[ 
https://issues.apache.org/jira/browse/CASSANDRA-5651?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13686487#comment-13686487
 ] 

Aleksey Yeschenko commented on CASSANDRA-5651:
----------------------------------------------

This is done how it's done for two reasons:

1. User existence validation. We don't want someone to accidentally 
grant/revoke/make superuser a non-existent user, silently, then have that user 
created later and have these accidental permissions. We chose to keep the 
registry in Cassandra itself because there are cases where an authenticator 
itself cannot answer the question (Auth.isExistingUser()) easily (with 
Kerberos, for example).

2. Superuser status management. For every implementation to not reinvent the 
wheel, Cassandra manages it itself.

So it's not there just for authentication purposes, it bridges different 
authenticator/authorizer implementations, too. So it's not as simple as 
"another boolean method similar to IAuthenticator.requireAuthentication() so 
that custom authentication plugin can skip this isExistingUser check if needed".
                
> Custom authentication plugin should not need to prepopulate users in 
> system_auth.users column family
> ----------------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-5651
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-5651
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 1.2.5
>         Environment: RHEL 6.3, jdk 1.7
>            Reporter: Bao Le
>
> Current implementation in ClientState.login makes a call to 
> Auth.isExistingUser(user.getName()) if the AuthenticatedUser is not 
> Anonymous. This involves querying the system_auth.users column family.
> Our custom authentication plugin does not need to pre-create and store users, 
> and it worked fine under 1.1.5. On 1.2.5, however, we run into an 
> authentication problem because of this.
> I feel we should either do this isExistingUser check inside 
> IAuthenticator.authenticate, or expose another boolean method similar to 
> IAuthenticator.requireAuthentication() so that custom authentication plugin 
> can skip this isExistingUser check if needed.
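
The first reason given in the comment above, as an added example that is not Cassandra's code and not part of the original thread: a constructed Python model in which a grant to a mistyped name is either stored silently and inherited later, or rejected by a central registry check. All class, method, user and resource names are hypothetical.

```python
# Constructed model; every name here is hypothetical, not Cassandra's API.
class UnknownUser(LookupError):
    """Grantee is not in the user registry."""

class NameKeyedAuthorizer:
    """No user registry: any string is accepted as a grantee."""
    def __init__(self):
        self.grants = {}

    def create_user(self, name, superuser=False):
        pass  # users exist only in the external authenticator

    def grant(self, user, permission, resource):
        self.grants.setdefault(user, set()).add((permission, resource))

    def permissions(self, user):
        return set(self.grants.get(user, ()))

class RegistryCheckedAuthorizer(NameKeyedAuthorizer):
    """Grantees must exist in a central registry, which also holds superuser
    status so that no authenticator or authorizer has to track it itself."""
    def __init__(self):
        super().__init__()
        self.users = {}  # user name -> is_superuser

    def create_user(self, name, superuser=False):
        self.users[name] = superuser

    def is_superuser(self, name):
        self._require(name)
        return self.users[name]

    def grant(self, user, permission, resource):
        self._require(user)  # reject grants to names nobody has created
        super().grant(user, permission, resource)

    def _require(self, name):
        if name not in self.users:
            raise UnknownUser(name)

def typo_then_create(authorizer):
    """Grant to a mistyped name, then let that name become a real user."""
    rejected = False
    try:
        authorizer.grant("bobb", "MODIFY", "ks.payments")  # meant "bob"
    except UnknownUser:
        rejected = True
    authorizer.create_user("bobb")
    return rejected, authorizer.permissions("bobb")
```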
