mirror of
https://github.com/scylladb/scylladb.git
synced 2026-04-25 11:00:35 +00:00
1bb22bb190
This change generalizes the implementation of a `resource` to many
different kinds of resources, though there is still only one
kind (`data`). In the future, we also expect resource kinds for roles,
user-defined functions (UDFs), and possibly on particular REST
end-points.
I considered several approaches to generalizing to different kinds of
resources.
One approach is to have a base class that is inherited from by different
resource kinds. The common functionality would be accessed through
virtual member functions and kind-specific functions would exist in
sub-classes. I rejected this approach because dealing with different
kinds of resources uniformly requires storage and life-time management
through something like `std::unique_ptr<auth::resource>`, which means
that we lose value semantics (including comparison) and must deal with
complications around ownership.
Another option was to use `boost::variant` (or, in future,
`std::variant`). This is closer to what we want, since there a static
set of resource kinds that we support. I rejected this approach for two
reasons. The first is that all resource kinds share the same data (a
list of segments and a root identifier), which would be duplicated in
each type that composed the variant. The second is that the complexity
and source-code overhead of `boost::variant` didn't seem warranted.
The solution I ended up with is home-grown variant. All resources are
described in the same `final` class: `auth::resource`. This class has
value semantics, supports equality comparison, and has a strict
ordering. All resources have in common a tag ("kind") and a list of
parts. Most operations on resources don't care about the kind of
resource (like getting its name, parsing a name, querying for the
parent, etc). These are just member functions of the class.
When we care about a kind-specific interpretation of a resource, we can
produce a "view" of the resource. For example, `data_resource_view`
allows for accessing the (optional) keyspace and table names.
I anticipate in the future to add functions for creating role
resources (`auth::resource::role`) and also `role_resource_view`.
The functional behaviour of the system should be unchanged with this
patch.
I've added new unit tests in `auth_resource_test.cc` and removed the old
test from `auth_test.cc`.
Fixes #3027.
224 lines
8.3 KiB
C++
224 lines
8.3 KiB
C++
/*
|
|
* Copyright (C) 2016 ScyllaDB
|
|
*/
|
|
|
|
/*
|
|
* This file is part of Scylla.
|
|
*
|
|
* Scylla is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Affero General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Scylla is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with Scylla. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
|
|
#include <boost/range/irange.hpp>
|
|
#include <boost/range/adaptors.hpp>
|
|
#include <boost/range/algorithm.hpp>
|
|
#include <boost/test/unit_test.hpp>
|
|
#include <stdint.h>
|
|
|
|
#include <seastar/core/future-util.hh>
|
|
#include <seastar/core/shared_ptr.hh>
|
|
#include <seastar/core/thread.hh>
|
|
|
|
#include "tests/test-utils.hh"
|
|
#include "tests/cql_test_env.hh"
|
|
#include "tests/cql_assertions.hh"
