_mutation> muts,
         ::service::group0_guard group0_guard,
-        seastar::abort_source* as,
+        seastar::abort_source& as,
         std::optional<::service::raft_timeout> timeout) {
     auto group0_cmd = group0_client.prepare_command(
         ::service::write_mutations{
@@ -137,7 +139,7 @@ future<> announce_mutations_with_batching(
         ::service::raft_group0_client& group0_client,
         start_operation_func_t start_operation_func,
         std::function<::service::mutations_generator(api::timestamp_type t)> gen,
-        seastar::abort_source* as,
+        seastar::abort_source& as,
         std::optional<::service::raft_timeout> timeout) {
     // account for command's overhead, it's better to use smaller threshold than constantly bounce off the limit
     size_t memory_threshold = group0_client.max_command_size() * 0.75;
@@ -188,7 +190,7 @@ future<> announce_mutations(
         ::service::raft_group0_client& group0_client,
         const sstring query_string,
         std::vector<data_value_or_unset> values,
-        seastar::abort_source* as,
+        seastar::abort_source& as,
         std::optional<::service::raft_timeout> timeout) {
     auto group0_guard = co_await group0_client.start_operation(as, timeout);
     auto timestamp = group0_guard.write_timestamp();

auth/common.hh

@@ -80,7 +80,7 @@ future<> create_legacy_metadata_table_if_missing(
 // Execute update query via group0 mechanism, mutations will be applied on all nodes.
 // Use this function when need to perform read before write on a single guard or if
 // you have more than one mutation and potentially exceed single command size limit.
-using start_operation_func_t = std::function<future<::service::group0_guard>(abort_source*)>;
+using start_operation_func_t = std::function<future<::service::group0_guard>(abort_source&)>;
 future<> announce_mutations_with_batching(
         ::service::raft_group0_client& group0_client,
         // since we can operate also in topology coordinator context where we need stronger
@@ -88,7 +88,7 @@ future<> announce_mutations_with_batching(
         // function here
         start_operation_func_t start_operation_func,
         std::function<::service::mutations_generator(api::timestamp_type t)> gen,
-        seastar::abort_source* as,
+        seastar::abort_source& as,
         std::optional<::service::raft_timeout> timeout);
 
 // Execute update query via group0 mechanism, mutations will be applied on all nodes.
@@ -97,7 +97,7 @@ future<> announce_mutations(
         ::service::raft_group0_client& group0_client,
         const sstring query_string,
         std::vector<data_value_or_unset> values,
-        seastar::abort_source* as,
+        seastar::abort_source& as,
         std::optional<::service::raft_timeout> timeout);
 
 // Appends mutations to a collector, they will be applied later on all nodes via group0 mechanism.

auth/default_authorizer.cc

@@ -27,7 +27,7 @@ extern "C" {
 #include "cql3/query_processor.hh"
 #include "cql3/untyped_result_set.hh"
 #include "exceptions/exceptions.hh"
-#include "log.hh"
+#include "utils/log.hh"
 #include "utils/class_registrator.hh"
 
 namespace auth {
@@ -67,7 +67,7 @@ bool default_authorizer::legacy_metadata_exists() const {
 }
 
 future<bool> default_authorizer::legacy_any_granted() const {
-    static const sstring query = format("SELECT * FROM {}.{} LIMIT 1", meta::legacy::AUTH_KS, PERMISSIONS_CF);
+    static const sstring query = seastar::format("SELECT * FROM {}.{} LIMIT 1", meta::legacy::AUTH_KS, PERMISSIONS_CF);
 
     return _qp.execute_internal(
             query,
@@ -80,7 +80,7 @@ future<bool> default_authorizer::legacy_any_granted() const {
 
 future<> default_authorizer::migrate_legacy_metadata() {
     alogger.info("Starting migration of legacy permissions metadata.");
-    static const sstring query = format("SELECT * FROM {}.{}", meta::legacy::AUTH_KS, legacy_table_name);
+    static const sstring query = seastar::format("SELECT * FROM {}.{}", meta::legacy::AUTH_KS, legacy_table_name);
 
     return _qp.execute_internal(
             query,
@@ -163,7 +163,7 @@ default_authorizer::authorize(const role_or_anonymous& maybe_role, const resourc
         co_return permissions::NONE;
     }
 
-    const sstring query = format("SELECT {} FROM {}.{} WHERE {} = ? AND {} = ?",
+    const sstring query = seastar::format("SELECT {} FROM {}.{} WHERE {} = ? AND {} = ?",
             PERMISSIONS_NAME,
             get_auth_ks_name(_qp),
             PERMISSIONS_CF,
@@ -188,7 +188,7 @@ default_authorizer::modify(
         const resource& resource,
         std::string_view op,
         ::service::group0_batch& mc) {
-    const sstring query = format("UPDATE {}.{} SET {} = {} {} ? WHERE {} = ? AND {} = ?",
+    const sstring query = seastar::format("UPDATE {}.{} SET {} = {} {} ? WHERE {} = ? AND {} = ?",
             get_auth_ks_name(_qp),
             PERMISSIONS_CF,
             PERMISSIONS_NAME,
@@ -218,7 +218,7 @@ future<> default_authorizer::revoke(std::string_view role_name, permission_set s
 }
 
 future<std::vector<permission_details>> default_authorizer::list_all() const {
-    const sstring query = format("SELECT {}, {}, {} FROM {}.{}",
+    const sstring query = seastar::format("SELECT {}, {}, {} FROM {}.{}",
             ROLE_NAME,
             RESOURCE_NAME,
             PERMISSIONS_NAME,
@@ -246,7 +246,7 @@ future<std::vector<permission_details>> default_authorizer::list_all() const {
 
 future<> default_authorizer::revoke_all(std::string_view role_name, ::service::group0_batch& mc) {
     try {
-        const sstring query = format("DELETE FROM {}.{} WHERE {} = ?",
+        const sstring query = seastar::format("DELETE FROM {}.{} WHERE {} = ?",
                 get_auth_ks_name(_qp),
                 PERMISSIONS_CF,
                 ROLE_NAME);
@@ -266,7 +266,7 @@ future<> default_authorizer::revoke_all(std::string_view role_name, ::service::g
 }
 
 future<> default_authorizer::revoke_all_legacy(const resource& resource) {
-    static const sstring query = format("SELECT {} FROM {}.{} WHERE {} = ? ALLOW FILTERING",
+    static const sstring query = seastar::format("SELECT {} FROM {}.{} WHERE {} = ? ALLOW FILTERING",
             ROLE_NAME,
             get_auth_ks_name(_qp),
             PERMISSIONS_CF,
@@ -283,7 +283,7 @@ future<> default_authorizer::revoke_all_legacy(const resource& resource) {
                     res->begin(),
                     res->end(),
                     [this, res, resource](const cql3::untyped_result_set::row& r) {
-                static const sstring query = format("DELETE FROM {}.{} WHERE {} = ? AND {} = ?",
+                static const sstring query = seastar::format("DELETE FROM {}.{} WHERE {} = ? AND {} = ?",
                         get_auth_ks_name(_qp),
                         PERMISSIONS_CF,
                         ROLE_NAME,
@@ -323,7 +323,7 @@ future<> default_authorizer::revoke_all(const resource& resource, ::service::gro
 
     auto name = resource.name();
     auto gen = [this, name] (api::timestamp_type t) -> ::service::mutations_generator {
-        const sstring query = format("SELECT {} FROM {}.{} WHERE {} = ? ALLOW FILTERING",
+        const sstring query = seastar::format("SELECT {} FROM {}.{} WHERE {} = ? ALLOW FILTERING",
                 ROLE_NAME,
                 get_auth_ks_name(_qp),
                 PERMISSIONS_CF,
@@ -334,7 +334,7 @@ future<> default_authorizer::revoke_all(const resource& resource, ::service::gro
                 {name},
                 cql3::query_processor::cache_internal::no);
         for (const auto& r : *res) {
-            const sstring query = format("DELETE FROM {}.{} WHERE {} = ? AND {} = ?",
+            const sstring query = seastar::format("DELETE FROM {}.{} WHERE {} = ? AND {} = ?",
                     get_auth_ks_name(_qp),
                     PERMISSIONS_CF,
                     ROLE_NAME,
@@ -346,7 +346,7 @@ future<> default_authorizer::revoke_all(const resource& resource, ::service::gro
                     {r.get_as<sstring>(ROLE_NAME), name});
             if (muts.size() != 1) {
                 on_internal_error(alogger,
-                    format("expecting single delete mutation, got {}", muts.size()));
+                    seastar::format("expecting single delete mutation, got {}", muts.size()));
             }
             co_yield std::move(muts[0]);
         }
@@ -357,7 +357,7 @@ future<> default_authorizer::revoke_all(const resource& resource, ::service::gro
 void default_authorizer::revoke_all_keyspace_resources(const resource& ks_resource, ::service::group0_batch& mc) {
     auto ks_name = ks_resource.name();
     auto gen = [this, ks_name] (api::timestamp_type t) -> ::service::mutations_generator {
-        const sstring query = format("SELECT {}, {} FROM {}.{}",
+        const sstring query = seastar::format("SELECT {}, {} FROM {}.{}",
                 ROLE_NAME,
                 RESOURCE_NAME,
                 get_auth_ks_name(_qp),
@@ -374,7 +374,7 @@ void default_authorizer::revoke_all_keyspace_resources(const resource& ks_resour
                 // r doesn't represent resource related to ks_resource
                 continue;
             }
-            const sstring query = format("DELETE FROM {}.{} WHERE {} = ? AND {} = ?",
+            const sstring query = seastar::format("DELETE FROM {}.{} WHERE {} = ? AND {} = ?",
                     get_auth_ks_name(_qp),
                     PERMISSIONS_CF,
                     ROLE_NAME,

auth/maintenance_socket_role_manager.cc

@@ -11,6 +11,7 @@
 #include <seastar/core/future.hh>
 #include <stdexcept>
 #include <string_view>
+#include "cql3/description.hh"
 #include "utils/class_registrator.hh"
 
 namespace auth {
@@ -43,10 +44,14 @@ future<> maintenance_socket_role_manager::stop() {
     return make_ready_future<>();
 }
 
