Pass client address to authenticator when attempting SASL auth
Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/8a8427d7
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/8a8427d7
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/8a8427d7
Branch: refs/heads/trunk
Commit: 8a8427d73044646488d3700d2b967f0dfa3c7148
Parents: 87f5e2e
Author: Sam Tunnicliffe <s...@beobal.com>
Authored: Tue Oct 27 16:36:49 2015 +0000
Committer: Sam Tunnicliffe <s...@beobal.com>
Committed: Tue Nov 3 17:29:28 2015 +0000
----------------------------------------------------------------------
CHANGES.txt | 1 +
NEWS.txt | 3 +++
src/java/org/apache/cassandra/auth/AllowAllAuthenticator.java | 3 ++-
src/java/org/apache/cassandra/auth/IAuthenticator.java | 5 ++++-
src/java/org/apache/cassandra/auth/PasswordAuthenticator.java | 3 ++-
src/java/org/apache/cassandra/transport/ServerConnection.java | 4 ++--
.../org/apache/cassandra/transport/messages/AuthResponse.java | 2 +-
7 files changed, 15 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cassandra/blob/8a8427d7/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index e0208c6..9266386 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
 3.0
+ * Add client address argument to IAuthenticator::newSaslNegotiator (CASSANDRA-8068)
 * Fix implementation of LegacyLayout.LegacyBoundComparator (CASSANDRA-10602)
 * Don't use 'names query' read path for counters (CASSANDRA-10572)
 * Fix backward compatibility for counters (CASSANDRA-10470)
http://git-wip-us.apache.org/repos/asf/cassandra/blob/8a8427d7/NEWS.txt
----------------------------------------------------------------------
diff --git a/NEWS.txt b/NEWS.txt
index aa19fcb..fdebbf2 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -45,6 +45,9 @@ New features Upgrading --------- + - A new argument of type InetAdress has been added to IAuthenticator::newSaslNegotiator, + representing the IP address of the client attempting authentication. It will be a breaking + change for any custom implementations. - token-generator tool has been removed. - Upgrade to 3.0 is supported from Cassandra 2.1 versions greater or equal to 2.1.9, or Cassandra 2.2 versions greater or equal to 2.2.2. Upgrade from Cassandra 2.0 and http://git-wip-us.apache.org/repos/asf/cassandra/blob/8a8427d7/src/java/org/apache/cassandra/auth/AllowAllAuthenticator.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/auth/AllowAllAuthenticator.java b/src/java/org/apache/cassandra/auth/AllowAllAuthenticator.java index bc00c3e..7b21dc6 100644 --- a/src/java/org/apache/cassandra/auth/AllowAllAuthenticator.java +++ b/src/java/org/apache/cassandra/auth/AllowAllAuthenticator.java @@ -17,6 +17,7 @@ */ package org.apache.cassandra.auth; +import java.net.InetAddress; import java.util.Collections; import java.util.Map; import java.util.Set; @@ -46,7 +47,7 @@ public class AllowAllAuthenticator implements IAuthenticator { } - public SaslNegotiator newSaslNegotiator() + public SaslNegotiator newSaslNegotiator(InetAddress clientAddress) { return AUTHENTICATOR_INSTANCE; } http://git-wip-us.apache.org/repos/asf/cassandra/blob/8a8427d7/src/java/org/apache/cassandra/auth/IAuthenticator.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/auth/IAuthenticator.java b/src/java/org/apache/cassandra/auth/IAuthenticator.java index 24792f6..ccbdb75 100644 --- a/src/java/org/apache/cassandra/auth/IAuthenticator.java +++ b/src/java/org/apache/cassandra/auth/IAuthenticator.java @@ -17,6 +17,7 @@ */ package org.apache.cassandra.auth; +import java.net.InetAddress; import java.util.Map; import java.util.Set; 
@@ -56,10 +57,12 @@ public interface IAuthenticator
 * Provide a SASL handler to perform authentication for an single connection. SASL
 * is a stateful protocol, so a new instance must be used for each authentication
 * attempt.
+ * @param clientAddress the IP address of the client whom we wish to authenticate, or null
+ * if an internal client (one not connected over the remote transport).
 * @return org.apache.cassandra.auth.IAuthenticator.SaslNegotiator implementation
 * (see {@link org.apache.cassandra.auth.PasswordAuthenticator.PlainTextSaslAuthenticator})
 */
- SaslNegotiator newSaslNegotiator();
+ SaslNegotiator newSaslNegotiator(InetAddress clientAddress);
 /**
 * For implementations which support the Thrift login method that accepts arbitrary
http://git-wip-us.apache.org/repos/asf/cassandra/blob/8a8427d7/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java b/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
index c0d2283..0482199 100644
--- a/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
+++ b/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
@@ -17,6 +17,7 @@
 */
 package org.apache.cassandra.auth;
+import java.net.InetAddress;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Map;
@@ -132,7 +133,7 @@ public class PasswordAuthenticator implements IAuthenticator
 return authenticate(username, password);
 }
- public SaslNegotiator newSaslNegotiator()
+ public SaslNegotiator newSaslNegotiator(InetAddress clientAddress)
 {
 return new PlainTextSaslAuthenticator();
 }
http://git-wip-us.apache.org/repos/asf/cassandra/blob/8a8427d7/src/java/org/apache/cassandra/transport/ServerConnection.java
----------------------------------------------------------------------
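Review bot: The new `@param clientAddress` javadoc on `newSaslNegotiator` in IAuthenticator.java says the value may be null but gives implementers no guidance on how far the address can be trusted. Both in-tree implementations changed by this commit (AllowAllAuthenticator, PasswordAuthenticator) ignore the argument, so custom authenticators are the only consumers, and each has to null-check before using it. The address is presumably the peer address as the transport sees it, which behind a proxy, load balancer or NAT would be the intermediary rather than the end client; that is not visible in this diff and should be confirmed. I would extend the javadoc with something like `* The address is as reported by the transport and may belong to an intermediary; use it for logging or as an additional policy input, never as the sole authentication factor.` The javadoc block opens above this hunk.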
diff --git a/src/java/org/apache/cassandra/transport/ServerConnection.java b/src/java/org/apache/cassandra/transport/ServerConnection.java
index dbaf123..d0796c3 100644
--- a/src/java/org/apache/cassandra/transport/ServerConnection.java
+++ b/src/java/org/apache/cassandra/transport/ServerConnection.java
@@ -110,10 +110,10 @@ public class ServerConnection extends Connection
 }
 }
- public IAuthenticator.SaslNegotiator getSaslNegotiator()
+ public IAuthenticator.SaslNegotiator getSaslNegotiator(QueryState queryState)
 {
 if (saslNegotiator == null)
- saslNegotiator = DatabaseDescriptor.getAuthenticator().newSaslNegotiator();
+ saslNegotiator = DatabaseDescriptor.getAuthenticator().newSaslNegotiator(queryState.getClientAddress());
 return saslNegotiator;
 }
 }
http://git-wip-us.apache.org/repos/asf/cassandra/blob/8a8427d7/src/java/org/apache/cassandra/transport/messages/AuthResponse.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/transport/messages/AuthResponse.java b/src/java/org/apache/cassandra/transport/messages/AuthResponse.java
index 257a26a..ca7a0c3 100644
--- a/src/java/org/apache/cassandra/transport/messages/AuthResponse.java
+++ b/src/java/org/apache/cassandra/transport/messages/AuthResponse.java
@@ -71,7 +71,7 @@ public class AuthResponse extends Message.Request
 {
 try
 {
- IAuthenticator.SaslNegotiator negotiator = ((ServerConnection) connection).getSaslNegotiator();
+ IAuthenticator.SaslNegotiator negotiator = ((ServerConnection) connection).getSaslNegotiator(queryState);
 byte[] challenge = negotiator.evaluateResponse(token);
 if (negotiator.isComplete())
 {
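Review bot: In ServerConnection.java, `getSaslNegotiator(QueryState queryState)` reads its argument only while `saslNegotiator` is still null, so on every later call in the same SASL exchange the `queryState` passed in is silently ignored. The address handed to the authenticator is therefore fixed by whichever QueryState arrives first, which the signature does not convey. A short javadoc on the method would make that explicit, for example `/** Returns the negotiator for this connection, creating it on first use; queryState is consulted only at creation to supply the client address. */`. Since the negotiator is cached per connection, deriving the address from the connection itself rather than from a caller-supplied argument would rule out a mismatch, though whether that is practical depends on code outside this hunk.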