jmx_auth_test.py - cassandra-dtest - Git at Google

 import random
 import string
 import pytest
 import logging
 from distutils.version import LooseVersion

 from ccmlib.node import ToolError
 from dtest import Tester
 from tools.jmxutils import apply_jmx_authentication

 since = pytest.mark.since
 logger = logging.getLogger(__name__)


 @since('3.6')
 class TestJMXAuth(Tester):
     """
     Uses nodetool as a means of exercising the JMX interface as JolokiaAgent
     exposes its own connector which bypasses the in-built security features
     """

     def test_basic_auth(self):
         """
         Some basic smoke testing of JMX authentication and authorization.
         @jira_ticket CASSANDRA-10091
         """
         self.prepare()
         [node] = self.cluster.nodelist()
         node.nodetool('-u cassandra -pw cassandra status')

         session = self.patient_cql_connection(node, user='cassandra', password='cassandra')
         # the jmx_user role has no login privilege but give it a password anyway
         # to demonstrate that LOGIN is required for JMX authentication
         session.execute("CREATE ROLE jmx_user WITH LOGIN=false AND PASSWORD='321cba'")
         session.execute("GRANT SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' TO jmx_user")
         session.execute("GRANT DESCRIBE ON ALL MBEANS TO jmx_user")
         session.execute("CREATE ROLE test WITH LOGIN=true and PASSWORD='abc123'")

         with pytest.raises(ToolError, match=self.authentication_fail_message(node, 'baduser')):
             node.nodetool('-u baduser -pw abc123 gossipinfo')

         with pytest.raises(ToolError, match=self.authentication_fail_message(node, 'test')):
             node.nodetool('-u test -pw badpassword gossipinfo')

         with pytest.raises(ToolError, match="Required key 'username' is missing"):
             node.nodetool('gossipinfo')

         # role must have LOGIN attribute
         with pytest.raises(ToolError, match='jmx_user is not permitted to log in'):
             node.nodetool('-u jmx_user -pw 321cba gossipinfo')

         # test doesn't yet have any privileges on the necessary JMX resources
         with pytest.raises(ToolError, match='Access Denied'):
             node.nodetool('-u test -pw abc123 gossipinfo')

         session.execute("GRANT jmx_user TO test")
         node.nodetool('-u test -pw abc123 gossipinfo')

         # superuser status applies to JMX authz too
         node.nodetool('-u cassandra -pw cassandra gossipinfo')

     @since('4.1')
     def test_revoked_jmx_access(self):
         """
         if a user's access to a JMX MBean is revoked while they're connected,
         all of their requests should fail once the cache is cleared.
         @jira_ticket CASSANDRA-16404
         """
         self.prepare(permissions_validity=60000)
         [node] = self.cluster.nodelist()

         def test_revoked_access(cache_name):
             logger.debug('Testing with cache name: %s' % cache_name)
             username = self.username()
             session = self.patient_cql_connection(node, user='cassandra', password='cassandra')
             session.execute("CREATE ROLE %s WITH LOGIN=true AND PASSWORD='abc123'" % username)
             session.execute("GRANT SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' TO %s" % username)
             session.execute("GRANT DESCRIBE ON ALL MBEANS TO %s" % username)

             # works fine
             node.nodetool('-u %s -pw abc123 gossipinfo' % username)

             session.execute("REVOKE SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' FROM %s" % username)
             # works fine because the JMX permission is cached
             node.nodetool('-u %s -pw abc123 gossipinfo' % username)

             node.nodetool('-u cassandra -pw cassandra invalidatejmxpermissionscache')
             # the user has no permissions to the JMX resource anymore
             with pytest.raises(ToolError, match='Access Denied'):
                 node.nodetool('-u %s -pw abc123 gossipinfo' % username)

         test_revoked_access("JmxPermissionsCache")

         # deprecated cache name, scheduled for removal in 5.0
         if self.dtest_config.cassandra_version_from_build < '5.0':
             test_revoked_access("JMXPermissionsCache")

     def prepare(self, nodes=1, permissions_validity=0):
         config = {'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator',
                   'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer',
                   'permissions_validity_in_ms': permissions_validity}
         self.cluster.set_configuration_options(values=config)
         self.cluster.populate(nodes)
         [node] = self.cluster.nodelist()
         apply_jmx_authentication(node)
         node.start()
         node.watch_log_for('Created default superuser')

     def authentication_fail_message(self, node, username):
         return "Provided username {user} and/or password are incorrect".format(user=username) \
             if node.cluster.version() >= LooseVersion('3.10') else "Username and/or password are incorrect"

     def username(self):
         return ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
	import random
	import string
	import pytest
	import logging
	from distutils.version import LooseVersion

	from ccmlib.node import ToolError
	from dtest import Tester
	from tools.jmxutils import apply_jmx_authentication

	since = pytest.mark.since
	logger = logging.getLogger(__name__)