+future<> maintenance_socket_role_manager::ensure_superuser_is_created() {
+    return make_ready_future<>();
+}
+
 template<typename T = void>
 future<T> operation_not_supported_exception(std::string_view operation) {
     return make_exception_future<T>(
-        std::runtime_error(format("role manager: {} operation not supported through maintenance socket", operation)));
+        std::runtime_error(fmt::format("role manager: {} operation not supported through maintenance socket", operation)));
 }
 
 future<> maintenance_socket_role_manager::create(std::string_view role_name, const role_config&, ::service::group0_batch&) {
@@ -73,6 +78,10 @@ future<role_set> maintenance_socket_role_manager::query_granted(std::string_view
     return operation_not_supported_exception<role_set>("QUERY GRANTED");
 }
 
+future<role_to_directly_granted_map> maintenance_socket_role_manager::query_all_directly_granted() {
+    return operation_not_supported_exception<role_to_directly_granted_map>("QUERY ALL DIRECTLY GRANTED");
+}
+
 future<role_set> maintenance_socket_role_manager::query_all() {
     return operation_not_supported_exception<role_set>("QUERY ALL");
 }
@@ -105,4 +114,8 @@ future<> maintenance_socket_role_manager::remove_attribute(std::string_view role
     return operation_not_supported_exception("REMOVE ATTRIBUTE");
 }
 
+future<std::vector<cql3::description>> maintenance_socket_role_manager::describe_role_grants() {
+    return operation_not_supported_exception<std::vector<cql3::description>>("DESCRIBE SCHEMA WITH INTERNALS");
 }
+
+} // namespace auth

auth/maintenance_socket_role_manager.hh

@@ -39,6 +39,8 @@ public:
 
     virtual future<> stop() override;
 
+    virtual future<> ensure_superuser_is_created() override;
+
     virtual future<> create(std::string_view role_name, const role_config&, ::service::group0_batch&) override;
 
     virtual future<> drop(std::string_view role_name, ::service::group0_batch& mc) override;
@@ -51,6 +53,8 @@ public:
 
     virtual future<role_set> query_granted(std::string_view grantee_name, recursive_role_query) override;
 
+    virtual future<role_to_directly_granted_map> query_all_directly_granted() override;
+
     virtual future<role_set> query_all() override;
 
     virtual future<bool> exists(std::string_view role_name) override;
@@ -66,6 +70,8 @@ public:
     virtual future<> set_attribute(std::string_view role_name, std::string_view attribute_name, std::string_view attribute_value, ::service::group0_batch& mc) override;
 
     virtual future<> remove_attribute(std::string_view role_name, std::string_view attribute_name, ::service::group0_batch& mc) override;
+
+    virtual future<std::vector<cql3::description>> describe_role_grants() override;
 };
 
 }

auth/password_authenticator.cc

@@ -14,16 +14,17 @@
 #include <string_view>
 #include <optional>
 
-#include <boost/algorithm/cxx11/all_of.hpp>
 #include <seastar/core/seastar.hh>
 #include <seastar/core/sleep.hh>
+#include <variant>
 
 #include "auth/authenticated_user.hh"
+#include "auth/authentication_options.hh"
 #include "auth/common.hh"
 #include "auth/passwords.hh"
 #include "auth/roles-metadata.hh"
 #include "cql3/untyped_result_set.hh"
-#include "log.hh"
+#include "utils/log.hh"
 #include "service/migration_manager.hh"
 #include "utils/class_registrator.hh"
 #include "replica/database.hh"
@@ -75,7 +76,7 @@ static bool has_salted_hash(const cql3::untyped_result_set_row& row) {
 }
 
 sstring password_authenticator::update_row_query() const {
-    return format("UPDATE {}.{} SET {} = ? WHERE {} = ?",
+    return seastar::format("UPDATE {}.{} SET {} = ? WHERE {} = ?",
             get_auth_ks_name(_qp),
             meta::roles_table::name,
             SALTED_HASH,
@@ -90,7 +91,7 @@ bool password_authenticator::legacy_metadata_exists() const {
 
 future<> password_authenticator::migrate_legacy_metadata() const {
     plogger.info("Starting migration of legacy authentication metadata.");
-    static const sstring query = format("SELECT * FROM {}.{}", meta::legacy::AUTH_KS, legacy_table_name);
+    static const sstring query = seastar::format("SELECT * FROM {}.{}", meta::legacy::AUTH_KS, legacy_table_name);
 
     return _qp.execute_internal(
             query,
@@ -136,7 +137,7 @@ future<> password_authenticator::create_default_if_missing() {
         plogger.info("Created default superuser authentication record.");
     } else {
         co_await announce_mutations(_qp, _group0_client, query,
-            {salted_pwd, _superuser}, &_as, ::service::raft_timeout{});
+            {salted_pwd, _superuser}, _as, ::service::raft_timeout{});
         plogger.info("Created default superuser authentication record.");
     }
 }
@@ -199,7 +200,7 @@ bool password_authenticator::require_authentication() const {
 }
 
 authentication_option_set password_authenticator::supported_options() const {
-    return authentication_option_set{authentication_option::password};
+    return authentication_option_set{authentication_option::password, authentication_option::hashed_password};
 }
 
 authentication_option_set password_authenticator::alterable_options() const {
@@ -218,28 +219,8 @@ future<authenticated_user> password_authenticator::authenticate(
     const sstring username = credentials.at(USERNAME_KEY);
     const sstring password = credentials.at(PASSWORD_KEY);
 
-    // Here was a thread local, explicit cache of prepared statement. In normal execution this is
-    // fine, but since we in testing set up and tear down system over and over, we'd start using
-    // obsolete prepared statements pretty quickly.
-    // Rely on query processing caching statements instead, and lets assume
-    // that a map lookup string->statement is not gonna kill us much.
-    const sstring query = format("SELECT {} FROM {}.{} WHERE {} = ?",
-                SALTED_HASH,
-                get_auth_ks_name(_qp),
-                meta::roles_table::name,
-                meta::roles_table::role_col_name);
     try {
-        const auto res = co_await _qp.execute_internal(
-                query,
-                consistency_for_user(username),
-                internal_distributed_query_state(),
-                {username},
-                cql3::query_processor::cache_internal::yes);
-
-        auto salted_hash = std::optional<sstring>();
-        if (!res->empty()) {
-            salted_hash = res->one().get_opt<sstring>(SALTED_HASH);
-        }
+        const std::optional<sstring> salted_hash = co_await get_password_hash(username);
         if (!salted_hash || !passwords::check(password, *salted_hash)) {
             throw exceptions::authentication_exception("Username and/or password are incorrect");
         }
@@ -258,29 +239,46 @@ future<authenticated_user> password_authenticator::authenticate(
 }
 
 future<> password_authenticator::create(std::string_view role_name, const authentication_options& options, ::service::group0_batch& mc) {
-    if (!options.password) {
+    // When creating a role with the usual `CREATE ROLE` statement, turns the underlying `PASSWORD`
+    // into the corresponding hash.
+    // When creating a role with `CREATE ROLE WITH HASHED PASSWORD`, simply extracts the `HASHED PASSWORD`.
+    auto maybe_hash = options.credentials.transform([&] (const auto& creds) -> sstring {
+        return std::visit(make_visitor(
+                [&] (const password_option& opt) {
+                    return passwords::hash(opt.password, rng_for_salt);
+                },
+                [] (const hashed_password_option& opt) {
+                    return opt.hashed_password;
+                }
+        ), creds);
+    });
+
+    // Neither `PASSWORD`, nor `HASHED PASSWORD` has been specified.
+    if (!maybe_hash) {
         co_return;
     }
+
     const auto query = update_row_query();
     if (legacy_mode(_qp)) {
         co_await _qp.execute_internal(
                 query,
                 consistency_for_user(role_name),
                 internal_distributed_query_state(),
-                {passwords::hash(*options.password, rng_for_salt), sstring(role_name)},
+                {std::move(*maybe_hash), sstring(role_name)},
                 cql3::query_processor::cache_internal::no).discard_result();
     } else {
-        co_await collect_mutations(_qp, mc, query,
-                {passwords::hash(*options.password, rng_for_salt), sstring(role_name)});
+        co_await collect_mutations(_qp, mc, query, {std::move(*maybe_hash), sstring(role_name)});
     }
 }
 
 future<> password_authenticator::alter(std::string_view role_name, const authentication_options& options, ::service::group0_batch& mc) {
-    if (!options.password) {
+    if (!options.credentials) {
         co_return;
     }
 
