mirrors/scylladb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
copilot/fix-host-variable-error
scylladb/auth/certificate_authenticator.cc
Nadav Har'El c06e63daed Merge 'auth: start using SHA 512 hashing originated from musl with added yielding' from Andrzej Jackowski 
This patch series contains the following changes:
 - Incorporation of `crypt_sha512.c` from musl to out codebase
 - Conversion of `crypt_sha512.c` to C++ and coroutinization
 - Coroutinization of `auth::passwords::check`
 - Enabling use of `__crypt_sha512` orignated from `crypt_sha512.c` for
   computing SHA 512 passwords of length <=255
 - Addition of yielding in the aforementioned hashing implementation.

The alien thread was a solution for reactor stalls caused by indivisible
password‑hashing tasks (https://github.com/scylladb/scylladb/issues/24524).
However, because there is only one alien thread, overall hashing throughput was reduced
(see, e.g., https://github.com/scylladb/scylla-enterprise/issues/5711). To address this,
the alien‑thread solution is reverted, and a hashing implementation
with yielding is introduced in this patch series.

Before this patch series, ScyllaDB used SHA-512 hashing provided
by the `crypt_r` function, which in our case meant using the implementation
from the `libxcrypt` library. Adding yielding to this `libxcrypt`
implementation is problematic, both due to licensing (LGPL) and because the
implementation is split into many functions across multiple files. In
contrast, the SHA-512 implementation from `musl libc` has a more
permissive license and is concise, which makes it easier to incorporate
into the ScyllaDB codebase.

The performance of this solution was compared with the previous
implementation that used one alien thread and the implementation
after the alien thread was reverted. The results (median) of
`perf-cql-raw` with `--connection-per-request 1 --smp 10` parameters
are as follows:
 - Alien thread: 41.5 new connections/s per shard
 - Reverted alien thread: 244.1 new connections/s per shard
 - This commit (yielding in hashing): 198.4 new connections/s per shard

The roughly 20% performance deterioration compared to
the old implementation without the alien thread comes from the fact
that the new hashing algorithm implemented in `utils/crypt_sha512.cc`
performs an expensive self-verification and stack cleanup.

On the other hand, with smp=10 the current implementation achieves
roughly 5x higher throughput than the alien thread. In addition,
due to yielding added in this commit, the algorithm is expected
to provide similar protection from stalls as the alien thread did.
In a test that in parallel started a cassandra-stress workload and
created thousands of new connections using python-driver, the values of
`scylla_reactor_stalls_count` metric were as follows:
 - Alien thread: 109 stalls/shard total
 - Reverted alien thread: 13186 stalls/shard total
 - This commit (yielding in hashing): 149 stalls/shard total

Similarly, the `scylla_scheduler_time_spent_on_task_quota_violations_ms`
values were:
 - Alien thread: 1087 ms/shard total
 - Reverted alien thread: 72839 ms/shard total
 - This commit (yielding in hashing): 1623 ms/shard total

To summarize, yielding during hashing computations achieves similar
throughput to the old solution without the alien thread but also
prevents stalls similarly to the alien thread.

Fixes: scylladb/scylladb#26859
Refs: scylladb/scylla-enterprise#5711

No automatic backport. After this PR is completed, the alien thread should be rather reverted from older branches (2025.2-2025.4 because on 2025.1 it's already removed). Backporting of the other commits needs further discussion.

Closes scylladb/scylladb#26860

* github.com:scylladb/scylladb:
  test/boost: add too_long_password to auth_passwords_test
  test/boost: add same_hashes_as_crypt_r to auth_passwords_test
  auth: utils: add yielding to crypt_sha512
  auth: change return type of passwords::check to future
  auth: remove code duplication in verify_scheme
  test/boost: coroutinize auth_passwords_test
  utils: coroutinize crypt_sha512
  utils: make crypt_sha512.cc to compile
  utils: license: import crypt_sha512.c from musl to the project
  Revert "auth: move passwords::check call to alien thread"
2025-12-14 14:01:01 +02:00

