193a74576a
Some cluster tests use `cluster_con` when they need a different load balancing policy or auth provider. However, no test uses a port other than 9042 or enables SSL, but all tests must pass `9042, False` because these parameters don't have default values. This makes the code more verbose. Also, it's quite obvious that 9042 stands for port, but it's not obvious what `False` is related to, so there is a need to check the definition of `cluster_con` while reading any test that uses it. No reason to backport, it's only a minor refactoring. Closes scylladb/scylladb#25516
70 lines
2.8 KiB
Python
70 lines
2.8 KiB
Python
#
|
|
# Copyright (C) 2023-present ScyllaDB
|
|
#
|
|
# SPDX-License-Identifier: LicenseRef-ScyllaDB-Source-Available-1.0
|
|
#
|
|
|
|
from cassandra.auth import PlainTextAuthProvider
|
|
from cassandra.cluster import Cluster, NoHostAvailable
|
|
from cassandra import Unauthorized
|
|
from cassandra.connection import UnixSocketEndPoint
|
|
from test.cluster.conftest import cluster_con
|
|
from test.pylib.manager_client import ManagerClient
|
|
|
|
import pytest
|
|
from test.cluster.auth_cluster import extra_scylla_config_options as auth_config
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_maintenance_socket(manager: ManagerClient):
|
|
"""
|
|
Test that when connecting to the maintenance socket, the user has superuser permissions,
|
|
even if the authentication is enabled on the regular port.
|
|
"""
|
|
config = {
|
|
**auth_config,
|
|
"authenticator": "PasswordAuthenticator",
|
|
"authorizer": "CassandraAuthorizer",
|
|
}
|
|
|
|
server = await manager.server_add(config=config)
|
|
socket = await manager.server_get_maintenance_socket_path(server.server_id)
|
|
|
|
try:
|
|
cluster = Cluster([server.ip_addr])
|
|
cluster.connect()
|
|
except NoHostAvailable:
|
|
pass
|
|
else:
|
|
pytest.fail("Client should not be able to connect if auth provider is not specified")
|
|
|
|
cluster = cluster_con([server.ip_addr],
|
|
auth_provider=PlainTextAuthProvider(username="cassandra", password="cassandra"))
|
|
session = cluster.connect()
|
|
|
|
session.execute("CREATE ROLE john WITH PASSWORD = 'password' AND LOGIN = true;")
|
|
session.execute("CREATE KEYSPACE ks1 WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor': 1};")
|
|
session.execute("CREATE KEYSPACE ks2 WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor': 1};")
|
|
session.execute("CREATE TABLE ks1.t1 (pk int PRIMARY KEY, val int);")
|
|
session.execute("CREATE TABLE ks2.t1 (pk int PRIMARY KEY, val int);")
|
|
session.execute("GRANT SELECT ON ks1.t1 TO john;")
|
|
|
|
cluster = cluster_con([server.ip_addr], auth_provider=PlainTextAuthProvider(username="john", password="password"))
|
|
session = cluster.connect()
|
|
try:
|
|
session.execute("SELECT * FROM ks2.t1")
|
|
except Unauthorized:
|
|
pass
|
|
else:
|
|
pytest.fail("User 'john' has no permissions to access ks2.t1")
|
|
|
|
maintenance_cluster = cluster_con([UnixSocketEndPoint(socket)])
|
|
maintenance_session = maintenance_cluster.connect()
|
|
|
|
# check that the maintenance session has superuser permissions
|
|
maintenance_session.execute("SELECT * FROM ks1.t1")
|
|
maintenance_session.execute("SELECT * FROM ks2.t1")
|
|
maintenance_session.execute("INSERT INTO ks1.t1 (pk, val) VALUES (1, 1);")
|
|
maintenance_session.execute("CREATE KEYSPACE ks3 WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor': 1};")
|
|
maintenance_session.execute("CREATE TABLE ks1.t2 (pk int PRIMARY KEY, val int);")
|