You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by sa...@apache.org on 2021/09/03 07:27:59 UTC

[cassandra-dtest] 02/02: Add JMX auth test

This is an automated email from the ASF dual-hosted git repository.

samt pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra-dtest.git

commit 1f5aefdc23b5cd27dea056d119ff5d9c9801030a
Author: Aleksei Zotov <az...@gmail.com>
AuthorDate: Sun Aug 22 19:30:34 2021 +0400

    Add JMX auth test
    
    Patch by Aleksei Zotov; reviewed by Sam Tunnicliffe for
    CASSANDRA-16404
---
 auth_test.py     |  8 ++++----
 jmx_auth_test.py | 47 +++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 49 insertions(+), 6 deletions(-)

diff --git a/auth_test.py b/auth_test.py
index ca2056c..bd46688 100644
--- a/auth_test.py
+++ b/auth_test.py
@@ -8,9 +8,9 @@ import re
 import pytest
 import logging
 
-from cassandra import AuthenticationFailed, InvalidRequest, Unauthorized, Unavailable
+from cassandra import AuthenticationFailed, InvalidRequest, Unauthorized
 from cassandra.cluster import NoHostAvailable
-from cassandra.protocol import ServerError, SyntaxException
+from cassandra.protocol import SyntaxException
 
 from dtest_setup_overrides import DTestSetupOverrides
 from dtest import Tester
@@ -24,6 +24,7 @@ from tools.misc import ImmutableMapping
 since = pytest.mark.since
 logger = logging.getLogger(__name__)
 
+
 class TestAuth(Tester):
 
     @pytest.fixture(autouse=True)
@@ -3047,8 +3048,7 @@ class TestNetworkAuth(Tester):
         fixture_dtest_setup.superuser.execute("CREATE TABLE ks.tbl (k int primary key, v int)")
 
     def username(self):
-        return ''.join(random.choice(string.ascii_lowercase) for _ in range(8));
-
+        return ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
 
     def create_user(self, query_fmt, username):
         """
diff --git a/jmx_auth_test.py b/jmx_auth_test.py
index 199e525..e5b3d03 100644
--- a/jmx_auth_test.py
+++ b/jmx_auth_test.py
@@ -1,3 +1,5 @@
+import random
+import string
 import pytest
 import logging
 from distutils.version import LooseVersion
@@ -12,12 +14,14 @@ logger = logging.getLogger(__name__)
 
 @since('3.6')
 class TestJMXAuth(Tester):
+    """
+    Uses nodetool as a means of exercising the JMX interface as JolokiaAgent
+    exposes its own connector which bypasses the in-built security features
+    """
 
     def test_basic_auth(self):
         """
         Some basic smoke testing of JMX authentication and authorization.
-        Uses nodetool as a means of exercising the JMX interface as JolokiaAgent
-        exposes its own connector which bypasses the in-built security features
         @jira_ticket CASSANDRA-10091
         """
         self.prepare()
@@ -55,6 +59,42 @@ class TestJMXAuth(Tester):
         # superuser status applies to JMX authz too
         node.nodetool('-u cassandra -pw cassandra gossipinfo')
 
+    @since('4.1')
+    def test_revoked_jmx_access(self):
+        """
+        if a user's access to a JMX MBean is revoked while they're connected,
+        all of their requests should fail once the cache is cleared.
+        @jira_ticket CASSANDRA-16404
+        """
+        self.prepare(permissions_validity=60000)
+        [node] = self.cluster.nodelist()
+
+        def test_revoked_access(cache_name):
+            logger.debug('Testing with cache name: %s' % cache_name)
+            username = self.username()
+            session = self.patient_cql_connection(node, user='cassandra', password='cassandra')
+            session.execute("CREATE ROLE %s WITH LOGIN=true AND PASSWORD='abc123'" % username)
+            session.execute("GRANT SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' TO %s" % username)
+            session.execute("GRANT DESCRIBE ON ALL MBEANS TO %s" % username)
+
+            # works fine
+            node.nodetool('-u %s -pw abc123 gossipinfo' % username)
+
+            session.execute("REVOKE SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' FROM %s" % username)
+            # works fine because the JMX permission is cached
+            node.nodetool('-u %s -pw abc123 gossipinfo' % username)
+
+            node.nodetool('-u cassandra -pw cassandra invalidatejmxpermissionscache')
+            # the user has no permissions to the JMX resource anymore
+            with pytest.raises(ToolError, match='Access Denied'):
+                node.nodetool('-u %s -pw abc123 gossipinfo' % username)
+
+        test_revoked_access("JmxPermissionsCache")
+
+        # deprecated cache name, scheduled for removal in 5.0
+        if self.dtest_config.cassandra_version_from_build < '5.0':
+            test_revoked_access("JMXPermissionsCache")
+
     def prepare(self, nodes=1, permissions_validity=0):
         config = {'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator',
                   'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer',
@@ -69,3 +109,6 @@ class TestJMXAuth(Tester):
     def authentication_fail_message(self, node, username):
         return "Provided username {user} and/or password are incorrect".format(user=username) \
             if node.cluster.version() >= LooseVersion('3.10') else "Username and/or password are incorrect"
+
+    def username(self):
+        return ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
\ No newline at end of file

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org