-    const sstring query = format("UPDATE {}.{} SET {} = ? WHERE {} = ?",
+    const auto password = std::get<password_option>(*options.credentials).password;
+
+    const sstring query = seastar::format("UPDATE {}.{} SET {} = ? WHERE {} = ?",
             get_auth_ks_name(_qp),
             meta::roles_table::name,
             SALTED_HASH,
@@ -290,16 +288,16 @@ future<> password_authenticator::alter(std::string_view role_name, const authent
                 query,
                 consistency_for_user(role_name),
                 internal_distributed_query_state(),
-                {passwords::hash(*options.password, rng_for_salt), sstring(role_name)},
+                {passwords::hash(password, rng_for_salt), sstring(role_name)},
                 cql3::query_processor::cache_internal::no).discard_result();
     } else {
         co_await collect_mutations(_qp, mc, query,
-                {passwords::hash(*options.password, rng_for_salt), sstring(role_name)});
+                {passwords::hash(password, rng_for_salt), sstring(role_name)});
     }
 }
 
 future<> password_authenticator::drop(std::string_view name, ::service::group0_batch& mc) {
-    const sstring query = format("DELETE {} FROM {}.{} WHERE {} = ?",
+    const sstring query = seastar::format("DELETE {} FROM {}.{} WHERE {} = ?",
             SALTED_HASH,
             get_auth_ks_name(_qp),
             meta::roles_table::name,
@@ -319,6 +317,36 @@ future<custom_options> password_authenticator::query_custom_options(std::string_
     return make_ready_future<custom_options>();
 }
 
+bool password_authenticator::uses_password_hashes() const {
+    return true;
+}
+
+future<std::optional<sstring>> password_authenticator::get_password_hash(std::string_view role_name) const {
+    // Here was a thread local, explicit cache of prepared statement. In normal execution this is
+    // fine, but since we in testing set up and tear down system over and over, we'd start using
+    // obsolete prepared statements pretty quickly.
+    // Rely on query processing caching statements instead, and lets assume
+    // that a map lookup string->statement is not gonna kill us much.
+    const sstring query = seastar::format("SELECT {} FROM {}.{} WHERE {} = ?",
+                SALTED_HASH,
+                get_auth_ks_name(_qp),
+                meta::roles_table::name,
+                meta::roles_table::role_col_name);
+
+    const auto res = co_await _qp.execute_internal(
+            query,
+            consistency_for_user(role_name),
+            internal_distributed_query_state(),
+            {role_name},
+            cql3::query_processor::cache_internal::yes);
+
+    if (res->empty()) {
+        co_return std::nullopt;
+    }
+
+    co_return res->one().get_opt<sstring>(SALTED_HASH);
+}
+
 const resource_set& password_authenticator::protected_resources() const {
     static const resource_set resources({make_data_resource(meta::legacy::AUTH_KS, meta::roles_table::name)});
     return resources;

auth/password_authenticator.hh

@@ -72,6 +72,10 @@ public:
 
     virtual future<custom_options> query_custom_options(std::string_view role_name) const override;
 
+    virtual bool uses_password_hashes() const override;
+
+    virtual future<std::optional<sstring>> get_password_hash(std::string_view role_name) const override;
+
     virtual const resource_set& protected_resources() const override;
 
     virtual ::shared_ptr<sasl_challenge> new_sasl_challenge() const override;

auth/permissions_cache.hh

@@ -17,7 +17,7 @@
 #include "auth/permission.hh"
 #include "auth/resource.hh"
 #include "auth/role_or_anonymous.hh"
-#include "log.hh"
+#include "utils/log.hh"
 #include "utils/hash.hh"
 #include "utils/loading_cache.hh"
 

auth/resource.cc

@@ -23,7 +23,7 @@
 #include "cql3/functions/user_function.hh"
 #include "cql3/util.hh"
 #include "db/marshal/type_parser.hh"
-#include "log.hh"
+#include "utils/log.hh"
 
 namespace auth {
 
@@ -193,7 +193,7 @@ service_level_resource_view::service_level_resource_view(const resource &r) {
 }
 
 sstring encode_signature(std::string_view name, std::vector<data_type> args) {
-    return format("{}[{}]", name,
+    return seastar::format("{}[{}]", name,
             fmt::join(args | boost::adaptors::transformed([] (const data_type t) {
                 return t->name();
             }), "^"));
@@ -222,7 +222,7 @@ std::pair<sstring, std::vector<data_type>> decode_signature(std::string_view enc
 // to the short form (int)
 static sstring decoded_signature_string(std::string_view encoded_signature) {
     auto [function_name, arg_types] = decode_signature(encoded_signature);
-    return format("{}({})", cql3::util::maybe_quote(sstring(function_name)),
+    return seastar::format("{}({})", cql3::util::maybe_quote(sstring(function_name)),
             boost::algorithm::join(arg_types | boost::adaptors::transformed([] (data_type t) {
                 return t->cql3_type_name();
             }), ", "));

auth/resource.hh

@@ -18,7 +18,6 @@
 #include <unordered_set>
 
 #include <fmt/core.h>
-#include <seastar/core/print.hh>
 #include <seastar/core/sstring.hh>
 
 #include "auth/permission.hh"
@@ -33,7 +32,7 @@ namespace auth {
 class invalid_resource_name : public std::invalid_argument {
 public:
     explicit invalid_resource_name(std::string_view name)
-            : std::invalid_argument(format("The resource name '{}' is invalid.", name)) {
+            : std::invalid_argument(fmt::format("The resource name '{}' is invalid.", name)) {
     }
 };
 
@@ -149,7 +148,7 @@ class resource_kind_mismatch : public std::invalid_argument {
 public:
     explicit resource_kind_mismatch(resource_kind expected, resource_kind actual)
         : std::invalid_argument(
-            format("This resource has kind '{}', but was expected to have kind '{}'.", actual, expected)) {
+            fmt::format("This resource has kind '{}', but was expected to have kind '{}'.", actual, expected)) {
     }
 };
 

auth/role_manager.hh

@@ -18,6 +18,7 @@
 #include <seastar/core/sstring.hh>
 
 #include "auth/resource.hh"
+#include "cql3/description.hh"
 #include "seastarx.hh"
 #include "exceptions/exceptions.hh"
 #include "service/raft/raft_group0_client.hh"
@@ -48,14 +49,14 @@ public:
 class role_already_exists : public roles_argument_exception {
 public:
     explicit role_already_exists(std::string_view role_name)
-            : roles_argument_exception(format("Role {} already exists.", role_name)) {
+            : roles_argument_exception(seastar::format("Role {} already exists.", role_name)) {
     }
 };
 
 class nonexistant_role : public roles_argument_exception {
 public:
     explicit nonexistant_role(std::string_view role_name)
-            : roles_argument_exception(format("Role {} doesn't exist.", role_name)) {
+            : roles_argument_exception(seastar::format("Role {} doesn't exist.", role_name)) {
     }
 };
 
@@ -63,7 +64,7 @@ class role_already_included : public roles_argument_exception {
 public:
     role_already_included(std::string_view grantee_name, std::string_view role_name)
             : roles_argument_exception(
-                      format("{} already includes role {}.", grantee_name, role_name)) {
+                      seastar::format("{} already includes role {}.", grantee_name, role_name)) {
     }
 };
 
@@ -71,11 +72,12 @@ class revoke_ungranted_role : public roles_argument_exception {
 public:
     revoke_ungranted_role(std::string_view revokee_name, std::string_view role_name)
             : roles_argument_exception(
-                      format("{} was not granted role {}, so it cannot be revoked.", revokee_name, role_name)) {
+                      seastar::format("{} was not granted role {}, so it cannot be revoked.", revokee_name, role_name)) {
     }
 };
 
 using role_set = std::unordered_set<sstring>;
+using role_to_directly_granted_map = std::multimap<sstring, sstring>;
 
 enum class recursive_role_query { yes, no };
 
@@ -105,6 +107,13 @@ public:
 
     virtual future<> stop() = 0;
 
+    ///
+    /// Ensure that superuser role exists.
+    ///
+    /// \returns a future once it is ensured that the superuser role exists.
+    ///
+    virtual future<> ensure_superuser_is_created() = 0;
+
     ///
     /// \returns an exceptional future with \ref role_already_exists for a role that has previously been created.
     ///
@@ -144,6 +153,22 @@ public:
     ///
     virtual future<role_set> query_granted(std::string_view grantee, recursive_role_query) = 0;
 
+    /// \returns map of directly granted roles for all roles
+    ///
+    /// Example:
+    /// GRANT role2 TO role1
+    /// GRANT role3 TO role1
+    /// GRANT role3 TO role2
+    ///
+    /// Will return map:
+    /// {
+    ///   (role1, role2),
+    ///   (role1, role3),
+    ///   (role2, role3)
+    /// }
+    ///  
+    virtual future<role_to_directly_granted_map> query_all_directly_granted() = 0;
+
     virtual future<role_set> query_all() = 0;
 
     virtual future<bool> exists(std::string_view role_name) = 0;
@@ -178,5 +203,8 @@ public:
     /// \note: This is a no-op if the role does not have the named attribute set.
     ///
     virtual future<> remove_attribute(std::string_view role_name, std::string_view attribute_name, ::service::group0_batch& mc) = 0;
+
+    /// Produces descriptions that can be used to restore the role grants.
+    virtual future<std::vector<cql3::description>> describe_role_grants() = 0;
 };
 }

auth/roles-metadata.cc

@@ -8,7 +8,6 @@
 
 #include "auth/roles-metadata.hh"
 
