2e4b72c6b9
GRANT/REVOKE fails on the maintenance socket connections,
because maintenance_auth_service uses allow_all_authorizer.
allow_all_authorizer allows all operations, but not GRANT/REVOKE,
because they make no sense in its context.
This has been observed during PGO run failure in operations from
./pgo/conf/auth.cql file.
This patch introduces maintenance_socket_authorizer that supports
the capabilities of default_authorizer ('CassandraAuthorizer')
without needing authorization.
Refs SCYLLADB-1070
38 lines
1011 B
C++
38 lines
1011 B
C++
/*
|
|
* Copyright (C) 2026-present ScyllaDB
|
|
*
|
|
* Modified by ScyllaDB
|
|
*/
|
|
|
|
/*
|
|
* SPDX-License-Identifier: (LicenseRef-ScyllaDB-Source-Available-1.0 and Apache-2.0)
|
|
*/
|
|
|
|
#pragma once
|
|
|
|
#include "auth/default_authorizer.hh"
|
|
#include "auth/permission.hh"
|
|
|
|
namespace auth {
|
|
|
|
// maintenance_socket_authorizer is used for clients connecting to the
|
|
// maintenance socket. It grants all permissions unconditionally (like
|
|
// AllowAllAuthorizer) while still supporting grant/revoke operations
|
|
// (delegated to the underlying CassandraAuthorizer / default_authorizer).
|
|
class maintenance_socket_authorizer : public default_authorizer {
|
|
public:
|
|
using default_authorizer::default_authorizer;
|
|
|
|
~maintenance_socket_authorizer() override = default;
|
|
|
|
future<> start() override {
|
|
return make_ready_future<>();
|
|
}
|
|
|
|
future<permission_set> authorize(const role_or_anonymous&, const resource&) const override {
|
|
return make_ready_future<permission_set>(permissions::ALL);
|
|
}
|
|
};
|
|
|
|
} // namespace auth
|