auth: add support for authc/authz via external api (#10)

Squash a series of commits related to authentication found on v5.0.1-criteo branch: * 34fe8d4 Add attributes support * bf5cf17 Implement List Roles * fe21809 Add alter user implementation to the rest role manager * 69fd387 Update ssl cert * 6a32079 Add authorization support with rest_auth * 2f92f8b deprecate internal_distributed_timeout_config * a39e509 Add rest_authenticator to manage authentication with a rest endpoint validating credentials Few changes introduced compared to 5.0.1 version: * fixed runtime assertion related to pending flush when scylla fails to communicate with rest auth api * picojson replaced by rapidjson (used by scylla) * rest_http_client replaced by seastar::http::experimental::connection * unit tests fixed and enriched * formatting aligned with rest of scylla code base * tools/rest_authenticator_server updated to match actual implementation (usage of TLS and of GET http verb instead of POST) * 73d02b1 make our rest_authenticator accepted by some clients make our rest_authenticator accepted by some clients authenticator_name is checked by some clients (go, rust) and connections are rejected if not in an allowed list on client side. We spoof cassandra authenticator name as scylla is doing for password authenticator.
criteo-forks · Dec 18, 2023 · 68e7133 · 68e7133
1 parent 83492ba
commit 68e7133
Show file tree

Hide file tree

Showing 44 changed files with 2,454 additions and 1 deletion.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -305,6 +305,8 @@ set(scylla_sources
     auth/common.cc
     auth/default_authorizer.cc
     auth/password_authenticator.cc
+    auth/rest_authenticator.cc
+    auth/rest_role_manager.cc
     auth/passwords.cc
     auth/permission.cc
     auth/permissions_cache.cc

diff --git a/README.md b/README.md
@@ -3,6 +3,10 @@
 [![Slack](https://img.shields.io/badge/slack-scylla-brightgreen.svg?logo=slack)](http://slack.scylladb.com)
 [![Twitter](https://img.shields.io/twitter/follow/ScyllaDB.svg?style=social&label=Follow)](https://twitter.com/intent/follow?screen_name=ScyllaDB)
 
+## This is a fork of scylla
+
+Scylla forks adding support of a specific rest authenticator: [rest_authc_authz](docs/dev/rest_authc_authz.md)
+
 ## What is Scylla?
 
 Scylla is the real-time big data database that is API-compatible with Apache Cassandra and Amazon DynamoDB.

diff --git a/auth/authenticator.hh b/auth/authenticator.hh
@@ -8,6 +8,10 @@
  * SPDX-License-Identifier: (AGPL-3.0-or-later and Apache-2.0)
  */
 
+/*
+ * Modified by Criteo: June 2021
+ */
+
 #pragma once
 
 #include <string_view>
@@ -36,6 +40,14 @@ namespace auth {
 
 class authenticated_user;
 
+struct authenticator_config {
+    sstring rest_authenticator_endpoint_host;
+    uint16_t rest_authenticator_endpoint_port;
+    sstring rest_authenticator_endpoint_cafile_path;
+    uint32_t rest_authenticator_endpoint_ttl;
+    uint32_t rest_authenticator_endpoint_timeout;
+};
+
 ///
 /// Abstract client for authenticating role identity.
 ///
@@ -121,6 +133,13 @@ public:
     virtual const resource_set& protected_resources() const = 0;
 
     virtual ::shared_ptr<sasl_challenge> new_sasl_challenge() const = 0;
+
+    virtual void set_authenticator_config(const authenticator_config &ac) { _authenticator_config = ac; }
+
+    virtual const authenticator_config & get_authenticator_config() const { return _authenticator_config; }
+
+protected:
+    authenticator_config _authenticator_config;
 };
 
 }