-#include <boost/algorithm/cxx11/any_of.hpp>
 #include <seastar/core/print.hh>
 #include <seastar/core/shared_ptr.hh>
 #include <seastar/core/sstring.hh>
@@ -47,7 +46,7 @@ future<bool> default_role_row_satisfies(
         cql3::query_processor& qp,
         std::function<bool(const cql3::untyped_result_set_row&)> p,
         std::optional<std::string> rolename) {
-    const sstring query = format("SELECT * FROM {}.{} WHERE {} = ?",
+    const sstring query = seastar::format("SELECT * FROM {}.{} WHERE {} = ?",
             get_auth_ks_name(qp),
             meta::roles_table::name,
             meta::roles_table::role_col_name);
@@ -69,7 +68,7 @@ future<bool> any_nondefault_role_row_satisfies(
         cql3::query_processor& qp,
         std::function<bool(const cql3::untyped_result_set_row&)> p,
         std::optional<std::string> rolename) {
-    const sstring query = format("SELECT * FROM {}.{}", get_auth_ks_name(qp), meta::roles_table::name);
+    const sstring query = seastar::format("SELECT * FROM {}.{}", get_auth_ks_name(qp), meta::roles_table::name);
 
     auto results = co_await qp.execute_internal(query, db::consistency_level::QUORUM
         , internal_distributed_query_state(), cql3::query_processor::cache_internal::no
@@ -79,7 +78,7 @@ future<bool> any_nondefault_role_row_satisfies(
     }
     static const sstring col_name = sstring(meta::roles_table::role_col_name);
 
-    co_return boost::algorithm::any_of(*results, [&](const cql3::untyped_result_set_row& row) {
+    co_return std::ranges::any_of(*results, [&](const cql3::untyped_result_set_row& row) {
         auto superuser = rolename ? std::string_view(*rolename) : meta::DEFAULT_SUPERUSER_NAME;
         const bool is_nondefault = row.get_as<sstring>(col_name) != superuser;
         return is_nondefault && p(row);

auth/sasl_challenge.hh

@@ -18,7 +18,7 @@
 #include <seastar/core/sstring.hh>
 
 #include "auth/authenticated_user.hh"
-#include "bytes.hh"
+#include "bytes_fwd.hh"
 #include "seastarx.hh"
 
 namespace auth {

auth/service.cc

@@ -8,6 +8,8 @@
 
 #include <exception>
 #include <seastar/core/coroutine.hh>
+#include "auth/authentication_options.hh"
+#include "auth/authorizer.hh"
 #include "auth/resource.hh"
 #include "auth/service.hh"
 
@@ -25,17 +27,21 @@
 #include "auth/role_or_anonymous.hh"
 #include "cql3/functions/functions.hh"
 #include "cql3/query_processor.hh"
+#include "cql3/description.hh"
 #include "cql3/untyped_result_set.hh"
+#include "cql3/util.hh"
 #include "db/config.hh"
 #include "db/consistency_level_type.hh"
 #include "db/functions/function_name.hh"
-#include "log.hh"
+#include "utils/log.hh"
 #include "schema/schema_fwd.hh"
 #include <seastar/core/future.hh>
 #include <seastar/coroutine/parallel_for_each.hh>
+#include <variant>
 #include "service/migration_manager.hh"
 #include "service/raft/raft_group0_client.hh"
 #include "timestamp.hh"
+#include "utils/assert.hh"
 #include "utils/class_registrator.hh"
 #include "locator/abstract_replication_strategy.hh"
 #include "data_dictionary/keyspace_metadata.hh"
@@ -77,7 +83,7 @@ private:
     void on_update_function(const sstring& ks_name, const sstring& function_name) override {}
     void on_update_aggregate(const sstring& ks_name, const sstring& aggregate_name) override {}
     void on_update_view(const sstring& ks_name, const sstring& view_name, bool columns_changed) override {}
-    void on_update_tablet_metadata() override {}
+    void on_update_tablet_metadata(const locator::tablet_metadata_change_hint&) override {}
 
     void on_drop_keyspace(const sstring& ks_name) override {
         if (!legacy_mode(_qp)) {
@@ -194,7 +200,7 @@ service::service(
 }
 
 future<> service::create_legacy_keyspace_if_missing(::service::migration_manager& mm) const {
-    assert(this_shard_id() == 0); // once_among_shards makes sure a function is executed on shard 0 only
+    SCYLLA_ASSERT(this_shard_id() == 0); // once_among_shards makes sure a function is executed on shard 0 only
     auto db = _qp.db();
 
     while (!db.has_keyspace(meta::legacy::AUTH_KS)) {
@@ -212,7 +218,7 @@ future<> service::create_legacy_keyspace_if_missing(::service::migration_manager
 
             try {
                 co_return co_await mm.announce(::service::prepare_new_keyspace_announcement(db.real_database(), ksm, ts),
-                        std::move(group0_guard), format("auth_service: create {} keyspace", meta::legacy::AUTH_KS));
+                        std::move(group0_guard), seastar::format("auth_service: create {} keyspace", meta::legacy::AUTH_KS));
             } catch (::service::group0_concurrent_modification&) {
                 log.info("Concurrent operation is detected while creating {} keyspace, retrying.", meta::legacy::AUTH_KS);
             }
@@ -256,6 +262,10 @@ future<> service::stop() {
     });
 }
 
+future<> service::ensure_superuser_is_created() {
+    return _role_manager->ensure_superuser_is_created();
+}
+
 void service::update_cache_config() {
     auto db = _qp.db();
 
@@ -321,8 +331,11 @@ static void validate_authentication_options_are_supported(
         }
     };
 
-    if (options.password) {
-        check(authentication_option::password);
+    if (options.credentials) {
+        std::visit(make_visitor(
+            [&] (const password_option&) { check(authentication_option::password); },
+            [&] (const hashed_password_option&) { check(authentication_option::hashed_password); }
+        ), *options.credentials);
     }
 
     if (options.options) {
@@ -417,6 +430,223 @@ future<bool> service::exists(const resource& r) const {
     return make_ready_future<bool>(false);
 }
 
