jmx_auth_test.py - cassandra-dtest - Git at Google

 import pytest
 import logging
 from distutils.version import LooseVersion

 from ccmlib.node import ToolError
 from dtest import Tester
 from tools.jmxutils import apply_jmx_authentication

 since = pytest.mark.since
 logger = logging.getLogger(__name__)


 @since('3.6')
 class TestJMXAuth(Tester):

     def test_basic_auth(self):
         """
         Some basic smoke testing of JMX authentication and authorization.
         Uses nodetool as a means of exercising the JMX interface as JolokiaAgent
         exposes its own connector which bypasses the in-built security features
         @jira_ticket CASSANDRA-10091
         """
         self.prepare()
         [node] = self.cluster.nodelist()
         node.nodetool('-u cassandra -pw cassandra status')

         session = self.patient_cql_connection(node, user='cassandra', password='cassandra')
         # the jmx_user role has no login privilege but give it a password anyway
         # to demonstrate that LOGIN is required for JMX authentication
         session.execute("CREATE ROLE jmx_user WITH LOGIN=false AND PASSWORD='321cba'")
         session.execute("GRANT SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' TO jmx_user")
         session.execute("GRANT DESCRIBE ON ALL MBEANS TO jmx_user")
         session.execute("CREATE ROLE test WITH LOGIN=true and PASSWORD='abc123'")

         with pytest.raises(ToolError, match=self.authentication_fail_message(node, 'baduser')):
             node.nodetool('-u baduser -pw abc123 gossipinfo')

         with pytest.raises(ToolError, match=self.authentication_fail_message(node, 'test')):
             node.nodetool('-u test -pw badpassword gossipinfo')

         with pytest.raises(ToolError, match="Required key 'username' is missing"):
             node.nodetool('gossipinfo')

         # role must have LOGIN attribute
         with pytest.raises(ToolError, match='jmx_user is not permitted to log in'):
             node.nodetool('-u jmx_user -pw 321cba gossipinfo')

         # test doesn't yet have any privileges on the necessary JMX resources
         with pytest.raises(ToolError, match='Access Denied'):
             node.nodetool('-u test -pw abc123 gossipinfo')

         session.execute("GRANT jmx_user TO test")
         node.nodetool('-u test -pw abc123 gossipinfo')

         # superuser status applies to JMX authz too
         node.nodetool('-u cassandra -pw cassandra gossipinfo')

     def prepare(self, nodes=1, permissions_validity=0):
         config = {'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator',
                   'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer',
                   'permissions_validity_in_ms': permissions_validity}
         self.cluster.set_configuration_options(values=config)
         self.cluster.populate(nodes)
         [node] = self.cluster.nodelist()
         apply_jmx_authentication(node)
         node.start()
         node.watch_log_for('Created default superuser')

     def authentication_fail_message(self, node, username):
         return "Provided username {user} and/or password are incorrect".format(user=username) \
             if node.cluster.version() >= LooseVersion('3.10') else "Username and/or password are incorrect"
	import pytest
	import logging
	from distutils.version import LooseVersion

	from ccmlib.node import ToolError
	from dtest import Tester
	from tools.jmxutils import apply_jmx_authentication

	since = pytest.mark.since
	logger = logging.getLogger(__name__)


	@since('3.6')
	class TestJMXAuth(Tester):

	def test_basic_auth(self):
	"""
	Some basic smoke testing of JMX authentication and authorization.
	Uses nodetool as a means of exercising the JMX interface as JolokiaAgent
	exposes its own connector which bypasses the in-built security features
	@jira_ticket CASSANDRA-10091
	"""
	self.prepare()
	[node] = self.cluster.nodelist()
	node.nodetool('-u cassandra -pw cassandra status')

	session = self.patient_cql_connection(node, user='cassandra', password='cassandra')
	# the jmx_user role has no login privilege but give it a password anyway
	# to demonstrate that LOGIN is required for JMX authentication
	session.execute("CREATE ROLE jmx_user WITH LOGIN=false AND PASSWORD='321cba'")
	session.execute("GRANT SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' TO jmx_user")
	session.execute("GRANT DESCRIBE ON ALL MBEANS TO jmx_user")
	session.execute("CREATE ROLE test WITH LOGIN=true and PASSWORD='abc123'")

	with pytest.raises(ToolError, match=self.authentication_fail_message(node, 'baduser')):
	node.nodetool('-u baduser -pw abc123 gossipinfo')

	with pytest.raises(ToolError, match=self.authentication_fail_message(node, 'test')):
	node.nodetool('-u test -pw badpassword gossipinfo')

	with pytest.raises(ToolError, match="Required key 'username' is missing"):
	node.nodetool('gossipinfo')

	# role must have LOGIN attribute
	with pytest.raises(ToolError, match='jmx_user is not permitted to log in'):
	node.nodetool('-u jmx_user -pw 321cba gossipinfo')

	# test doesn't yet have any privileges on the necessary JMX resources
	with pytest.raises(ToolError, match='Access Denied'):
	node.nodetool('-u test -pw abc123 gossipinfo')

	session.execute("GRANT jmx_user TO test")
	node.nodetool('-u test -pw abc123 gossipinfo')

	# superuser status applies to JMX authz too
	node.nodetool('-u cassandra -pw cassandra gossipinfo')

	def prepare(self, nodes=1, permissions_validity=0):
	config = {'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator',
	'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer',
	'permissions_validity_in_ms': permissions_validity}
	self.cluster.set_configuration_options(values=config)
	self.cluster.populate(nodes)
	[node] = self.cluster.nodelist()
	apply_jmx_authentication(node)
	node.start()
	node.watch_log_for('Created default superuser')

	def authentication_fail_message(self, node, username):
	return "Provided username {user} and/or password are incorrect".format(user=username) \
	if node.cluster.version() >= LooseVersion('3.10') else "Username and/or password are incorrect"