Before this change, it was ensured that a default superuser is created before serving CQL. However, the mechanism didn't wait for default password initialization, so effectively, for a short period, customers couldn't authenticate as the superuser properly. The purpose of this change is to improve the superuser initialization mechanism to wait for the superuser default password, just as for the superuser creation. This change: - Introduces authenticator::ensure_superuser_is_created() to allow waiting for complete initialization of superuser authentication - Implements ensure_superuser_is_created in password_authenticator, so waiting for superuser password initialization is possible - Implements ensure_superuser_is_created in transitional_authenticator, so the implementation from password_authenticator is used - Implements a no-op ensure_superuser_is_created for other authenticators - Modifies service::ensure_superuser_is_created to wait for superuser initialization in the authenticator, just as it was implemented earlier for role_manager Fixes scylladb/scylladb#20566
/*
 * Copyright (C) 2020 ScyllaDB
 *
 * Modified by ScyllaDB
 */

/*
 * SPDX-License-Identifier: LicenseRef-ScyllaDB-Source-Available-1.0
 */
#pragma once
#include "auth/authenticator.hh"
// Forward declarations only: this header takes these types strictly by reference
// (see the saslauthd_authenticator constructor), so their full definitions are
// not needed here and are left to the .cc that implements the class.
namespace cql3 {

class query_processor;

}

namespace service {

class migration_manager;

class raft_group0_client;

}
namespace auth {
/// Delegates authentication to saslauthd. When this class is asked to authenticate, it passes the credentials
/// to saslauthd, gets its response, and allows or denies authentication based on that response.
///
/// Because the credential check happens in saslauthd, this class does not itself hold or verify any
/// password material; the only state it owns is the path of the socket it talks to. Consequently the
/// superuser bootstrap hook below has nothing to wait for (see ensure_superuser_is_created()).
class saslauthd_authenticator : public authenticator {
    sstring _socket_path; ///< Path to the domain socket on which saslauthd is listening.

public:
    /// The constructor takes the same service handles as the other authenticators; which of them
    /// this implementation actually uses is not visible from the header.
    saslauthd_authenticator(cql3::query_processor&, ::service::raft_group0_client&, ::service::migration_manager&);

    // --- authenticator interface; the contract of each override is documented in auth/authenticator.hh ---

    future<> start() override;

    future<> stop() override;

    std::string_view qualified_java_name() const override;

    bool require_authentication() const override;

    authentication_option_set supported_options() const override;

    authentication_option_set alterable_options() const override;

    /// Resolves to the authenticated user when saslauthd accepts @p credentials; how a rejection or a
    /// transport failure is surfaced (exception type) is defined in the .cc, not here.
    future<authenticated_user> authenticate(const credentials_map& credentials) const override;

    // Role lifecycle hooks. Each takes a group0 batch, so any state they record is applied through the
    // same group0 commit as the rest of the role change.
    future<> create(std::string_view role_name, const authentication_options& options, ::service::group0_batch& mc) override;

    future<> alter(std::string_view role_name, const authentication_options& options, ::service::group0_batch& mc) override;

    future<> drop(std::string_view role_name, ::service::group0_batch& mc) override;

    future<custom_options> query_custom_options(std::string_view role_name) const override;

    const resource_set& protected_resources() const override;

    ::shared_ptr<sasl_challenge> new_sasl_challenge() const override;

    /// Superuser bootstrap hook: callers (service::ensure_superuser_is_created) await this before serving
    /// CQL so that the default superuser can actually log in. This authenticator stores no default
    /// password of its own -- the credential backend is saslauthd -- so there is no initialization to
    /// wait for and the future is immediately ready.
    virtual future<> ensure_superuser_is_created() const override {
        return make_ready_future<>();
    }
};
/// A set of four credential strings that saslauthd expects.
///
/// Plain aggregate; the members are sent to saslauthd as-is. Note that @c password is held in
/// clear text for the duration of the request, so instances should be short-lived and not logged.
struct saslauthd_credentials {
    sstring username; ///< Login name being checked.
    sstring password; ///< Clear-text password to verify against saslauthd's backend.
    sstring service;  ///< saslauthd "service" name the check is performed for.
    sstring realm;    ///< saslauthd realm (may be empty).
};
/// Sends @p creds to the saslauthd instance listening on the domain socket @p saslauthd_socket_path
/// and resolves to @c true if saslauthd accepted them, @c false if it rejected them.
///
/// The socket path is trusted configuration, not user input. How transport errors (missing socket,
/// malformed reply) are reported is not visible from this declaration -- presumably as an exceptional
/// future rather than @c false; confirm against the implementation before relying on the distinction.
future<bool> authenticate_with_saslauthd(sstring saslauthd_socket_path, const saslauthd_credentials& creds);
}