Currently, the implementation works in such way that if this plugin is on the class path and configured properly and Cassandra starts, default Cassandra user is created. The actual creation is done in CassandraRoleManager#setupDefaultRole and it is a task which is scheduled as part of CassandraRoleManager#setup. There is not deterministic resolution as when cassandra user is created hence if it happens that LDAPAuthenticator#setup is run first (the order is nicely visible in StorageService#doAuthSetup), the subsequent check in CassandraRoleManager#hasExistingRoles returns true, because the last condition where we check there is at least one role present is fulfilled and thats because LDAPAuthenticator did it in the meanwhile. So no cassandra user is created.
The behaviour in the above paragraph is wrong. There should be cassandra user created too but not utilised but ready to be authenticated against.
Default cassandra user is created as a side-effect by trying to login on ClientState in setup() method of our impl but that will internally call queries which use QUORUM and it fails e.g in situations when more then quorum nodes are down and we do not use NTS in a cluster which renders cluster unusable.
One possible solution is to wait in a loop and we wait for cassandra role to be created by CassandraRoleManager by periodically doing select with CL ONE and only after such user is created we proceed with the authentication against LDAP and create LDAP "super user".
Currently, the implementation works in such way that if this plugin is on the class path and configured properly and Cassandra starts, default Cassandra user is created. The actual creation is done in
CassandraRoleManager#setupDefaultRole
and it is a task which is scheduled as part ofCassandraRoleManager#setup
. There is not deterministic resolution as whencassandra
user is created hence if it happens thatLDAPAuthenticator#setup
is run first (the order is nicely visible inStorageService#doAuthSetup
), the subsequent check inCassandraRoleManager#hasExistingRoles
returns true, because the last condition where we check there is at least one role present is fulfilled and thats because LDAPAuthenticator did it in the meanwhile. So no cassandra user is created.The behaviour in the above paragraph is wrong. There should be
cassandra
user created too but not utilised but ready to be authenticated against.Default
cassandra
user is created as a side-effect by trying to login onClientState
insetup()
method of our impl but that will internally call queries which use QUORUM and it fails e.g in situations when more then quorum nodes are down and we do not use NTS in a cluster which renders cluster unusable.One possible solution is to wait in a loop and we wait for
cassandra
role to be created by CassandraRoleManager by periodically doing select with CL ONE and only after such user is created we proceed with the authentication against LDAP and create LDAP "super user".