Re: [PR] CEP-50/CASS-20834: Factoring out assumption of a single node-wide authenticator [cassandra]

via GitHub Wed, 29 Oct 2025 10:15:14 -0700


smiklosovic commented on code in PR #4427:
URL: https://github.com/apache/cassandra/pull/4427#discussion_r2474310242



##########
test/unit/org/apache/cassandra/auth/AuthConfigTest.java:
##########
@@ -78,26 +115,64 @@ public void 
testNewInstanceForMutualTlsWithPasswordFallbackAuthenticator()
         config.authenticator.class_name = 
"org.apache.cassandra.auth.MutualTlsWithPasswordFallbackAuthenticator";
         config.authenticator.parameters = 
Collections.singletonMap("validator_class_name", 
"org.apache.cassandra.auth.SpiffeCertificateValidator");
         DatabaseDescriptor.setConfig(config);
-        MutualTlsWithPasswordFallbackAuthenticator authenticator = 
ParameterizedClass.newInstance(config.authenticator,
-                                                                               
                   Arrays.asList("", "org.apache.cassandra.auth."));
+        AuthConfig.applyAuth();
+
+        IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
         assertNotNull(authenticator);
-        unregisterIdentitesCache();
+
+        // MutualTlsWithPasswordFallbackAuthenticator is-a 
PasswordAuthenticator, so we expect getAuthenticator to
+        // return it when asked to return a PasswordAuthenticator.
+        
assertThat(DatabaseDescriptor.getAuthenticator(PasswordAuthenticator.class))
+            .isPresent()
+            .get()
+            .isSameAs(authenticator);
+        
assertThat(DatabaseDescriptor.getAuthenticator(MutualTlsAuthenticator.class)).isEmpty();
+        
assertThat(DatabaseDescriptor.getAuthenticator(MutualTlsWithPasswordFallbackAuthenticator.class))
+            .isPresent()
+            .get()
+            .isSameAs(authenticator);
+
+        // Similarly, we expect the same role options as for 
PasswordAuthenticator.
+        
assertTrue(DatabaseDescriptor.getRoleManager().supportedOptions().containsAll(CassandraRoleManager.DEFAULT_SUPPORTED_ROLE_OPTIONS));
+        
assertTrue(DatabaseDescriptor.getRoleManager().supportedOptions().containsAll(PasswordAuthenticator.SUPPORTED_ROLE_OPTIONS));
+        
assertTrue(DatabaseDescriptor.getRoleManager().alterableOptions().containsAll(CassandraRoleManager.DEFAULT_ALTERABLE_ROLE_OPTIONS));
+        
assertTrue(DatabaseDescriptor.getRoleManager().alterableOptions().containsAll(PasswordAuthenticator.ALTERABLE_ROLE_OPTIONS));
     }
 
     @Test
-    public void testNewInstanceForMutualTlsAuthenticator() throws IOException, 
CertificateException
+    public void testNewInstanceForMutualTlsAuthenticator()
     {
         Config config = load("cassandra-mtls.yaml");
         config.client_encryption_options.applyConfig();
         DatabaseDescriptor.setConfig(config);
-        MutualTlsAuthenticator authenticator = 
ParameterizedClass.newInstance(config.authenticator,
-                                                                              
Arrays.asList("", "org.apache.cassandra.auth."));
+        AuthConfig.applyAuth();
+
+        IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
         assertNotNull(authenticator);
-        unregisterIdentitesCache();
+
+        
assertThat(DatabaseDescriptor.getAuthenticator(PasswordAuthenticator.class)).isEmpty();
+        
assertThat(DatabaseDescriptor.getAuthenticator(MutualTlsAuthenticator.class))
+            .isPresent()
+            .get()
+            .isSameAs(authenticator);
+        
assertThat(DatabaseDescriptor.getAuthenticator(MutualTlsWithPasswordFallbackAuthenticator.class)).isEmpty();
+
+        
assertTrue(DatabaseDescriptor.getRoleManager().supportedOptions().containsAll(CassandraRoleManager.DEFAULT_SUPPORTED_ROLE_OPTIONS));
+        
assertTrue(DatabaseDescriptor.getRoleManager().supportedOptions().containsAll(authenticator.getSupportedRoleOptions()));
+        
assertTrue(DatabaseDescriptor.getRoleManager().alterableOptions().containsAll(CassandraRoleManager.DEFAULT_ALTERABLE_ROLE_OPTIONS));
+        
assertTrue(DatabaseDescriptor.getRoleManager().alterableOptions().containsAll(authenticator.getAlterableRoleOptions()));
     }
 
-    private void unregisterIdentitesCache()
+    private void unregisterCaches()
     {
-        
MBeanWrapper.instance.unregisterMBean("org.apache.cassandra.auth:type=IdentitiesCache");
+        if 
(MBeanWrapper.instance.isRegistered("org.apache.cassandra.auth:type=IdentitiesCache"))
+        {
+            
MBeanWrapper.instance.unregisterMBean("org.apache.cassandra.auth:type=IdentitiesCache");

Review Comment:
   You can reuse `AuthCache.MBEAN_NAME_BASE` constant and you would add just 
values for "type" here.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Re: [PR] CEP-50/CASS-20834: Factoring out assumption of a single node-wide authenticator [cassandra]

Reply via email to