Currently, the implementation works in such way that if this plugin is on the class path and configured properly and Cassandra starts, default Cassandra user is created. The actual creation is done in CassandraRoleManager#setupDefaultRole and it is a task which is scheduled as part of CassandraRoleManager#setup. There is not deterministic resolution as when cassandra user is created hence if it happens that LDAPAuthenticator#setup is run first (the order is nicely visible in StorageService#doAuthSetup), the subsequent check in CassandraRoleManager#hasExistingRoles returns true, because the last condition where we check there is at least one role present is fulfilled and thats because LDAPAuthenticator did it in the meanwhile. So no cassandra user is created.
The behaviour in the above paragraph is wrong. There should be cassandra user created too but not utilised but ready to be authenticated against.
Default cassandra user is created as a side-effect by trying to login on ClientState in setup() method of our impl but that will internally call queries which use QUORUM and it fails e.g in situations when more then quorum nodes are down and we do not use NTS in a cluster which renders cluster unusable.
One possible solution is to wait in a loop and we wait for cassandra role to be created by CassandraRoleManager by periodically doing select with CL ONE and only after such user is created we proceed with the authentication against LDAP and create LDAP "super user".
smiklosovic
commented
5 years ago
Currently, the implementation works in such way that if this plugin is on the class path and configured properly and Cassandra starts, default Cassandra user is created. The actual creation is done in
CassandraRoleManager#setupDefaultRoleand it is a task which is scheduled as part ofCassandraRoleManager#setup. There is not deterministic resolution as whencassandrauser is created hence if it happens thatLDAPAuthenticator#setupis run first (the order is nicely visible inStorageService#doAuthSetup), the subsequent check inCassandraRoleManager#hasExistingRolesreturns true, because the last condition where we check there is at least one role present is fulfilled and thats because LDAPAuthenticator did it in the meanwhile. So no cassandra user is created.The behaviour in the above paragraph is wrong. There should be
cassandrauser created too but not utilised but ready to be authenticated against.Default
cassandrauser is created as a side-effect by trying to login onClientStateinsetup()method of our impl but that will internally call queries which use QUORUM and it fails e.g in situations when more then quorum nodes are down and we do not use NTS in a cluster which renders cluster unusable.One possible solution is to wait in a loop and we wait for
cassandrarole to be created by CassandraRoleManager by periodically doing select with CL ONE and only after such user is created we proceed with the authentication against LDAP and create LDAP "super user".