Cassandra 16958 #1205

jmckenzie-dev · 2021-09-16T19:44:12Z

No description provided.

Patch by Blake Eggleston; reviewed by Sam Tunnicliffe, Jason Brown, and xxxx for CASSANDRA-16958 Co-authored by: Blake Eggleston <bdeggleston@gmail.com> Co-authored by: Josh McKenzie <jmckenzie@apache.org>

src/java/org/apache/cassandra/auth/AuthCacheService.java

test/unit/org/apache/cassandra/service/ClientStateTest.java

maedhroz · 2022-01-11T22:29:33Z

src/java/org/apache/cassandra/auth/AuthCacheService.java

+    private static final Logger logger = LoggerFactory.getLogger(AuthCacheService.class);
+    public static final AuthCacheService instance = new AuthCacheService();
+
+    private final Set<AuthCache<?, ?>> caches = new HashSet<>();


A few questions around this caches state and how it's protected...

The first thing I noticed is that warmCaches() isn't synchronized, so we might be left open to a ConcurrentModificationException. Then I started looking at the actual sources of possible concurrent access to caches. It seems like the primary startup pathway isn't really a concern, but the nodetool commands for resuming bootstrap and join might be, since they hit doAuthSetup(). It that's the case, the warmCaches() issue above stands, but also only Roles.init() seems to protect us against double-adding its cache. (For AuthenticatedUser, that would be permissionsCache and networkPermissionsCache.) Then again, registering a few more things to caches on those nodetool commands might no matter, given warmCaches() is only called from CassandraDaemon#setup(). Finally, Roles.init() and PasswordAuthenticator#setup() aren't synchronized, so their cache fields aren't protected.

...and as I finished writing that, I see that doAuthSetup() is guarded by authSetupCalled and should only happen once :)

So unless we're going to hit warmCaches() in CassandraDaemon#setup() somehow after a nodetool command, I'm not sure if there's a thread-safety issue at all. If that is possible, just throwing Collections.synchronizedSet() on AuthCacheService#caches would probably be sufficient (without synchronizing any methods here).

I think we should protect against dupe adding from all 4 sources as well as synchronize on the init and reg call. I'll whip that up and get another commit for that; forgot to come back to this.

Pushed a commit that hopefully addresses this. Running CI now.

AuthCacheService is at least thread-safe now, regardless of whether or not that's strictly necessary. The only thing that's still a bit odd to me is that the nodetool commands (unless I'm misreading something) can register caches that just sort of sit in caches forever, being neither removed nor warmed.

That... does not seem like something we want. Let me take a look.

Ok. Taking a page out of the guard around doAuthSetup to codify the intended usage of the method.

maedhroz · 2022-01-11T22:36:23Z

src/java/org/apache/cassandra/config/Config.java

     */
    public volatile int validation_preview_purge_head_start_in_sec = 60 * 60;

+    public boolean auth_cache_warming_enabled = true;


nit: Did the original Jira description mention making this opt-in?

Hm. Nope, should be optional. Changed to false and added to cassandra.yaml

test/unit/org/apache/cassandra/tools/nodetool/InvalidateJmxPermissionsCacheTest.java

src/java/org/apache/cassandra/service/StorageService.java

test/unit/org/apache/cassandra/tools/nodetool/InvalidateNetworkPermissionsCacheTest.java

test/unit/org/apache/cassandra/tools/nodetool/InvalidatePermissionsCacheTest.java

maedhroz · 2022-01-11T22:41:43Z

test/unit/org/apache/cassandra/tools/nodetool/InvalidateNetworkPermissionsCacheTest.java

        roleManager.createRole(AuthenticatedUser.SYSTEM_USER, ROLE_A, AuthTestUtils.getLoginRoleOptions());
        roleManager.createRole(AuthenticatedUser.SYSTEM_USER, ROLE_B, AuthTestUtils.getLoginRoleOptions());
+        roleManager.createRole(AuthenticatedUser.SYSTEM_USER, ROLE_A, AuthTestUtils.getLoginRoleOptions());
+        roleManager.createRole(AuthenticatedUser.SYSTEM_USER, ROLE_B, AuthTestUtils.getLoginRoleOptions());


Do we need to add these roles twice? The test still seems to pass if I remove the duplicates...

Not at all. Removed.

test/unit/org/apache/cassandra/tools/nodetool/InvalidateRolesCacheTest.java

test/unit/org/apache/cassandra/cql3/CQLTester.java

test/unit/org/apache/cassandra/auth/AuthCacheTest.java

test/unit/org/apache/cassandra/auth/CassandraAuthorizerTest.java

test/unit/org/apache/cassandra/auth/CassandraAuthorizerTruncatingTests.java

test/unit/org/apache/cassandra/auth/CassandraRoleManagerTest.java

maedhroz · 2022-01-11T23:20:57Z

test/unit/org/apache/cassandra/auth/CassandraRoleManagerTest.java

+        CassandraRoleManager crm = new CassandraRoleManager();
+
+        assertEquals(CassandraRoleManager.hasExistingRoles(), true);
+        assertEquals(crm.isClusterReady(), false);


nit: could use assertTrue() and assertFalse() respectively (although perhaps that's less important than throwing an explicit failure message in there)

Fleshed out a bit and swapped to the less tautological options.

maedhroz · 2022-01-11T23:33:00Z

test/unit/org/apache/cassandra/auth/PasswordAuthenticatorTest.java

 public class PasswordAuthenticatorTest extends CQLTester
 {
-
    private static PasswordAuthenticator authenticator = new PasswordAuthenticator();


nit: could be final

Interesting. We had a couple PasswordAuthenticator creations in the tests that shadowed the class static variable (ew), some vestigial throws Exception, a whitespace... and this. Tidied that file up.

test/unit/org/apache/cassandra/auth/PasswordAuthenticatorTest.java

…d make final

maedhroz · 2022-01-13T04:29:42Z

src/java/org/apache/cassandra/auth/CassandraRoleManager.java

    private final Set<Option> alterableOptions;

    // Will be set to true when all nodes in the cluster are on a version which supports roles (i.e. 2.2+)
    private volatile boolean isClusterReady = false;


Can we just remove isClusterReady altogether? We won't allow upgrading directly from 2.1 -> 4.1 right?

…nager.java

jmckenzie-dev force-pushed the cassandra-16958 branch 2 times, most recently from afe050f to 50c0199 Compare January 10, 2022 21:10

bdeggleston and others added 2 commits January 11, 2022 12:10

Prewarm role and credentials caches to avoid timeouts at startup

4e2cc4c

Patch by Blake Eggleston; reviewed by Sam Tunnicliffe, Jason Brown, and xxxx for CASSANDRA-16958 Co-authored by: Blake Eggleston <bdeggleston@gmail.com> Co-authored by: Josh McKenzie <jmckenzie@apache.org>

DO NOT COMMIT: hires circle

de1aeff

jmckenzie-dev force-pushed the cassandra-16958 branch from 9665c77 to de1aeff Compare January 11, 2022 17:10

DO NOT COMMIT: switch from git: to https: for circle

1598b95