+future<std::vector<cql3::description>> service::describe_roles(bool with_hashed_passwords) {
+    std::vector<cql3::description> result{};
+
+    const auto roles = co_await _role_manager->query_all();
+    result.reserve(roles.size());
+
+    const bool authenticator_uses_password_hashes = _authenticator->uses_password_hashes();
+
+    auto produce_create_statement = [with_hashed_passwords] (const sstring& formatted_role_name,
+            const std::optional<sstring>& maybe_hashed_password, bool can_login, bool is_superuser) {
+        // Even after applying formatting to a role, `formatted_role_name` can only equal `meta::DEFAULT_SUPER_NAME`
+        // if the original identifier was equal to it.
+        const sstring role_part = formatted_role_name == meta::DEFAULT_SUPERUSER_NAME
+                ? seastar::format("IF NOT EXISTS {}", formatted_role_name)
+                : formatted_role_name;
+
+        const sstring with_hashed_password_part = with_hashed_passwords && maybe_hashed_password
+                // `K_PASSWORD` in Scylla's CQL grammar requires that passwords be quoted
+                // with single quotation marks.
+                ? seastar::format("WITH HASHED PASSWORD = {} AND", cql3::util::single_quote(*maybe_hashed_password))
+                : "WITH";
+
+        return seastar::format("CREATE ROLE {} {} LOGIN = {} AND SUPERUSER = {};",
+                role_part, with_hashed_password_part, can_login, is_superuser);
+    };
+
+    for (const auto& role : roles) {
+        const sstring formatted_role_name = cql3::util::maybe_quote(role);
+
+        std::optional<sstring> maybe_hashed_password;
+        if (authenticator_uses_password_hashes) {
+            maybe_hashed_password = co_await _authenticator->get_password_hash(role);
+        }
+
+        const bool can_login = co_await _role_manager->can_login(role);
+        const bool is_superuser = co_await _role_manager->is_superuser(role);
+
+        result.push_back(cql3::description {
+            // Roles do not belong to any keyspace.
+            .keyspace = std::nullopt,
+            .type = "role",
+            .name = role,
+            .create_statement = produce_create_statement(formatted_role_name, maybe_hashed_password, can_login, is_superuser)
+        });
+    }
+
+    std::ranges::sort(result, std::less<>{}, std::mem_fn(&cql3::description::name));
+
+    co_return result;
+}
+
+// The function doesn't assume anything about `role`.
+static sstring describe_data_resource(const permission& perm, const resource& r, std::string_view role) {
+    const auto permission = permissions::to_string(perm);
+    const auto formatted_role = cql3::util::maybe_quote(role);
+
+    const auto view = data_resource_view(r);
+    const auto maybe_ks = view.keyspace();
+    const auto maybe_cf = view.table();
+
+    // The documentation says:
+    //
+    //     Both keyspace and table names consist of only alphanumeric characters, cannot be empty,
+    //     and are limited in size to 48 characters (that limit exists mostly to avoid filenames,
+    //     which may include the keyspace and table name, to go over the limits of certain file systems).
+    //     By default, keyspace and table names are case insensitive (myTable is equivalent to mytable),
+    //     but case sensitivity can be forced by using double-quotes ("myTable" is different from mytable).
+    //
+    // That's why we wrap identifiers with quotation marks below.
+
+    if (!maybe_ks) {
+        return seastar::format("GRANT {} ON ALL KEYSPACES TO {};", permission, formatted_role);
+    }
+    const auto ks = cql3::util::maybe_quote(*maybe_ks);
+
+    if (!maybe_cf) {
+        return seastar::format("GRANT {} ON KEYSPACE {} TO {};", permission, ks, formatted_role);
+    }
+    const auto cf = cql3::util::maybe_quote(*maybe_cf);
+
+    return seastar::format("GRANT {} ON {}.{} TO {};", permission, ks, cf, formatted_role);
+}
+
+// The function doesn't assume anything about `role`.
+static sstring describe_role_resource(const permission& perm, const resource& r, std::string_view role) {
+    const auto permission = permissions::to_string(perm);
+    const auto formatted_role = cql3::util::maybe_quote(role);
+
+    const auto view = role_resource_view(r);
+    const auto maybe_target_role = view.role();
+
+    if (!maybe_target_role) {
+        return seastar::format("GRANT {} ON ALL ROLES TO {};", permission, formatted_role);
+    }
+    return seastar::format("GRANT {} ON ROLE {} TO {};", permission, cql3::util::maybe_quote(*maybe_target_role), formatted_role);
+}
+
+// The function doesn't assume anything about `role`.
+static sstring describe_udf_resource(const permission& perm, const resource& r, std::string_view role) {
+    const auto permission = permissions::to_string(perm);
+    const auto formatted_role = cql3::util::maybe_quote(role);
+
+    const auto view = functions_resource_view(r);
+    const auto maybe_ks = view.keyspace();
+    const auto maybe_fun_sig = view.function_signature();
+    const auto maybe_fun_name = view.function_name();
+    const auto maybe_fun_args = view.function_args();
+
+    // The documentation says:
+    //
+    //     Both keyspace and table names consist of only alphanumeric characters, cannot be empty,
+    //     and are limited in size to 48 characters (that limit exists mostly to avoid filenames,
+    //     which may include the keyspace and table name, to go over the limits of certain file systems).
+    //     By default, keyspace and table names are case insensitive (myTable is equivalent to mytable),
+    //     but case sensitivity can be forced by using double-quotes ("myTable" is different from mytable).
+    //
+    // That's why we wrap identifiers with quotation marks below.
+
+    if (!maybe_ks) {
+        return seastar::format("GRANT {} ON ALL FUNCTIONS TO {};", permission, formatted_role);
+    }
+    const auto ks = cql3::util::maybe_quote(*maybe_ks);
+
+    if (!maybe_fun_sig && !maybe_fun_name) {
+        return seastar::format("GRANT {} ON ALL FUNCTIONS IN KEYSPACE {} TO {};", permission, ks, formatted_role);
+    }
+
+    if (maybe_fun_name) {
+        SCYLLA_ASSERT(maybe_fun_args);
+
+        const auto fun_name = cql3::util::maybe_quote(*maybe_fun_name);
+        const auto fun_args_range = *maybe_fun_args | std::views::transform([] (const auto& fun_arg) {
+            return cql3::util::maybe_quote(fun_arg);
+        });
+
+        return seastar::format("GRANT {} ON FUNCTION {}.{}({}) TO {};",
+                permission, ks, fun_name, fmt::join(fun_args_range, ", "), formatted_role);
+    }
+
+    SCYLLA_ASSERT(maybe_fun_sig);
+
+    auto [fun_name, fun_args] = decode_signature(*maybe_fun_sig);
+    fun_name = cql3::util::maybe_quote(fun_name);
+
+    // We don't call `cql3::util::maybe_quote` later because `cql3_type_name_without_frozen` already guarantees
+    // that the type will be wrapped within double quotation marks if it's necessary.
+    auto parsed_fun_args = fun_args | std::views::transform([] (const data_type& dt) {
+        return dt->without_reversed().cql3_type_name_without_frozen();
+    });
+
+    return seastar::format("GRANT {} ON FUNCTION {}.{}({}) TO {};",
+            permission, ks, fun_name, fmt::join(parsed_fun_args, ", "), formatted_role);
+}
+
+// The function doesn't assume anything about `role`.
+static sstring describe_resource_kind(const permission& perm, const resource& r, std::string_view role) {
+    switch (r.kind()) {
+        case resource_kind::data:
+            return describe_data_resource(perm, r, role);
+        case resource_kind::role:
+            return describe_role_resource(perm, r, role);
+        case resource_kind::service_level:
+            on_internal_error(log, "Granting permissions for service levels is not supported");
+        case resource_kind::functions:
+            return describe_udf_resource(perm, r, role);
+    }
+}
+
+future<std::vector<cql3::description>> service::describe_permissions() const {
+    std::vector<cql3::description> result{};
+
+    const auto permission_list = co_await std::invoke([&] -> future<std::vector<permission_details>> {
+        try {
+            co_return co_await _authorizer->list_all();
+        } catch (const unsupported_authorization_operation&) {
+            // If Scylla uses AllowAllAuthorizer, permissions do not exist and the corresponding authorizer
+            // will throw an exception when trying to access them.
+            co_return std::vector<permission_details>{};
+        }
+    });
+
+    for (const auto& permissions : permission_list) {
+        for (const auto& permission : permissions.permissions) {
+            result.push_back(cql3::description {
+                // Permission grants do not belong to any keyspace.
+                .keyspace = std::nullopt,
+                .type = "grant_permission",
+                .name = permissions.role_name,
+                .create_statement = describe_resource_kind(permission, permissions.resource, permissions.role_name)
+            });
+        }
+
+        co_await coroutine::maybe_yield();
+    }
+
+    std::ranges::sort(result, std::less<>{}, [] (const cql3::description& desc) noexcept {
+        return std::make_tuple(std::ref(desc.name), std::ref(*desc.create_statement));
+    });
+
+    co_return result;
+}
+
+future<std::vector<cql3::description>> service::describe_auth(bool with_hashed_passwords) {
+    auto role_descs = co_await describe_roles(with_hashed_passwords);
+    auto role_grant_descs = co_await _role_manager->describe_role_grants();
+    auto permission_descs = co_await describe_permissions();
+
+    auto join_vectors = [] (std::vector<cql3::description>& v1, std::vector<cql3::description>&& v2) {
+        v1.insert(v1.end(), std::make_move_iterator(v2.begin()), std::make_move_iterator(v2.end()));
+    };
+
+    join_vectors(role_descs, std::move(role_grant_descs));
+    join_vectors(role_descs, std::move(permission_descs));
+
+    co_return role_descs;
+}
+
 //
 // Free functions.
 //
@@ -632,7 +862,7 @@ future<> migrate_to_auth_v2(db::system_keyspace& sys_ks, ::service::raft_group0_
             ::service::query_state qs(cs, empty_service_permit());
 
             auto rows = co_await qp.execute_internal(
-                    format("SELECT * FROM {}.{}", meta::legacy::AUTH_KS, cf_name),
+                    seastar::format("SELECT * FROM {}.{}", meta::legacy::AUTH_KS, cf_name),
                     db::consistency_level::ALL,
                     qs,
                     {},
@@ -681,7 +911,7 @@ future<> migrate_to_auth_v2(db::system_keyspace& sys_ks, ::service::raft_group0_
     co_await announce_mutations_with_batching(g0,
             start_operation_func,
             std::move(gen),
-            &as,
+            as,
             std::nullopt);
 }
 

auth/service.hh

@@ -23,6 +23,7 @@
 #include "auth/permissions_cache.hh"
 #include "auth/role_manager.hh"
 #include "auth/common.hh"
+#include "cql3/description.hh"
 #include "seastarx.hh"
 #include "service/raft/raft_group0_client.hh"
 #include "utils/observable.hh"
@@ -131,6 +132,8 @@ public:
 
     future<> stop();
 
+    future<> ensure_superuser_is_created();
+
     void update_cache_config();
 
     void reset_authorization_cache();
@@ -174,6 +177,12 @@ public:
 
     future<bool> exists(const resource&) const;
 