	@since('3.6')
	class TestJMXAuth(Tester):
	"""
	Uses nodetool as a means of exercising the JMX interface as JolokiaAgent
	exposes its own connector which bypasses the in-built security features
	"""

	def test_basic_auth(self):
	"""
	Some basic smoke testing of JMX authentication and authorization.
	@jira_ticket CASSANDRA-10091
	"""
	self.prepare()
	[node] = self.cluster.nodelist()
	node.nodetool('-u cassandra -pw cassandra status')

	session = self.patient_cql_connection(node, user='cassandra', password='cassandra')
	# the jmx_user role has no login privilege but give it a password anyway
	# to demonstrate that LOGIN is required for JMX authentication
	session.execute("CREATE ROLE jmx_user WITH LOGIN=false AND PASSWORD='321cba'")
	session.execute("GRANT SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' TO jmx_user")
	session.execute("GRANT DESCRIBE ON ALL MBEANS TO jmx_user")
	session.execute("CREATE ROLE test WITH LOGIN=true and PASSWORD='abc123'")

	with pytest.raises(ToolError, match=self.authentication_fail_message(node, 'baduser')):
	node.nodetool('-u baduser -pw abc123 gossipinfo')

	with pytest.raises(ToolError, match=self.authentication_fail_message(node, 'test')):
	node.nodetool('-u test -pw badpassword gossipinfo')

	with pytest.raises(ToolError, match="Required key 'username' is missing"):
	node.nodetool('gossipinfo')

	# role must have LOGIN attribute
	with pytest.raises(ToolError, match='jmx_user is not permitted to log in'):
	node.nodetool('-u jmx_user -pw 321cba gossipinfo')

	# test doesn't yet have any privileges on the necessary JMX resources
	with pytest.raises(ToolError, match='Access Denied'):
	node.nodetool('-u test -pw abc123 gossipinfo')

	session.execute("GRANT jmx_user TO test")
	node.nodetool('-u test -pw abc123 gossipinfo')

	# superuser status applies to JMX authz too
	node.nodetool('-u cassandra -pw cassandra gossipinfo')

	@since('4.1')
	def test_revoked_jmx_access(self):
	"""
	if a user's access to a JMX MBean is revoked while they're connected,
	all of their requests should fail once the cache is cleared.
	@jira_ticket CASSANDRA-16404
	"""
	self.prepare(permissions_validity=60000)
	[node] = self.cluster.nodelist()

	def test_revoked_access(cache_name):
	logger.debug('Testing with cache name: %s' % cache_name)
	username = self.username()
	session = self.patient_cql_connection(node, user='cassandra', password='cassandra')
	session.execute("CREATE ROLE %s WITH LOGIN=true AND PASSWORD='abc123'" % username)
	session.execute("GRANT SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' TO %s" % username)
	session.execute("GRANT DESCRIBE ON ALL MBEANS TO %s" % username)

	# works fine
	node.nodetool('-u %s -pw abc123 gossipinfo' % username)

	session.execute("REVOKE SELECT ON MBEAN 'org.apache.cassandra.net:type=FailureDetector' FROM %s" % username)
	# works fine because the JMX permission is cached
	node.nodetool('-u %s -pw abc123 gossipinfo' % username)

	node.nodetool('-u cassandra -pw cassandra invalidatejmxpermissionscache')
	# the user has no permissions to the JMX resource anymore
	with pytest.raises(ToolError, match='Access Denied'):
	node.nodetool('-u %s -pw abc123 gossipinfo' % username)

	test_revoked_access("JmxPermissionsCache")

	# deprecated cache name, scheduled for removal in 5.0
	if self.dtest_config.cassandra_version_from_build < '5.0':
	test_revoked_access("JMXPermissionsCache")

	def prepare(self, nodes=1, permissions_validity=0):
	config = {'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator',
	'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer',
	'permissions_validity_in_ms': permissions_validity}
	self.cluster.set_configuration_options(values=config)
	self.cluster.populate(nodes)
	[node] = self.cluster.nodelist()
	apply_jmx_authentication(node)
	node.start()
	node.watch_log_for('Created default superuser')

	def authentication_fail_message(self, node, username):
	return "Provided username {user} and/or password are incorrect".format(user=username) \
	if node.cluster.version() >= LooseVersion('3.10') else "Username and/or password are incorrect"

	def username(self):
	return ''.join(random.choice(string.ascii_lowercase) for _ in range(8))