00793059e1
When the configuration has alternator_enforce_authorization=false, Alternator should not do authentication (check which user signed each request) nor authorization (check if that user has permissions to do each operation). Our implementation forgot to disable the authorization checks when it's configured to false. The (incorrect) assumption was that when alternator_enforce_authorization is configured to false, the CQL 'authenticator' and 'authorizer' configuration is also disabled - so the authorization checks will be no-ops. But we can't assume that: Users are free to configure 'authenticator' and 'authorizer' for use in CQL, and then set alternator_enforce_authorization=false just for Alternator. So this patch adds a new test for this case - when we have authenticator=PasswordAuthenticator, authorizer=CassandraAuthorizer but alternator_enforce_authorization=false, and fixes it to work correctly. The heart of the fix is trivial: the `verify_*_permission()` functions just need to check the alternator_enforce_authorization and return immediately when false. The bigger part of this change is to get the alternator_enforce_authorization into the "executor" object and then to pass it into the verify calls. Although alternator_enforce_authorization is not YET live updatable, this code is prepared for the future that it may become live updatable, so the executor object saves not the boolean value of this flag, but a live-updatable reference to it. Fixes #20619 Signed-off-by: Nadav Har'El <nyh@scylladb.com>
Scylla in-source tests.
For details on how to run the tests, see docs/dev/testing.md
Shared C++ utils, libraries are in lib/, for Python - pylib/
alternator - Python tests which connect to a single server and use the DynamoDB API unit, boost, raft - unit tests in C++ cql-pytest - Python tests which connect to a single server and use CQL topology* - tests that set up clusters and add/remove nodes cql - approval tests that use CQL and pre-recorded output rest_api - tests for Scylla REST API Port 9000 scylla-gdb - tests for scylla-gdb.py helper script nodetool - tests for C++ implementation of nodetool
If you can use an existing folder, consider adding your test to it. New folders should be used for new large categories/subsystems, or when the test environment is significantly different from some existing suite, e.g. you plan to start scylladb with different configuration, and you intend to add many tests and would like them to reuse an existing Scylla cluster (clusters can be reused for tests within the same folder).
To add a new folder, create a new directory, and then
copy & edit its suite.ini.