You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by sa...@apache.org on 2021/09/03 07:27:57 UTC
[cassandra-dtest] branch trunk updated (03cc411 -> 1f5aefd)
This is an automated email from the ASF dual-hosted git repository.
samt pushed a change to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra-dtest.git.
from 03cc411 Add test for CASSANDRA-16104
new 0ef8be4 Extend network auth test to check deprecated mbean name
new 1f5aefd Add JMX auth test
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
auth_test.py | 41 +++++++++++++++++++++++++----------------
jmx_auth_test.py | 47 +++++++++++++++++++++++++++++++++++++++++++++--
2 files changed, 70 insertions(+), 18 deletions(-)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org
[cassandra-dtest] 01/02: Extend network auth test to check
deprecated mbean name
Posted by sa...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
samt pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra-dtest.git
commit 0ef8be46f8f729c80662a03fd515b6fe108531c8
Author: Sam Tunnicliffe <sa...@beobal.com>
AuthorDate: Tue Aug 17 14:26:45 2021 +0100
Extend network auth test to check deprecated mbean name
Patch by Sam Tunnicliffe; reviewed by Aleksei Zotov for
CASSANDRA-16404
---
auth_test.py | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/auth_test.py b/auth_test.py
index df57fb0..ca2056c 100644
--- a/auth_test.py
+++ b/auth_test.py
@@ -3079,8 +3079,8 @@ class TestNetworkAuth(Tester):
with JolokiaAgent(node) as jmx:
jmx.execute_method(mbean, 'invalidate')
- def clear_network_auth_cache(self, node):
- mbean = make_mbean('auth', type='NetworkAuthCache')
+ def clear_network_auth_cache(self, node, cache_name='NetworkPermissionsCache'):
+ mbean = make_mbean('auth', type=cache_name)
with JolokiaAgent(node) as jmx:
jmx.execute_method(mbean, 'invalidate')
@@ -3101,16 +3101,25 @@ class TestNetworkAuth(Tester):
if a user's access to a dc is revoked while they're connected,
all of their requests should fail once the cache is cleared
"""
- username = self.username()
- self.create_user("CREATE ROLE %s WITH password = 'password' AND LOGIN = true", username)
- self.assertConnectsTo(username, self.dc1_node)
- self.assertConnectsTo(username, self.dc2_node)
-
- # connect to the dc2 node, then remove permission for it
- session = self.exclusive_cql_connection(self.dc2_node, user=username, password='password')
- self.superuser.execute("ALTER ROLE %s WITH ACCESS TO DATACENTERS {'dc1'}" % username)
- self.clear_network_auth_cache(self.dc2_node)
- self.assertUnauthorized(lambda: session.execute("SELECT * FROM ks.tbl"))
+ def test_revoked_access(cache_name):
+ logger.debug('Testing with cache name: %s' % cache_name)
+ username = self.username()
+ self.create_user("CREATE ROLE %s WITH password = 'password' AND LOGIN = true", username)
+ self.assertConnectsTo(username, self.dc1_node)
+ self.assertConnectsTo(username, self.dc2_node)
+
+ # connect to the dc2 node, then remove permission for it
+ session = self.exclusive_cql_connection(self.dc2_node, user=username, password='password')
+ self.superuser.execute("ALTER ROLE %s WITH ACCESS TO DATACENTERS {'dc1'}" % username)
+ self.clear_network_auth_cache(self.dc2_node, cache_name)
+ self.assertUnauthorized(lambda: session.execute("SELECT * FROM ks.tbl"))
+
+ if self.dtest_config.cassandra_version_from_build > '4.0':
+ test_revoked_access("NetworkPermissionsCache")
+
+ # deprecated cache name, scheduled for removal in 5.0
+ if self.dtest_config.cassandra_version_from_build < '5.0':
+ test_revoked_access("NetworkAuthCache")
def test_create_dc_validation(self):
"""
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org
[cassandra-dtest] 02/02: Add JMX auth test
Posted by sa...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
samt pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra-dtest.git
commit 1f5aefdc23b5cd27dea056d119ff5d9c9801030a
Author: Aleksei Zotov <az...@gmail.com>
AuthorDate: Sun Aug 22 19:30:34 2021 +0400
Add JMX auth test
Patch by Aleksei Zotov; reviewed by Sam Tunnicliffe for
CASSANDRA-16404
---
auth_test.py | 8 ++++----
jmx_auth_test.py | 47 +++++++++++++++++++++++++++++++++++++++++++++--
2 files changed, 49 insertions(+), 6 deletions(-)
