Juju Charms Collection
cassandra package

Merge lp:~stub/charms/trusty/cassandra/noauthentication into lp:~stub/charms/trusty/cassandra/ulimit-warning

  1. Trusty Tahr (14.04)
  2. noauthentication
  3. Merge into ulimit-warning
Proposed by Stuart Bishop
Status: Superseded
Proposed branch: lp:~stub/charms/trusty/cassandra/noauthentication
Merge into: lp:~stub/charms/trusty/cassandra/ulimit-warning
Diff against target: 314 lines (+82/-25)
9 files modified
Makefile (+7/-0)
config.yaml (+8/-1)
hooks/actions.py (+23/-3)
hooks/definitions.py (+4/-1)
hooks/helpers.py (+16/-13)
tests/test_actions.py (+1/-1)
tests/test_helpers.py (+5/-5)
tests/test_integration.py (+17/-1)
tests/tests.yaml (+1/-0)
To merge this branch: bzr merge lp:~stub/charms/trusty/cassandra/noauthentication
Reviewer Review Type Date Requested Status
Stuart Bishop Pending
Review via email: mp+275860@code.launchpad.net

Description of the change

Allow use of the AllowAllAuthenticator, turning off authentication entirely. This is needed for legacy applications which have no facility to provide authentication credentials.

To post a comment you must log in.
lp:~stub/charms/trusty/cassandra/noauthentication updated
428. By Stuart Bishop