+    ///
+    /// Produces descriptions that can be used to restore the state of auth. That encompasses
+    /// roles, role grants, and permission grants.
+    ///
+    future<std::vector<cql3::description>> describe_auth(bool with_hashed_passwords);
+
     authenticator& underlying_authenticator() const {
         return *_authenticator;
     }
@@ -197,6 +206,9 @@ public:
 private:
     future<> create_legacy_keyspace_if_missing(::service::migration_manager& mm) const;
     future<bool> has_superuser(std::string_view role_name, const role_set& roles) const;
+
+    future<std::vector<cql3::description>> describe_roles(bool with_hashed_passwords);
+    future<std::vector<cql3::description>> describe_permissions() const;
 };
 
 future<bool> has_superuser(const service&, const authenticated_user&);

auth/standard_role_manager.cc

@@ -21,12 +21,17 @@
 #include <seastar/core/thread.hh>
 
 #include "auth/common.hh"
+#include "auth/role_manager.hh"
 #include "auth/roles-metadata.hh"
 #include "cql3/query_processor.hh"
+#include "cql3/description.hh"
 #include "cql3/untyped_result_set.hh"
+#include "cql3/util.hh"
 #include "db/consistency_level_type.hh"
 #include "exceptions/exceptions.hh"
-#include "log.hh"
+#include "utils/log.hh"
+#include "seastar/core/loop.hh"
+#include "seastar/coroutine/maybe_yield.hh"
 #include "service/raft/raft_group0_client.hh"
 #include "utils/class_registrator.hh"
 #include "service/migration_manager.hh"
@@ -46,7 +51,7 @@ namespace role_attributes_table {
 constexpr std::string_view name{"role_attributes", 15};
 
 static std::string_view creation_query() noexcept {
-    static const sstring instance = format(
+    static const sstring instance = seastar::format(
             "CREATE TABLE {}.{} ("
             "  role text,"
             "  name text,"
@@ -86,7 +91,7 @@ static db::consistency_level consistency_for_role(std::string_view role_name) no
 }
 
 static future<std::optional<record>> find_record(cql3::query_processor& qp, std::string_view role_name) {
-    const sstring query = format("SELECT * FROM {}.{} WHERE {} = ?",
+    const sstring query = seastar::format("SELECT * FROM {}.{} WHERE {} = ?",
             get_auth_ks_name(qp),
             meta::roles_table::name,
             meta::roles_table::role_col_name);
@@ -180,7 +185,7 @@ future<> standard_role_manager::create_default_role_if_missing() {
         if (exists) {
             co_return;
         }
-        const sstring query = format("INSERT INTO {}.{} ({}, is_superuser, can_login) VALUES (?, true, true)",
+        const sstring query = seastar::format("INSERT INTO {}.{} ({}, is_superuser, can_login) VALUES (?, true, true)",
                 get_auth_ks_name(_qp),
                 meta::roles_table::name,
                 meta::roles_table::role_col_name);
@@ -192,7 +197,7 @@ future<> standard_role_manager::create_default_role_if_missing() {
                     {_superuser},
                     cql3::query_processor::cache_internal::no).discard_result();
         } else {
-            co_await announce_mutations(_qp, _group0_client, query, {_superuser}, &_as, ::service::raft_timeout{});
+            co_await announce_mutations(_qp, _group0_client, query, {_superuser}, _as, ::service::raft_timeout{});
         }
         log.info("Created default superuser role '{}'.", _superuser);
     } catch(const exceptions::unavailable_exception& e) {
@@ -209,7 +214,7 @@ bool standard_role_manager::legacy_metadata_exists() {
 
 future<> standard_role_manager::migrate_legacy_metadata() {
     log.info("Starting migration of legacy user metadata.");
-    static const sstring query = format("SELECT * FROM {}.{}", meta::legacy::AUTH_KS, legacy_table_name);
+    static const sstring query = seastar::format("SELECT * FROM {}.{}", meta::legacy::AUTH_KS, legacy_table_name);
 
     return _qp.execute_internal(
             query,
@@ -238,35 +243,39 @@ future<> standard_role_manager::migrate_legacy_metadata() {
 }
 
 future<> standard_role_manager::start() {
-    return once_among_shards([this] {
-        return futurize_invoke([this] () {
-            if (legacy_mode(_qp)) {
-                return create_legacy_metadata_tables_if_missing();
-            }
-            return make_ready_future<>();
-        }).then([this] {
-            _stopped = auth::do_after_system_ready(_as, [this] {
-                return seastar::async([this] {
-                    if (legacy_mode(_qp)) {
-                        _migration_manager.wait_for_schema_agreement(_qp.db().real_database(), db::timeout_clock::time_point::max(), &_as).get();
+    return once_among_shards([this] () -> future<> {
+        if (legacy_mode(_qp)) {
+            co_await create_legacy_metadata_tables_if_missing();
+        }
 
-                        if (any_nondefault_role_row_satisfies(_qp, &has_can_login).get()) {
-                            if (legacy_metadata_exists()) {
-                                log.warn("Ignoring legacy user metadata since nondefault roles already exist.");
-                            }
+        auto handler = [this] () -> future<> {
+            const bool legacy = legacy_mode(_qp);
+            if (legacy) {
+                if (!_superuser_created_promise.available()) {
+                    _superuser_created_promise.set_value();
+                }
+                co_await _migration_manager.wait_for_schema_agreement(_qp.db().real_database(), db::timeout_clock::time_point::max(), &_as);
 
-                            return;
-                        }
-
-                        if (legacy_metadata_exists()) {
-                            migrate_legacy_metadata().get();
-                            return;
-                        }
+                if (co_await any_nondefault_role_row_satisfies(_qp, &has_can_login)) {
+                    if (legacy_metadata_exists()) {
+                        log.warn("Ignoring legacy user metadata since nondefault roles already exist.");
                     }
-                    create_default_role_if_missing().get();
-                });
-            });
-        });
+                    co_return;
+                }
+
+                if (legacy_metadata_exists()) {
+                    co_await migrate_legacy_metadata();
+                    co_return;
+                }
+            }
+            co_await create_default_role_if_missing();
+            if (!legacy) {
+                _superuser_created_promise.set_value();
+            }
+        };
+
+        _stopped = auth::do_after_system_ready(_as, handler);
+        co_return;
     });
 }
 
@@ -275,8 +284,13 @@ future<> standard_role_manager::stop() {
     return _stopped.handle_exception_type([] (const sleep_aborted&) { }).handle_exception_type([](const abort_requested_exception&) {});;
 }
 
+future<> standard_role_manager::ensure_superuser_is_created() {
+    SCYLLA_ASSERT(this_shard_id() == 0);
+    return _superuser_created_promise.get_shared_future();
+}
+
 future<> standard_role_manager::create_or_replace(std::string_view role_name, const role_config& c, ::service::group0_batch& mc) {
-    const sstring query = format("INSERT INTO {}.{} ({}, is_superuser, can_login) VALUES (?, ?, ?)",
+    const sstring query = seastar::format("INSERT INTO {}.{} ({}, is_superuser, can_login) VALUES (?, ?, ?)",
             get_auth_ks_name(_qp),
             meta::roles_table::name,
             meta::roles_table::role_col_name);
@@ -323,7 +337,7 @@ standard_role_manager::alter(std::string_view role_name, const role_config_updat
         if (!u.is_superuser && !u.can_login) {
             return make_ready_future<>();
         }
-        const sstring query = format("UPDATE {}.{} SET {} WHERE {} = ?",
+        const sstring query = seastar::format("UPDATE {}.{} SET {} WHERE {} = ?",
             get_auth_ks_name(_qp),
             meta::roles_table::name,
             build_column_assignments(u),
@@ -347,7 +361,7 @@ future<> standard_role_manager::drop(std::string_view role_name, ::service::grou
     }
     // First, revoke this role from all roles that are members of it.
     const auto revoke_from_members = [this, role_name, &mc] () -> future<> {
-        const sstring query = format("SELECT member FROM {}.{} WHERE role = ?",
+        const sstring query = seastar::format("SELECT member FROM {}.{} WHERE role = ?",
                 get_auth_ks_name(_qp),
                 meta::role_members_table::name);
         const auto members = co_await _qp.execute_internal(
@@ -379,7 +393,7 @@ future<> standard_role_manager::drop(std::string_view role_name, ::service::grou
     };
     // Delete all attributes for that role
     const auto remove_attributes_of = [this, role_name, &mc] () -> future<> {
-        const sstring query = format("DELETE FROM {}.{} WHERE role = ?",
+        const sstring query = seastar::format("DELETE FROM {}.{} WHERE role = ?",
                 get_auth_ks_name(_qp),
                 meta::role_attributes_table::name);
         if (legacy_mode(_qp)) {
@@ -391,7 +405,7 @@ future<> standard_role_manager::drop(std::string_view role_name, ::service::grou
     };
     // Finally, delete the role itself.
     const auto delete_role = [this, role_name, &mc] () -> future<> {
-        const sstring query = format("DELETE FROM {}.{} WHERE {} = ?",
+        const sstring query = seastar::format("DELETE FROM {}.{} WHERE {} = ?",
                 get_auth_ks_name(_qp),
                 meta::roles_table::name,
                 meta::roles_table::role_col_name);
@@ -418,7 +432,7 @@ standard_role_manager::legacy_modify_membership(
         std::string_view role_name,
         membership_change ch) {
     const auto modify_roles = [this, role_name, grantee_name, ch] () -> future<> {
-        const auto query = format(
+        const auto query = seastar::format(
                 "UPDATE {}.{} SET member_of = member_of {} ? WHERE {} = ?",
                 get_auth_ks_name(_qp),
                 meta::roles_table::name,
@@ -435,7 +449,7 @@ standard_role_manager::legacy_modify_membership(
     const auto modify_role_members = [this, role_name, grantee_name, ch] () -> future<> {
         switch (ch) {
             case membership_change::add: {
-                const sstring insert_query = format("INSERT INTO {}.{} (role, member) VALUES (?, ?)",
+                const sstring insert_query = seastar::format("INSERT INTO {}.{} (role, member) VALUES (?, ?)",
                         get_auth_ks_name(_qp),
                         meta::role_members_table::name);
                 co_return co_await _qp.execute_internal(
@@ -447,7 +461,7 @@ standard_role_manager::legacy_modify_membership(
             }
 
             case membership_change::remove: {
-                const sstring delete_query = format("DELETE FROM {}.{} WHERE role = ? AND member = ?",
+                const sstring delete_query = seastar::format("DELETE FROM {}.{} WHERE role = ? AND member = ?",
                         get_auth_ks_name(_qp),
                         meta::role_members_table::name);
                 co_return co_await _qp.execute_internal(
@@ -473,7 +487,7 @@ standard_role_manager::modify_membership(
         co_return co_await legacy_modify_membership(grantee_name, role_name, ch);
     }
 
