[CASSANDRA-15089] CassandraNetworkAuthorizer::authorize should get role details from Roles, not directly from IRoleManager - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Normal
Resolution: Fixed
Fix Version/s: 4.0-alpha1, 4.0
Component/s: Feature/Authorization
Labels:
None

Bug Category:
Degradation - Performance Bug/Regression
Severity:
Low
Complexity:
Low Hanging Fruit
Discovered By:
Code Inspection
Platform:

All
Impacts:

None
Since Version:

4.0
Source Control Link:

https://github.com/apache/cassandra/commit/149caf01e08f58f306ff51379ab189c7a4b1ca6d
Test and Documentation Plan:

Hide

Additional unit test added.

Show
Additional unit test added.

Description

If the network permissions cache doesn't contain any entry for a role, the authorize method is invoked on the configured INetworkAuthorizer. In the case of CassandraNetworkAuthorizer, this immediately checks whether the role in question has the LOGIN privilege set. It does this using the configured IRoleManager directly, which causes a read from the underlying table in system_auth. It should fetch the flag from Roles::canLogin, which uses the RolesCache, falling back to the IRoleManager if necessary.

Attachments

Activity

People

Assignee:: Sam Tunnicliffe

Reporter:: Sam Tunnicliffe

Authors:: Sam Tunnicliffe

Reviewers:: Blake Eggleston

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 17/Apr/19 10:04

Updated:: 15/May/20 08:05

Resolved:: 11/Jul/19 16:17