From: samt@apache.org To: commits@cassandra.apache.org Date: Fri, 28 Oct 2016 15:20:25 -0000 Message-Id: <0fbc79c2ea20430d8c552c7525af2860@git.apache.org> In-Reply-To: <6c9182fe865f4a1095779811eb310a94@git.apache.org> References: <6c9182fe865f4a1095779811eb310a94@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [03/10] cassandra git commit: Prepare legacy auth statements if tables initialised after node startup archived-at: Fri, 28 Oct 2016 15:20:26 -0000 Prepare legacy auth statements if tables initialised after node startup Patch by Alex Petrov; reviewed by Sam Tunnicliffe for CASSANDRA-12813 Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/312e21bd Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/312e21bd Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/312e21bd Branch: refs/heads/cassandra-3.X Commit: 312e21bda7c50f05fc5f8868740b513022385951 Parents: eaf46a1 Author: Alex Petrov Authored: Fri Oct 21 16:58:33 2016 +0200 Committer: Sam Tunnicliffe Committed: Fri Oct 28 16:04:36 2016 +0100 ---------------------------------------------------------------------- CHANGES.txt | 1 + .../cassandra/auth/CassandraAuthorizer.java | 14 +++++-- .../cassandra/auth/PasswordAuthenticator.java | 40 ++++++++++++++------ 3 files changed, 40 insertions(+), 15 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cassandra/blob/312e21bd/CHANGES.txt ---------------------------------------------------------------------- diff --git a/CHANGES.txt b/CHANGES.txt index a22439b..b33ef8d 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
@@ -1,4 +1,5 @@
 2.2.9
+ * Prepare legacy authenticate statement if credentials table initialised after node startup (CASSANDRA-12813)
 * Change cassandra.wait_for_tracing_events_timeout_secs default to 0 (CASSANDRA-12754)
 * Clean up permissions when a UDA is dropped (CASSANDRA-12720)
 * Limit colUpdateTimeDelta histogram updates to reasonable deltas (CASSANDRA-11117)
http://git-wip-us.apache.org/repos/asf/cassandra/blob/312e21bd/src/java/org/apache/cassandra/auth/CassandraAuthorizer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/auth/CassandraAuthorizer.java b/src/java/org/apache/cassandra/auth/CassandraAuthorizer.java
index 88069a2..360d59a 100644
--- a/src/java/org/apache/cassandra/auth/CassandraAuthorizer.java
+++ b/src/java/org/apache/cassandra/auth/CassandraAuthorizer.java
@@ -209,11 +209,19 @@ public class CassandraAuthorizer implements IAuthorizer Lists.newArrayList(ByteBufferUtil.bytes(role.getRoleName()), ByteBufferUtil.bytes(resource.getName()))); + SelectStatement statement; // If it exists, read from the legacy user permissions table to handle the case where the cluster // is being upgraded and so is running with mixed versions of the authz schema - SelectStatement statement = Schema.instance.getCFMetaData(AuthKeyspace.NAME, USER_PERMISSIONS) == null - ? authorizeRoleStatement - : legacyAuthorizeRoleStatement; + if (Schema.instance.getCFMetaData(AuthKeyspace.NAME, USER_PERMISSIONS) == null) + statement = authorizeRoleStatement; + else + { + // If the permissions table was initialised only after the statement got prepared, re-prepare (CASSANDRA-12813) + if (legacyAuthorizeRoleStatement == null) + legacyAuthorizeRoleStatement = prepare(USERNAME, USER_PERMISSIONS); + statement = legacyAuthorizeRoleStatement; + } + ResultMessage.Rows rows = statement.execute(QueryState.forInternalCalls(), options) ; UntypedResultSet result = UntypedResultSet.create(rows.result); http://git-wip-us.apache.org/repos/asf/cassandra/blob/312e21bd/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java b/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java index c0d2283..20f8790 100644 --- a/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java +++ b/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java 
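Review bot: The lazy initialisation of `legacyAuthorizeRoleStatement` in the new `else` branch is a check-then-assign on a shared field with no synchronisation visible in the hunk, and it now runs on the authorization path instead of only at setup. Concurrent permission checks can each observe `null` and call `prepare(USERNAME, USER_PERMISSIONS)`; that is harmless only if preparing twice is idempotent and the field is safely published, and its declaration is outside the hunk, so whether it is `volatile` cannot be confirmed from here. The same pattern is introduced in `authenticationStatement()` in PasswordAuthenticator.java. It would also be worth recording what happens if the legacy table is dropped between the `getCFMetaData` check and the `prepare` call, because a failure there surfaces in the middle of an authorization decision; a comment such as `// benign race: prepare is idempotent, worst case the statement is prepared more than once` next to the null check would state the intent. The enclosing method starts and ends outside the hunk.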
@@ -77,11 +77,7 @@ public class PasswordAuthenticator implements IAuthenticator { try { - // If the legacy users table exists try to verify credentials there. This is to handle the case - // where the cluster is being upgraded and so is running with mixed versions of the authn tables - SelectStatement authenticationStatement = Schema.instance.getCFMetaData(AuthKeyspace.NAME, LEGACY_CREDENTIALS_TABLE) == null - ? authenticateStatement - : legacyAuthenticateStatement; + SelectStatement authenticationStatement = authenticationStatement(); return doAuthenticate(username, password, authenticationStatement); } catch (RequestExecutionException e) @@ -91,6 +87,23 @@ public class PasswordAuthenticator implements IAuthenticator } } + /** + * If the legacy users table exists try to verify credentials there. This is to handle the case + * where the cluster is being upgraded and so is running with mixed versions of the authn tables + */ + private SelectStatement authenticationStatement() + { + if (Schema.instance.getCFMetaData(AuthKeyspace.NAME, LEGACY_CREDENTIALS_TABLE) == null) + return authenticateStatement; + else + { + // If the credentials was initialised only after statement got prepared, re-prepare (CASSANDRA-12813). + if (legacyAuthenticateStatement == null) + prepareLegacyAuthenticateStatement(); + return legacyAuthenticateStatement; + } + } + public Set protectedResources() { // Also protected by CassandraRoleManager, but the duplication doesn't hurt and is more explicit 
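Review bot: The inline comment in the new `authenticationStatement()` helper reads "If the credentials was initialised only after statement got prepared", which drops the word "table" and is hard to parse; `// If the legacy credentials table was created only after setup prepared the statements, prepare the legacy statement now (CASSANDRA-12813).` says the same thing clearly. The Javadoc carried over from the old inline comment describes the upgrade scenario but not the result, so an `@return` line stating that the legacy statement is returned whenever the legacy credentials table is present in the schema, and the regular statement otherwise, would help anyone reading the authentication path. Since the first branch returns, the `else` block around the second is unnecessary and could be flattened.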
@@ -110,13 +123,16 @@ public class PasswordAuthenticator implements IAuthenticator authenticateStatement = prepare(query); if (Schema.instance.getCFMetaData(AuthKeyspace.NAME, LEGACY_CREDENTIALS_TABLE) != null) - { - query = String.format("SELECT %s from %s.%s WHERE username = ?", - SALTED_HASH, - AuthKeyspace.NAME, - LEGACY_CREDENTIALS_TABLE); - legacyAuthenticateStatement = prepare(query); - } + prepareLegacyAuthenticateStatement(); + } + + private void prepareLegacyAuthenticateStatement() + { + String query = String.format("SELECT %s from %s.%s WHERE username = ?", + SALTED_HASH, + AuthKeyspace.NAME, + LEGACY_CREDENTIALS_TABLE); + legacyAuthenticateStatement = prepare(query); } public AuthenticatedUser legacyAuthenticate(Map credentials) throws AuthenticationException
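Review bot: `prepareLegacyAuthenticateStatement()` carries no comment stating its precondition, and it is now called from two places: the setup code in this hunk and the lazy path in `authenticationStatement()`. Both visible callers check `Schema.instance.getCFMetaData(AuthKeyspace.NAME, LEGACY_CREDENTIALS_TABLE)` first, so the helper presumably relies on the legacy table existing when `prepare` runs. A short Javadoc such as `/** Prepares the SELECT against the legacy credentials table; callers must first confirm the table exists in the schema. */` would make that contract explicit for future callers. The method containing the first changed lines starts outside the hunk.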