7391c9419f
Before this change, it was ensured that a default superuser is created before serving CQL. However, the mechanism didn't wait for default password initialization, so effectively, for a short period, customer couldn't authenticate as the superuser properily. The purpose of this change is to improve the superuser initialization mechanism to wait for superuser default password, just as for the superuser creation. This change: - Introduce authenticator::ensure_superuser_is_created() to allow waiting for complete initialization of super user authentication - Implement ensure_superuser_is_created in password_authenticator, so waiting for superuser password initialization is possible - Implement ensure_superuser_is_create in transitional_authenticator, so the implementation from password_authenticator is used - Implement no-op ensure_superuser_is_create for other authenticators - Modify service::ensure_superuser_is_created to wait for superuser initialization in authenticator, just as it was implemented earlier for role_manager Fixes scylladb/scylladb#20566
93 lines
2.4 KiB
C++
93 lines
2.4 KiB
C++
/*
|
|
* Copyright (C) 2017-present ScyllaDB
|
|
*/
|
|
|
|
/*
|
|
* SPDX-License-Identifier: LicenseRef-ScyllaDB-Source-Available-1.0
|
|
*/
|
|
|
|
#pragma once
|
|
|
|
#include <stdexcept>
|
|
|
|
#include "auth/authenticated_user.hh"
|
|
#include "auth/authenticator.hh"
|
|
#include "auth/common.hh"
|
|
|
|
namespace cql3 {
|
|
class query_processor;
|
|
}
|
|
|
|
namespace service {
|
|
class migration_manager;
|
|
}
|
|
|
|
namespace auth {
|
|
|
|
extern const std::string_view allow_all_authenticator_name;
|
|
|
|
class allow_all_authenticator final : public authenticator {
|
|
public:
|
|
allow_all_authenticator(cql3::query_processor&, ::service::raft_group0_client&, ::service::migration_manager&) {
|
|
}
|
|
|
|
virtual future<> start() override {
|
|
return make_ready_future<>();
|
|
}
|
|
|
|
virtual future<> stop() override {
|
|
return make_ready_future<>();
|
|
}
|
|
|
|
virtual std::string_view qualified_java_name() const override {
|
|
return allow_all_authenticator_name;
|
|
}
|
|
|
|
virtual bool require_authentication() const override {
|
|
return false;
|
|
}
|
|
|
|
virtual authentication_option_set supported_options() const override {
|
|
return authentication_option_set();
|
|
}
|
|
|
|
virtual authentication_option_set alterable_options() const override {
|
|
return authentication_option_set();
|
|
}
|
|
|
|
future<authenticated_user> authenticate(const credentials_map& credentials) const override {
|
|
return make_ready_future<authenticated_user>(anonymous_user());
|
|
}
|
|
|
|
virtual future<> create(std::string_view, const authentication_options& options, ::service::group0_batch&) override {
|
|
return make_ready_future();
|
|
}
|
|
|
|
virtual future<> alter(std::string_view, const authentication_options& options, ::service::group0_batch&) override {
|
|
return make_ready_future();
|
|
}
|
|
|
|
virtual future<> drop(std::string_view, ::service::group0_batch&) override {
|
|
return make_ready_future();
|
|
}
|
|
|
|
virtual future<custom_options> query_custom_options(std::string_view role_name) const override {
|
|
return make_ready_future<custom_options>();
|
|
}
|
|
|
|
virtual const resource_set& protected_resources() const override {
|
|
static const resource_set resources;
|
|
return resources;
|
|
}
|
|
|
|
virtual ::shared_ptr<sasl_challenge> new_sasl_challenge() const override {
|
|
throw std::runtime_error("Should not reach");
|
|
}
|
|
|
|
virtual future<> ensure_superuser_is_created() const override {
|
|
return make_ready_future<>();
|
|
}
|
|
};
|
|
|
|
}
|