[jira] [Commented] (CASSANDRA-15089) CassandraNetworkAuthorizer::authorize should get role details from Roles, not directly from IRoleManager
[ https://issues.apache.org/jira/browse/CASSANDRA-15089?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16820518#comment-16820518 ] Blake Eggleston commented on CASSANDRA-15089: - +1 > CassandraNetworkAuthorizer::authorize should get role details from Roles, not > directly from IRoleManager > > > Key: CASSANDRA-15089 > URL: https://issues.apache.org/jira/browse/CASSANDRA-15089 > Project: Cassandra > Issue Type: Bug > Components: Feature/Authorization >Reporter: Sam Tunnicliffe >Assignee: Sam Tunnicliffe >Priority: Normal > Fix For: 4.0 > > > If the network permissions cache doesn't contain any entry for a role, the > authorize method is invoked on the configured INetworkAuthorizer. In the case > of CassandraNetworkAuthorizer, this immediately checks whether the role in > question has the LOGIN privilege set. It does this using the configured > IRoleManager directly, which causes a read from the underlying table in > system_auth. It should fetch the flag from Roles::canLogin, which uses the > RolesCache, falling back to the IRoleManager if necessary. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-15089) CassandraNetworkAuthorizer::authorize should get role details from Roles, not directly from IRoleManager
[ https://issues.apache.org/jira/browse/CASSANDRA-15089?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16820006#comment-16820006 ] Sam Tunnicliffe commented on CASSANDRA-15089: - The patch breaks a dtest which was relying on the LOGIN privilege not being cached. ||dtest PR||CI|| |[15089|https://github.com/apache/cassandra-dtest/pull/50]|[circle|https://circleci.com/gh/beobal/workflows/cassandra/tree/cci%2F15089-trunk] > CassandraNetworkAuthorizer::authorize should get role details from Roles, not > directly from IRoleManager > > > Key: CASSANDRA-15089 > URL: https://issues.apache.org/jira/browse/CASSANDRA-15089 > Project: Cassandra > Issue Type: Bug > Components: Feature/Authorization >Reporter: Sam Tunnicliffe >Assignee: Sam Tunnicliffe >Priority: Normal > Fix For: 4.0 > > > If the network permissions cache doesn't contain any entry for a role, the > authorize method is invoked on the configured INetworkAuthorizer. In the case > of CassandraNetworkAuthorizer, this immediately checks whether the role in > question has the LOGIN privilege set. It does this using the configured > IRoleManager directly, which causes a read from the underlying table in > system_auth. It should fetch the flag from Roles::canLogin, which uses the > RolesCache, falling back to the IRoleManager if necessary. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