-    const auto modify_roles = format(
+    const auto modify_roles = seastar::format(
             "UPDATE {}.{} SET member_of = member_of {} ? WHERE {} = ?",
             get_auth_ks_name(_qp),
             meta::roles_table::name,
@@ -485,12 +499,12 @@ standard_role_manager::modify_membership(
     sstring modify_role_members;
     switch (ch) {
     case membership_change::add:
-        modify_role_members = format("INSERT INTO {}.{} (role, member) VALUES (?, ?)",
+        modify_role_members = seastar::format("INSERT INTO {}.{} (role, member) VALUES (?, ?)",
                 get_auth_ks_name(_qp),
                 meta::role_members_table::name);
         break;
     case membership_change::remove:
-        modify_role_members = format("DELETE FROM {}.{} WHERE role = ? AND member = ?",
+        modify_role_members = seastar::format("DELETE FROM {}.{} WHERE role = ? AND member = ?",
                 get_auth_ks_name(_qp),
                 meta::role_members_table::name);
         break;
@@ -583,8 +597,22 @@ future<role_set> standard_role_manager::query_granted(std::string_view grantee_n
     });
 }
 
+future<role_to_directly_granted_map> standard_role_manager::query_all_directly_granted() {
+    const sstring query = seastar::format("SELECT * FROM {}.{}",
+            get_auth_ks_name(_qp),
+            meta::role_members_table::name);
+
+    role_to_directly_granted_map roles_map;
+    co_await _qp.query_internal(query, [&roles_map] (const cql3::untyped_result_set_row& row) -> future<stop_iteration> {
+        roles_map.insert({row.get_as<sstring>("member"), row.get_as<sstring>("role")});
+        co_return stop_iteration::no;
+    });
+
+    co_return roles_map;
+}
+
 future<role_set> standard_role_manager::query_all() {
-    const sstring query = format("SELECT {} FROM {}.{}",
+    const sstring query = seastar::format("SELECT {} FROM {}.{}",
             meta::roles_table::role_col_name,
             get_auth_ks_name(_qp),
             meta::roles_table::name);
@@ -628,7 +656,7 @@ future<bool> standard_role_manager::can_login(std::string_view role_name) {
 }
 
 future<std::optional<sstring>> standard_role_manager::get_attribute(std::string_view role_name, std::string_view attribute_name) {
-    const sstring query = format("SELECT name, value FROM {}.{} WHERE role = ? AND name = ?",
+    const sstring query = seastar::format("SELECT name, value FROM {}.{} WHERE role = ? AND name = ?",
             get_auth_ks_name(_qp),
             meta::role_attributes_table::name);
     const auto result_set = co_await _qp.execute_internal(query, {sstring(role_name), sstring(attribute_name)}, cql3::query_processor::cache_internal::yes);
@@ -659,7 +687,7 @@ future<> standard_role_manager::set_attribute(std::string_view role_name, std::s
     if (!co_await exists(role_name)) {
         throw auth::nonexistant_role(role_name);
     }
-    const sstring query = format("INSERT INTO {}.{} (role, name, value)  VALUES (?, ?, ?)",
+    const sstring query = seastar::format("INSERT INTO {}.{} (role, name, value)  VALUES (?, ?, ?)",
             get_auth_ks_name(_qp),
             meta::role_attributes_table::name);
     if (legacy_mode(_qp)) {
@@ -674,7 +702,7 @@ future<> standard_role_manager::remove_attribute(std::string_view role_name, std
     if (!co_await exists(role_name)) {
         throw auth::nonexistant_role(role_name);
     }
-    const sstring query = format("DELETE FROM {}.{} WHERE role = ? AND name = ?",
+    const sstring query = seastar::format("DELETE FROM {}.{} WHERE role = ? AND name = ?",
             get_auth_ks_name(_qp),
             meta::role_attributes_table::name);
     if (legacy_mode(_qp)) {
@@ -684,4 +712,33 @@ future<> standard_role_manager::remove_attribute(std::string_view role_name, std
                 {sstring(role_name), sstring(attribute_name)});
     }
 }
+
+future<std::vector<cql3::description>> standard_role_manager::describe_role_grants() {
+    std::vector<cql3::description> result{};
+
+    const auto grants = co_await query_all_directly_granted();
+    result.reserve(grants.size());
+
+    for (const auto& [grantee_role, granted_role] : grants) {
+        const auto formatted_grantee = cql3::util::maybe_quote(grantee_role);
+        const auto formatted_granted = cql3::util::maybe_quote(granted_role);
+
+        result.push_back(cql3::description {
+            // Role grants do not belong to any keyspace.
+            .keyspace = std::nullopt,
+            .type = "grant_role",
+            .name = granted_role,
+            .create_statement = seastar::format("GRANT {} TO {};", formatted_granted, formatted_grantee)
+        });
+
+        co_await coroutine::maybe_yield();
+    }
+
+    std::ranges::sort(result, std::less<>{}, [] (const cql3::description& desc) noexcept {
+        return std::make_tuple(std::ref(desc.name), std::ref(*desc.create_statement));
+    });
+
+    co_return result;
 }
+
+} // namespace auth

auth/standard_role_manager.hh

@@ -15,8 +15,10 @@
 
 #include <seastar/core/abort_source.hh>
 #include <seastar/core/future.hh>
+#include <seastar/core/shared_future.hh>
 #include <seastar/core/sstring.hh>
 
+#include "cql3/description.hh"
 #include "seastarx.hh"
 #include "service/raft/raft_group0_client.hh"
 
@@ -37,6 +39,7 @@ class standard_role_manager final : public role_manager {
     future<> _stopped;
     abort_source _as;
     std::string _superuser;
+    shared_promise<> _superuser_created_promise;
 
 public:
     standard_role_manager(cql3::query_processor&, ::service::raft_group0_client&, ::service::migration_manager&);
@@ -49,6 +52,8 @@ public:
 
     virtual future<> stop() override;
 
+    virtual future<> ensure_superuser_is_created() override;
+
     virtual future<> create(std::string_view role_name, const role_config&, ::service::group0_batch&) override;
 
     virtual future<> drop(std::string_view role_name, ::service::group0_batch& mc) override;
@@ -61,6 +66,8 @@ public:
 
     virtual future<role_set> query_granted(std::string_view grantee_name, recursive_role_query) override;
 
+    virtual future<role_to_directly_granted_map> query_all_directly_granted() override;
+
     virtual future<role_set> query_all() override;
 
     virtual future<bool> exists(std::string_view role_name) override;
@@ -77,6 +84,8 @@ public:
 
     virtual future<> remove_attribute(std::string_view role_name, std::string_view attribute_name, ::service::group0_batch& mc) override;
 
+    virtual future<std::vector<cql3::description>> describe_role_grants() override;
+
 private:
     enum class membership_change { add, remove };
 
@@ -95,4 +104,4 @@ private:
     future<> modify_membership(std::string_view role_name, std::string_view grantee_name, membership_change, ::service::group0_batch& mc);
 };
 
-}
+} // namespace auth

auth/transitional.cc

@@ -103,6 +103,14 @@ public:
         return _authenticator->query_custom_options(role_name);
     }
 
+    virtual bool uses_password_hashes() const override {
+        return _authenticator->uses_password_hashes();
+    }
+
+    virtual future<std::optional<sstring>> get_password_hash(std::string_view role_name) const override {
+        return _authenticator->get_password_hash(role_name);
+    }
+
     virtual const resource_set& protected_resources() const override {
         return _authenticator->protected_resources();
     }

bin/cqlsh

@@ -4,5 +4,5 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 here=$(dirname "$0")
-exec "$here/../tools/cqlsh/bin/cqlsh" "$@"
+exec "$here/../tools/cqlsh/bin/cqlsh.py" "$@"
 

bytes.cc

@@ -7,6 +7,7 @@
  */
 
 #include "bytes.hh"
+#include <fmt/ostream.h>
 #include <seastar/core/print.hh>
 
 static inline int8_t hex_to_int(unsigned char c) {
@@ -42,7 +43,7 @@ bytes from_hex(sstring_view s) {
         auto half_byte1 = hex_to_int(s[i * 2]);
         auto half_byte2 = hex_to_int(s[i * 2 + 1]);
         if (half_byte1 == -1 || half_byte2 == -1) {
-            throw std::invalid_argument(format("Non-hex characters in {}", s));
+            throw std::invalid_argument(fmt::format("Non-hex characters in {}", s));
         }
         out[i] = (half_byte1 << 4) | half_byte2;
     }

bytes.hh

@@ -16,13 +16,10 @@
 #include <iosfwd>
 #include <functional>
 #include <compare>
+#include "bytes_fwd.hh"
 #include "utils/mutable_view.hh"
 #include "utils/simple_hashers.hh"
 
