auth: add support for authc/authz via external api (#10)

Squash a serie of commits related to authentication found on v5.0.1-criteo branch: * 34fe8d4 Add attributes support * bf5cf17 Implement List Roles * fe21809 Add alter user implementation to the rest role manager * 69fd387 Update ssl cert * 6a32079 Add authorization support with rest_auth * 2f92f8b deprecate internal_distributed_timeout_config * a39e509 Add rest_authenticator to manage authentication with a rest endpoint validating credentials Few changes introduced compared to 5.0.1 version: * fixed runtime assertion related to pending flush when scylla fails to communicate with rest auth api * picojson replaced by rapidjson (used by scylla) * rest_http_client replaced by seastar::http::experimental::connection * unit tests fixed and enriched * formatting aligned with rest of scylla code base * tools/rest_authenticator_server updated to match actual implementation (usage of TLS and of GET http verb instead of POST)
criteo-forks · Aug 14, 2023 · 1686c5f · 1686c5f
1 parent b2ca1f7
commit 1686c5f
Show file tree

Hide file tree

Showing 44 changed files with 2,453 additions and 1 deletion.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -305,6 +305,8 @@ set(scylla_sources
     auth/common.cc
     auth/default_authorizer.cc
     auth/password_authenticator.cc
+    auth/rest_authenticator.cc
+    auth/rest_role_manager.cc
     auth/passwords.cc
     auth/permission.cc
     auth/permissions_cache.cc

diff --git a/README.md b/README.md
@@ -3,6 +3,10 @@
 [![Slack](https://img.shields.io/badge/slack-scylla-brightgreen.svg?logo=slack)](http://slack.scylladb.com)
 [![Twitter](https://img.shields.io/twitter/follow/ScyllaDB.svg?style=social&label=Follow)](https://twitter.com/intent/follow?screen_name=ScyllaDB)
 
+## This is a fork of scylla
+
+Scylla forks adding support of a specific rest authenticator: [rest_authc_authz](docs/dev/rest_authc_authz.md)
+
 ## What is Scylla?
 
 Scylla is the real-time big data database that is API-compatible with Apache Cassandra and Amazon DynamoDB.

diff --git a/auth/authenticator.hh b/auth/authenticator.hh
@@ -8,6 +8,10 @@
  * SPDX-License-Identifier: (AGPL-3.0-or-later and Apache-2.0)
  */
 
+/*
+ * Modified by Criteo: June 2021
+ */
+
 #pragma once
 
 #include <string_view>
@@ -36,6 +40,14 @@ namespace auth {
 
 class authenticated_user;
 
+struct authenticator_config {
+    sstring rest_authenticator_endpoint_host;
+    uint16_t rest_authenticator_endpoint_port;
+    sstring rest_authenticator_endpoint_cafile_path;
+    uint32_t rest_authenticator_endpoint_ttl;
+    uint32_t rest_authenticator_endpoint_timeout;
+};
+
 ///
 /// Abstract client for authenticating role identity.
 ///
@@ -121,6 +133,13 @@ public:
     virtual const resource_set& protected_resources() const = 0;
 
     virtual ::shared_ptr<sasl_challenge> new_sasl_challenge() const = 0;
+
+    virtual void set_authenticator_config(const authenticator_config &ac) { _authenticator_config = ac; }
+
+    virtual const authenticator_config & get_authenticator_config() const { return _authenticator_config; }
+
+protected:
+    authenticator_config _authenticator_config;
 };
 
 }