|
|
|
|
#include "auth/allow_all_authenticator.hh"
|
|
#include "auth/authenticator.hh"
|
|
#include "auth/password_authenticator.hh"
|
|
#include "auth/service.hh"
|
|
#include "auth/authenticated_user.hh"
|
|
#include "auth/data_resource.hh"
|
|
|
|
#include "db/config.hh"
|
|
#include "cql3/query_processor.hh"
|
|
|
|
SEASTAR_TEST_CASE(test_default_authenticator) {
|
|
return do_with_cql_env([](cql_test_env& env) {
|
|
auto& a = env.local_auth_service().underlying_authenticator();
|
|
BOOST_REQUIRE_EQUAL(a.require_authentication(), false);
|
|
BOOST_REQUIRE_EQUAL(a.qualified_java_name(), auth::allow_all_authenticator_name());
|
|
return make_ready_future();
|
|
});
|
|
}
|
|
|
|
SEASTAR_TEST_CASE(test_password_authenticator_attributes) {
|
|
db::config cfg;
|
|
cfg.authenticator(auth::password_authenticator_name());
|
|
|
|
return do_with_cql_env([](cql_test_env& env) {
|
|
auto& a = env.local_auth_service().underlying_authenticator();
|
|
BOOST_REQUIRE_EQUAL(a.require_authentication(), true);
|
|
BOOST_REQUIRE_EQUAL(a.qualified_java_name(), auth::password_authenticator_name());
|
|
return make_ready_future();
|
|
}, cfg);
|
|
}
|
|
|
|
SEASTAR_TEST_CASE(test_auth_users) {
|
|
db::config cfg;
|
|
cfg.authenticator(auth::password_authenticator_name());
|
|
|
|
return do_with_cql_env([](cql_test_env& env) {
|
|
return seastar::async([&env] {
|
|
auto& auth = env.local_auth_service();
|
|
|
|
sstring username("fisk");
|
|
auth.insert_user(username, false).get();
|
|
BOOST_REQUIRE_EQUAL(auth.is_existing_user(username).get0(), true);
|
|
BOOST_REQUIRE_EQUAL(auth.is_super_user(username).get0(), false);
|
|
|
|
auth.insert_user(username, true).get();
|
|
BOOST_REQUIRE_EQUAL(auth.is_existing_user(username).get0(), true);
|
|
BOOST_REQUIRE_EQUAL(auth.is_super_user(username).get0(), true);
|
|
|
|
auth.delete_user(username).get();
|
|
BOOST_REQUIRE_EQUAL(auth.is_existing_user(username).get0(), false);
|
|
BOOST_REQUIRE_EQUAL(auth.is_super_user(username).get0(), false);
|
|
});
|
|
}, cfg);
|
|
}
|
|
|
|
SEASTAR_TEST_CASE(test_password_authenticator_operations) {
|
|
db::config cfg;
|
|
cfg.authenticator(auth::password_authenticator_name());
|
|
|
|
/**
|
|
* Not using seastar::async due to apparent ASan bug.
|
|
* Enjoy the slightly less readable code.
|
|
*/
|
|
return do_with_cql_env([](cql_test_env& env) {
|
|
sstring username("fisk");
|
|
sstring password("notter");
|
|
|
|
using namespace auth;
|
|
using option = authenticator::option;
|
|
using user_ptr = ::shared_ptr<authenticated_user>;
|
|
|
|
auto USERNAME_KEY = authenticator::USERNAME_KEY;
|
|
auto PASSWORD_KEY = authenticator::PASSWORD_KEY;
|
|
|
|
auto& a = env.local_auth_service().underlying_authenticator();
|
|
|
|
// check non-existing user
|
|
return a.authenticate({ { USERNAME_KEY, username }, { PASSWORD_KEY, password } }).then_wrapped([&a](future<user_ptr>&& f) {
|
|
try {
|
|
f.get();
|
|
BOOST_FAIL("should not reach");
|
|
} catch (exceptions::authentication_exception&) {
|
|
// ok
|
|
}
|
|
}).then([=, &a] {
|
|
return a.create(username, { { option::PASSWORD, password} }).then([=, &a] {
|
|
return a.authenticate({ { USERNAME_KEY, username }, { PASSWORD_KEY, password } }).then([=](user_ptr user) {
|
|
BOOST_REQUIRE_EQUAL(user->name(), username);
