This is an automated email from the ASF dual-hosted git repository. samt pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/cassandra-dtest.git
commit 1f5aefdc23b5cd27dea056d119ff5d9c9801030a Author: Aleksei Zotov <[email protected]> AuthorDate: Sun Aug 22 19:30:34 2021 +0400 Add JMX auth test Patch by Aleksei Zotov; reviewed by Sam Tunnicliffe for CASSANDRA-16404 --- auth_test.py | 8 ++++---- jmx_auth_test.py | 47 +++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 49 insertions(+), 6 deletions(-) diff --git a/auth_test.py b/auth_test.py index ca2056c..bd46688 100644 --- a/auth_test.py +++ b/auth_test.py @@ -8,9 +8,9 @@ import re import pytest import logging -from cassandra import AuthenticationFailed, InvalidRequest, Unauthorized, Unavailable +from cassandra import AuthenticationFailed, InvalidRequest, Unauthorized from cassandra.cluster import NoHostAvailable -from cassandra.protocol import ServerError, SyntaxException +from cassandra.protocol import SyntaxException from dtest_setup_overrides import DTestSetupOverrides from dtest import Tester @@ -24,6 +24,7 @@ from tools.misc import ImmutableMapping since = pytest.mark.since logger = logging.getLogger(__name__) + class TestAuth(Tester): @pytest.fixture(autouse=True) @@ -3047,8 +3048,7 @@ class TestNetworkAuth(Tester): fixture_dtest_setup.superuser.execute("CREATE TABLE ks.tbl (k int primary key, v int)") def username(self): - return ''.join(random.choice(string.ascii_lowercase) for _ in range(8)); - + return ''.join(random.choice(string.ascii_lowercase) for _ in range(8)) def create_user(self, query_fmt, username): """ diff --git a/jmx_auth_test.py b/jmx_auth_test.py index 199e525..e5b3d03 100644 --- a/jmx_auth_test.py +++ b/jmx_auth_test.py @@ -1,3 +1,5 @@ +import random +import string import pytest import logging from distutils.version import LooseVersion @@ -12,12 +14,14 @@ logger = logging.getLogger(__name__) @since('3.6') class TestJMXAuth(Tester): + """ + Uses nodetool as a means of exercising the JMX interface as JolokiaAgent + exposes its own connector which bypasses the in-built security features + """ def test_basic_auth(self): """ Some basic smoke testing of JMX authentication and authorization. - Uses nodetool as a means of exercising the JMX interface as JolokiaAgent - exposes its own connector which bypasses the in-built security features @jira_ticket CASSANDRA-10091 """ self.prepare() @@ -55,6 +59,42 @@ class TestJMXAuth(Tester): # superuser status applies to JMX authz too node.nodetool('-u cassandra -pw cassandra gossipinfo') + @since('4.1') + def test_revoked_jmx_access(self): + """ + if a user's access to a JMX MBean is revoked while they're connected, + all of their requests should fail once the cache is cleared. + @jira_ticket CASSANDRA-16404 + """ + self.prepare(permissions_validity=60000) + [node] = self.cluster.nodelist() + + def test_revoked_access(cache_name): + logger.debug('Testing with cache name: %s' % cache_name) + username = self.username() + session = self.patient_cql_connection(node, user='cassandra', password='cassandra') + session.execute("CREATE ROLE %s WITH LOGIN=true AND PASSWORD='abc123'" % username) + session.execute("GRANT SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' TO %s" % username) + session.execute("GRANT DESCRIBE ON ALL MBEANS TO %s" % username) + + # works fine + node.nodetool('-u %s -pw abc123 gossipinfo' % username) + + session.execute("REVOKE SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' FROM %s" % username) + # works fine because the JMX permission is cached + node.nodetool('-u %s -pw abc123 gossipinfo' % username) + + node.nodetool('-u cassandra -pw cassandra invalidatejmxpermissionscache') + # the user has no permissions to the JMX resource anymore + with pytest.raises(ToolError, match='Access Denied'): + node.nodetool('-u %s -pw abc123 gossipinfo' % username) + + test_revoked_access("JmxPermissionsCache") + + # deprecated cache name, scheduled for removal in 5.0 + if self.dtest_config.cassandra_version_from_build < '5.0': + test_revoked_access("JMXPermissionsCache") + def prepare(self, nodes=1, permissions_validity=0): config = {'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator', 'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer', @@ -69,3 +109,6 @@ class TestJMXAuth(Tester): def authentication_fail_message(self, node, username): return "Provided username {user} and/or password are incorrect".format(user=username) \ if node.cluster.version() >= LooseVersion('3.10') else "Username and/or password are incorrect" + + def username(self): + return ''.join(random.choice(string.ascii_lowercase) for _ in range(8)) \ No newline at end of file --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
