Andy Tolbert last 3 years


 16 Collaborator
Brandon Williams, Mick Semb Wever, Štefan Miklošovič, Francisco Guerrero, Bret McGuire, Jon Meredith, Dinesh Joshi, Ariel Weisberg, Chris Lohfink, Alexandre Dutra, Abe Ratnofsky, Jyothsna Konisa, Lukasz Antoniak, Tiago Alves, Jason Koch, Christian Aistleitner

 7 Patch  8 Review
8ebcd9f85afb548f38e953fb1190d9ff04d8df5a | Author: Abe Ratnofsky <abe@aber.io>
 | 2024-10-15 19:24:00-04:00

    Fix DefaultSslEngineFactory missing null check on close
    
    patch by Abe Ratnofsky; reviewed by Andy Tolbert and Chris Lohfink for CASSANDRA-20001

50d94f4b462b7a3c4415cf508d6a8eff7bd5d32f | Author: Tiago Alves <tiago.alves@datastax.com>
 | 2024-10-07 10:56:46+01:00

    Enables IAuthenticator's to return own AuthenticateMessage
    
    Allows custom implementations of IAuthenticator to return their own
    AuthenticateMessage based on ClientState information.
    
    ClientState contains information about driver's name and version which
    could be used to determine the contents of the AuthenticateMessage that
    is sent back to the clients. This enables, for instance, returning
    driver's known authenticator implementations (e.g. DseAuthenticator)
    which enables SASL negotiation.
    
    patch by Tiago Alves; reviewed by Mick Semb Wever, Andy Tolbert for CASSANDRA-19984

f98e3433b91b49e0facfbce8e94e01e304714968 | Author: absurdfarce <absurdfarce@apache.org>
 | 2024-10-02 18:04:19-05:00

    Query builder support for NOT CQL syntax
    
    patch by Bret McGuire; reviewed by Bret McGuire and Andy Tolbert for CASSANDRA-19930

f9b495bceaff82f2d0a05e6cb88f2b454ac8e0a4 | Author: Andy Tolbert <6889771+tolbertam@users.noreply.github.com>
 | 2024-08-25 19:53:09-05:00

    Regenerate testdata/pki and include script for regenerating
    
    The existing certificates in testdata/pki expire on September 16 2024.
    
    This commit includes a 'generate_certs.sh' script for regenerating
    private keys and certificates as needed.
    
    As I couldn't find the original steps used to generate these, it's
    possible these certificates are generated differently, but they are
    done in a nominal way.
    
    One slight deviation from the original certificates is that I have
    opted to use PKCS12 format instead of the proprietary java JKS format
    for the .truststore and .keystore file.  The cassandra and gocql
    certificates also embed a spiffe in the SAN so they can eventually
    be used for mTLS authentication testing.
    
    patch by Andy Tolbert; reviewed by Bret McGuire for CASSANDRA-19862

445d97428fb6eb28de06a06e24743caf4c479270 | Author: Andy Tolbert <6889771+tolbertam@users.noreply.github.com>
 | 2024-08-22 22:49:15-05:00

    Don't restrict server authenticator in PasswordAuthenticator
    
    Currently gocql will only allow authenticating with authenticators
    defined in defaultApprovedAuthenticators in conn.go.
    
    There have been multiple occurrences of implementers needing to update
    this list, either when a vendor would like to add their authenticator,
    or a new authenticator being added.
    
    It would probably reduce friction to just accept any authenticator
    provided by the server. From what I know, other drivers behave in this
    way.
    
    If a user wanted to restrict this, they could use the existing
    configuration PasswordAuthenticator.AllowedAuthenticators.
    
    patch by Andy Tolbert; reviewed by Joao Reis, Lukasz Antoniak for CASSGO-19

6d3ba47631ebde78460168a2d33c4facde0bd731 | Author: Jason Koch <jkoch@netflix.com>
 | 2024-08-12 22:52:13-07:00

    Reduce lock held duration in ConcurrencyLimitingRequestThrottler
    
    It might take some (small) time for callback handling when the
    throttler request proceeds to submission.
    
    Before this change, the throttler proceed request will happen while
    holding the lock, preventing other tasks from proceeding when there is
    spare capacity and even preventing tasks from enqueuing until the
    callback completes.
    
    By tracking the expected outcome, we can perform the callback outside
    of the lock. This means that request registration and submission can
    proceed even when a long callback is being processed.
    
    patch by Jason Koch; Reviewed by Andy Tolbert and Chris Lohfink for CASSANDRA-19922

25291ff3fd99f92cdb0a7d5d2125442282d42ff8 | Author: Francisco Guerrero <frank.guerrero@gmail.com>
 | 2024-07-22 10:56:21-07:00

    Allow configuring log format for Audit Logs
    
    patch by Francisco Guerrero; reviewed by Stefan Miklosovic, Andy Tolbert for CASSANDRA-19792

a40e7587b175cc198fb533eadabd31e94f837369 | Author: Christian Aistleitner <christian.aistleitner@outlook.com>
 | 2024-06-06 09:14:16+02:00

    Fix uncaught exception during graceful channel shutdown
    
    after exceeding max orphan ids
    
    patch by Christian Aistleitner; reviewed by Andy Tolbert, and Bret McGuire for #1938

