Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix #3102: add authentication cache #3161

Merged
merged 5 commits into from
Jun 30, 2015
Merged

fix #3102: add authentication cache #3161

merged 5 commits into from
Jun 30, 2015

Conversation

dgnorton
Copy link
Contributor

No description provided.

otoolep
otoolep reviewed Jun 26, 2015
View reviewed changes
influxql/parser.go
@@ -94,7 +94,7 @@ func (p *Parser) ParseStatement() (Statement, error) {
case ALTER:
return p.parseAlterStatement()
case SET:
return p.parseSetStatement()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this because the only use of SET in our system is for setting a password?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I changed the name of the function to match the pattern we use for all the other parse... functions.

@otoolep
Copy link
Contributor

otoolep commented Jun 26, 2015

+1, makes sense to me. We'll want this cherry-picked to the 0.9.1 branch too.

If there is already a test for altering and dropping a user, and ensuring he or she can't still authenticate (to ensure cache is cleared), we should be good.

pauldix
pauldix reviewed Jun 26, 2015
View reviewed changes
meta/store.go
@@ -980,11 +984,18 @@ func (s *Store) Authenticate(username, password string) (ui *UserInfo, err error
return ErrUserNotFound
}

// Check the local auth cache first.
if p, ok := s.authCache[username]; ok && p == password {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should change this. if it's ok but p != password we should return an authentication error rather than doing the bcrypt. Means that someone could easily DDOS an InfluxDB server with bad auth info

@pauldix pauldix mentioned this pull request Jun 26, 2015
Closed
otoolep
otoolep reviewed Jun 26, 2015
View reviewed changes
meta/store.go
@@ -96,6 +96,9 @@ type Store struct {
// The amount of time without an apply before sending a heartbeat.
CommitTimeout time.Duration

// Authentication cache.
authCache map[string]string
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically speaking, I think this also needs synchronization. The code which checks the cache could run in a different goroutine than that which process DROP or `ALTER'.

@otoolep
Copy link
Contributor

otoolep commented Jun 29, 2015

+1, thanks for the tests.

I presume you will cherry-pick this over to the 0.9.1 branch.

jwilder
jwilder reviewed Jun 30, 2015
View reviewed changes
meta/store.go

// GetHashPasswordFn returns the current password hashing function.
func (s *Store) GetHashPasswordFn() HashPasswordFn {
s.mu.Lock()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could probably use a read-lock here.

@jwilder jwilder force-pushed the auth-cache-3102 branch 2 times, most recently from 821202f to e0a472b Compare June 30, 2015 22:16
@otoolep
Copy link
Contributor

otoolep commented Jun 30, 2015

+1, as long as the calls to delete take place holding the same RWLock.

@jwilder
Copy link
Contributor

jwilder commented Jun 30, 2015

Takes them here: https://github.com/influxdb/influxdb/blob/master/meta/store.go#L1315

otoolep added a commit that referenced this pull request Jun 30, 2015
@otoolep
Merge pull request #3161 from influxdb/auth-cache-3102
ca417e1 
fix #3102: add authentication cache
@otoolep otoolep merged commit ca417e1 into master Jun 30, 2015
@otoolep
Copy link
Contributor

otoolep commented Jun 30, 2015

Cherry-picked to 0.9.1

@jwilder jwilder mentioned this pull request Jun 30, 2015
Merged
@pauldix pauldix mentioned this pull request Jul 2, 2015
Closed
@jwilder jwilder deleted the auth-cache-3102 branch July 23, 2015 16:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dgnorton @otoolep @jwilder @pauldix