[ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jesse Haber-Kucharsky updated CASSANDRA-14088: ---------------------------------------------- Description: The standard system authorizer ({org.apache.cassandra.auth.CassandraAuthorizer}) stores the permissions granted to each user for a given resource in {system_auth.role_permissions}. A resource like the {my_keyspace.items} table is stored as {"data/my_keyspace/items"} (note the {/} delimiter). Similarly, role resources (like the {joe} role) are formatted as {"roles/joe"}. The problem is that roles can be created with {/} in their names, which confuses the authorizer when the table is queried. For example, {code} $ bin/cqlsh -u cassandra -p cassandra Connected to Test Cluster at 127.0.0.1:9042. [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4] Use HELP for help. cassandra@cqlsh> CREATE ROLE emperor; cassandra@cqlsh> CREATE ROLE "ki/ng"; cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor; cassandra@cqlsh> LIST ROLES; role | super | login | options -----------+-------+-------+--------- cassandra | True | True | {} emperor | False | False | {} ki/ng | False | False | {} (3 rows) cassandra@cqlsh> SELECT * FROM system_auth.role_permissions; role | resource | permissions -----------+---------------+-------------------------------- emperor | roles/ki/ng | {'ALTER'} cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'} cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'} (3 rows) cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor; ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name {code} Here's the backtrace from the server process: {code} ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811 QueryMessage.java:129 - Unexpected error during query java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name at org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) ~[main/:na] at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) 
~[main/:na] at org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) ~[main/:na] at org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) ~[main/:na] at org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) ~[main/:na] at org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) ~[main/:na] at org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) ~[main/:na] at org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) ~[main/:na] at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) [main/:na] at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na] at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) [netty-all-4.1.14.Final.jar:4.1.14.Final] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_151] at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na] at 
org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) [main/:na] at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151] ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,812 ErrorMessage.java:389 - Unexpected exception during request java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name at org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) ~[main/:na] at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) ~[main/:na] at org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) ~[main/:na] at org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) ~[main/:na] at org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) ~[main/:na] at org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) ~[main/:na] at org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) ~[main/:na] at org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) ~[main/:na] at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) [main/:na] at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na] at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-all-4.1.14.Final.jar:4.1.14.Final] at 
io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) [netty-all-4.1.14.Final.jar:4.1.14.Final] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_151] at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na] at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) [main/:na] at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151] {code} was: The standard system authorizer (`org.apache.cassandra.auth.CassandraAuthorizer`) stores the permissions granted to each user for a given resource in `system_auth.role_permissions`. A resource like the `my_keyspace.items` table is stored as `"data/my_keyspace/items"` (note the `/` delimiter). Similarly, role resources (like the `joe` role) are formatted as `"roles/joe"`. The problem is that roles can be created with `/` in their names, which confuses the authorizer when the table is queried. For example, ``` $ bin/cqlsh -u cassandra -p cassandra Connected to Test Cluster at 127.0.0.1:9042. [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4] Use HELP for help. 
cassandra@cqlsh> CREATE ROLE emperor; cassandra@cqlsh> CREATE ROLE "ki/ng"; cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor; cassandra@cqlsh> LIST ROLES; role | super | login | options -----------+-------+-------+--------- cassandra | True | True | {} emperor | False | False | {} ki/ng | False | False | {} (3 rows) cassandra@cqlsh> SELECT * FROM system_auth.role_permissions; role | resource | permissions -----------+---------------+-------------------------------- emperor | roles/ki/ng | {'ALTER'} cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'} cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'} (3 rows) cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor; ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name ``` Here's the backtrace from the server process: ``` ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811 QueryMessage.java:129 - Unexpected error during query java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name at org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) ~[main/:na] at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) ~[main/:na] at org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) ~[main/:na] at org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) ~[main/:na] at org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) ~[main/:na] at org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) ~[main/:na] at org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) ~[main/:na] at 
org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) ~[main/:na] at org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) ~[main/:na] at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) [main/:na] at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na] at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) [netty-all-4.1.14.Final.jar:4.1.14.Final] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_151] at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na] at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) [main/:na] at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151] ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,812 ErrorMessage.java:389 - Unexpected exception during request java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name at org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) ~[main/:na] at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) ~[main/:na] at org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) ~[main/:na] at org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) ~[main/:na] at org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) 
~[main/:na] at org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) ~[main/:na] at org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) ~[main/:na] at org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) ~[main/:na] at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) [main/:na] at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na] at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) [netty-all-4.1.14.Final.jar:4.1.14.Final] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_151] at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na] at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) [main/:na] at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151] ``` > Forward slash in role name breaks CassandraAuthorizer > ----------------------------------------------------- > > Key: CASSANDRA-14088 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14088 > Project: Cassandra > Issue Type: Bug > 
Components: Auth > Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d > (`HEAD` of `trunk`). > Reporter: Jesse Haber-Kucharsky > Priority: Minor > > The standard system authorizer > ({org.apache.cassandra.auth.CassandraAuthorizer}) stores the permissions > granted to each user for a given resource in {system_auth.role_permissions}. > A resource like the {my_keyspace.items} table is stored as > {"data/my_keyspace/items"} (note the {/} delimiter). > Similarly, role resources (like the {joe} role) are formatted as > {"roles/joe"}. > The problem is that roles can be created with {/} in their names. The name is > written into the resource string without escaping the delimiter, so a stored > value such as {"roles/ki/ng"} cannot be parsed back into a role resource and > the authorizer fails when the table is queried. > For example, > {code} > $ bin/cqlsh -u cassandra -p cassandra > Connected to Test Cluster at 127.0.0.1:9042. > [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4] > Use HELP for help. > cassandra@cqlsh> CREATE ROLE emperor; > cassandra@cqlsh> CREATE ROLE "ki/ng"; > cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor; > cassandra@cqlsh> LIST ROLES; > role | super | login | options > -----------+-------+-------+--------- > cassandra | True | True | {} > emperor | False | False | {} > ki/ng | False | False | {} > (3 rows) > cassandra@cqlsh> SELECT * FROM system_auth.role_permissions; > role | resource | permissions > -----------+---------------+-------------------------------- > emperor | roles/ki/ng | {'ALTER'} > cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'} > cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'} > (3 rows) > cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor; > ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid > role resource name > {code} > Here's the backtrace from the server process: > {code} > ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811 > QueryMessage.java:129 - Unexpected error during query > java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource > name > at > 
org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) > ~[main/:na] > at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) > ~[main/:na] > at > org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) > ~[main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) > [main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) > [main/:na] > at > io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > [na:1.8.0_151] > at > org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) > [main/:na] > at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) > [main/:na] > at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151] > ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,812 > ErrorMessage.java:389 - Unexpected exception during request > java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource > name > at > org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) > ~[main/:na] > at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) > ~[main/:na] > at > org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) > ~[main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) > [main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) > [main/:na] > at > 
io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > [na:1.8.0_151] > at > org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) > [main/:na] > at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) > [main/:na] > at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151] > {code}