HCD-82 Enables auth* classes configuration #1578
Conversation
Checklist before you submit for review
|
tiagomlalves
force-pushed
the
HCD-82-main
branch
2 times, most recently
from
cf24826 to
c11278a
Compare
There was a problem hiding this comment.
I suppose this is wrong; should be ok to move forward if there is such constructor. However, if there is one and it failed, we should not silently skip that. This whole loop is for searching rather than falling back to another class if one class fails to get initialized.
We would also leave no trace about this fact with the current impl
There was a problem hiding this comment.
You're right, I have experienced this. If there's a constructor throws an exception this is silently catched here and the error provides no help.
Should we fix this here? Or fix it in C* (where this code was implemented) and later backported it here?
There was a problem hiding this comment.
I've made a proposal to fix this.
Uses ParameterizedClass for all auth-related implementations (i.e., IAuthorizer, IAuthenticator, IRoleManager, IInternodeAuthenticator, and INetworkAuthorizer) to enable their configuration directly from cassandra.yaml. This is a partial back-port from CASSANDRA-18554 (which originally introduced mTLS support but it's not part of the current changes) and CASSANDRA-19946.
When using PasswordAuthenticator or MutualTlsWithPasswordFallbackAuthenticator CassandraRoleManager is required due to the implicit dependency on how passwords are stored. On the other hand, CassandraRoleManager can be used with any IAuthenticator implementation. Improves message to make this dependency more explicit and comtemplate subclasses of PasswordAuthenticator.
When authorization is enabled, authentication must also be enabled. This is required because authorization needs a valid role to validate permissions which is only set when authentication is enabled.
tiagomlalves
force-pushed
the
HCD-82-main
branch
from
0a73643 to
6fbf52e
Compare
Improves instantiation of ParameterizedClasses by * Checking for constructors instead of relying on exceptions to do fallback as this hides the real cause of failures * Making it explicit when instantiating a class throws an error (e.g. due to validation) and reports the error directly.
Use explicit class names when instantiating them via ParameterizedClass instead of using Strings with the name.
tiagomlalves
force-pushed
the
HCD-82-main
branch
from
6fbf52e to
590c241
Compare
|
✔️ Build ds-cassandra-pr-gate/PR-1578 approved by ButlerApproved by Butler |
|
This change breaks the CNDB build and there is no PR ready to go for CNDB. This is being reverted. |
What is the issue
Enabling advanced authentication in CC requires a way to configure the auth* classes in
cassandra.yaml.These changes have been implemented in C* 5 tickets CASSANDRA-18554 and CASSANDRA-19946.
What does this PR fix and why was it fixed
Partially back-ports CASSANDRA-18554 introduced initial changes to support auth* classes configuration (ticket originally added mTLS support but those changes are not part of the current PR), and back-ports CASSANDRA-19946.
Triggered
ds-cassandra-build #953shows no test failures.