Posted to commits@cassandra.apache.org by "Aleksey Yeschenko (JIRA)" <ji...@apache.org> on 2013/06/18 10:07:22 UTC

[jira] [Commented] (CASSANDRA-5651) Custom authentication plugin should not need to prepopulate users in system_auth.users column family

    [ https://issues.apache.org/jira/browse/CASSANDRA-5651?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13686487#comment-13686487 ] 

Aleksey Yeschenko commented on CASSANDRA-5651:
----------------------------------------------

This is done how it's done for two reasons:

1. User existence validation. We don't want someone to accidentally grant/revoke/make superuser a non-existent user, silently, then have that user created later and have these accidental permissions. We chose to keep the registry in Cassandra itself because there are cases where an authenticator itself cannot answer the question (Auth.isExistingUser()) easily (with Kerberos, for example).

2. Superuser status management. For every implementation to not reinvent the wheel, Cassandra manages it itself.

So it's not there just for authentication purposes, it bridges different authenticator/authorizer implementations, too. So it's not as simple as "another boolean method similar to IAuthenticator.requireAuthentication() so that custom authentication plugin can skip this isExistingUser check if needed".

> Custom authentication plugin should not need to prepopulate users in system_auth.users column family
> ----------------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-5651
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-5651
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 1.2.5
>         Environment: RHEL 6.3, jdk 1.7
>            Reporter: Bao Le
>
> Current implementation in ClientState.login makes a call to Auth.isExistingUser(user.getName()) if the AuthenticatedUser is not Anonymous. This involves querying system_auth.users column family.
> Our custom authentication plugin does not need to pre-create and store users, and it worked fine under 1.1.5. On 1.2.5, however, we run into an authentication problem because of this.
> I feel we should either do this isExistingUser check inside IAuthenticator.authenticate, or expose another boolean method similar to IAuthenticator.requireAuthentication() so that custom authentication plugin can skip this isExistingUser check if needed.

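Added example, not part of the original message and not Cassandra's code: a toy Java model of the "user existence validation" argument in the comment above, showing how a grant to a non-existent name turns into an unintended permission once that name is created. The class, the in-memory stores, the method names other than isExistingUser, and the user names and permission strings are all constructed for illustration.

```java
import java.util.*;

// Toy model (hypothetical, not Cassandra code): why GRANT is checked against a user registry.
public class DanglingGrantDemo {
    // Stand-in for the users registry kept in system_auth.users.
    static final Set<String> users = new HashSet<>();
    // Stand-in for an authorizer's permission store: user name -> permissions.
    static final Map<String, Set<String>> grants = new HashMap<>();

    static boolean isExistingUser(String name) {
        return users.contains(name);
    }

    // Grant without validation: a mistyped or not-yet-created name is accepted silently.
    static void grantUnchecked(String user, String permission) {
        grants.computeIfAbsent(user, k -> new HashSet<>()).add(permission);
    }

    // Grant with validation: refuses names that are not in the registry.
    static void grantChecked(String user, String permission) {
        if (!isExistingUser(user))
            throw new IllegalArgumentException("User " + user + " doesn't exist");
        grantUnchecked(user, permission);
    }

    static Set<String> permissionsOf(String user) {
        return grants.getOrDefault(user, Collections.emptySet());
    }

    public static void main(String[] args) {
        users.add("alice");
        // The operator means "alice" but types "alicia"; nothing complains.
        grantUnchecked("alicia", "MODIFY ON KEYSPACE billing");

        // Later an unrelated account named "alicia" is created...
        users.add("alicia");
        // ...and it starts out holding a permission nobody meant to give it.
        System.out.println("alicia inherits: " + permissionsOf("alicia"));

        // With the registry check, the same kind of mistake surfaces at grant time.
        try {
            grantChecked("alicja", "MODIFY ON KEYSPACE billing");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("alicja has: " + permissionsOf("alicja"));
    }
}
```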