Revert "HCD-82 Enables auth* classes configuration"

This reverts commit c28561f.

CHANGES.txt

@@ -1,7 +1,6 @@
 Future version (tbd)
  * Require only MODIFY permission on base when updating table with MV (STAR-564)
 Merged from 5.0:
- * Use ParameterizedClass for all auth-related implementations (CASSANDRA-19946 and partially CASSANDRA-18554)
  * Enables IAuthenticator's to return own AuthenticateMessage (CASSANDRA-19984)
  * Disable chronicle analytics (CASSANDRA-19656)
  * Remove mocking in InternalNodeProbe spying on StorageServiceMBean (CASSANDRA-18152)

conf/cassandra.yaml

@@ -127,10 +127,6 @@ batchlog_replay_throttle_in_kb: 1024
 # Authentication backend, implementing IAuthenticator; used to identify users
 # Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthenticator,
 # PasswordAuthenticator}.
-# Optional parameters can be specified in the form of:
-#   parameters:
-#    param_key1: param_value1
-#    ...
 #
 # - AllowAllAuthenticator performs no checks - set it to disable authentication.
 # - PasswordAuthenticator relies on username/password pairs to authenticate
@@ -142,10 +138,6 @@ authenticator: AllowAllAuthenticator
 # Authorization backend, implementing IAuthorizer; used to limit access/provide permissions
 # Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthorizer,
 # CassandraAuthorizer}.
-# Optional parameters can be specified in the form of:
-#   parameters:
-#    param_key1: param_value1
-#    ...
 #
 # - AllowAllAuthorizer allows any action to any user - set it to disable authorization.
 # - CassandraAuthorizer stores permissions in system_auth.role_permissions table. Please
@@ -158,10 +150,6 @@ authorizer: AllowAllAuthorizer
 # which stores role information in the system_auth keyspace. Most functions of the
 # IRoleManager require an authenticated login, so unless the configured IAuthenticator
 # actually implements authentication, most of this functionality will be unavailable.
-# Optional parameters can be specified in the form of:
-#   parameters:
-#    param_key1: param_value1
-#    ...
 #
 # - CassandraRoleManager stores role data in the system_auth keyspace. Please
 #   increase system_auth keyspace replication factor if you use this role manager.
@@ -171,10 +159,6 @@ role_manager: CassandraRoleManager
 # access to certain DCs
 # Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllNetworkAuthorizer,
 # CassandraNetworkAuthorizer}.
-# Optional parameters can be specified in the form of:
-#   parameters:
-#    param_key1: param_value1
-#    ...
 #
 # - AllowAllNetworkAuthorizer allows access to any DC to any user - set it to disable authorization.
 # - CassandraNetworkAuthorizer stores permissions in system_auth.network_permissions table. Please

src/java/org/apache/cassandra/auth/AuthConfig.java

@@ -18,15 +18,13 @@
 
 package org.apache.cassandra.auth;
 
-import java.util.List;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import org.apache.cassandra.config.Config;
 import org.apache.cassandra.config.DatabaseDescriptor;
-import org.apache.cassandra.config.ParameterizedClass;
 import org.apache.cassandra.exceptions.ConfigurationException;
+import org.apache.cassandra.utils.FBUtilities;
 
 /**
  * Only purpose is to Initialize authentication/authorization via {@link #applyAuth()}.
@@ -48,10 +46,11 @@ public static void applyAuth()
 
         Config conf = DatabaseDescriptor.getRawConfig();
 
+        IAuthenticator authenticator = new AllowAllAuthenticator();
 
-        /* Authentication, authorization and role management backend, implementing IAuthenticator, I*Authorizer & IRoleManager */
-
-        IAuthenticator authenticator = authInstantiate(conf.authenticator, AllowAllAuthenticator.class);
+        /* Authentication, authorization and role management backend, implementing IAuthenticator, IAuthorizer & IRoleMapper*/
+        if (conf.authenticator != null)
+            authenticator = FBUtilities.newAuthenticator(conf.authenticator);
 
         // the configuration options regarding credentials caching are only guaranteed to
         // work with PasswordAuthenticator, so log a message if some other authenticator
@@ -70,16 +69,23 @@ public static void applyAuth()
 
         // authorizer
 
-        IAuthorizer authorizer = authInstantiate(conf.authorizer, AllowAllAuthorizer.class);
+        IAuthorizer authorizer = new AllowAllAuthorizer();
+
+        if (conf.authorizer != null)
+            authorizer = FBUtilities.newAuthorizer(conf.authorizer);
 
         if (!authenticator.requireAuthentication() && authorizer.requireAuthorization())
-            throw new ConfigurationException(conf.authenticator.class_name + " can't be used with " + conf.authorizer, false);
+            throw new ConfigurationException(conf.authenticator + " can't be used with " + conf.authorizer, false);
 
         DatabaseDescriptor.setAuthorizer(authorizer);
 
