/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.cassandra.auth;
import java.net.InetAddress;
import java.util.Map;
import java.util.Set;
import org.apache.cassandra.exceptions.AuthenticationException;
import org.apache.cassandra.exceptions.ConfigurationException;
public interface IAuthenticator
{
/**
* Whether or not the authenticator requires explicit login.
* If false will instantiate user with AuthenticatedUser.ANONYMOUS_USER.
*/
boolean requireAuthentication();
/**
* Set of resources that should be made inaccessible to users and only accessible internally.
*
* @return Keyspaces, column families that will be unmodifiable by users; other resources.
*/
Set<? extends IResource> protectedResources();
/**
* Validates configuration of IAuthenticator implementation (if configurable).
*
* @throws ConfigurationException when there is a configuration error.
*/
void validateConfiguration() throws ConfigurationException;
/**
* Setup is called once upon system startup to initialize the IAuthenticator.
*
* For example, use this method to create any required keyspaces/column families.
*/
void setup();
/**
* Provide a SASL handler to perform authentication for an single connection. SASL
* is a stateful protocol, so a new instance must be used for each authentication
* attempt.
* @param clientAddress the IP address of the client whom we wish to authenticate, or null
* if an internal client (one not connected over the remote transport).
* @return org.apache.cassandra.auth.IAuthenticator.SaslNegotiator implementation
* (see {@link org.apache.cassandra.auth.PasswordAuthenticator.PlainTextSaslAuthenticator})
*/
SaslNegotiator newSaslNegotiator(InetAddress clientAddress);
/**
* A legacy method that is still used by JMX authentication.
*
* You should implement this for having JMX authentication through your
* authenticator.
*
* Should never return null - always throw AuthenticationException instead.
* Returning AuthenticatedUser.ANONYMOUS_USER is an option as well if authentication is not required.
*
* @param credentials implementation specific key/value pairs
* @return non-null representation of the authenticated subject
* @throws AuthenticationException
*/
AuthenticatedUser legacyAuthenticate(Map<String, String> credentials) throws AuthenticationException;
/**
* Performs the actual SASL negotiation for a single authentication attempt.
* SASL is stateful, so a new instance should be used for each attempt.
* Non-trivial implementations may delegate to an instance of {@link javax.security.sasl.SaslServer}
*/
public interface SaslNegotiator
{
/**
* Evaluates the client response data and generates a byte[] reply which may be a further challenge or purely
* informational in the case that the negotiation is completed on this round.
*
* This method is called each time a {@link org.apache.cassandra.transport.messages.AuthResponse} is received
* from a client. After it is called, {@link isComplete()} is checked to determine whether the negotiation has
* finished. If so, an AuthenticatedUser is obtained by calling {@link getAuthenticatedUser()} and that user
* associated with the active connection and the byte[] sent back to the client via an
* {@link org.apache.cassandra.transport.messages.AuthSuccess} message. If the negotiation is not yet complete,
* the byte[] is returned to the client as a further challenge in an
* {@link org.apache.cassandra.transport.messages.AuthChallenge} message. This continues until the negotiation
* does complete or an error is encountered.
*
* @param clientResponse The non-null (but possibly empty) response sent by the client
* @return The possibly null response to send to the client.
* @throws AuthenticationException
* see {@link javax.security.sasl.SaslServer#evaluateResponse(byte[])}
*/
public byte[] evaluateResponse(byte[] clientResponse) throws AuthenticationException;
/**
* Called after each invocation of {@link evaluateResponse(byte[])} to determine whether the authentication has
* completed successfully or should be continued.
*
* @return true if the authentication exchange has completed; false otherwise.
* see {@link javax.security.sasl.SaslServer#isComplete()}
*/
public boolean isComplete();
/**
* Following a sucessful negotiation, get the AuthenticatedUser representing the logged in subject.
* This method should only be called if {@link isComplete()} returns true.
* Should never return null - always throw AuthenticationException instead.
* Returning AuthenticatedUser.ANONYMOUS_USER is an option if authentication is not required.
*
* @return non-null representation of the authenticated subject
* @throws AuthenticationException
*/
public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException;
}
}