432e107bc6a2dda19385b7c423d2768e3a879965 | Author: Lukasz Antoniak <Lukasz.Antoniak@gmail.com>
 | 2024-05-16 14:13:05+02:00

    CASSANDRA-19635: Run integration tests with C* 5.x
    
    patch by Lukasz Antoniak; reviewed by Andy Tolbert, and Bret McGuire for CASSANDRA-19635

a0af41f666c23a840d9df3f06729ed5fd2c06cd1 | Author: Francisco Guerrero <frank.guerrero@gmail.com>
 | 2024-02-15 13:19:28-08:00

    CASSANDRA-18951: Add option for MutualTlsAuthenticator to restrict the certificate validity period
    
    In this commit, we introduce two new optional options for the `server_encryption_options`
    and the `client_encryption_options`. The options are `max_certificate_validity_period` and
    `certificate_validity_warn_threshold`. Both options can be configured as a duration
    configuration parameter as defined by the `DurationSpec` (see CASSANDRA-15234). The resolution
    for these new properties is minutes.
    
    When specified, the certificate validation implementation will take that information
    and reject certificates that are older than the maximum allowed certificate validity period,
    translating into a rejection from the authenticating user.
    
    The `certificate_validity_warn_threshold` option can be configured to emit warnings (log entries)
    when the certificate exceeds the validity threshold.
    
    patch by Francisco Guerrero; reviewed by Andy Tolbert, Abe Ratnofsky, Dinesh Joshi for CASSANDRA-18951

4120b8ce4f1bc7bd7ce101e4e298fc2211a21fe0 | Author: Andy Tolbert <6889771+tolbertam@users.noreply.github.com>
 | 2024-01-31 11:06:59-06:00

    Expose auth mode in system_views.clients, nodetool clientstats, metrics
    
    Adds 'authenticationMode' and 'metadata' fields to AuthenticatedUser to add context
    about how the user was authenticated and updates system_views.clients,
    nodetool clientstats (behind --verbose flag) to include this information.
    
    Also adds new metrics to ClientMetrics to help operators identify which
    authentication modes are being used.
    
    patch by Andy Tolbert; reviewed by Francisco Guerrero, Stefan Miklosovic for CASSANDRA-19366

c09d0d929baeaa02f3438313c7979ccf6b4b3c5a | Author: Andy Tolbert <andy_tolbert@apple.com>
 | 2024-01-30 16:41:54-08:00

    Allow CQL client certificate authentication to work without sending an AUTHENTICATE request
    
    patch by Andy Tolbert; reviewed by Abe Ratnofsky, Dinesh Joshi, Francisco Guerrero, Jyothsna Konisa for CASSANDRA-18857

4c7133c72e136d23dbcea795e0041df764568931 | Author: Andy Tolbert <6889771+tolbertam@users.noreply.github.com>
 | 2024-01-23 10:21:02-06:00

    Replace uses of AttributeKey.newInstance
    
    The java driver uses netty channel attributes to decorate a
    connection's channel with the cluster name (returned from
    the system.local table) and the map from the OPTIONS response, both
    of which are obtained on connection initialization.
    
    There's an issue here that I wouldn't expect to see in practice in
    that the AttributeKey's used are created using
    AttributeKey.newInstance, which throws an exception if an
    AttributeKey of that name is defined anywhere else in evaluated code.
    
    This change attempts to resolve this issue by changing AttributeKey
    initialization in DriverChannel from newInstance to valueOf, which avoids
    throwing an exception if an AttributeKey of the same name was previously
    instantiated.
    
    patch by Andy Tolbert; reviewed by Bret McGuire, Alexandre Dutra, Abe Ratnofsky for CASSANDRA-19290

b47bee42d3b15020fbae72b173e873fa57c8e0c8 | Author: Andy Tolbert <6889771+tolbertam@users.noreply.github.com>
 | 2023-08-18 09:33:57-05:00

    Allow empty keystore_password in encryption_options
    
    patch by Andy Tolbert; reviewed by Jon Meredith and Stefan Miklosovic for CASSANDRA-18778

3bdd2caa22a0413929188536b41d8117177574fa | Author: Andy Tolbert <6889771+tolbertam@users.noreply.github.com>
 | 2022-10-06 14:04:38-04:00

    Fix StorageService.getNativeaddress handling of IPv6 addresses
    
    StorageService.getNativeaddress does not currently handle
    IPv6 addresses correctly when NATIVE_ADDRESS_AND_PORT are not present in
    that it simply concatenates the IP address with the default native port,
    e.g.:
    
    0:0:0:0:0:0:5a:3:9042
    
    This does not parse into an InetSocketAddress as the address and port
    can't be disambiguated.
    
    Such a case would usually be present when there are 3.x nodes present in a
    cluster with 4.0 nodes.
    
    Change updates RPC_ADDRESS and else case to create InetAddressAndPort instances
    with DatabaseDescriptor.getNativeTransportPort and returns the
    getHostAddress(withPort) which properly bracket encodes the address,
    e.g.:
    
    [0:0:0:0:0:0:5a:3]:9042
    
    which can be parsed as an InetSocketAddress.
    
    patch by Andy Tolbert; reviewed by Ariel Weisberg, Brandon Williams for CASSANDRA-17945