[jira] [Commented] (CASSANDRA-15089) CassandraNetworkAuthorizer::authorize should get role details from Roles, not directly from IRoleManager

["Sam Tunnicliffe (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/CASSANDRA-15089?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16820006#comment-16820006 ] 

Sam Tunnicliffe commented on CASSANDRA-15089:
---------------------------------------------

The patch breaks a dtest which was relying on the LOGIN privilege not being cached.

||dtest PR||CI||
|[15089|https://github.com/apache/cassandra-dtest/pull/50]|[circle|https://circleci.com/gh/beobal/workflows/cassandra/tree/cci%2F15089-trunk]

> CassandraNetworkAuthorizer::authorize should get role details from Roles, not directly from IRoleManager
> --------------------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-15089
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15089
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Feature/Authorization
>            Reporter: Sam Tunnicliffe
>            Assignee: Sam Tunnicliffe
>            Priority: Normal
>             Fix For: 4.0
>
>
> If the network permissions cache doesn't contain any entry for a role, the authorize method is invoked on the configured INetworkAuthorizer. In the case of CassandraNetworkAuthorizer, this immediately checks whether the role in question has the LOGIN privilege set. It does this using the configured IRoleManager directly, which causes a read from the underlying table in system_auth. It should fetch the flag from Roles::canLogin, which uses the RolesCache, falling back to the IRoleManager if necessary.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org