auth: add maintenance_socket_role_manager

Add `maintenance_socket_role_manager` which will disable all operations associated with roles to not depend on system_auth keyspace, which may be not yet created when the maintenance socket starts listening
2023-11-24 10:43:46 +01:00
parent e682e362a3
commit 11a2748d7f
4 changed files with 183 additions and 1 deletions
--- a/auth/CMakeLists.txt
+++ b/auth/CMakeLists.txt
@@ -20,7 +20,8 @@ target_sources(scylla_auth
    sasl_challenge.cc
    service.cc
    standard_role_manager.cc
-    transitional.cc)
+    transitional.cc
+    maintenance_socket_role_manager.cc)
 target_include_directories(scylla_auth
  PUBLIC
    ${CMAKE_SOURCE_DIR})
--- a/auth/maintenance_socket_role_manager.cc
+++ b/auth/maintenance_socket_role_manager.cc
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2023-present ScyllaDB
+ */
+
+/*
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+#include "auth/maintenance_socket_role_manager.hh"
+
+#include <seastar/core/future.hh>
+#include <stdexcept>
+#include <string_view>
+#include "log.hh"
+#include "utils/class_registrator.hh"
+
+namespace auth {
+
+constexpr std::string_view maintenance_socket_role_manager_name = "com.scylladb.auth.MaintenanceSocketRoleManager";
+
+static const class_registrator<
+        role_manager,
+        maintenance_socket_role_manager,
+        cql3::query_processor&,
+        ::service::migration_manager&> registration(sstring{maintenance_socket_role_manager_name});
+
+
+std::string_view maintenance_socket_role_manager::qualified_java_name() const noexcept {
+    return maintenance_socket_role_manager_name;
+}
+
+const resource_set& maintenance_socket_role_manager::protected_resources() const {
+    static const resource_set resources{};
+
+    return resources;
+}
+
+future<> maintenance_socket_role_manager::start() {
+    return make_ready_future<>();
+}
+
+future<> maintenance_socket_role_manager::stop() {
+    return make_ready_future<>();
+}
+
+template<typename T = void>
+future<T> operation_not_supported_exception(std::string_view operation) {
+    return make_exception_future<T>(
+        std::runtime_error(format("role manager: {} operation not supported through maintenance socket", operation)));
+}
+
+future<> maintenance_socket_role_manager::create(std::string_view role_name, const role_config&) {
+    return operation_not_supported_exception("CREATE");
+}
+
+future<> maintenance_socket_role_manager::drop(std::string_view role_name) {
+    return operation_not_supported_exception("DROP");
+}
+
+future<> maintenance_socket_role_manager::alter(std::string_view role_name, const role_config_update&) {
+    return operation_not_supported_exception("ALTER");
+}
+
+future<> maintenance_socket_role_manager::grant(std::string_view grantee_name, std::string_view role_name) {
+    return operation_not_supported_exception("GRANT");
+}
+
+future<> maintenance_socket_role_manager::revoke(std::string_view revokee_name, std::string_view role_name) {
+    return operation_not_supported_exception("REVOKE");
+}
+
+future<role_set> maintenance_socket_role_manager::query_granted(std::string_view grantee_name, recursive_role_query) {
+    return operation_not_supported_exception<role_set>("QUERY GRANTED");
+}
+
+future<role_set> maintenance_socket_role_manager::query_all() {
+    return operation_not_supported_exception<role_set>("QUERY ALL");
+}
+
+future<bool> maintenance_socket_role_manager::exists(std::string_view role_name) {
+    return operation_not_supported_exception<bool>("EXISTS");
+}
+
+future<bool> maintenance_socket_role_manager::is_superuser(std::string_view role_name) {
+    return make_ready_future<bool>(true);
+}
+
+future<bool> maintenance_socket_role_manager::can_login(std::string_view role_name) {
+    return make_ready_future<bool>(true);
+}
+
+future<std::optional<sstring>> maintenance_socket_role_manager::get_attribute(std::string_view role_name, std::string_view attribute_name) {
+    return operation_not_supported_exception<std::optional<sstring>>("GET ATTRIBUTE");
+}
+
+future<role_manager::attribute_vals> maintenance_socket_role_manager::query_attribute_for_all(std::string_view attribute_name) {
+    return operation_not_supported_exception<role_manager::attribute_vals>("QUERY ATTRIBUTE");
+}
+
+future<> maintenance_socket_role_manager::set_attribute(std::string_view role_name, std::string_view attribute_name, std::string_view attribute_value) {
+    return operation_not_supported_exception("SET ATTRIBUTE");
+}
+
+future<> maintenance_socket_role_manager::remove_attribute(std::string_view role_name, std::string_view attribute_name) {
+    return operation_not_supported_exception("REMOVE ATTRIBUTE");
+}
+
+}
--- a/auth/maintenance_socket_role_manager.hh
+++ b/auth/maintenance_socket_role_manager.hh
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2023-present ScyllaDB
+ */
+
+/*
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+#pragma once
+
+#include "auth/resource.hh"
+#include "auth/role_manager.hh"
+#include "authorizer.hh"
+#include "seastar/core/future.hh"
+#include <stdexcept>
+
+namespace cql3 {
+class query_processor;
+}
+
+namespace service {
+class migration_manager;
+}
+
+namespace auth {
+
+extern const std::string_view maintenance_socket_role_manager_name;
+
+// This role manager is used by the maintenance socket. It has disabled all role management operations to not depend on
+// system_auth keyspace, which may be not yet created when the maintenance socket starts listening.
+class maintenance_socket_role_manager final : public role_manager {
+public:
+    maintenance_socket_role_manager(cql3::query_processor&, ::service::migration_manager&) {}
+
+    virtual std::string_view qualified_java_name() const noexcept override;
+
+    virtual const resource_set& protected_resources() const override ;
+
+    virtual future<> start() override;
+
+    virtual future<> stop() override;
+
+    virtual future<> create(std::string_view role_name, const role_config&) override;
+
+    virtual future<> drop(std::string_view role_name) override;
+
+    virtual future<> alter(std::string_view role_name, const role_config_update&) override;
+
+    virtual future<> grant(std::string_view grantee_name, std::string_view role_name) override;
+
+    virtual future<> revoke(std::string_view revokee_name, std::string_view role_name) override;
+
+    virtual future<role_set> query_granted(std::string_view grantee_name, recursive_role_query) override;
+
+    virtual future<role_set> query_all() override;
+
+    virtual future<bool> exists(std::string_view role_name) override;
+
+    virtual future<bool> is_superuser(std::string_view role_name) override;
+
+    virtual future<bool> can_login(std::string_view role_name) override;
+
+    virtual future<std::optional<sstring>> get_attribute(std::string_view role_name, std::string_view attribute_name) override;
+
+    virtual future<role_manager::attribute_vals> query_attribute_for_all(std::string_view attribute_name) override;
+
+    virtual future<> set_attribute(std::string_view role_name, std::string_view attribute_name, std::string_view attribute_value) override;
+
+    virtual future<> remove_attribute(std::string_view role_name, std::string_view attribute_name) override;
+};
+
+}
--- a/configure.py
+++ b/configure.py
@@ -1135,6 +1135,7 @@ scylla_core = (['message/messaging_service.cc',
                'auth/service.cc',
                'auth/standard_role_manager.cc',
                'auth/transitional.cc',
+                'auth/maintenance_socket_role_manager.cc',
                'auth/role_or_anonymous.cc',
                'auth/sasl_challenge.cc',
                'auth/certificate_authenticator.cc',