[ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16281250#comment-16281250 ]
Jeremiah Jordan commented on CASSANDRA-14088: --------------------------------------------- Agreed, we should just limit to only splitting the first "/". Patch LGTM +1. > Forward slash in role name breaks CassandraAuthorizer > ----------------------------------------------------- > > Key: CASSANDRA-14088 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14088 > Project: Cassandra > Issue Type: Bug > Components: Auth > Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d > ({{HEAD}} of {{trunk}}). > Reporter: Jesse Haber-Kucharsky > Assignee: Kurt Greaves > Priority: Minor > Fix For: 3.0.16, 3.11.2, 4.0 > > > The standard system authorizer > ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions > granted to each user for a given resource in {{system_auth.role_permissions}}. > A resource like the {{my_keyspace.items}} table is stored as > {{"data/my_keyspace/items"}} (note the {{/}} delimiter). > Similarly, role resources (like the {{joe}} role) are stored as > {{"roles/joe"}}. > The problem is that roles can be created with {{/}} in their names, which > confuses the authorizer when the table is queried. > For example, > {code} > $ bin/cqlsh -u cassandra -p cassandra > Connected to Test Cluster at 127.0.0.1:9042. > [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4] > Use HELP for help. > cassandra@cqlsh> CREATE ROLE emperor; > cassandra@cqlsh> CREATE ROLE "ki/ng"; > cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor; > cassandra@cqlsh> LIST ROLES; > role | super | login | options > -----------+-------+-------+--------- > cassandra | True | True | {} > emperor | False | False | {} > ki/ng | False | False | {} > (3 rows) > cassandra@cqlsh> SELECT * FROM system_auth.role_permissions; > role | resource | permissions > -----------+---------------+-------------------------------- > emperor | roles/ki/ng | {'ALTER'} > cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'} > cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'} > (3 rows) > cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor; > ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid > role resource name > {code} > Here's the backtrace from the server process: > {code} > ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811 > QueryMessage.java:129 - Unexpected error during query > java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource > name > at > org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) > ~[main/:na] > at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) > ~[main/:na] > at > org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) > ~[main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) > [main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) > [main/:na] > at > io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > [na:1.8.0_151] > at > org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) > [main/:na] > at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) > [main/:na] > at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151] > ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,812 > ErrorMessage.java:389 - Unexpected exception during request > java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource > name > at > org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) > ~[main/:na] > at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) > ~[main/:na] > at > org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) > ~[main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) > [main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) > [main/:na] > at > io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > [na:1.8.0_151] > at > org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) > [main/:na] > at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) > [main/:na] > at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151] > {code} -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org