smiklosovic commented on code in PR #3564:
URL: https://github.com/apache/cassandra/pull/3564#discussion_r1776586877


##########
conf/cassandra.yaml:
##########
@@ -157,83 +157,105 @@ auto_hints_cleanup_enabled: false
 batchlog_replay_throttle: 1024KiB
 
 # Authentication backend, implementing IAuthenticator; used to identify users
-# Out of the box, Cassandra provides 
org.apache.cassandra.auth.{AllowAllAuthenticator,
-# PasswordAuthenticator}.
+# Optional parameters can be specified in the form of:
+#   parameters:
+#    param_key1: param_value1
+#    ...
 #
+# Out of the box, Cassandra provides 
org.apache.cassandra.auth.{AllowAllAuthenticator,
+# PasswordAuthenticator, MutualTlsAuthenticator}.
 # - AllowAllAuthenticator performs no checks - set it to disable 
authentication.
 # - PasswordAuthenticator relies on username/password pairs to authenticate
 #   users. It keeps usernames and hashed passwords in system_auth.roles table.
 #   Please increase system_auth keyspace replication factor if you use this 
authenticator.
 #   If using PasswordAuthenticator, CassandraRoleManager must also be used 
(see below)
+# - MutualTlsAuthenticator can be configured using the following parameter. 
One can
+#   add their own validator which implements MutualTlsCertificateValidator 
class and
+#   provide logic for extracting identity out of certificates and validating 
certificates.
+#       validator_class_name: 
org.apache.cassandra.auth.SpiffeCertificateValidator
 authenticator:
-  class_name : org.apache.cassandra.auth.AllowAllAuthenticator
-# MutualTlsAuthenticator can be configured using the following configuration. 
One can add their own validator
-# which implements MutualTlsCertificateValidator class and provide logic for 
extracting identity out of certificates
-# and validating certificates.
-#  class_name : org.apache.cassandra.auth.MutualTlsAuthenticator
-#  parameters :
-#    validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
+  class_name: AllowAllAuthenticator
 
 # Authorization backend, implementing IAuthorizer; used to limit 
access/provide permissions
+# Optional parameters can be specified in the form of:
+#   parameters:
+#    param_key1: param_value1
+#    ...
+#
 # Out of the box, Cassandra provides 
org.apache.cassandra.auth.{AllowAllAuthorizer,
 # CassandraAuthorizer}.
-#
 # - AllowAllAuthorizer allows any action to any user - set it to disable 
authorization.
 # - CassandraAuthorizer stores permissions in system_auth.role_permissions 
table. Please
 #   increase system_auth keyspace replication factor if you use this 
authorizer.
-authorizer: AllowAllAuthorizer
+authorizer:
+  class_name: AllowAllAuthorizer
 
 # Part of the Authentication & Authorization backend, implementing 
IRoleManager; used
 # to maintain grants and memberships between roles.
+# Optional parameters can be specified in the form of:
+#   parameters:
+#    param_key1: param_value1
+#    ...
+#
 # Out of the box, Cassandra provides 
org.apache.cassandra.auth.CassandraRoleManager,
 # which stores role information in the system_auth keyspace. Most functions of 
the
 # IRoleManager require an authenticated login, so unless the configured 
IAuthenticator
 # actually implements authentication, most of this functionality will be 
unavailable.
-#
 # - CassandraRoleManager stores role data in the system_auth keyspace. Please
 #   increase system_auth keyspace replication factor if you use this role 
manager.
-role_manager: CassandraRoleManager
+role_manager:
+  class_name: CassandraRoleManager
 
 # Network authorization backend, implementing INetworkAuthorizer; used to 
restrict user
 # access to certain DCs
+# Optional parameters can be specified in the form of:
+#   parameters:
+#    param_key1: param_value1
+#    ...
+#
 # Out of the box, Cassandra provides 
org.apache.cassandra.auth.{AllowAllNetworkAuthorizer,
 # CassandraNetworkAuthorizer}.
-#
 # - AllowAllNetworkAuthorizer allows access to any DC to any user - set it to 
disable authorization.
 # - CassandraNetworkAuthorizer stores permissions in 
system_auth.network_permissions table. Please
 #   increase system_auth keyspace replication factor if you use this 
authorizer.
-network_authorizer: AllowAllNetworkAuthorizer
+network_authorizer:
+  class_name: AllowAllNetworkAuthorizer
 
 # CIDR authorization backend, implementing ICIDRAuthorizer; used to restrict 
user
 # access from certain CIDRs
+# Optional parameters can be specified in the form of:
+#   parameters:
+#    param_key1: param_value1
+#    ...
+#
 # Out of the box, Cassandra provides 
org.apache.cassandra.auth.{AllowAllCIDRAuthorizer,
 # CassandraCIDRAuthorizer}.
 # - AllowAllCIDRAuthorizer allows access from any CIDR to any user - set it to 
disable CIDR authorization.
 # - CassandraCIDRAuthorizer stores user's CIDR permissions in 
system_auth.cidr_permissions table. Please
 #   increase system_auth keyspace replication factor if you use this 
authorizer, otherwise any changes to
 #   system_auth tables being used by this feature may be lost when a host goes 
down.
+#   Below parameters are used only when CIDR authorizer is enabled
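
Review bot: In the authenticator comment block, `validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator` now stands alone, without the `class_name : org.apache.cassandra.auth.MutualTlsAuthenticator` and `parameters :` lines that the removed block showed, so the comment no longer shows that the validator is nested under `parameters:` of the `authenticator:` entry. An operator enabling mutual TLS has to combine this line with the generic `parameters:` template further up, and that template indents `param_key1` by one space under `parameters:` while the active keys such as `class_name:` use two. Consider keeping a commented-out `class_name` / `parameters` / `validator_class_name` example directly under `authenticator:` with the same two-space indentation, and replacing the five repeated "Optional parameters can be specified in the form of" blocks with a one-line note where needed.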

Review Comment:
   @tiagomlalves well, this pattern you use here is not exactly what we want. The issue is with the ordering. How it is supposed to work is that as a reader reads the configuration file, he will just un-comment the respective configuration property _in place_.

   In other words, we do not want a user to copy + paste the configuration properties, as would now be necessary because you moved everything above. We just want him to read the configuration file and uncomment one `#` to make the configuration property active and still have that configuration property documented directly above it.

   Just mention it for a configuration which can take parameters, where it is not already obvious; a simple one-liner is enough.