Fix tests with Juju 1.25

429. By Stuart Bishop

Fix test command return code

430. By Stuart Bishop

Fix a better hidden failure from Juju 1.25 unit numbering changes

431. By Stuart Bishop

Fix remaining AllowAllAuthenticator tests

432. By Stuart Bishop

Handle rogue cqlshrc files from previous installs

Unmerged revisions

432. By Stuart Bishop

Handle rogue cqlshrc files from previous installs

431. By Stuart Bishop

Fix remaining AllowAllAuthenticator tests

430. By Stuart Bishop

Fix a better hidden failure from Juju 1.25 unit numbering changes

429. By Stuart Bishop

Fix test command return code

428. By Stuart Bishop

Fix tests with Juju 1.25

427. By Stuart Bishop

no auth tests

426. By Stuart Bishop

Fix unittests

425. By Stuart Bishop

Get AllowAllAuthenticator working

424. By Stuart Bishop

Merge ulimit-warning

423. By Stuart Bishop

Turn off code paths requiring authentication

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'Makefile'
2--- Makefile 2015-08-19 09:57:40 +0000
3+++ Makefile 2015-10-27 15:23:26 +0000
4@@ -82,6 +82,13 @@
5 AMULET_TIMEOUT=7200 \
6 $(NOSETESTS) tests.test_integration:Test3UnitDeployment 2>&1 | ts
7
8+authtest: unittest TestAllowAllAuthenticatorDeployment
9+TestAllowAllAuthenticatorDeployment: deps
10+ date
11+ AMULET_TIMEOUT=7200 \
12+ $(NOSETESTS) \
13+ tests.test_integration:TestAllowAllAuthenticatorDeployment 2>&1 | ts
14+
15 # Place a copy of the Oracle Java SE 7 Server Runtime tarball in ./lib
16 # to run these tests.
17 jretest: unittest
18
19=== modified file 'config.yaml'
20--- config.yaml 2015-06-23 11:32:12 +0000
21+++ config.yaml 2015-10-27 15:23:26 +0000
22@@ -242,7 +242,14 @@
23 default: 7001
24 description: >
25 Cluster secure communication port. TODO: Unused. configure SSL.
26-
27+ authenticator:
28+ type: string
29+ default: PasswordAuthenticator
30+ description: >
31+ Authentication backend. Only PasswordAuthenticator and
32+ AllowAllAuthenticator are supported. You should only
33+ use AllowAllAuthenticator for legacy applications that
34+ cannot provide authentication credentials.
35 authorizer:
36 type: string
37 default: AllowAllAuthorizer
38
39=== modified file 'hooks/actions.py'
40--- hooks/actions.py 2015-10-27 11:32:00 +0000
41+++ hooks/actions.py 2015-10-27 15:23:26 +0000
42@@ -59,6 +59,7 @@
43 'num_tokens',
44 'max_heap_size',
45 'heap_newsize',
46+ 'authenticator',
47 'authorizer',
48 'compaction_throughput_mb_per_sec',
49 'stream_throughput_outbound_megabits_per_sec',
50@@ -115,6 +116,21 @@
51 return wrapper
52
53
54+def authentication(func):
55+ '''Decorated function is skipped if authentication is disabled.'''
56+ @wraps(func)
57+ def wrapper(*args, **kw):
58+ auth = hookenv.config()['authenticator']
59+ if auth == 'PasswordAuthenticator':
60+ return func(*args, **kw)
61+ elif auth == 'AllowAllAuthenticator':
62+ hookenv.log('Skipped. Authentication disabled.', DEBUG)
63+ return None
64+ helpers.status_set('blocked', 'Unknown authenticator {}'.format(auth))
65+ raise SystemExit(0)
66+ return wrapper
67+
68+
69 @action
70 def set_proxy():
71 config = hookenv.config()
72@@ -432,6 +448,7 @@
73
74 @leader_only
75 @action
76+@authentication
77 @coordinator.require('repair', needs_reset_auth_keyspace_replication)
78 def reset_auth_keyspace_replication():
79 # Cassandra requires you to manually set the replication factor of
80@@ -482,8 +499,8 @@
81
82 # If our IP address has changed, we need to restart.
83 if config.changed('unit_private_ip'):
84- hookenv.log('waiting',
85- 'IP address changed. Waiting for restart permission.')
86+ helpers.status_set('waiting', 'IP address changed. '
87+ 'Waiting for restart permission.')
88 return True
89
90 # If the directory paths have changed, we need to migrate data
91@@ -574,6 +591,7 @@
92
93 @leader_only
94 @action
95+@authentication
96 def create_unit_superusers():
97 # The leader creates and updates accounts for nodes, using the
98 # encrypted password they provide in relations.PeerRelation. We
99@@ -702,7 +720,7 @@
100 @action
101 def emit_cluster_info():
102 helpers.emit_describe_cluster()
103- helpers.emit_auth_keyspace_status()
104+ helpers.emit_status()
105 helpers.emit_netstats()
106
107
108@@ -852,6 +870,7 @@
109
110 @leader_only
111 @action
112+@authentication
113 def reset_default_password():
114 if hookenv.leader_get('default_admin_password_changed'):
115 hookenv.log('Default admin password already changed')
116@@ -911,6 +930,7 @@
117
118
119 @action
120+@authentication
121 def request_unit_superuser():
122 relid = helpers.peer_relid()
123 if relid is None:
124
125=== modified file 'hooks/definitions.py'
126--- hooks/definitions.py 2015-10-22 08:44:52 +0000
127+++ hooks/definitions.py 2015-10-27 15:23:26 +0000
128@@ -109,7 +109,10 @@
129
130 if helpers.is_cassandra_running():
131 hookenv.log('Cassandra is running')
132- if hookenv.local_unit() in helpers.get_unit_superusers():
133+ auth = hookenv.config()['authenticator']
134+ if auth == 'AllowAllAuthenticator':
135+ return True
136+ elif hookenv.local_unit() in helpers.get_unit_superusers():
137 hookenv.log('Credentials created')
138 return True
139 else:
140
141=== modified file 'hooks/helpers.py'
142--- hooks/helpers.py 2015-09-11 05:07:47 +0000
143+++ hooks/helpers.py 2015-10-27 15:23:26 +0000
144@@ -459,8 +459,12 @@
145 if username is None or password is None:
146 username, password = superuser_credentials()
147
148- auth_provider = cassandra.auth.PlainTextAuthProvider(username=username,
149- password=password)
150+ auth = hookenv.config()['authenticator']
151+ if auth == 'AllowAllAuthenticator':
152+ auth_provider = None
153+ else:
154+ auth_provider = cassandra.auth.PlainTextAuthProvider(username=username,
155+ password=password)
