You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by sa...@apache.org on 2021/09/03 07:27:59 UTC
[cassandra-dtest] 02/02: Add JMX auth test
This is an automated email from the ASF dual-hosted git repository.
samt pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra-dtest.git
commit 1f5aefdc23b5cd27dea056d119ff5d9c9801030a
Author: Aleksei Zotov <az...@gmail.com>
AuthorDate: Sun Aug 22 19:30:34 2021 +0400
Add JMX auth test
Patch by Aleksei Zotov; reviewed by Sam Tunnicliffe for
CASSANDRA-16404
---
auth_test.py | 8 ++++----
jmx_auth_test.py | 47 +++++++++++++++++++++++++++++++++++++++++++++--
2 files changed, 49 insertions(+), 6 deletions(-)
diff --git a/auth_test.py b/auth_test.py
index ca2056c..bd46688 100644
--- a/auth_test.py
+++ b/auth_test.py
@@ -8,9 +8,9 @@ import re
import pytest
import logging
-from cassandra import AuthenticationFailed, InvalidRequest, Unauthorized, Unavailable
+from cassandra import AuthenticationFailed, InvalidRequest, Unauthorized
from cassandra.cluster import NoHostAvailable
-from cassandra.protocol import ServerError, SyntaxException
+from cassandra.protocol import SyntaxException
from dtest_setup_overrides import DTestSetupOverrides
from dtest import Tester
@@ -24,6 +24,7 @@ from tools.misc import ImmutableMapping
since = pytest.mark.since
logger = logging.getLogger(__name__)
+
class TestAuth(Tester):
@pytest.fixture(autouse=True)
@@ -3047,8 +3048,7 @@ class TestNetworkAuth(Tester):
fixture_dtest_setup.superuser.execute("CREATE TABLE ks.tbl (k int primary key, v int)")
def username(self):
- return ''.join(random.choice(string.ascii_lowercase) for _ in range(8));
-
+ return ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
def create_user(self, query_fmt, username):
"""
diff --git a/jmx_auth_test.py b/jmx_auth_test.py
index 199e525..e5b3d03 100644
--- a/jmx_auth_test.py
+++ b/jmx_auth_test.py
@@ -1,3 +1,5 @@
+import random
+import string
import pytest
import logging
from distutils.version import LooseVersion
@@ -12,12 +14,14 @@ logger = logging.getLogger(__name__)
@since('3.6')
class TestJMXAuth(Tester):
+ """
+ Uses nodetool as a means of exercising the JMX interface as JolokiaAgent
+ exposes its own connector which bypasses the in-built security features
+ """
def test_basic_auth(self):
"""
Some basic smoke testing of JMX authentication and authorization.
- Uses nodetool as a means of exercising the JMX interface as JolokiaAgent
- exposes its own connector which bypasses the in-built security features
@jira_ticket CASSANDRA-10091
"""
self.prepare()
@@ -55,6 +59,42 @@ class TestJMXAuth(Tester):
# superuser status applies to JMX authz too
node.nodetool('-u cassandra -pw cassandra gossipinfo')
+ @since('4.1')
+ def test_revoked_jmx_access(self):
+ """
+ if a user's access to a JMX MBean is revoked while they're connected,
+ all of their requests should fail once the cache is cleared.
+ @jira_ticket CASSANDRA-16404
+ """
+ self.prepare(permissions_validity=60000)
+ [node] = self.cluster.nodelist()
+
+ def test_revoked_access(cache_name):
+ logger.debug('Testing with cache name: %s' % cache_name)
+ username = self.username()
+ session = self.patient_cql_connection(node, user='cassandra', password='cassandra')
+ session.execute("CREATE ROLE %s WITH LOGIN=true AND PASSWORD='abc123'" % username)
+ session.execute("GRANT SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' TO %s" % username)
+ session.execute("GRANT DESCRIBE ON ALL MBEANS TO %s" % username)
+
+ # works fine
+ node.nodetool('-u %s -pw abc123 gossipinfo' % username)
+
+ session.execute("REVOKE SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' FROM %s" % username)
+ # works fine because the JMX permission is cached
+ node.nodetool('-u %s -pw abc123 gossipinfo' % username)
+
+ node.nodetool('-u cassandra -pw cassandra invalidatejmxpermissionscache')
+ # the user has no permissions to the JMX resource anymore
+ with pytest.raises(ToolError, match='Access Denied'):
+ node.nodetool('-u %s -pw abc123 gossipinfo' % username)
+
+ test_revoked_access("JmxPermissionsCache")
+
+ # deprecated cache name, scheduled for removal in 5.0
+ if self.dtest_config.cassandra_version_from_build < '5.0':
+ test_revoked_access("JMXPermissionsCache")
+
def prepare(self, nodes=1, permissions_validity=0):
config = {'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator',
'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer',
@@ -69,3 +109,6 @@ class TestJMXAuth(Tester):
def authentication_fail_message(self, node, username):
return "Provided username {user} and/or password are incorrect".format(user=username) \
if node.cluster.version() >= LooseVersion('3.10') else "Username and/or password are incorrect"
+
+ def username(self):
+ return ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
\ No newline at end of file
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org