|
|
BOOST_REQUIRE_EQUAL(user->is_anonymous(), false);
|
|
});
|
|
});
|
|
}).then([=, &a] {
|
|
// check wrong password
|
|
return a.authenticate( { {USERNAME_KEY, username}, {PASSWORD_KEY, "hejkotte"}}).then_wrapped([](future<user_ptr>&& f) {
|
|
try {
|
|
f.get();
|
|
BOOST_FAIL("should not reach");
|
|
} catch (exceptions::authentication_exception&) {
|
|
// ok
|
|
}
|
|
});
|
|
}).then([=, &a] {
|
|
// sasl
|
|
auto sasl = a.new_sasl_challenge();
|
|
|
|
BOOST_REQUIRE_EQUAL(sasl->is_complete(), false);
|
|
|
|
bytes b;
|
|
int8_t i = 0;
|
|
b.append(&i, 1);
|
|
b.insert(b.end(), username.begin(), username.end());
|
|
b.append(&i, 1);
|
|
b.insert(b.end(), password.begin(), password.end());
|
|
|
|
sasl->evaluate_response(b);
|
|
BOOST_REQUIRE_EQUAL(sasl->is_complete(), true);
|
|
|
|
return sasl->get_authenticated_user().then([=](user_ptr user) {
|
|
BOOST_REQUIRE_EQUAL(user->name(), username);
|
|
BOOST_REQUIRE_EQUAL(user->is_anonymous(), false);
|
|
});
|
|
}).then([=, &a] {
|
|
// check deleted user
|
|
return a.drop(username).then([=, &a] {
|
|
return a.authenticate({ { USERNAME_KEY, username }, { PASSWORD_KEY, password } }).then_wrapped([](future<user_ptr>&& f) {
|
|
try {
|
|
f.get();
|
|
BOOST_FAIL("should not reach");
|
|
} catch (exceptions::authentication_exception&) {
|
|
// ok
|
|
}
|
|
});
|
|
});
|
|
});
|
|
}, cfg);
|
|
}
|
|
|
|
|
|
SEASTAR_TEST_CASE(test_cassandra_hash) {
|
|
db::config cfg;
|
|
cfg.authenticator(auth::password_authenticator_name());
|
|
|
|
return do_with_cql_env([](cql_test_env& env) {
|
|
/**
|
|
* Try to check password against hash from origin.
|
|
* Allow for specific failure if glibc cannot handle the
|
|
* hash algo (i.e. blowfish).
|
|
*/
|
|
|
|
sstring username("fisk");
|
|
sstring password("cassandra");
|
|
sstring salted_hash("$2a$10$8cz4EZ5v8f/aTZFkNEQafe.z66ZvjOonOpHCApwx0ksWp3aKf.Roq");
|
|
|
|
// This is extremely whitebox. We'll just go right ahead and know
|
|
// what the tables etc are called. Oy wei...
|
|
auto f = env.local_qp().process("INSERT into system_auth.credentials (username, salted_hash) values (?, ?)", db::consistency_level::ONE,
|
|
{ username, salted_hash }).discard_result();
|
|
|
|
return f.then([=, &env] {
|
|
auto& a = env.local_auth_service().underlying_authenticator();
|
|
|
|
auto USERNAME_KEY = auth::authenticator::USERNAME_KEY;
|
|
auto PASSWORD_KEY = auth::authenticator::PASSWORD_KEY;
|
|
using user_ptr = ::shared_ptr<auth::authenticated_user>;
|
|
|
|
// try to verify our user with a cassandra-originated salted_hash
|
|
return a.authenticate({ { USERNAME_KEY, username }, { PASSWORD_KEY, password } }).then_wrapped([](future<user_ptr> f) {
|
|
try {
|
|
f.get();
|
|
} catch (exceptions::authentication_exception& e) {
|
|
try {
|
|
std::rethrow_if_nested(e);
|
|
BOOST_FAIL(std::string("Unexcepted exception ") + e.what());
|
|
} catch (std::system_error & e) {
|
|
bool is_einval = e.code().category() == std::system_category() && e.code().value() == EINVAL;
|
|
BOOST_WARN_MESSAGE(is_einval, "Could not verify cassandra password hash due to glibc limitation");
|
|
if (!is_einval) {
|
|
BOOST_FAIL(std::string("Unexcepted system error ") + e.what());
|
|
}
|
|
}
|
|
}
|
|
});
|
|
});
|
|
}, cfg);
|
|
}
|
|
|
|
|