The test creates all of its driver sessions by itself. As a consequence, all sessions use the default request timeout of 10s. This can be too low in debug mode, as observed in scylladb/scylla-enterprise#5601. In this commit, we change the test to use `cluster_con`, so that the sessions have the request timeout set to 200s from now on.

Fixes scylladb/scylla-enterprise#5601

This commit changes only the test and is a CI stability improvement, so it should be backported all the way to 2024.2. 2024.1 doesn't have this test.

Closes scylladb/scylladb#25510
#
# Copyright (C) 2023-present ScyllaDB
#
# SPDX-License-Identifier: LicenseRef-ScyllaDB-Source-Available-1.0
#
from cassandra.auth import PlainTextAuthProvider
from cassandra.cluster import Cluster, NoHostAvailable
from cassandra import Unauthorized
from cassandra.connection import UnixSocketEndPoint
from test.cluster.conftest import cluster_con
from test.pylib.manager_client import ManagerClient
import pytest
from test.cluster.auth_cluster import extra_scylla_config_options as auth_config
@pytest.mark.asyncio
async def test_maintenance_socket(manager: ManagerClient):
"""
Test that when connecting to the maintenance socket, the user has superuser permissions,
even if the authentication is enabled on the regular port.
"""
config = {
**auth_config,
"authenticator": "PasswordAuthenticator",
"authorizer": "CassandraAuthorizer",
}
server = await manager.server_add(config=config)
socket = await manager.server_get_maintenance_socket_path(server.server_id)
try:
cluster = Cluster([server.ip_addr])
cluster.connect()
except NoHostAvailable:
pass
else:
pytest.fail("Client should not be able to connect if auth provider is not specified")
cluster = cluster_con([server.ip_addr], 9042, False,
PlainTextAuthProvider(username="cassandra", password="cassandra"))
session = cluster.connect()
session.execute("CREATE ROLE john WITH PASSWORD = 'password' AND LOGIN = true;")
session.execute("CREATE KEYSPACE ks1 WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor': 1};")
session.execute("CREATE KEYSPACE ks2 WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor': 1};")
session.execute("CREATE TABLE ks1.t1 (pk int PRIMARY KEY, val int);")
session.execute("CREATE TABLE ks2.t1 (pk int PRIMARY KEY, val int);")
session.execute("GRANT SELECT ON ks1.t1 TO john;")
cluster = cluster_con([server.ip_addr], 9042, False,
PlainTextAuthProvider(username="john", password="password"))
session = cluster.connect()
try:
session.execute("SELECT * FROM ks2.t1")
except Unauthorized:
pass
else:
pytest.fail("User 'john' has no permissions to access ks2.t1")
maintenance_cluster = cluster_con([UnixSocketEndPoint(socket)], 9042, False)
maintenance_session = maintenance_cluster.connect()
# check that the maintenance session has superuser permissions
maintenance_session.execute("SELECT * FROM ks1.t1")
maintenance_session.execute("SELECT * FROM ks2.t1")
maintenance_session.execute("INSERT INTO ks1.t1 (pk, val) VALUES (1, 1);")
maintenance_session.execute("CREATE KEYSPACE ks3 WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor': 1};")
maintenance_session.execute("CREATE TABLE ks1.t2 (pk int PRIMARY KEY, val int);")