         // role manager
 
-        IRoleManager roleManager = authInstantiate(conf.role_manager, CassandraRoleManager.class);
+        IRoleManager roleManager;
+        if (conf.role_manager != null)
+            roleManager = FBUtilities.newRoleManager(conf.role_manager);
+        else
+            roleManager = new CassandraRoleManager();
 
         if (authenticator instanceof PasswordAuthenticator && !(roleManager instanceof CassandraRoleManager))
             throw new ConfigurationException("CassandraRoleManager must be used with PasswordAuthenticator", false);
@@ -88,18 +94,15 @@ public static void applyAuth()
 
         // authenticator
 
-        IInternodeAuthenticator internodeAuthenticator = authInstantiate(conf.internode_authenticator,
-                                                                         AllowAllInternodeAuthenticator.class);
-        DatabaseDescriptor.setInternodeAuthenticator(internodeAuthenticator);
+        if (conf.internode_authenticator != null)
+            DatabaseDescriptor.setInternodeAuthenticator(FBUtilities.construct(conf.internode_authenticator, "internode_authenticator"));
 
         // network authorizer
-
-        INetworkAuthorizer networkAuthorizer = authInstantiate(conf.network_authorizer, AllowAllNetworkAuthorizer.class);
+        INetworkAuthorizer networkAuthorizer = FBUtilities.newNetworkAuthorizer(conf.network_authorizer);
         DatabaseDescriptor.setNetworkAuthorizer(networkAuthorizer);
-
         if (networkAuthorizer.requireAuthorization() && !authenticator.requireAuthentication())
         {
-            throw new ConfigurationException(conf.network_authorizer + " can't be used with " + conf.authenticator.class_name, false);
+            throw new ConfigurationException(conf.network_authorizer + " can't be used with " + conf.authenticator, false);
         }
 
         // Validate at last to have authenticator, authorizer, role-manager and internode-auth setup
@@ -111,21 +114,4 @@ public static void applyAuth()
         networkAuthorizer.validateConfiguration();
         DatabaseDescriptor.getInternodeAuthenticator().validateConfiguration();
     }
-
-    private static <T> T authInstantiate(ParameterizedClass authCls, Class<T> defaultCls) {
-        if (authCls != null && authCls.class_name != null)
-        {
-            String authPackage = AuthConfig.class.getPackage().getName();
-            return ParameterizedClass.newInstance(authCls, List.of("", authPackage));
-        }
-
-        try
-        {
-            return defaultCls.newInstance();
-        }
-        catch (InstantiationException | IllegalAccessException  e)
-        {
-            throw new ConfigurationException("Failed to instantiate " + defaultCls.getName(), e);
-        }
-    }
 }

src/java/org/apache/cassandra/auth/PasswordAuthenticator.java

@@ -23,7 +23,6 @@
 import java.util.Map;
 import java.util.Set;
 
-import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Lists;
 import org.slf4j.Logger;
@@ -172,8 +171,7 @@ private static SelectStatement prepare(String query)
         return (SelectStatement) QueryProcessor.getStatement(query, ClientState.forInternalCalls());
     }
 
-    @VisibleForTesting
-    class PlainTextSaslAuthenticator implements SaslNegotiator
+    private class PlainTextSaslAuthenticator implements SaslNegotiator
     {
         private boolean complete = false;
         private String username;

src/java/org/apache/cassandra/config/Config.java

@@ -54,10 +54,10 @@ public class Config
     public static final String PROPERTY_PREFIX = "cassandra.";
 
     public String cluster_name = "Test Cluster";
-    public ParameterizedClass authenticator;
-    public ParameterizedClass authorizer;
-    public ParameterizedClass role_manager;
-    public ParameterizedClass network_authorizer;
+    public String authenticator;
+    public String authorizer;
+    public String role_manager;
+    public String network_authorizer;
     public volatile int permissions_validity_in_ms = 2000;
     public volatile int permissions_cache_max_entries = 1000;
     public volatile int permissions_update_interval_in_ms = -1;
@@ -158,7 +158,7 @@ public class Config
     public boolean listen_interface_prefer_ipv6 = false;
     public String broadcast_address;
     public boolean listen_on_broadcast_address = false;
-    public ParameterizedClass internode_authenticator;
+    public String internode_authenticator;
 
     /*
      * RPC address and interface refer to the address/interface used for the native protocol used to communicate with

src/java/org/apache/cassandra/config/ParameterizedClass.java

@@ -17,15 +17,11 @@
  */
 package org.apache.cassandra.config;
 
-import java.lang.reflect.Constructor;
-import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 
 import com.google.common.base.Objects;
 
-import org.apache.cassandra.exceptions.ConfigurationException;
-
 public class ParameterizedClass
 {
     public static final String CLASS_NAME = "class_name";
@@ -39,12 +35,6 @@ public ParameterizedClass()
         // for snakeyaml
     }
 
-    public ParameterizedClass(String class_name)
-    {
-        this.class_name = class_name;
-        this.parameters = Collections.emptyMap();
-    }
-
     public ParameterizedClass(String class_name, Map<String, String> parameters)
     {
         this.class_name = class_name;
@@ -58,46 +48,6 @@ public ParameterizedClass(Map<String, ?> p)
              p.containsKey(PARAMETERS) ? (Map<String, String>)((List<?>)p.get(PARAMETERS)).get(0) : null);
     }
 