diff --git a/auth_test.py b/auth_test.py
index ca2056c..bd46688 100644
--- a/auth_test.py
+++ b/auth_test.py
@@ -8,9 +8,9 @@ import re
import pytest
import logging
-from cassandra import AuthenticationFailed, InvalidRequest, Unauthorized, Unavailable
+from cassandra import AuthenticationFailed, InvalidRequest, Unauthorized
from cassandra.cluster import NoHostAvailable
-from cassandra.protocol import ServerError, SyntaxException
+from cassandra.protocol import SyntaxException
from dtest_setup_overrides import DTestSetupOverrides
from dtest import Tester
@@ -24,6 +24,7 @@ from tools.misc import ImmutableMapping
since = pytest.mark.since
logger = logging.getLogger(__name__)
+
class TestAuth(Tester):
@pytest.fixture(autouse=True)
@@ -3047,8 +3048,7 @@ class TestNetworkAuth(Tester):
fixture_dtest_setup.superuser.execute("CREATE TABLE ks.tbl (k int primary key, v int)")
def username(self):
- return ''.join(random.choice(string.ascii_lowercase) for _ in range(8));
-
+ return ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
def create_user(self, query_fmt, username):
"""
diff --git a/jmx_auth_test.py b/jmx_auth_test.py
index 199e525..e5b3d03 100644
--- a/jmx_auth_test.py
+++ b/jmx_auth_test.py
@@ -1,3 +1,5 @@
+import random
+import string
import pytest
import logging
from distutils.version import LooseVersion
@@ -12,12 +14,14 @@ logger = logging.getLogger(__name__)
@since('3.6')
class TestJMXAuth(Tester):
+ """
+ Uses nodetool as a means of exercising the JMX interface as JolokiaAgent
+ exposes its own connector which bypasses the in-built security features
+ """
def test_basic_auth(self):
"""
Some basic smoke testing of JMX authentication and authorization.
- Uses nodetool as a means of exercising the JMX interface as JolokiaAgent
- exposes its own connector which bypasses the in-built security features
@jira_ticket CASSANDRA-10091
"""
self.prepare()
@@ -55,6 +59,42 @@ class TestJMXAuth(Tester):
# superuser status applies to JMX authz too
node.nodetool('-u cassandra -pw cassandra gossipinfo')
+ @since('4.1')
+ def test_revoked_jmx_access(self):
+ """
+ if a user's access to a JMX MBean is revoked while they're connected,
+ all of their requests should fail once the cache is cleared.
+ @jira_ticket CASSANDRA-16404
+ """
+ self.prepare(permissions_validity=60000)
+ [node] = self.cluster.nodelist()
+
+ def test_revoked_access(cache_name):
+ logger.debug('Testing with cache name: %s' % cache_name)
+ username = self.username()
+ session = self.patient_cql_connection(node, user='cassandra', password='cassandra')
+ session.execute("CREATE ROLE %s WITH LOGIN=true AND PASSWORD='abc123'" % username)
+ session.execute("GRANT SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' TO %s" % username)
+ session.execute("GRANT DESCRIBE ON ALL MBEANS TO %s" % username)
+
+ # works fine
+ node.nodetool('-u %s -pw abc123 gossipinfo' % username)
+
+ session.execute("REVOKE SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' FROM %s" % username)
+ # works fine because the JMX permission is cached
+ node.nodetool('-u %s -pw abc123 gossipinfo' % username)
+
+ node.nodetool('-u cassandra -pw cassandra invalidatejmxpermissionscache')
+ # the user has no permissions to the JMX resource anymore
+ with pytest.raises(ToolError, match='Access Denied'):
+ node.nodetool('-u %s -pw abc123 gossipinfo' % username)
+
+ test_revoked_access("JmxPermissionsCache")
+
+ # deprecated cache name, scheduled for removal in 5.0
+ if self.dtest_config.cassandra_version_from_build < '5.0':
+ test_revoked_access("JMXPermissionsCache")
+
def prepare(self, nodes=1, permissions_validity=0):
config = {'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator',
'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer',
@@ -69,3 +109,6 @@ class TestJMXAuth(Tester):
def authentication_fail_message(self, node, username):
return "Provided username {user} and/or password are incorrect".format(user=username) \
if node.cluster.version() >= LooseVersion('3.10') else "Username and/or password are incorrect"
+
+ def username(self):
+ return ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
\ No newline at end of file
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org