156
157 # Although we specify a reconnection_policy, it does not apply to
158 # the initial connection so we retry in a loop.
159@@ -519,6 +523,10 @@
160 @logged
161 def ensure_user(session, username, encrypted_password, superuser=False):
162 '''Create the DB user if it doesn't already exist & reset the password.'''
163+ auth = hookenv.config()['authenticator']
164+ if auth == 'AllowAllAuthenticator':
165+ return # No authentication means we cannot create users
166+
167 if superuser:
168 hookenv.log('Creating SUPERUSER {}'.format(username))
169 else:
170@@ -683,7 +691,7 @@
171 # Using the same name is preferred to match the actual Cassandra
172 # documentation.
173 simple_config_keys = ['cluster_name', 'num_tokens',
174- 'partitioner', 'authorizer',
175+ 'partitioner', 'authorizer', 'authenticator',
176 'compaction_throughput_mb_per_sec',
177 'stream_throughput_outbound_megabits_per_sec',
178 'tombstone_warn_threshold',
179@@ -704,11 +712,6 @@
180 dirs = get_all_database_directories()
181 cassandra_yaml.update(dirs)
182
183- # The charm only supports password authentication. In the future we
184- # may also support AllowAllAuthenticator. I'm not sure if others
185- # such as Kerboros can be supported or are useful.
186- cassandra_yaml['authenticator'] = 'PasswordAuthenticator'
187-
188 # GossipingPropertyFileSnitch is the only snitch recommended for
189 # production. It we allow others, we need to consider how to deal
190 # with the system_auth keyspace replication settings.
191@@ -745,7 +748,7 @@
192 # is not running.
193 os.kill(pid, 0)
194
195- if subprocess.call(["nodetool", "status", "system_auth"],
196+ if subprocess.call(["nodetool", "status"],
197 stdout=subprocess.DEVNULL,
198 stderr=subprocess.DEVNULL) == 0:
199 hookenv.log(
200@@ -870,9 +873,9 @@
201
202
203 @logged
204-def emit_auth_keyspace_status():
205- '''Run 'nodetool status system_auth' for the logs.'''
206- nodetool('status', 'system_auth') # Implicit emit
207+def emit_status():
208+ '''Run 'nodetool status' for the logs.'''
209+ nodetool('status') # Implicit emit
210
211
212 @logged
213@@ -883,7 +886,7 @@
214
215 def emit_cluster_info():
216 emit_describe_cluster()
217- emit_auth_keyspace_status()
218+ emit_status()
219 emit_netstats()
220
221
222
223=== modified file 'tests/test_actions.py'
224--- tests/test_actions.py 2015-09-10 07:22:22 +0000
225+++ tests/test_actions.py 2015-10-27 15:23:26 +0000
226@@ -833,7 +833,7 @@
227 self.assertIn(expected, contents)
228
229 @patch('helpers.emit_netstats')
230- @patch('helpers.emit_auth_keyspace_status')
231+ @patch('helpers.emit_status')
232 @patch('helpers.emit_describe_cluster')
233 def test_emit_cluster_info(self, emit_desc, emit_status, emit_netstats):
234 actions.emit_cluster_info('')
235
236=== modified file 'tests/test_helpers.py'
237--- tests/test_helpers.py 2015-09-04 11:12:27 +0000
238+++ tests/test_helpers.py 2015-10-27 15:23:26 +0000
239@@ -890,7 +890,7 @@
240 is_running.return_value = True
241 backoff.return_value = repeat(True)
242 check_output.side_effect = iter(['ONE Error: stuff', 'TWO OK'])
243- self.assertEqual(helpers.nodetool('status', 'system_auth'), 'TWO OK')
244+ self.assertEqual(helpers.nodetool('status'), 'TWO OK')
245
246 # The output was emitted.
247 helpers.emit.assert_called_once_with('TWO OK')
248@@ -908,7 +908,7 @@
249 subprocess.CalledProcessError([], 1, 'fail 4'),
250 subprocess.CalledProcessError([], 1, 'fail 5'),
251 'OK'])
252- self.assertEqual(helpers.nodetool('status', 'system_auth'), 'OK')
253+ self.assertEqual(helpers.nodetool('status'), 'OK')
254
255 # Later fails and final output was emitted.
256 helpers.emit.assert_has_calls([call('fail 5'), call('OK')])
257@@ -1261,9 +1261,9 @@
258 nodetool.assert_called_once_with('describecluster')
259
260 @patch('helpers.nodetool')
261- def test_emit_auth_keyspace_status(self, nodetool):
262- helpers.emit_auth_keyspace_status()
263- nodetool.assert_called_once_with('status', 'system_auth')
264+ def test_emit_status(self, nodetool):
265+ helpers.emit_status()
266+ nodetool.assert_called_once_with('status')
267
268 @patch('helpers.nodetool')
269 def test_emit_netstats(self, nodetool):
270
271=== modified file 'tests/test_integration.py'
272--- tests/test_integration.py 2015-08-19 09:57:40 +0000
273+++ tests/test_integration.py 2015-10-27 15:23:26 +0000
274@@ -314,7 +314,6 @@
275 found = set(contents['directories'])
276 self.assertIn(keyspace, found)
277 self.assertIn('system', found)
278- self.assertIn('system_auth', found)
279 break
280 except Exception:
281 if time.time() > timeout:
282@@ -544,6 +543,23 @@
283 super(TestDSEDeployment, cls).setUpClass()
284
285
286+class TestAllowAllAuthenticatorDeployment(Test3UnitDeployment):
287+ test_config = dict(authenticator='AllowAllAuthenticator')
288+
289+ def client_session(self, relname):
290+ '''A session using invalid credentials.'''
291+ relinfo = self.get_client_relinfo(relname)
292+ self.assertIn('host', relinfo.keys())
293+ cluster = self.cluster('random', 'nonsense',
294+ [relinfo['host']],
295+ int(relinfo['native_transport_port']))
296+ session = cluster.connect()
297+ self.addCleanup(session.shutdown)
298+ return session
299+
300+ test_default_superuser_account_closed = None
301+
302+
303 class Test20Deployment(Test1UnitDeployment):
304 """Tests run on a single node Apache Cassandra 2.0 cluster.
305 """
306
307=== modified file 'tests/tests.yaml'
308--- tests/tests.yaml 2015-06-29 10:09:24 +0000
309+++ tests/tests.yaml 2015-10-27 15:23:26 +0000
310@@ -10,3 +10,4 @@
311 - Test1UnitDeployment
312 - Test3UnitDeployment
313 - Test20Deployment
314+ - TestAllowAllAuthenticatorDeployment

Subscribers

People subscribed via source and target branches

to all changes: