CEP-50/CASS-20834: Factoring out assumption of a single node-wide authenticator #4427
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…RA-20834) With negotiated authentication (CEP-50), nodes may be configured with multiple authenticators. Prior to this change, a number of areas in the code assumed that there was a single configured authenticator and contained logic that switched depending on the authenticator type. This logic won't work when multiple authenticators can be configured. This change eliminates most calls to DataDescriptor.getAuthenticator(), by either requiring dependencies to specify the type of authenticator they're looking for, or (in the case of authenticator-specific role attributes) enabling individual authenticators to declare the role attributes they need. patch by jcshepherd; reviewed by <Reviewers> for CASSANDRA-20834
jcshepherd
commented
Oct 14, 2025
|
|
||
| /** | ||
| * Resets the initialized flag, enabling AuthConfig to be reconfigured multiple times within a single | ||
| * test case. |
There was a problem hiding this comment.
Specifically, see AuthConfigTest in this same PR.
jcshepherd
commented
Oct 14, 2025
|
|
||
| /** | ||
| * Returns the authenticator configured for this node. | ||
| */ |
There was a problem hiding this comment.
In the future this will become getDefaultAuthenticator(). Additional methods will be added to enable/disable negotiation and provide access to the node's supported authenticators.
jcshepherd
commented
Oct 14, 2025
|
|
||
| /** | ||
| * Indicates if this node uses an authenticator that requires authentication. | ||
| */ |
There was a problem hiding this comment.
In the future, the semantics will change from "'The' authenticator requires authentication" to "Any supported authenticator requires authentication." Existing callers to this method should be unaffected by that change.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Factoring out assumption of a single node-wide authenticator (CASSANDRA-20834 for CEP-50)
With negotiated authentication (CEP-50), nodes may be configured with multiple authenticators. Prior to this change, a number of areas in the code assumed that there was a single configured authenticator and contained logic that switched depending on the authenticator type. This logic won't work when multiple authenticators can be configured. This change eliminates most calls to DataDescriptor.getAuthenticator(), by either directly returning whether the node can enforce authn or not, requiring dependencies to specify the type of authenticator they're looking for, or (in the case of authenticator-specific role attributes) enabling individual authenticators to declare the role attributes they need.
Testing done: Unit tests for auth and config packages; d-tests for auth-related functionality (e.g. ColumnMasks).
patch by jcshepherd; reviewed by for CASSANDRA-20834