Posted to commits@cassandra.apache.org by "Ted Zlatanov (JIRA)" <ji...@apache.org> on 2009/11/12 19:08:39 UTC

[jira] Created: (CASSANDRA-547) authentication and authorization functions (stage 1)

authentication and authorization functions (stage 1)
----------------------------------------------------

                 Key: CASSANDRA-547
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
             Project: Cassandra
          Issue Type: New Feature
          Components: Core
    Affects Versions: 0.5
            Reporter: Ted Zlatanov


Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.

Create file-based and LDAP backends to implement authentication and authorization.

Create AllowAll backend to allow all access.

Add configuration stanza to specify the auth backend.



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Jonathan Ellis (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12802268#action_12802268 ] 

Jonathan Ellis commented on CASSANDRA-547:
------------------------------------------

An article explaining why Java programmers write "x == null," among other things: http://www.ibm.com/developerworks/java/library/j-noaccent.html?ca=drs-

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>             Fix For: 0.7
>
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-auth2-4eevans.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Jonathan Ellis (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jonathan Ellis updated CASSANDRA-547:
-------------------------------------

    Fix Version/s:     (was: 0.7)
                   0.6

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>             Fix For: 0.6
>
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-auth2-4eevans.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Jonathan Ellis (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795353#action_12795353 ] 

Jonathan Ellis commented on CASSANDRA-547:
------------------------------------------

thanks, 34k is much easier to review than 600k.

style note: we start interface names with I, as in IAuthenticationBackend

I still see gratuitous renaming of variables, e.g. consistency_level to consistencyLevel (don't do that, we use underscores for thrift variable names on purpose)

upgrading thrift is still assumed (by the changing to CL enum at the least); this does not build with the current thrift we are using.  if you decide that finishing the upgrade is easier than finishing the downgrade, please note that "separate patches" means one builds on the other, not one is a superset of the other.  I really do think using a tool that can operate on sets of patches will make your life easier here, e.g. quilt or hg if you have something against git. :)

Is there a backend that is more than a no-op?  we don't commit refactorings with no raison d'etre, even to trunk.

the keyspace argument to login is not passed to the authenticator, so either it is redundant or there is a bug there

I don't see any code that verifies that login was successfully called before allowing other methods to be called

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: CASSANDRA-547-auth.patch)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: CASSANDRA-547-auth.patch)



[jira] Resolved: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Eric Evans (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Evans resolved CASSANDRA-547.
----------------------------------

    Resolution: Fixed



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment: CASSANDRA-547-auth.patch
                CASSANDRA-547-thrift.patch

(learning quilt, sorry for the bad patches)

ThriftGlue is now only in the thrift patch.

login_done is a ThreadLocal<Boolean> singleton



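The login check asked for in the review ("I don't see any code that verifies that login was successfully called") combined with the ThreadLocal<Boolean> flag described in this update, as an added Java example that is not taken from the attached patches. The IAuthenticationBackend method signature, readValue(), onDisconnect() and the demo credentials are assumptions made for illustration; the flag is cleared on disconnect because a pooled worker thread outlives the connection it served.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/** Added example: a per-thread login flag that every data call checks first. */
public class LoginGate {
    /** Hypothetical signature; the issue names the interface but not its methods. */
    public interface IAuthenticationBackend {
        boolean authenticate(String keyspace, String user, String password);
    }

    // Defaults to "not logged in" for any thread that has never called login().
    private static final ThreadLocal<Boolean> loginDone =
            ThreadLocal.withInitial(() -> Boolean.FALSE);

    private final IAuthenticationBackend backend;

    public LoginGate(IAuthenticationBackend backend) {
        this.backend = backend;
    }

    /** Passes the keyspace through to the backend and records only a success. */
    public void login(String keyspace, String user, String password) {
        loginDone.set(Boolean.FALSE); // a failed re-login must not keep an earlier success
        if (!backend.authenticate(keyspace, user, password)) {
            throw new SecurityException("login failed");
        }
        loginDone.set(Boolean.TRUE);
    }

    /** Call at the top of every method other than login(). */
    public void requireLogin() {
        if (!loginDone.get()) {
            throw new SecurityException("login() must succeed before other calls");
        }
    }

    /** Hypothetical data call standing in for the real Thrift methods. */
    public String readValue(String key) {
        requireLogin();
        return "value-of-" + key;
    }

    /** Clears the flag so the next connection served by this thread starts unauthenticated. */
    public void onDisconnect() {
        loginDone.remove();
    }

    public static void main(String[] args) throws Exception {
        // Constructed credentials, for the demonstration only.
        LoginGate gate = new LoginGate(
                (ks, user, pw) -> "demo".equals(user) && "secret".equals(pw));
        // One worker thread serves both simulated connections, as a thread pool would.
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            // Connection 1: logs in, reads, disconnects.
            System.out.println(worker.submit(() -> {
                try {
                    gate.login("Keyspace1", "demo", "secret");
                    return gate.readValue("k1");
                } finally {
                    gate.onDisconnect();
                }
            }).get());

            // Connection 2: same thread, no login(). It is rejected only because
            // connection 1 cleared the flag when it disconnected.
            System.out.println(worker.submit(() -> {
                try {
                    return gate.readValue("k2");
                } catch (SecurityException e) {
                    return "rejected: " + e.getMessage();
                } finally {
                    gate.onDisconnect();
                }
            }).get());
        } finally {
            worker.shutdown();
        }
    }
}
```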


[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795369#action_12795369 ] 

Ted Zlatanov commented on CASSANDRA-547:
----------------------------------------

It's hard to produce a useful auth backend when I'm spending all of my available time on patches and fixing Thrift errors.  Also, this is stage 1, see at the beginning for the goals.  I want to be sure we're OK with the design before I implement the backend.  I'll get you the revised patches, as incrementals as you requested.

I don't want to work against the old Thrift.  Backporting is possible but I don't see the point, since Thrift is not going back to the old version.

Keyspace + login fixes are coming.  I have them but dropped them in the patch by accident.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment: libthrift-r893324.jar
                auth.patch

Note the above patch requires a newer libthrift!

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: auth.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Issue Comment Edited: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12796213#action_12796213 ] 

Ted Zlatanov edited comment on CASSANDRA-547 at 1/4/10 4:33 PM:
----------------------------------------------------------------

(learning quilt, sorry for the bad patches)

ThriftGlue is now only in the thrift patch.

login_done is a ThreadLocal<Boolean> singleton

IAuthenticationBackend is back.

      was (Author: tzz):
    (learning quilt, sorry for the bad patches)

ThriftGlue is now only in the thrift patch.

login_done is a ThreadLocal<Boolean> singleton


  


[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795174#action_12795174 ] 

Ted Zlatanov commented on CASSANDRA-547:
----------------------------------------

I left the libthrift upgrade out of my patches, but it's probably a good idea to do it at some point.

There are two patches, the auth one is a superset of the thrift one.

ThriftGlue has one (IMHO) nice feature: it lets us create ColumnOrSuperColumn objects with the explicit inclination to contain a Column or a SuperColumn.  The old way was less readable.

I remove the style changes for the useless else clauses.

I made ConsistencyLevel go all the way down the stack and changed the variable name to consistencyLevel while I was there, to be consistent (ha ha) with the other parameter names.  There is one place where the int value is used to check enum superiority, but overall it looks and works better I think.

Let me know if all of this looks good.  It's a real PITA to keep patching so I hope we're close to done.

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Jonathan Ellis (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12797204#action_12797204 ] 

Jonathan Ellis commented on CASSANDRA-547:
------------------------------------------

right, for server-side issues you should throw a RuntimeException, the server will log that and return an internal error to the client.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12796219#action_12796219 ] 

Ted Zlatanov commented on CASSANDRA-547:
----------------------------------------

External authentication like LDAP can authenticate a user name/password combination, but it doesn't tell us what's authorized.  So we need a way to authorize user/keyspace combinations.  If not in storage-conf.xml, we'll need to essentially duplicate the Keyspaces section like this:

Keyspaces:
AllowUser A

Keyspace X:
AllowUser B
DisallowUser A

This means user A has access to everything but X and user B can only access X (DisallowUser trumps AllowUser).

This scheme should not be backend-specific.  Every IAuthenticationBackend should use this same authorization scheme (user-implemented ones can choose not to in order to accommodate more complex infrastructure, but the simple stuff Cassandra includes should use it).  This will simplify the implementation of authentication backends and make them easier to configure.

If we agree on the authorization grants format, I will start work on the simple password backend and implement authorizations as described, plus a simple password storage mechanism.

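One way to evaluate the grants format proposed in the comment above, as an added Java example that is not code from the issue's patches. It assumes a default of deny for users with no matching AllowUser, and that a DisallowUser under the global Keyspaces: stanza also applies everywhere; the class and method names are hypothetical.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Added example: parses and evaluates the AllowUser/DisallowUser grants format. */
public class KeyspaceGrants {
    /** Allow and deny sets for one scope (global, or a single keyspace). */
    private static final class Scope {
        final Set<String> allow = new HashSet<>();
        final Set<String> deny = new HashSet<>();
    }

    private final Scope global = new Scope();
    private final Map<String, Scope> perKeyspace = new HashMap<>();

    /** "Keyspaces:" opens the global scope, "Keyspace NAME:" a per-keyspace scope. */
    public static KeyspaceGrants parse(String text) {
        KeyspaceGrants grants = new KeyspaceGrants();
        Scope current = null;
        for (String raw : text.split("\\R")) {
            String line = raw.trim();
            if (line.isEmpty()) {
                continue;
            }
            if (line.equals("Keyspaces:")) {
                current = grants.global;
            } else if (line.startsWith("Keyspace ") && line.endsWith(":")) {
                String name = line.substring("Keyspace ".length(), line.length() - 1).trim();
                if (name.isEmpty()) {
                    throw new IllegalArgumentException("empty keyspace name: " + raw);
                }
                current = grants.perKeyspace.computeIfAbsent(name, k -> new Scope());
            } else {
                // Anything unrecognised aborts parsing, so a typo in a
                // DisallowUser line cannot silently widen access.
                String[] parts = line.split("\\s+", 2);
                if (current == null || parts.length != 2) {
                    throw new IllegalArgumentException("unexpected line: " + raw);
                }
                if (parts[0].equals("AllowUser")) {
                    current.allow.add(parts[1]);
                } else if (parts[0].equals("DisallowUser")) {
                    current.deny.add(parts[1]);
                } else {
                    throw new IllegalArgumentException("unknown directive: " + raw);
                }
            }
        }
        return grants;
    }

    /** DisallowUser trumps AllowUser; a user with no matching grant is denied (assumption). */
    public boolean isAuthorized(String user, String keyspace) {
        Scope ks = perKeyspace.get(keyspace);
        if (global.deny.contains(user) || (ks != null && ks.deny.contains(user))) {
            return false;
        }
        return global.allow.contains(user) || (ks != null && ks.allow.contains(user));
    }

    public static void main(String[] args) {
        // The grants from the comment; keyspace Y and user C are constructed
        // here to exercise the global and default cases.
        String config = String.join("\n",
                "Keyspaces:",
                "AllowUser A",
                "",
                "Keyspace X:",
                "AllowUser B",
                "DisallowUser A");
        KeyspaceGrants grants = parse(config);
        String[][] checks = {{"A", "X"}, {"A", "Y"}, {"B", "X"}, {"B", "Y"}, {"C", "X"}};
        for (String[] c : checks) {
            System.out.printf("user %s on keyspace %s: %s%n", c[0], c[1],
                    grants.isAuthorized(c[0], c[1]) ? "allowed" : "denied");
        }
    }
}
```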


[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Eric Evans (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795608#action_12795608 ] 

Eric Evans commented on CASSANDRA-547:
--------------------------------------

> If the latest patches are OK, I'll augment the auth patch with a working auth backend with static user  
> credentials from the config file (user name and password specified in the configuration per keyspace).
> That will be all for stage1 and I'll go on to stage2: the LDAP and other backends we discussed.

Can we avoid putting anything other than the back-end in storage-conf.xml? If the back-ends are to be pluggable, then trying to come up with a standard set of directives that will cover them all is going to be a lot of Fail.

I'd rather see each back-end handle configuration on its own. For example, a static credential back-end could look in -Dstorage-config for a passwd.properties file or something. An LDAP back-end could look for an ldap.conf, etc.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Jonathan Ellis (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795612#action_12795612 ] 

Jonathan Ellis commented on CASSANDRA-547:
------------------------------------------

Agreed.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Eric Evans (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12783940#action_12783940 ] 

Eric Evans commented on CASSANDRA-547:
--------------------------------------

A couple of things... 1)  This patch doesn't apply, could you please rebase? and 2) I'm starting to pick my way through the thread on cassandra-user, but it would be helpful if you could summarize with a more comprehensive specification either here or in the wiki (the wiki being my preference).

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment: CASSANDRA-547-authsimple.patch
                CASSANDRA-547-onekeyspace.patch

Two more patches that build on the thrift and auth patches:

onekeyspace is an optional patch to remove the keyspace argument from all the Thrift calls. I think this is a good idea but it will break all the Cassandra clients.

authsimple contains a full implementation of a simple authentication backend (which assumes that any authenticated users are authorized).  This code is a proof of concept and has not been tested (though I don't expect it to be too buggy, it's very simple code).

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-authsimple.patch, CASSANDRA-547-onekeyspace.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12802237#action_12802237 ] 

Hudson commented on CASSANDRA-547:
----------------------------------

Integrated in Cassandra #328 (See [http://hudson.zones.apache.org/hudson/job/Cassandra/328/])
    authentication and authorization functions

Patch by Ted Zlatanov; reviewed by eevans for 




[jira] Issue Comment Edited: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795174#action_12795174 ] 

Ted Zlatanov edited comment on CASSANDRA-547 at 12/29/09 10:33 PM:
-------------------------------------------------------------------

I left the libthrift upgrade out of my patches, but it's probably a good idea to do it at some point.

There are two patches, the auth one is a superset of the thrift one.

ThriftGlue has one (IMHO) nice feature: it lets us create ColumnOrSuperColumn objects with the explicit inclination to contain a Column or a SuperColumn.  The old way was less readable.

I removed the style changes for the useless else clauses.

I made ConsistencyLevel go all the way down the stack and changed the variable name to consistencyLevel while I was there, to be consistent (ha ha) with the other parameter names.  There is one place where the int value is used to check enum superiority, but overall it looks and works better I think.

Let me know if all of this looks good.  It's a real PITA to keep patching so I hope we're close to done.

      was (Author: tzz):
    I left the libthrift upgrade out of my patches, but it's probably a good idea to do it at some point.

There are two patches, the auth one is a superset of the thrift one.

ThriftGlue has one (IMHO) nice feature: it lets us create ColumnOrSuperColumn objects with the explicit inclination to contain a Column or a SuperColumn.  The old way was less readable.

I remove the style changes for the useless else clauses.

I made ConsistencyLevel go all the way down the stack and changed the variable name to consistencyLevel while I was there, to be consistent (ha ha) with the other parameter names.  There is one place where the int value is used to check enum superiority, but overall it looks and works better I think.

Let me know if all of this looks good.  It's a real PITA to keep patching so I hope we're close to done.
  
> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795146#action_12795146 ] 

Ted Zlatanov commented on CASSANDRA-547:
----------------------------------------

the latest auth patch, as suggested on cassandra-users, offers just one method: 

void login(String keyspace, Map<String, String> credentials)

The AllowAllAuthenticator, as before, simply allows any login and is intended to show the default usage.

The patch is based on a 2009-12-29 checkout.  It also fixes the Thrift constructors by introducing a ThriftGlue convenience factory class, which IMHO is the best way to keep source code concise if the optional parameters can't be specified inline.

Finally, I made a few style fixes, where return or continue were used in the if clause, so the else was redundant.


> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: auth.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Jonathan Ellis (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795532#action_12795532 ] 

Jonathan Ellis commented on CASSANDRA-547:
------------------------------------------

looking good.  a few minor tweaks:

ThriftGlue belongs in the thrift patch

IAuthenticationBackend seems to have gone missing

login_done needs to be threadlocal

IMO addressing these in your patchset with the working auth backend is fine.

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.

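The thread-safety point raised above (login_done needs to be threadlocal), as an added Java sketch that is not code from the patch. It assumes a single handler object shared by all connection threads, with one thread serving each connection; the class and method names are hypothetical.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class PerConnectionLoginState {
    /** Minimal view of a request handler (hypothetical, for illustration). */
    interface Handler {
        void login();             // called after credentials were accepted
        boolean mayRead();        // authorization check done on every request
        void connectionClosed();  // called when the connection ends
    }

    /** One flag on the shared handler: the first login opens the door for everyone. */
    static class SharedFlagHandler implements Handler {
        private volatile boolean loginDone = false;
        public void login() { loginDone = true; }
        public boolean mayRead() { return loginDone; }
        public void connectionClosed() { /* nothing is reset: the flag is global */ }
    }

    /** One flag per serving thread, i.e. per connection under the stated assumption. */
    static class ThreadLocalHandler implements Handler {
        private final ThreadLocal<Boolean> loginDone = ThreadLocal.withInitial(() -> false);
        public void login() { loginDone.set(true); }
        public boolean mayRead() { return loginDone.get(); }
        // Pooled threads are reused, so the state must be cleared when the
        // connection ends or the next client on this thread inherits the login.
        public void connectionClosed() { loginDone.remove(); }
    }

    /** Client A logs in on its thread; returns whether client B, which never logged in, may read. */
    static boolean secondClientAllowed(Handler h) throws Exception {
        ExecutorService clientA = Executors.newSingleThreadExecutor();
        ExecutorService clientB = Executors.newSingleThreadExecutor();
        try {
            Runnable login = h::login;
            Callable<Boolean> probe = h::mayRead;
            clientA.submit(login).get();
            return clientB.submit(probe).get();
        } finally {
            clientA.shutdown();
            clientB.shutdown();
        }
    }

    /** Same pooled thread serves two connections in a row; returns whether the second one is still logged in. */
    static boolean reusedThreadStillLoggedIn(Handler h) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            Runnable firstConnection = () -> { h.login(); h.connectionClosed(); };
            Callable<Boolean> secondConnection = h::mayRead;
            worker.submit(firstConnection).get();
            return worker.submit(secondConnection).get();
        } finally {
            worker.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("shared flag, unauthenticated client may read: "
                + secondClientAllowed(new SharedFlagHandler()));
        System.out.println("thread-local, unauthenticated client may read: "
                + secondClientAllowed(new ThreadLocalHandler()));
        System.out.println("thread-local, login survives connection close: "
                + reusedThreadStillLoggedIn(new ThreadLocalHandler()));
    }
}
```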


[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: libthrift-r893324.jar)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Eric Evans (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12796845#action_12796845 ] 

Eric Evans commented on CASSANDRA-547:
--------------------------------------

While I can appreciate that the thrift changes needed to be made, and while I do appreciate you doing them, they are out of context for this ticket and were making it unnecessarily difficult to review. In the future, please submit a separate ticket w/ separate patches.

I've applied the thrift changes, with some modification, can you please rebase the remainder against trunk? Try to add some sort of series info too, either in a comment, or when naming the patches (i.e. 01_foo, 02_bar, etc).

Thanks Ted.

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-authsimple.patch, CASSANDRA-547-onekeyspace.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: auth.patch)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: CASSANDRA-547-thrift.patch)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Jonathan Ellis (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jonathan Ellis updated CASSANDRA-547:
-------------------------------------

    Fix Version/s: 0.7

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>             Fix For: 0.7
>
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-auth2-4eevans.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12829075#action_12829075 ] 

Ted Zlatanov commented on CASSANDRA-547:
----------------------------------------

I've been working on other tickets and proposals (HTTP server, configuration issues).  Stage 2 will be a new ticket as you suggested.  Go ahead and create it if you need it sooner or I'll do it when I have the tuits.  Thanks!

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>             Fix For: 0.6
>
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-auth2-4eevans.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: CASSANDRA-547-auth.patch)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment: CASSANDRA-547-thrift.patch
                CASSANDRA-547-auth.patch

Revised patches as requested.

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-thrift.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Eric Evans (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12797195#action_12797195 ] 

Eric Evans commented on CASSANDRA-547:
--------------------------------------

With respect to: CASSANDRA-547-auth.patch

Why AuthenticationRequest? Why not pass a map directly to login()?

Also, these AuthenticationExceptions in SimpleAuthenticationBackend for things like invalid passwd.mode property, or for being unable to open the passwd.properties file are at best being delivered to the wrong entity (they are server side issues and the details are going to the client); at worst they are leaking potentially sensitive information. 

Ideally these would be something other than AuthenticationExceptions, something that more explicitly indicated a server-side issue, TApplicationException maybe? Either way though, the specifics should probably be logged for the admin, and a more opaque message delivered to the client.

I also have a couple of style nits:

 * We're trying to get away from the trailing-underscore-on-private-members convention, so if you could avoid introducing any more, that would be great.

 * I think appending the substring "Backend" to all of these classes is a little redundant, how about IAuthenticator, SimpleAuthenticator, etc?

Thanks again Ted.

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.

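One way to apply the error-handling advice above, as an added Java example that is not the patch's code: server-side faults are logged in full for the admin and reach the client only as an opaque message with a reference id. The exception classes, the PLAIN mode value, the credential keys and the sample passwd file are assumptions made for this illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class OpaqueAuthErrors {
    private static final Logger LOG = Logger.getLogger("auth");

    // Hypothetical stand-ins for the exception types discussed in the review.
    static class AuthenticationException extends Exception {   // the client's credentials were rejected
        AuthenticationException(String msg) { super(msg); }
    }
    static class ServerFaultException extends Exception {      // the server could not evaluate them
        ServerFaultException(String msg) { super(msg); }
    }

    static class FileAuthenticator {
        private final Path passwdFile;
        private final String mode;   // value of the passwd.mode property

        FileAuthenticator(Path passwdFile, String mode) {
            this.passwdFile = passwdFile;
            this.mode = mode;
        }

        void login(Map<String, String> credentials)
                throws AuthenticationException, ServerFaultException {
            if (!"PLAIN".equals(mode)) {   // "PLAIN" is an assumed mode name
                throw serverFault("invalid passwd.mode value '" + mode + "'", null);
            }
            Properties users = new Properties();
            try (InputStream in = Files.newInputStream(passwdFile)) {
                users.load(in);
            } catch (IOException e) {
                throw serverFault("cannot read password file " + passwdFile, e);
            }
            String user = credentials.get("username");
            String given = credentials.get("password");
            String stored = (user == null) ? null : users.getProperty(user);
            boolean ok = stored != null && given != null
                    && MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                             given.getBytes(StandardCharsets.UTF_8));
            if (!ok) {
                // Unknown user and wrong password get the same client message.
                LOG.info("login rejected for user '" + sanitize(user) + "'");
                throw new AuthenticationException("Invalid credentials");
            }
        }

        /** Full detail goes to the server log; the client sees only a reference id. */
        private ServerFaultException serverFault(String detail, Throwable cause) {
            String ref = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "auth backend fault [" + ref + "]: " + detail, cause);
            return new ServerFaultException("Authentication service unavailable (ref " + ref + ")");
        }

        /** Keep client-supplied names from forging extra log lines. */
        private static String sanitize(String s) {
            return s == null ? "<none>" : s.replaceAll("[\\r\\n]", "_");
        }
    }

    static Map<String, String> creds(String user, String password) {
        Map<String, String> m = new HashMap<>();
        m.put("username", user);
        m.put("password", password);
        return m;
    }

    /** Prints exactly what a client would see for one login attempt. */
    static void report(String label, FileAuthenticator auth, Map<String, String> c) {
        try {
            auth.login(c);
            System.out.println(label + ": login ok");
        } catch (AuthenticationException | ServerFaultException e) {
            System.out.println(label + ": client sees \"" + e.getMessage() + "\"");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample password file, for this example only.
        Path passwd = Files.createTempFile("passwd", ".properties");
        Files.write(passwd, "alice=s3cret\n".getBytes(StandardCharsets.UTF_8));

        report("valid login", new FileAuthenticator(passwd, "PLAIN"), creds("alice", "s3cret"));
        report("wrong password", new FileAuthenticator(passwd, "PLAIN"), creds("alice", "nope"));
        report("unknown user", new FileAuthenticator(passwd, "PLAIN"), creds("mallory", "x"));
        report("missing file",
                new FileAuthenticator(Paths.get("/nonexistent/passwd.properties"), "PLAIN"),
                creds("alice", "s3cret"));
        report("bad mode", new FileAuthenticator(passwd, "MD6"), creds("alice", "s3cret"));
        Files.delete(passwd);
    }
}
```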


[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12796864#action_12796864 ] 

Ted Zlatanov commented on CASSANDRA-547:
----------------------------------------

In retrospect I would have done these patches differently.  I was learning quilt and should have split the Thrift work out.  Thanks for your and Jonathan's patience.  

I took out the nokeyspace patch so there's only one patch now.  The nokeyspace patch was really more Thrift work, intended to remove the keyspace argument from all Thrift code.  It sort of belongs here, though, since the auth work has made the keyspace argument redundant.  I'll redo the nokeyspace patch later, after the stage 1 auth work is done, if you prefer.  Right now we're missing:

1) a way to specify a different auth backend in the Cassandra configuration

2) a common way to specify authorizations (see my earlier comment on a proposed scheme)

3) an LDAP auth backend

before stage 1 is done.  I need your review of the current patch, though, before I continue with (1) and (2).  (3) is last, after we've ironed out the backend mechanics.  Also your opinions on (2) are very welcome.

Stage 2, btw, will involve documentation.  I'm not forgetting it :)


> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12784230#action_12784230 ] 

Ted Zlatanov commented on CASSANDRA-547:
----------------------------------------

Consider this simply a very early prototype.

The API is simple.  Three functions are available:

void login(Map<String, String> credentials) throws AuthenticationException

void setKeyspace(String keyspace) throws AuthorizationException

String getKeyspace()

There is an AllowAllAuthenticator backend that implements the default (approve all) policy.

For backwards compatibility, the current API will still work.  Whenever a function that takes a keyspace argument is called, it will call setKeyspace() on the auth backend, ignoring any exceptions (to keep the current API the same as far as exceptions).  In a later API revision, this will be changed in favor of just setting the keyspace separately.

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment: CASSANDRA-547-auth2-4eevans.patch

Fixed the issues reported by eevans:

- remove setAuthenticator
- provide commented example of using the AllowAllAuthenticator in the storage-conf.xml file
- provide commented conf/{passwd,authorization}.properties
- rename CassandraServer.login_done to  CassandraServer.loginDone

All this is in a second patch as requested.

Regarding the null == X to X == null, I think the former is better because it makes it impossible to assign null accidentally.  In Java this doesn't happen as much but it can (if you're testing if a Boolean is null and forget the second '=').  It's a good habit that has no significance to the compiler and I really doubt would confuse the reader.  If you still want it in the X==null format, go ahead and make that change or I can produce the corresponding trivial patch.

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-auth2-4eevans.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment: CASSANDRA-547-authsimple.patch

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-authsimple.patch, CASSANDRA-547-onekeyspace.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Issue Comment Edited: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Eric Evans (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12783940#action_12783940 ] 

Eric Evans edited comment on CASSANDRA-547 at 12/1/09 12:00 AM:
----------------------------------------------------------------

A couple of things... 1)  This patch doesn't apply, could you please rebase? and 2) I'm starting to pick my way through the thread on cassandra-user, but it would be helpful if you could summarize with a more comprehensive specification either here or in the wiki (the wiki being my preference).

      was (Author: urandom):
    A couple of things... 1)  This patch doesn't apply, could you please rebase? and 2) I'm starting to pick my way through the thread on cassandra-user, but it would be helpful if you could either summarize with a more comprehensive specification either here or in the wiki (the wiki being my preference).
  
> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Eric Evans (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12802366#action_12802366 ] 

Eric Evans commented on CASSANDRA-547:
--------------------------------------

You can start work on it whenever you like, but please open another ticket.

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>             Fix For: 0.7
>
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-auth2-4eevans.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment: CASSANDRA-547-auth.patch

rebased auth patch, including the SimpleAuthenticationBackend

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: auth.patch)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Eric Evans (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12797181#action_12797181 ] 

Eric Evans commented on CASSANDRA-547:
--------------------------------------

> 2) a common way to specify authorizations (see my earlier comment on a proposed scheme)

I'm not a fan of this. If it's being left out of storage-conf.xml because it isn't reasonable to define this upfront for all possible back-ends (and I still believe it is), then a separate file only moves the problem. This should really be left up to the back-end, and if there is a good standard, there is nothing to stop it from emerging naturally.

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Issue Comment Edited: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795146#action_12795146 ] 

Ted Zlatanov edited comment on CASSANDRA-547 at 12/29/09 8:59 PM:
------------------------------------------------------------------

the latest auth patch, as suggested on cassandra-users, offers just one method: 

void login(String keyspace, Map<String, String> credentials)

The AllowAllAuthenticator, as before, simply allows any login and is intended to show the default usage.

The patch is based on a 2009-12-29 checkout.  It also fixes the Thrift constructors by introducing a ThriftGlue convenience factory class, which IMHO is the best way to keep source code concise if the optional parameters can't be specified inline.

The ConsistencyLevel class is passed further down after the CassandraServer interface as an int currently.  We may want to pass it as an enum everywhere instead.

Finally, I made a few style fixes, where return or continue were used in the if clause, so the else was redundant.


      was (Author: tzz):
    the latest auth patch, as suggested on cassandra-users, offers just one method: 

void login(String keyspace, Map<String, String> credentials)

The AllowAllAuthenticator, as before, simply allows any login and is intended to show the default usage.

The patch is based on a 2009-12-29 checkout.  It also fixes the Thrift constructors by introducing a ThriftGlue convenience factory class, which IMHO is the best way to keep source code concise if the optional parameters can't be specified inline.

Finally, I made a few style fixes, where return or continue were used in the if clause, so the else was redundant.

  
> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: auth.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Eric Evans (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12802044#action_12802044 ] 

Eric Evans commented on CASSANDRA-547:
--------------------------------------

Ok, this has been committed, with some changes.

This changeset breaks client compatibility and the current plan is to fast-track an 0.6 release with no breaking changes. As a result, the biggest change I made was to special-case AllowAllAuthenticator so that it is not required to call login(). This is strictly temporary until we have an 0.6 branch, at which point we can reverse this in trunk.

(The other changes should be self-explanatory)

I believe there is more to do here, but I'm going to close this ticket. Let's open new issues for each additional item and track them separately.

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>             Fix For: 0.7
>
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-auth2-4eevans.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12797103#action_12797103 ] 

Hudson commented on CASSANDRA-547:
----------------------------------

Integrated in Cassandra #315 (See [http://hudson.zones.apache.org/hudson/job/Cassandra/315/])
    cleanup test and contrib breakage from thrift upgrade

Patch by eevans for 
reorganize ThriftGlue

  * use static import of ThriftGlue methods
  * move from o.a.c.glue to o.a.c.service package

Patch by eevans for 
use factories to create Thrift types

Patch by Ted Zlatanov; reviewed by eevans for 


> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment: auth.patch

first attempt, please comment

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>         Attachments: auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment: CASSANDRA-547-auth.patch

added configuration stanza to specify the authenticator (AllowAll is the default)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment: CASSANDRA-547-thrift.patch
                CASSANDRA-547-auth.patch

the auth patch combines the thrift patch with the auth work

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: CASSANDRA-547-thrift.patch)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: CASSANDRA-547-thrift.patch)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: CASSANDRA-547-auth.patch)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-thrift.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Eric Evans (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12800351#action_12800351 ] 

Eric Evans commented on CASSANDRA-547:
--------------------------------------

First off, sorry for the delay, I meant to get back to this sooner and got tied up.

I think we're at the point where we could commit, just a few remaining nits:

* Let's do away with DatabaseDescriptor.setAuthenticator; configuration like this should effectively be read-only.
* Can you include a default entry w/ comments in conf/storage-conf.xml for setting the Authenticator?
* I think we should also include commented samples for passwd.properties and authorization.properties in conf/
* I'd also like to see the username parsing in authorization.properties a bit more forgiving, at the very least splitting on one or more whitespace characters would be too easy not to do.

There are also a few styling nits I would change myself prior to committing, but while you are in there...

* Can you rename CassandraServer.login_done to CassandraServer.loginDone to fit with convention?
* (null == foo()) strikes me as odd every time I see it, (foo() == null) is more idiomatic, at least for the Cassandra code base.

And one last thing.

It would make review simpler if you could group logical changes by patch and, when it makes sense, attach follow-up patches that are meant to be applied on top of the previous one (while obviously leaving the previous patch attached to the issue).

In fact, if you could incorporate this latest round of feedback as a new patch that applied on top of the existing one, so that I can more easily see those specific changes, I promise to expedite it.

Thanks Ted.


> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.
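
The design discussed in this thread (one login(keyspace, credentials) call checked against a pluggable authenticator, AllowAllAuthenticator exempt from the login requirement, and a file-backed authenticator whose user lists split on runs of whitespace) is sketched below as an added example; it is not code from the CASSANDRA-547 patches. The Authenticator interface, SimplePropertiesAuthenticator, Session, the credential key names and both file layouts (user=password, keyspace=user list) are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

public class AuthSketch {
    /** Hypothetical back-end interface with the single login() method quoted in the thread. */
    interface Authenticator {
        void login(String keyspace, Map<String, String> credentials);
    }

    /** Accepts every login; the thread describes this as the default. */
    static final class AllowAllAuthenticator implements Authenticator {
        public void login(String keyspace, Map<String, String> credentials) { }
    }

    /** File-backed back-end. Both layouts are assumed: user=password and keyspace=user list. */
    static final class SimplePropertiesAuthenticator implements Authenticator {
        private final Properties passwd = new Properties(); // plaintext here to keep the sketch short
        private final Properties authz = new Properties();

        SimplePropertiesAuthenticator(String passwdText, String authzText) throws IOException {
            passwd.load(new StringReader(passwdText));
            authz.load(new StringReader(authzText));
        }

        public void login(String keyspace, Map<String, String> credentials) {
            String user = credentials.get("username");   // key names are assumptions
            String given = credentials.get("password");
            String stored = (user == null) ? null : passwd.getProperty(user);
            // Unknown user and wrong password fail identically, so callers cannot enumerate accounts.
            if (keyspace == null || given == null || stored == null || !sameSecret(given, stored))
                throw new SecurityException("authentication failed");
            if (!allowedUsers(keyspace).contains(user))
                throw new SecurityException("not authorized for keyspace " + keyspace);
        }

        /** Forgiving parse: users separated by any run of whitespace and/or commas. */
        Set<String> allowedUsers(String keyspace) {
            Set<String> users = new HashSet<>();
            for (String u : authz.getProperty(keyspace, "").split("[\\s,]+"))
                if (!u.isEmpty()) users.add(u);          // unlisted keyspace: empty set, so deny
            return users;
        }

        private static boolean sameSecret(String a, String b) {
            // MessageDigest.isEqual does not stop at the first differing byte.
            return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                         b.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** Per-connection state, modelled on the loginDone flag named in the review. */
    static final class Session {
        private final Authenticator authenticator;
        private boolean loginDone = false;
        private String keyspace;

        Session(Authenticator authenticator) { this.authenticator = authenticator; }

        void login(String keyspace, Map<String, String> credentials) {
            loginDone = false;                  // a failed re-login must not keep the old grant
            authenticator.login(keyspace, credentials);
            this.keyspace = keyspace;
            loginDone = true;
        }

        /** Gate to call before every data operation. */
        void checkAccess(String requestedKeyspace) {
            // Compatibility case described in the thread: AllowAll does not require login().
            if (authenticator instanceof AllowAllAuthenticator) return;
            if (!loginDone || !keyspace.equals(requestedKeyspace))
                throw new SecurityException("login required for keyspace " + requestedKeyspace);
        }
    }

    static String attempt(Session s, String ks, String user, String password) {
        try {
            s.login(ks, Map.of("username", user, "password", password));
            s.checkAccess(ks);
            return "ok";
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample files; note the mixed separators in the user lists.
        String passwd = "alice=wonderland\nbob=builder\n";
        String authz = "Keyspace1 = alice   bob\nKeyspace2=bob,\tcarol\n";
        Authenticator files = new SimplePropertiesAuthenticator(passwd, authz);

        System.out.println(attempt(new Session(files), "Keyspace1", "alice", "wonderland"));
        System.out.println(attempt(new Session(files), "Keyspace2", "alice", "wonderland"));
        System.out.println(attempt(new Session(files), "Keyspace1", "alice", "guess"));
        System.out.println(attempt(new Session(files), "Keyspace1", "mallory", "guess"));
        try {
            new Session(files).checkAccess("Keyspace1");    // no login() on this connection
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        new Session(new AllowAllAuthenticator()).checkAccess("Keyspace1"); // passes without login()
        System.out.println("AllowAll session passed without login()");
    }
}
```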



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Eric Evans (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12828813#action_12828813 ] 

Eric Evans commented on CASSANDRA-547:
--------------------------------------

> Stage 2, btw, will involve documentation. I'm not forgetting it :) 

Did you forget it, or did I miss it somewhere?

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>             Fix For: 0.6
>
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-auth2-4eevans.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: CASSANDRA-547-auth.patch)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Jonathan Ellis (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795153#action_12795153 ] 

Jonathan Ellis commented on CASSANDRA-547:
------------------------------------------

Oh, I see, ThriftGlue is to work around the breakage the Thrift guys introduced.  That part looks fine.

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: auth.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: auth.patch)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: auth.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment: CASSANDRA-547-auth.patch

one more update, adding a simple built-in authorization scheme

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Issue Comment Edited: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12797236#action_12797236 ] 

Ted Zlatanov edited comment on CASSANDRA-547 at 1/6/10 6:47 PM:
----------------------------------------------------------------

updated patch for eevans comments:

I think abstracting the credentials inside the AuthenticationRequest makes sense because it's very likely authentication and authorization will evolve over time.  Limiting them to just a string-string map is going to bite us eventually.  I'd like to leave this as it is.

I changed to RuntimeException where it made sense (missing MD5 algorithm is still announced to the user since it's requested by them).

I removed the keyspace_ member altogether from AllowAllAuthenticator.  It was not used anyhow.

Everything is named *Authenticator now (save the bytes!)

      was (Author: tzz):
    updated patch for eevans comments
  
> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment: CASSANDRA-547-auth.patch

updated patch for eevans comments

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment: auth.patch

rebased patch as of 2009-12-01

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: CASSANDRA-547-authsimple.patch)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: CASSANDRA-547-auth.patch)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Jonathan Ellis (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795151#action_12795151 ] 

Jonathan Ellis commented on CASSANDRA-547:
------------------------------------------

thanks for the progress!

these should be separate patches:

 - upgrading libthrift
 - refactoring existing code like your introduction of ThriftGlue (which I am skeptical of, btw; I don't see the value in introducing gratuitous factories)
 - adding new functionality

don't submit recompiled gen-java code in your patch; that makes it difficult to eyeball what is really changing.  the committer will take care of that for you.

We know patch management via Jira is painful, but there are some links about how to use git to minimize the pain here: http://wiki.apache.org/cassandra/HowToContribute

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: auth.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: CASSANDRA-547-onekeyspace.patch)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795434#action_12795434 ] 

Ted Zlatanov commented on CASSANDRA-547:
----------------------------------------

If the latest patches are OK, I'll augment the auth patch with a working auth backend with static user credentials from the config file (user name and password specified in the configuration per keyspace).  That will be all for stage1 and I'll go on to stage2: the LDAP and other backends we discussed.

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12802280#action_12802280 ] 

Ted Zlatanov commented on CASSANDRA-547:
----------------------------------------

Thanks for working on this, guys.  I'll do stage 2 (LDAP authentication, primarily) next.  Should I wait for 0.7 or start immediately?

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>             Fix For: 0.7
>
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-auth2-4eevans.patch
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Issue Comment Edited: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Jonathan Ellis (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795153#action_12795153 ] 

Jonathan Ellis edited comment on CASSANDRA-547 at 12/29/09 9:08 PM:
--------------------------------------------------------------------

Oh, I see, ThriftGlue is to work around the breakage the Thrift guys introduced.  That part looks fine.  But, other "style fixes" should still be separated out into their own patch.

      was (Author: jbellis):
    Oh, I see, ThriftGlue is to work around the breakage the Thrift guys introduced.  That part looks fine.
  
> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 0.5
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: auth.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.



[jira] Updated: (CASSANDRA-547) authentication and authorization functions (stage 1)

Posted by "Ted Zlatanov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Zlatanov updated CASSANDRA-547:
-----------------------------------

    Attachment:     (was: CASSANDRA-547-authsimple.patch)

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-authsimple.patch, CASSANDRA-547-onekeyspace.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.