-using bytes = basic_sstring<int8_t, uint32_t, 31, false>;
-using bytes_view = std::basic_string_view<int8_t>;
-using bytes_mutable_view = basic_mutable_view<bytes_view::value_type>;
-using bytes_opt = std::optional<bytes>;
 using sstring_view = std::string_view;
 
 inline bytes to_bytes(bytes&& b) {

bytes_fwd.hh

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) 2024-present ScyllaDB
+ */
+
+/*
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+#pragma once
+
+#include <seastar/core/sstring.hh>
+
+#include "utils/mutable_view.hh"
+
+using namespace seastar;
+
+using bytes = basic_sstring<int8_t, uint32_t, 31, false>;
+using bytes_view = std::basic_string_view<int8_t>;
+using bytes_mutable_view = basic_mutable_view<bytes_view::value_type>;
+using bytes_opt = std::optional<bytes>;

bytes_ostream.hh

@@ -8,14 +8,58 @@
 
 #pragma once
 
-#include <boost/range/iterator_range.hpp>
-
 #include "bytes.hh"
+#include "utils/assert.hh"
 #include "utils/managed_bytes.hh"
 #include <seastar/core/simple-stream.hh>
 #include <seastar/core/loop.hh>
 #include <bit>
 #include <concepts>
+#include <ranges>
+
+
+class bytes_ostream_fragment_iterator {
+public:
+    using iterator_category = std::input_iterator_tag;
+    using iterator_concept = std::input_iterator_tag;
+    using value_type = bytes_view;
+    using difference_type = std::ptrdiff_t;
+    using pointer = bytes_view*;
+    using reference = bytes_view&;
+public:
+    using chunk = multi_chunk_blob_storage;
+    struct implementation {
+        chunk* current_chunk;
+    };
+private:
+    chunk* _current = nullptr;
+public:
+    bytes_ostream_fragment_iterator() = default;
+    bytes_ostream_fragment_iterator(chunk* current) : _current(current) {}
+    bytes_ostream_fragment_iterator(const bytes_ostream_fragment_iterator&) = default;
+    bytes_ostream_fragment_iterator& operator=(const bytes_ostream_fragment_iterator&) = default;
+    bytes_view operator*() const {
+        return { _current->data, _current->frag_size };
+    }
+    bytes_view operator->() const {
+        return *(*this);
+    }
+    bytes_ostream_fragment_iterator& operator++() {
+        _current = _current->next;
+        return *this;
+    }
+    bytes_ostream_fragment_iterator operator++(int) {
+        bytes_ostream_fragment_iterator tmp(*this);
+        ++(*this);
+        return tmp;
+    }
+    bool operator==(const bytes_ostream_fragment_iterator&) const = default;
+    implementation extract_implementation() const {
+        return implementation {
+            .current_chunk = _current,
+        };
+    }
+};
 
 /**
  * Utility for writing data into a buffer when its final size is not known up front.
@@ -45,46 +89,7 @@ private:
     size_type _size;
     size_type _initial_chunk_size = default_chunk_size;
 public:
-    class fragment_iterator {
-    public:
-        using iterator_category = std::input_iterator_tag;
-        using value_type = bytes_view;
-        using difference_type = std::ptrdiff_t;
-        using pointer = bytes_view*;
-        using reference = bytes_view&;
-
-        struct implementation {
-            chunk* current_chunk;
-        };
-    private:
-        chunk* _current = nullptr;
-    public:
-        fragment_iterator() = default;
-        fragment_iterator(chunk* current) : _current(current) {}
-        fragment_iterator(const fragment_iterator&) = default;
-        fragment_iterator& operator=(const fragment_iterator&) = default;
-        bytes_view operator*() const {
-            return { _current->data, _current->frag_size };
-        }
-        bytes_view operator->() const {
-            return *(*this);
-        }
-        fragment_iterator& operator++() {
-            _current = _current->next;
-            return *this;
-        }
-        fragment_iterator operator++(int) {
-            fragment_iterator tmp(*this);
-            ++(*this);
-            return tmp;
-        }
-        bool operator==(const fragment_iterator&) const = default;
-        implementation extract_implementation() const {
-            return implementation {
-                .current_chunk = _current,
-            };
-        }
-    };
+    using fragment_iterator = bytes_ostream_fragment_iterator;
     using const_iterator = fragment_iterator;
 
     class output_iterator {
@@ -269,7 +274,7 @@ public:
 
     // Call only when is_linearized()
     bytes_view view() const {
-        assert(is_linearized());
+        SCYLLA_ASSERT(is_linearized());
         if (!_current) {
             return bytes_view();
         }
@@ -357,7 +362,7 @@ public:
 
     output_iterator write_begin() { return output_iterator(*this); }
 
-    boost::iterator_range<fragment_iterator> fragments() const {
+    std::ranges::subrange<fragment_iterator> fragments() const {
         return { begin(), end() };
     }
 

cache_mutation_reader.hh

@@ -8,6 +8,7 @@
 
 #pragma once
 
+#include "utils/assert.hh"
 #include <vector>
 #include "row_cache.hh"
 #include "mutation/mutation_fragment.hh"
@@ -283,7 +284,7 @@ future<> cache_mutation_reader::process_static_row() {
         return ensure_underlying().then([this] {
             return (*_underlying)().then([this] (mutation_fragment_v2_opt&& sr) {
                 if (sr) {
-                    assert(sr->is_static_row());
+                    SCYLLA_ASSERT(sr->is_static_row());
                     maybe_add_to_cache(sr->as_static_row());
                     push_mutation_fragment(std::move(*sr));
                 }
@@ -382,7 +383,7 @@ future<> cache_mutation_reader::do_fill_buffer() {
     if (_state == state::reading_from_underlying) {
         return read_from_underlying();
     }
-    // assert(_state == state::reading_from_cache)
+    // SCYLLA_ASSERT(_state == state::reading_from_cache)
     return _lsa_manager.run_in_read_section([this] {
         auto next_valid = _next_row.iterators_valid();
         clogger.trace("csm {}: reading_from_cache, range=[{}, {}), next={}, valid={}, rt={}", fmt::ptr(this), _lower_bound,
@@ -794,7 +795,6 @@ void cache_mutation_reader::copy_from_cache_to_buffer() {
             };
 
             if (row_tomb_expired(t) || is_row_dead(row)) {
-                can_gc_fn always_gc = [&](tombstone) { return true; };
                 const schema& row_schema = _next_row.latest_row_schema();
 
                 _read_context.cache()._tracker.on_row_compacted();
@@ -990,7 +990,7 @@ void cache_mutation_reader::offer_from_underlying(mutation_fragment_v2&& mf) {
         maybe_add_to_cache(mf.as_clustering_row());
         add_clustering_row_to_buffer(std::move(mf));
     } else {
-        assert(mf.is_range_tombstone_change());
+        SCYLLA_ASSERT(mf.is_range_tombstone_change());
         auto& chg = mf.as_range_tombstone_change();
         if (maybe_add_to_cache(chg)) {
             add_to_buffer(std::move(mf).as_range_tombstone_change());

cartesian_product.hh

@@ -76,7 +76,7 @@ public:
 };
 
 template<typename T>
-static inline
+inline
 size_t cartesian_product_size(const std::vector<std::vector<T>>& vec_of_vecs) {
     size_t r = 1;
     for (auto&& vec : vec_of_vecs) {
@@ -86,7 +86,7 @@ size_t cartesian_product_size(const std::vector<std::vector<T>>& vec_of_vecs) {
 }
 
 template<typename T>
-static inline
+inline
 bool cartesian_product_is_empty(const std::vector<std::vector<T>>& vec_of_vecs) {
     for (auto&& vec : vec_of_vecs) {
         if (vec.empty()) {
@@ -97,7 +97,7 @@ bool cartesian_product_is_empty(const std::vector<std::vector<T>>& vec_of_vecs)
 }
 
 template<typename T>
-static inline
+inline
 cartesian_product<T> make_cartesian_product(const std::vector<std::vector<T>>& vec_of_vecs) {
     return cartesian_product<T>(vec_of_vecs);
 }

cdc/cdc_extension.hh

@@ -11,7 +11,7 @@
 
 #include <seastar/core/sstring.hh>
 
-#include "bytes.hh"
+#include "bytes_fwd.hh"
 #include "cdc/cdc_options.hh"
 #include "schema/schema.hh"
 #include "serializer_impl.hh"
@@ -34,7 +34,7 @@ public:
         return ser::serialize_to_buffer<bytes>(_cdc_options.to_map());
     }
     static std::map<sstring, sstring> deserialize(const bytes_view& buffer) {
-        return ser::deserialize_from_buffer(buffer, boost::type<std::map<sstring, sstring>>());
+        return ser::deserialize_from_buffer(buffer, std::type_identity<std::map<sstring, sstring>>());
     }
     const options& get_options() const {
         return _cdc_options;

cdc/cdc_partitioner.cc

@@ -23,7 +23,7 @@ const sstring cdc_partitioner::name() const {
 }
 
 static dht::token to_token(int64_t value) {
-    return dht::token(dht::token::kind::key, value);
+    return dht::token(value);
 }
 
 static dht::token to_token(bytes_view key) {