Introduce maintenance_socket_authenticator and rework maintenance_socket_role_manager to support role management operations.

Maintenance auth service uses allow_all_authenticator. To allow role modification statements over the maintenance socket connections, we need to treat the maintenance socket connections as superusers and give them proper access rights.

Possible approaches are:
1. Modify allow_all_authenticator with the conditional logic that password_authenticator already has
2. Modify password_authenticator with conditional logic specific to the maintenance socket connections
3. Extend password_authenticator, overriding the methods that differ

Option 3 is chosen: maintenance_socket_authenticator extends password_authenticator with authentication disabled. The maintenance_socket_role_manager is reworked to lazily create a standard_role_manager once the node joins the cluster, delegating role operations to it. In maintenance mode role operations remain disabled.

Refs SCYLLADB-409
/*
* Copyright (C) 2026-present ScyllaDB
*
* Modified by ScyllaDB
*/
/*
* SPDX-License-Identifier: (LicenseRef-ScyllaDB-Source-Available-1.0 and Apache-2.0)
*/
#pragma once
#include <seastar/core/shared_future.hh>
#include "password_authenticator.hh"
namespace auth {
// Authenticator for clients that connect through the maintenance socket.
//
// Connections handled by this class are not required to authenticate, yet the
// management of roles and their credentials stays available because the
// password_authenticator interface is inherited.
//
// NOTE(review): with authentication not required here, a client that can open
// the maintenance socket is never challenged for credentials. Access to the
// socket itself therefore has to be restricted by other means; confirm how the
// deployment enforces that, and consider logging role changes made over it.
class maintenance_socket_authenticator : public password_authenticator {
public:
    // Reuse the constructors of password_authenticator unchanged.
    using password_authenticator::password_authenticator;

    virtual ~maintenance_socket_authenticator();

    // Overrides of password_authenticator members. The definitions are not in
    // this header, so how they differ from the base class is not visible here.
    future<> start() override;
    future<> ensure_superuser_is_created() const override;

    // NOTE(review): presumably reports that authentication is not required
    // for maintenance socket connections; confirm against the definition.
    bool require_authentication() const override;
};
} // namespace auth