187 lines
6.3 KiB
C++
Raw Permalink Blame History

/*
* Copyright (C) 2022-present ScyllaDB
*
*/
/*
* SPDX-License-Identifier: LicenseRef-ScyllaDB-Source-Available-1.0
*/
#include "auth/certificate_authenticator.hh"
#include "auth/cache.hh"
#include <boost/regex.hpp>
#include <fmt/ranges.h>
#include "utils/class_registrator.hh"
#include "utils/to_string.hh"
#include "data_dictionary/data_dictionary.hh"
#include "cql3/query_processor.hh"
#include "db/config.hh"
static const auto CERT_AUTH_NAME = "com.scylladb.auth.CertificateAuthenticator";
const std::string_view auth::certificate_authenticator_name(CERT_AUTH_NAME);
static logging::logger clogger("certificate_authenticator");
static const std::string cfg_source_attr = "source";
static const std::string cfg_query_attr = "query";
static const std::string cfg_source_subject = "SUBJECT";
static const std::string cfg_source_altname = "ALTNAME";
static const class_registrator<auth::authenticator
, auth::certificate_authenticator
, cql3::query_processor&
, ::service::raft_group0_client&
, ::service::migration_manager&
, auth::cache&> cert_auth_reg(CERT_AUTH_NAME);
enum class auth::certificate_authenticator::query_source {
subject, altname
};
auth::certificate_authenticator::certificate_authenticator(cql3::query_processor& qp, ::service::raft_group0_client&, ::service::migration_manager&, auth::cache&)
: _queries([&] {
auto& conf = qp.db().get_config();
auto queries = conf.auth_certificate_role_queries();
if (queries.empty()) {
throw std::invalid_argument("No role extraction queries specified.");
}
std::vector<std::pair<query_source, boost::regex>> res;
for (auto& map : queries) {
// first, check for any invalid config keys
if (map.size() == 2) {
try {
auto& source = map.at(cfg_source_attr);
std::string query = map.at(cfg_query_attr);
std::transform(source.begin(), source.end(), source.begin(), ::toupper);
boost::regex ex(query);
if (ex.mark_count() != 1) {
throw std::invalid_argument("Role query must have exactly one mark expression");
}
clogger.debug("Append role query: {} : {}", source, query);
if (source == cfg_source_subject) {
res.emplace_back(query_source::subject, std::move(ex));
} else if (source == cfg_source_altname) {
res.emplace_back(query_source::altname, std::move(ex));
} else {
throw std::invalid_argument(fmt::format("Invalid source: {}", map.at(cfg_source_attr)));
}
continue;
} catch (const std::out_of_range&) {
// just fallthrough
} catch (const boost::regex_error&) {
std::throw_with_nested(std::invalid_argument(fmt::format("Invalid query expression: {}", map.at(cfg_query_attr))));
}
}
throw std::invalid_argument(fmt::format("Invalid query: {}", map));
}
return res;
}())
{}
auth::certificate_authenticator::~certificate_authenticator() = default;
future<> auth::certificate_authenticator::start() {
co_return;
}
future<> auth::certificate_authenticator::stop() {
co_return;
}
std::string_view auth::certificate_authenticator::qualified_java_name() const {
return certificate_authenticator_name;
}
bool auth::certificate_authenticator::require_authentication() const {
return true;
}
auth::authentication_option_set auth::certificate_authenticator::supported_options() const {
return {};
}
auth::authentication_option_set auth::certificate_authenticator::alterable_options() const {
return {};
}
future<std::optional<auth::authenticated_user>> auth::certificate_authenticator::authenticate(session_dn_func f) const {
if (!f) {
co_return std::nullopt;
}
auto dninfo = co_await f();
if (!dninfo) {
throw exceptions::authentication_exception("No valid certificate found");
}
auto& subject = dninfo->subject;
std::optional<std::string> altname ;
const std::string* source_str = nullptr;
for (auto& [source, expr] : _queries) {
switch (source) {
default:
case query_source::subject:
source_str = &subject;
break;
case query_source::altname:
if (!altname) {
altname = dninfo->get_alt_names ? co_await dninfo->get_alt_names() : std::string{};
}
source_str = &*altname;
break;
}
clogger.debug("Checking {}: {}", int(source), *source_str);
boost::smatch m;
if (boost::regex_search(*source_str, m, expr)) {
auto username = m[1].str();
clogger.debug("Return username: {}", username);
co_return username;
}
}
throw exceptions::authentication_exception(seastar::format("Subject '{}'/'{}' does not match any query expression", subject, altname));
}
future<auth::authenticated_user> auth::certificate_authenticator::authenticate(const credentials_map&) const {
throw exceptions::authentication_exception("Cannot authenticate using attribute map");
}
future<> auth::certificate_authenticator::create(std::string_view role_name, const authentication_options& options, ::service::group0_batch& mc) {
// TODO: should we keep track of roles/enforce existence? Role manager should deal with this...
co_return;
}
future<> auth::certificate_authenticator::alter(std::string_view role_name, const authentication_options& options, ::service::group0_batch& mc) {
co_return;
}
future<> auth::certificate_authenticator::drop(std::string_view role_name, ::service::group0_batch&) {
co_return;
}
future<auth::custom_options> auth::certificate_authenticator::query_custom_options(std::string_view) const {
co_return auth::custom_options{};
}
const auth::resource_set& auth::certificate_authenticator::protected_resources() const {
static const resource_set resources;
return resources;
}
::shared_ptr<auth::sasl_challenge> auth::certificate_authenticator::new_sasl_challenge() const {
throw exceptions::authentication_exception("Login authentication not supported");
}
Reference in New Issue View Git Blame Copy Permalink