-    static public <K> K newInstance(ParameterizedClass parameterizedClass, List<String> searchPackages)
-    {
-        Exception last = null;
-        if (searchPackages == null || searchPackages.isEmpty())
-            searchPackages = Collections.singletonList("");
-        for (String searchPackage : searchPackages)
-        {
-            try
-            {
-                if (!searchPackage.isEmpty() && !searchPackage.endsWith("."))
-                    searchPackage = searchPackage + '.';
-                String name = searchPackage + parameterizedClass.class_name;
-                Class<?> providerClass = Class.forName(name);
-                try
-                {
-                    Constructor<?> constructor = providerClass.getConstructor(Map.class);
-                    K instance = (K) constructor.newInstance(parameterizedClass.parameters);
-                    return instance;
-                }
-                catch (Exception constructorEx)
-                {
-                    //no-op
-                }
-                // fallback to no arg constructor if no params present
-                if (parameterizedClass.parameters == null || parameterizedClass.parameters.isEmpty())
-                {
-                    Constructor<?> constructor = providerClass.getConstructor();
-                    K instance = (K) constructor.newInstance();
-                    return instance;
-                }
-            }
-            // there are about 5 checked exceptions that could be thrown here.
-            catch (Exception e)
-            {
-                last = e;
-            }
-        }
-        throw new ConfigurationException("Unable to create parameterized class " + parameterizedClass.class_name, last);
-    }
-
     @Override
     public boolean equals(Object that)
     {

src/java/org/apache/cassandra/utils/FBUtilities.java

@@ -72,6 +72,11 @@
 import com.fasterxml.jackson.core.JsonFactory;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.apache.cassandra.audit.IAuditLogger;
+import org.apache.cassandra.auth.AllowAllNetworkAuthorizer;
+import org.apache.cassandra.auth.IAuthenticator;
+import org.apache.cassandra.auth.IAuthorizer;
+import org.apache.cassandra.auth.INetworkAuthorizer;
+import org.apache.cassandra.auth.IRoleManager;
 import org.apache.cassandra.config.DatabaseDescriptor;
 import org.apache.cassandra.db.DecoratedKey;
 import org.apache.cassandra.db.SerializationHeader;
@@ -707,6 +712,40 @@ static IPartitioner newPartitioner(String partitionerClassName, Optional<Abstrac
         return FBUtilities.instanceOrConstruct(partitionerClassName, "partitioner");
     }
 
+    public static IAuthorizer newAuthorizer(String className) throws ConfigurationException
+    {
+        if (!className.contains("."))
+            className = "org.apache.cassandra.auth." + className;
+        return FBUtilities.construct(className, "authorizer");
+    }
+
+    public static IAuthenticator newAuthenticator(String className) throws ConfigurationException
+    {
+        if (!className.contains("."))
+            className = "org.apache.cassandra.auth." + className;
+        return FBUtilities.construct(className, "authenticator");
+    }
+
+    public static IRoleManager newRoleManager(String className) throws ConfigurationException
+    {
+        if (!className.contains("."))
+            className = "org.apache.cassandra.auth." + className;
+        return FBUtilities.construct(className, "role manager");
+    }
+
+    public static INetworkAuthorizer newNetworkAuthorizer(String className)
+    {
+        if (className == null)
+        {
+            return new AllowAllNetworkAuthorizer();
+        }
+        if (!className.contains("."))
+        {
+            className = "org.apache.cassandra.auth." + className;
+        }
+        return FBUtilities.construct(className, "network authorizer");
+    }
+
     public static IAuditLogger newAuditLogger(String className, Map<String, String> parameters) throws ConfigurationException
     {
         if (!className.contains("."))

test/unit/org/apache/cassandra/audit/AuditLoggerAuthTest.java

@@ -67,9 +67,9 @@ public class AuditLoggerAuthTest
     public static void setup() throws Exception
     {
         OverrideConfigurationLoader.override((config) -> {
-            config.authenticator = new ParameterizedClass("PasswordAuthenticator");
-            config.role_manager = new ParameterizedClass("CassandraRoleManager");
-            config.authorizer = new ParameterizedClass("CassandraAuthorizer");
+            config.authenticator = "PasswordAuthenticator";
+            config.role_manager = "CassandraRoleManager";
+            config.authorizer = "CassandraAuthorizer";
             config.audit_logging_options.enabled = true;
             config.audit_logging_options.logger = new ParameterizedClass("InMemoryAuditLogger", null);
         });

test/unit/org/apache/cassandra/transport/CQLUserAuditTest.java

@@ -63,8 +63,8 @@ public class CQLUserAuditTest
     public static void setup() throws Exception
     {
         OverrideConfigurationLoader.override((config) -> {
-            config.authenticator = new ParameterizedClass("PasswordAuthenticator");
-            config.role_manager = new ParameterizedClass("CassandraRoleManager");
+            config.authenticator = "PasswordAuthenticator";
+            config.role_manager = "CassandraRoleManager";
             config.diagnostic_events_enabled = true;
             config.audit_logging_options.enabled = true;
             config.audit_logging_options.logger = new ParameterizedClass("DiagnosticEventAuditLogger", null);