Repository: cassandra Updated Branches: refs/heads/trunk 91e64231e -> 217721ae9
http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/GrantPermissionsStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/GrantPermissionsStatement.java b/src/java/org/apache/cassandra/cql3/statements/GrantPermissionsStatement.java
new file mode 100644
index 0000000..06a53e2
--- /dev/null
+++ b/src/java/org/apache/cassandra/cql3/statements/GrantPermissionsStatement.java
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.cassandra.cql3.statements;
+
+import java.util.Set;
+
+import org.apache.cassandra.auth.IResource;
+import org.apache.cassandra.auth.Permission;
+import org.apache.cassandra.config.DatabaseDescriptor;
+import org.apache.cassandra.cql3.RoleName;
+import org.apache.cassandra.exceptions.RequestExecutionException;
+import org.apache.cassandra.exceptions.RequestValidationException;
+import org.apache.cassandra.service.ClientState;
+import org.apache.cassandra.transport.messages.ResultMessage;
+
+public class GrantPermissionsStatement extends PermissionsManagementStatement
+{
+ public GrantPermissionsStatement(Set<Permission> permissions, IResource resource, RoleName grantee)
+ {
+ super(permissions, resource, grantee);
+ }
+
+ public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException
+ {
+ DatabaseDescriptor.getAuthorizer().grant(state.getUser(), permissions, resource, grantee);
+ return null;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/GrantStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/GrantStatement.java b/src/java/org/apache/cassandra/cql3/statements/GrantStatement.java
deleted file mode 100644
index 561fee6..0000000
--- a/src/java/org/apache/cassandra/cql3/statements/GrantStatement.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.cassandra.cql3.statements;
-
-import java.util.Set;
-
-import org.apache.cassandra.auth.DataResource;
-import org.apache.cassandra.auth.Permission;
-import org.apache.cassandra.config.DatabaseDescriptor;
-import org.apache.cassandra.cql3.RoleName;
-import org.apache.cassandra.exceptions.RequestExecutionException;
-import org.apache.cassandra.exceptions.RequestValidationException;
-import org.apache.cassandra.service.ClientState;
-import org.apache.cassandra.transport.messages.ResultMessage;
-
-public class GrantStatement extends PermissionAlteringStatement
-{
- public GrantStatement(Set<Permission> permissions, DataResource resource, RoleName grantee)
- {
- super(permissions, resource, grantee);
- }
-
- public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException
- {
- DatabaseDescriptor.getAuthorizer().grant(state.getUser(), permissions, resource, grantee);
- return null;
- }
-}
http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/ListPermissionsStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/ListPermissionsStatement.java b/src/java/org/apache/cassandra/cql3/statements/ListPermissionsStatement.java
index d5b7e13..375d160 100644
--- a/src/java/org/apache/cassandra/cql3/statements/ListPermissionsStatement.java
+++ b/src/java/org/apache/cassandra/cql3/statements/ListPermissionsStatement.java
@@ -47,16 +47,16 @@ public class ListPermissionsStatement extends AuthorizationStatement
 }
 protected final Set<Permission> permissions;
- protected DataResource resource;
+ protected IResource resource;
 protected final boolean recursive;
- private final String grantee;
+ private final RoleResource grantee;
- public ListPermissionsStatement(Set<Permission> permissions, DataResource resource, RoleName grantee, boolean recursive)
+ public ListPermissionsStatement(Set<Permission> permissions, IResource resource, RoleName grantee, boolean recursive)
 {
 this.permissions = permissions;
 this.resource = resource;
 this.recursive = recursive;
- this.grantee = grantee.getName();
+ this.grantee = grantee.hasName()? RoleResource.role(grantee.getName()) : null;
 }
 public void validate(ClientState state) throws RequestValidationException
http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/ListRolesStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/ListRolesStatement.java b/src/java/org/apache/cassandra/cql3/statements/ListRolesStatement.java
index 4ca9aeb..24071b0 100644
--- a/src/java/org/apache/cassandra/cql3/statements/ListRolesStatement.java
+++ b/src/java/org/apache/cassandra/cql3/statements/ListRolesStatement.java
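Review bot: The ternary in the ListPermissionsStatement constructor, `this.grantee = grantee.hasName()? RoleResource.role(grantee.getName()) : null;`, is missing the space before `?` that the identical expression in ListRolesStatement's constructor in this same commit has; `this.grantee = grantee.hasName() ? RoleResource.role(grantee.getName()) : null;` keeps the two consistent. The `grantee` field is now nullable and nothing on its declaration says so; a field comment such as `// null when the statement named no role` tells readers of validate() and execute(), which lie outside this hunk, that the absent case has to be handled. The class body continues past the end of the hunk.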
@@ -24,8 +24,7 @@ import java.util.Set;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Lists;
-import org.apache.cassandra.auth.AuthKeyspace;
-import org.apache.cassandra.auth.IRoleManager;
+import org.apache.cassandra.auth.*;
 import org.apache.cassandra.config.DatabaseDescriptor;
 import org.apache.cassandra.cql3.*;
 import org.apache.cassandra.db.marshal.BooleanType;
@@ -45,7 +44,7 @@ public class ListRolesStatement extends AuthorizationStatement
 new ColumnSpecification(KS, CF, new ColumnIdentifier("super", true), BooleanType.instance),
 new ColumnSpecification(KS, CF, new ColumnIdentifier("login", true), BooleanType.instance));
- private final String grantee;
+ private final RoleResource grantee;
 private final boolean recursive;
 public ListRolesStatement()
@@ -55,7 +54,7 @@ public class ListRolesStatement extends AuthorizationStatement
 public ListRolesStatement(RoleName grantee, boolean recursive)
 {
- this.grantee = grantee.getName();
+ this.grantee = grantee.hasName() ? RoleResource.role(grantee.getName()) : null;
 this.recursive = recursive;
 }
@@ -73,7 +72,11 @@ public class ListRolesStatement extends AuthorizationStatement
 public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException
 {
- if (state.getUser().isSuper())
+ // If the executing user has DESCRIBE permission on the root roles resource, let them list any and all roles
+ boolean hasRootLevelSelect = DatabaseDescriptor.getAuthorizer()
+ .authorize(state.getUser(), RoleResource.root())
+ .contains(Permission.DESCRIBE);
+ if (hasRootLevelSelect)
 {
 if (grantee == null)
 return resultMessage(DatabaseDescriptor.getRoleManager().getAllRoles());
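Review bot: `hasRootLevelSelect` in the execute() hunk is named after SELECT while the value it holds is whether the authorizer's permission set for `RoleResource.root()` contains `Permission.DESCRIBE`, as the comment right above it also says; `boolean hasRootLevelDescribe = DatabaseDescriptor.getAuthorizer()` together with `if (hasRootLevelDescribe)` would stop the name contradicting the check. Since this replaces the old `isSuper()` gate, holding DESCRIBE on the root roles resource is now what entitles a role to enumerate every role in the cluster; that is presumably the intended model, and a sentence in the class Javadoc saying so would let operators understand what granting that permission means. The `execute` body continues in the next hunk.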
@@ -82,34 +85,35 @@ public class ListRolesStatement extends AuthorizationStatement
 }
 else
 {
+ RoleResource currentUser = RoleResource.role(state.getUser().getName());
 if (grantee == null)
- return resultMessage(DatabaseDescriptor.getRoleManager().getRoles(state.getUser().getName(), recursive));
- if (DatabaseDescriptor.getRoleManager().getRoles(state.getUser().getName(), true).contains(grantee))
+ return resultMessage(DatabaseDescriptor.getRoleManager().getRoles(currentUser, recursive));
+ if (DatabaseDescriptor.getRoleManager().getRoles(currentUser, true).contains(grantee))
 return resultMessage(DatabaseDescriptor.getRoleManager().getRoles(grantee, recursive));
 else
- throw new UnauthorizedException(String.format("You are not authorized to view roles granted to %s ", grantee));
+ throw new UnauthorizedException(String.format("You are not authorized to view roles granted to %s ", grantee.getRoleName()));
 }
 }
- private ResultMessage resultMessage(Set<String> roles)
+ private ResultMessage resultMessage(Set<RoleResource> roles)
 {
 if (roles.isEmpty())
 return new ResultMessage.Void();
- List<String> sorted = Lists.newArrayList(roles);
+ List<RoleResource> sorted = Lists.newArrayList(roles);
 Collections.sort(sorted);
 return formatResults(sorted);
 }
 // overridden in ListUsersStatement to include legacy metadata
- protected ResultMessage formatResults(List<String> sortedRoles)
+ protected ResultMessage formatResults(List<RoleResource> sortedRoles)
 {
 ResultSet result = new ResultSet(metadata);
 IRoleManager roleManager = DatabaseDescriptor.getRoleManager();
- for (String role : sortedRoles)
+ for (RoleResource role : sortedRoles)
 {
- result.addColumnValue(UTF8Type.instance.decompose(role));
+ result.addColumnValue(UTF8Type.instance.decompose(role.getRoleName()));
 result.addColumnValue(BooleanType.instance.decompose(roleManager.isSuper(role)));
 result.addColumnValue(BooleanType.instance.decompose(roleManager.canLogin(role)));
 }
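Review bot: `Collections.sort(sorted)` in resultMessage() now sorts a `List<RoleResource>`, which only compiles if `RoleResource` implements `Comparable<RoleResource>`; that class is not part of this diff, so confirm that it does and that its ordering is by role name, otherwise the listing order silently changes from the old `String` sort. In the same way, `getRoles(currentUser, true).contains(grantee)` in the non-privileged branch now relies on `RoleResource.equals` and `hashCode` rather than `String` equality, so two instances built from the same name must compare equal. A short comment on the `sorted` line, `// RoleResource ordering: by role name`, would make the assumption visible once it is confirmed.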
http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/ListUsersStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/ListUsersStatement.java b/src/java/org/apache/cassandra/cql3/statements/ListUsersStatement.java
index 0854166..3edf3a4 100644
--- a/src/java/org/apache/cassandra/cql3/statements/ListUsersStatement.java
+++ b/src/java/org/apache/cassandra/cql3/statements/ListUsersStatement.java
@@ -23,6 +23,7 @@ import com.google.common.collect.ImmutableList;
 import org.apache.cassandra.auth.AuthKeyspace;
 import org.apache.cassandra.auth.IRoleManager;
+import org.apache.cassandra.auth.RoleResource;
 import org.apache.cassandra.config.DatabaseDescriptor;
 import org.apache.cassandra.cql3.ColumnIdentifier;
 import org.apache.cassandra.cql3.ColumnSpecification;
@@ -42,16 +43,16 @@ public class ListUsersStatement extends ListRolesStatement
 new ColumnSpecification(KS, CF, new ColumnIdentifier("super", true), BooleanType.instance));
 @Override
- protected ResultMessage formatResults(List<String> sortedRoles)
+ protected ResultMessage formatResults(List<RoleResource> sortedRoles)
 {
 ResultSet result = new ResultSet(metadata);
 IRoleManager roleManager = DatabaseDescriptor.getRoleManager();
- for (String role : sortedRoles)
+ for (RoleResource role : sortedRoles)
 {
 if (!roleManager.canLogin(role))
 continue;
- result.addColumnValue(UTF8Type.instance.decompose(role));
+ result.addColumnValue(UTF8Type.instance.decompose(role.getRoleName()));
 result.addColumnValue(BooleanType.instance.decompose(roleManager.isSuper(role)));
 }
 return new ResultMessage.Rows(result);
http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/PermissionAlteringStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/PermissionAlteringStatement.java b/src/java/org/apache/cassandra/cql3/statements/PermissionAlteringStatement.java
deleted file mode 100644
index 44c9ea1..0000000
--- a/src/java/org/apache/cassandra/cql3/statements/PermissionAlteringStatement.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.cassandra.cql3.statements;
-
-import java.util.Set;
-
-import org.apache.cassandra.auth.DataResource;
-import org.apache.cassandra.auth.Permission;
-import org.apache.cassandra.config.DatabaseDescriptor;
-import org.apache.cassandra.cql3.RoleName;
-import org.apache.cassandra.exceptions.InvalidRequestException;
-import org.apache.cassandra.exceptions.RequestValidationException;
-import org.apache.cassandra.exceptions.UnauthorizedException;
-import org.apache.cassandra.service.ClientState;
-
-public abstract class PermissionAlteringStatement extends AuthorizationStatement
-{
- protected final Set<Permission> permissions;
- protected DataResource resource;
- protected final String grantee;
-
- protected PermissionAlteringStatement(Set<Permission> permissions, DataResource resource, RoleName grantee)
- {
- this.permissions = permissions;
- this.resource = resource;
- this.grantee = grantee.getName();
- }
-
- public void validate(ClientState state) throws RequestValidationException
- {
- // validate login here before checkAccess to avoid leaking user existence to anonymous users.
- state.ensureNotAnonymous();
-
- if (!DatabaseDescriptor.getRoleManager().isExistingRole(grantee))
- throw new InvalidRequestException(String.format("Role %s doesn't exist", grantee));
-
- // if a keyspace is omitted when GRANT/REVOKE ON TABLE <table>, we need to correct the resource.
- resource = maybeCorrectResource(resource, state);
- if (!resource.exists())
- throw new InvalidRequestException(String.format("Resource %s doesn't exist", resource));
- }
-
- public void checkAccess(ClientState state) throws UnauthorizedException
- {
- // check that the user has AUTHORIZE permission on the resource or its parents, otherwise reject GRANT/REVOKE.
- state.ensureHasPermission(Permission.AUTHORIZE, resource);
- // check that the user has [a single permission or all in case of ALL] on the resource or its parents.
- for (Permission p : permissions)
- state.ensureHasPermission(p, resource);
- }
-}
http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java b/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java
new file mode 100644
index 0000000..f360743
--- /dev/null
+++ b/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.cassandra.cql3.statements;
+
+import java.util.Set;
+
+import org.apache.cassandra.auth.IResource;
+import org.apache.cassandra.auth.Permission;
+import org.apache.cassandra.auth.RoleResource;
+import org.apache.cassandra.config.DatabaseDescriptor;
+import org.apache.cassandra.cql3.RoleName;
+import org.apache.cassandra.exceptions.InvalidRequestException;
+import org.apache.cassandra.exceptions.RequestValidationException;
+import org.apache.cassandra.exceptions.UnauthorizedException;
+import org.apache.cassandra.service.ClientState;
+
+public abstract class PermissionsManagementStatement extends AuthorizationStatement
+{
+ protected final Set<Permission> permissions;
+ protected IResource resource;
+ protected final RoleResource grantee;
+
+ protected PermissionsManagementStatement(Set<Permission> permissions, IResource resource, RoleName grantee)
+ {
+ this.permissions = permissions;
+ this.resource = resource;
+ this.grantee = RoleResource.role(grantee.getName());
+ }
+
+ public void validate(ClientState state) throws RequestValidationException
+ {
+ // validate login here before checkAccess to avoid leaking user existence to
anonymous users.
+ state.ensureNotAnonymous();
+
+ if (!DatabaseDescriptor.getRoleManager().isExistingRole(grantee))
+ throw new InvalidRequestException(String.format("Role %s doesn't exist", grantee.getRoleName()));
+
+ // if a keyspace is omitted when GRANT/REVOKE ON TABLE <table>, we need to correct the resource.
+ resource = maybeCorrectResource(resource, state);
+ if (!resource.exists())
+ throw new InvalidRequestException(String.format("Resource %s doesn't exist", resource));
+ }
+
+ public void checkAccess(ClientState state) throws UnauthorizedException
+ {
+ // check that the user has AUTHORIZE permission on the resource or its parents, otherwise reject GRANT/REVOKE.
+ state.ensureHasPermission(Permission.AUTHORIZE, resource);
+ // check that the user has [a single permission or all in case of ALL] on the resource or its parents.
+ for (Permission p : permissions)
+ state.ensureHasPermission(p, resource);
+ }
+}
http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/RevokePermissionsStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/RevokePermissionsStatement.java b/src/java/org/apache/cassandra/cql3/statements/RevokePermissionsStatement.java
new file mode 100644
index 0000000..9acc685
--- /dev/null
+++ b/src/java/org/apache/cassandra/cql3/statements/RevokePermissionsStatement.java
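Review bot: The comment in PermissionsManagementStatement.validate() says `state.ensureNotAnonymous()` is there to avoid leaking user existence, but the `isExistingRole(grantee)` check right after it throws a distinct `Role %s doesn't exist` message before any AUTHORIZE check is made in checkAccess(), so any authenticated role, whatever its permissions, can still distinguish existing roles from non-existent ones — assuming validate() runs before checkAccess(), as the comment implies. That behaviour is carried over from the deleted PermissionAlteringStatement rather than introduced here, but the comment overstates the guarantee; `// anonymous users are rejected first so they cannot probe role existence; authenticated roles still learn it from the error below, which runs before checkAccess` describes what the code actually does, and moving the existence check after the permission check would close the gap if the statement lifecycle allows it. The same ordering is present in RoleManagementStatement.validate in the last hunk of that file. Separately, the constructor calls `RoleResource.role(grantee.getName())` with no `hasName()` guard, unlike the ListPermissionsStatement and ListRolesStatement constructors in this commit; presumably the grammar always supplies a grantee for GRANT/REVOKE, and a one-line comment saying so would save the next reader the same question.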
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.cassandra.cql3.statements;
+
+import java.util.Set;
+
+import org.apache.cassandra.auth.IResource;
+import org.apache.cassandra.auth.Permission;
+import org.apache.cassandra.config.DatabaseDescriptor;
+import org.apache.cassandra.cql3.RoleName;
+import org.apache.cassandra.exceptions.RequestExecutionException;
+import org.apache.cassandra.exceptions.RequestValidationException;
+import org.apache.cassandra.service.ClientState;
+import org.apache.cassandra.transport.messages.ResultMessage;
+
+public class RevokePermissionsStatement extends PermissionsManagementStatement
+{
+ public RevokePermissionsStatement(Set<Permission> permissions, IResource resource, RoleName grantee)
+ {
+ super(permissions, resource, grantee);
+ }
+
+ public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException
+ {
+ DatabaseDescriptor.getAuthorizer().revoke(state.getUser(), permissions, resource, grantee);
+ return null;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/RevokeRoleStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/RevokeRoleStatement.java b/src/java/org/apache/cassandra/cql3/statements/RevokeRoleStatement.java
index 98c2b4e..4de905f 100644
--- a/src/java/org/apache/cassandra/cql3/statements/RevokeRoleStatement.java
+++ b/src/java/org/apache/cassandra/cql3/statements/RevokeRoleStatement.java
@@ -36,5 +36,4 @@ public class RevokeRoleStatement extends RoleManagementStatement
 DatabaseDescriptor.getRoleManager().revokeRole(state.getUser(), role, grantee);
 return null;
 }
-
 }
http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/RevokeStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/RevokeStatement.java b/src/java/org/apache/cassandra/cql3/statements/RevokeStatement.java
deleted file mode 100644
index 7ce5259..0000000
--- a/src/java/org/apache/cassandra/cql3/statements/RevokeStatement.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.cassandra.cql3.statements;
-
-import java.util.Set;
-
-import org.apache.cassandra.auth.DataResource;
-import org.apache.cassandra.auth.Permission;
-import org.apache.cassandra.config.DatabaseDescriptor;
-import org.apache.cassandra.cql3.RoleName;
-import org.apache.cassandra.exceptions.RequestExecutionException;
-import org.apache.cassandra.exceptions.RequestValidationException;
-import org.apache.cassandra.service.ClientState;
-import org.apache.cassandra.transport.messages.ResultMessage;
-
-public class RevokeStatement extends PermissionAlteringStatement
-{
- public RevokeStatement(Set<Permission> permissions, DataResource resource, RoleName grantee)
- {
- super(permissions, resource, grantee);
- }
-
- public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException
- {
- DatabaseDescriptor.getAuthorizer().revoke(state.getUser(), permissions, resource, grantee);
- return null;
- }
-}
http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/RoleManagementStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/RoleManagementStatement.java b/src/java/org/apache/cassandra/cql3/statements/RoleManagementStatement.java
index d67b42c..e12b626 100644
--- a/src/java/org/apache/cassandra/cql3/statements/RoleManagementStatement.java
+++ b/src/java/org/apache/cassandra/cql3/statements/RoleManagementStatement.java
@@ -17,6 +17,8 @@
 */
 package org.apache.cassandra.cql3.statements;
+import org.apache.cassandra.auth.Permission;
+import org.apache.cassandra.auth.RoleResource;
 import org.apache.cassandra.config.DatabaseDescriptor;
 import org.apache.cassandra.cql3.RoleName;
 import org.apache.cassandra.exceptions.InvalidRequestException;
@@ -24,21 +26,20 @@ import org.apache.cassandra.exceptions.RequestValidationException;
 import org.apache.cassandra.exceptions.UnauthorizedException;
 import org.apache.cassandra.service.ClientState;
-public abstract class RoleManagementStatement extends AuthorizationStatement
+public abstract class RoleManagementStatement extends AuthenticationStatement
 {
- protected final String role;
- protected final String grantee;
+ protected final RoleResource role;
+ protected final RoleResource grantee;
 public RoleManagementStatement(RoleName name, RoleName grantee)
 {
- this.role = name.getName();
- this.grantee = grantee.getName();
+ this.role = RoleResource.role(name.getName());
+ this.grantee = RoleResource.role(grantee.getName());
 }
- public void checkAccess(ClientState state) throws UnauthorizedException, InvalidRequestException
+ public void checkAccess(ClientState state) throws UnauthorizedException
 {
- if (!state.getUser().isSuper())
- throw new UnauthorizedException("Only superusers are allowed to perform role management queries");
+ super.checkPermission(state, Permission.AUTHORIZE, role);
 }
 public void validate(ClientState state) throws RequestValidationException
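Review bot: The new `checkAccess` in RoleManagementStatement requires AUTHORIZE on `role` only and never consults `grantee`, so a non-superuser holding AUTHORIZE on some role can grant it to, or revoke it from, any other role — apparently including itself, unless the role manager rejects that elsewhere — which is a real change from the removed superuser-only rule and is not written down anywhere in the hunk. A Javadoc on checkAccess such as `/** GRANT ROLE / REVOKE ROLE require AUTHORIZE on the role being granted or revoked; no permission on the grantee is checked. */` would record the model; whether the grantee side should also be checked is a design question this commit leaves open. `checkPermission` is inherited from `AuthenticationStatement`, which is outside this diff, and the `super.` qualifier is unnecessary unless a subclass is expected to override it. The `validate` method whose signature ends this hunk continues in the next one.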
@@ -46,9 +47,9 @@ public abstract class RoleManagementStatement extends AuthorizationStatement
 state.ensureNotAnonymous();
 if (!DatabaseDescriptor.getRoleManager().isExistingRole(role))
- throw new InvalidRequestException(String.format("%s doesn't exist", role));
+ throw new InvalidRequestException(String.format("%s doesn't exist", role.getRoleName()));
 if (!DatabaseDescriptor.getRoleManager().isExistingRole(grantee))
- throw new InvalidRequestException(String.format("%s doesn't exist", grantee));
+ throw new InvalidRequestException(String.format("%s doesn't exist", grantee.getRoleName()));
 }
 }
http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/service/ClientState.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java
index 21d10f9..57a57e4 100644
--- a/src/java/org/apache/cassandra/service/ClientState.java
+++ b/src/java/org/apache/cassandra/service/ClientState.java
@@ -215,7 +215,7 @@ public class ClientState
 // Login privilege is not inherited via granted roles, so just
 // verify that the role with the credentials that were actually
 // supplied has it
- if (user.isAnonymous() || DatabaseDescriptor.getRoleManager().canLogin(user.getName()))
+ if (user.isAnonymous() || DatabaseDescriptor.getRoleManager().canLogin(user.getPrimaryRole()))
 this.user = user;
 else
 throw new AuthenticationException(String.format("%s is not permitted to log in", user.getName()));