7391c9419f
Before this change, it was ensured that a default superuser is created before serving CQL. However, the mechanism didn't wait for default password initialization, so effectively, for a short period, customer couldn't authenticate as the superuser properily. The purpose of this change is to improve the superuser initialization mechanism to wait for superuser default password, just as for the superuser creation. This change: - Introduce authenticator::ensure_superuser_is_created() to allow waiting for complete initialization of super user authentication - Implement ensure_superuser_is_created in password_authenticator, so waiting for superuser password initialization is possible - Implement ensure_superuser_is_create in transitional_authenticator, so the implementation from password_authenticator is used - Implement no-op ensure_superuser_is_create for other authenticators - Modify service::ensure_superuser_is_created to wait for superuser initialization in authenticator, just as it was implemented earlier for role_manager Fixes scylladb/scylladb#20566
99 lines
2.6 KiB
C++
99 lines
2.6 KiB
C++
/*
|
|
* Copyright (C) 2016-present ScyllaDB
|
|
*
|
|
* Modified by ScyllaDB
|
|
*/
|
|
|
|
/*
|
|
* SPDX-License-Identifier: (LicenseRef-ScyllaDB-Source-Available-1.0 and Apache-2.0)
|
|
*/
|
|
|
|
#pragma once
|
|
|
|
#include <seastar/core/abort_source.hh>
|
|
#include <seastar/core/shared_future.hh>
|
|
|
|
#include "db/consistency_level_type.hh"
|
|
#include "auth/authenticator.hh"
|
|
#include "service/raft/raft_group0_client.hh"
|
|
|
|
namespace db {
|
|
class config;
|
|
}
|
|
|
|
namespace cql3 {
|
|
|
|
class query_processor;
|
|
|
|
} // namespace cql3
|
|
|
|
namespace service {
|
|
class migration_manager;
|
|
}
|
|
|
|
namespace auth {
|
|
|
|
extern const std::string_view password_authenticator_name;
|
|
|
|
class password_authenticator : public authenticator {
|
|
cql3::query_processor& _qp;
|
|
::service::raft_group0_client& _group0_client;
|
|
::service::migration_manager& _migration_manager;
|
|
future<> _stopped;
|
|
abort_source _as;
|
|
std::string _superuser;
|
|
shared_promise<> _superuser_created_promise;
|
|
|
|
public:
|
|
static db::consistency_level consistency_for_user(std::string_view role_name);
|
|
static std::string default_superuser(const db::config&);
|
|
|
|
password_authenticator(cql3::query_processor&, ::service::raft_group0_client&, ::service::migration_manager&);
|
|
|
|
~password_authenticator();
|
|
|
|
virtual future<> start() override;
|
|
|
|
virtual future<> stop() override;
|
|
|
|
virtual std::string_view qualified_java_name() const override;
|
|
|
|
virtual bool require_authentication() const override;
|
|
|
|
virtual authentication_option_set supported_options() const override;
|
|
|
|
virtual authentication_option_set alterable_options() const override;
|
|
|
|
virtual future<authenticated_user> authenticate(const credentials_map& credentials) const override;
|
|
|
|
virtual future<> create(std::string_view role_name, const authentication_options& options, ::service::group0_batch& mc) override;
|
|
|
|
virtual future<> alter(std::string_view role_name, const authentication_options& options, ::service::group0_batch&) override;
|
|
|
|
virtual future<> drop(std::string_view role_name, ::service::group0_batch&) override;
|
|
|
|
virtual future<custom_options> query_custom_options(std::string_view role_name) const override;
|
|
|
|
virtual bool uses_password_hashes() const override;
|
|
|
|
virtual future<std::optional<sstring>> get_password_hash(std::string_view role_name) const override;
|
|
|
|
virtual const resource_set& protected_resources() const override;
|
|
|
|
virtual ::shared_ptr<sasl_challenge> new_sasl_challenge() const override;
|
|
|
|
virtual future<> ensure_superuser_is_created() const override;
|
|
|
|
private:
|
|
bool legacy_metadata_exists() const;
|
|
|
|
future<> migrate_legacy_metadata() const;
|
|
|
|
future<> create_default_if_missing();
|
|
|
|
sstring update_row_query() const;
|
|
};
|
|
|
|
}
|
|
|