mirror of
https://github.com/scylladb/scylladb.git
synced 2026-04-20 08:30:35 +00:00
9d997458d7
An Alternator user was recently "bit" when switching `alternator_enforce_authorization` from "false" to "true": ְְְAfter the configuration change, all application requests suddenly failed because unbeknownst to the user, their application used incorrect secret keys.
This series introduces a solution for users who want to **safely** switch `alternator_enforce_authorization` from "false" to "true": Before switching from "false" to "true", the user can temporarily switch a new option, `alternator_warn_authorization`, to true. In this "warn" mode, authentication and authorization errors are counted in metrics (`scylla_alternator_authentication_failures` and `scylla_alternator_authorization_failures`) and logged as WARNings, but the user's application continues to work. The user can use these metrics or log messages to learn of errors in their application's setup, fix them, and only do the switch of `alternator_enforce_authorization` when the metrics or log messages show there are no more errors.
The first patch is the implementation of the the feature - the new configuration option, the metrics and the log messages, the second patch is a test for the new feature, and the third patch is documentation recommending how to use the warn mode and the associated metrics or log messages to safely switch `alternaor_enforce_authorization` from false to true.
Fixes #25308
This is a feature that users need, so it should probably be backported to live branches.
Closes scylladb/scylladb#25457
* github.com:scylladb/scylladb:
docs/alternator: explain alternator_warn_authorization
test/alternator: tests for new auth failure metrics and log messages
alternator: add alternator_warn_authorization config
(cherry picked from commit 59019bc9a9)
Closes scylladb/scylladb#26894
115 lines
4.5 KiB
C++
115 lines
4.5 KiB
C++
/*
|
|
* Copyright 2019-present ScyllaDB
|
|
*/
|
|
|
|
/*
|
|
* SPDX-License-Identifier: LicenseRef-ScyllaDB-Source-Available-1.0
|
|
*/
|
|
|
|
#pragma once
|
|
|
|
#include "alternator/executor.hh"
|
|
#include "utils/scoped_item_list.hh"
|
|
#include <seastar/core/future.hh>
|
|
#include <seastar/core/condition-variable.hh>
|
|
#include <seastar/http/httpd.hh>
|
|
#include <seastar/net/tls.hh>
|
|
#include <optional>
|
|
#include "alternator/auth.hh"
|
|
#include "service/qos/service_level_controller.hh"
|
|
#include "utils/small_vector.hh"
|
|
#include "utils/updateable_value.hh"
|
|
#include <seastar/core/units.hh>
|
|
|
|
struct client_data;
|
|
|
|
namespace alternator {
|
|
|
|
using chunked_content = rjson::chunked_content;
|
|
|
|
class server : public peering_sharded_service<server> {
|
|
static constexpr size_t content_length_limit = 16*MB;
|
|
using alternator_callback = std::function<future<executor::request_return_type>(executor&, executor::client_state&,
|
|
tracing::trace_state_ptr, service_permit, rjson::value, std::unique_ptr<http::request>)>;
|
|
using alternator_callbacks_map = std::unordered_map<std::string_view, alternator_callback>;
|
|
|
|
httpd::http_server _http_server;
|
|
httpd::http_server _https_server;
|
|
executor& _executor;
|
|
service::storage_proxy& _proxy;
|
|
gms::gossiper& _gossiper;
|
|
auth::service& _auth_service;
|
|
qos::service_level_controller& _sl_controller;
|
|
|
|
key_cache _key_cache;
|
|
utils::updateable_value<bool> _enforce_authorization;
|
|
utils::updateable_value<bool> _warn_authorization;
|
|
utils::small_vector<std::reference_wrapper<seastar::httpd::http_server>, 2> _enabled_servers;
|
|
named_gate _pending_requests;
|
|
// In some places we will need a CQL updateable_timeout_config object even
|
|
// though it isn't really relevant for Alternator which defines its own
|
|
// timeouts separately. We can create this object only once.
|
|
updateable_timeout_config _timeout_config;
|
|
|
|
alternator_callbacks_map _callbacks;
|
|
|
|
semaphore* _memory_limiter;
|
|
utils::updateable_value<uint32_t> _max_concurrent_requests;
|
|
|
|
::shared_ptr<seastar::tls::server_credentials> _credentials;
|
|
|
|
class json_parser {
|
|
static constexpr size_t yieldable_parsing_threshold = 16*KB;
|
|
chunked_content _raw_document;
|
|
rjson::value _parsed_document;
|
|
std::exception_ptr _current_exception;
|
|
semaphore _parsing_sem{1};
|
|
condition_variable _document_waiting;
|
|
condition_variable _document_parsed;
|
|
abort_source _as;
|
|
future<> _run_parse_json_thread;
|
|
public:
|
|
json_parser();
|
|
// Moving a chunked_content into parse() allows parse() to free each
|
|
// chunk as soon as it is parsed, so when chunks are relatively small,
|
|
// we don't need to store the sum of unparsed and parsed sizes.
|
|
future<rjson::value> parse(chunked_content&& content);
|
|
future<> stop();
|
|
};
|
|
json_parser _json_parser;
|
|
|
|
// The server maintains a list of ongoing requests, that are being handled
|
|
// by handle_api_request(). It uses this list in get_client_data(), which
|
|
// is called when reading the "system.clients" virtual table.
|
|
struct ongoing_request {
|
|
socket_address _client_address;
|
|
sstring _user_agent;
|
|
sstring _username;
|
|
scheduling_group _scheduling_group;
|
|
bool _is_https;
|
|
client_data make_client_data() const;
|
|
};
|
|
utils::scoped_item_list<ongoing_request> _ongoing_requests;
|
|
|
|
public:
|
|
server(executor& executor, service::storage_proxy& proxy, gms::gossiper& gossiper, auth::service& service, qos::service_level_controller& sl_controller);
|
|
|
|
future<> init(net::inet_address addr, std::optional<uint16_t> port, std::optional<uint16_t> https_port, std::optional<tls::credentials_builder> creds,
|
|
utils::updateable_value<bool> enforce_authorization, utils::updateable_value<bool> warn_authorization,
|
|
semaphore* memory_limiter, utils::updateable_value<uint32_t> max_concurrent_requests);
|
|
future<> stop();
|
|
// get_client_data() is called (on each shard separately) when the virtual
|
|
// table "system.clients" is read. It is expected to generate a list of
|
|
// clients connected to this server (on this shard). This function is
|
|
// called by alternator::controller::get_client_data().
|
|
future<utils::chunked_vector<client_data>> get_client_data();
|
|
private:
|
|
void set_routes(seastar::httpd::routes& r);
|
|
// If verification succeeds, returns the authenticated user's username
|
|
future<std::string> verify_signature(const seastar::http::request&, const chunked_content&);
|
|
future<executor::request_return_type> handle_api_request(std::unique_ptr<http::request> req);
|
|
};
|
|
|
|
}
|
|
|