http://git-wip-us.apache.org/repos/asf/cassandra-dtest/blob/a06c0e70/auth_test.py ---------------------------------------------------------------------- diff --git a/auth_test.py b/auth_test.py index e7aef05..8d82b63 100644 --- a/auth_test.py +++ b/auth_test.py @@ -13,7 +13,7 @@ from cassandra.cluster import NoHostAvailable from cassandra.protocol import ServerError, SyntaxException from dtest_setup_overrides import DTestSetupOverrides -from dtest import CASSANDRA_VERSION_FROM_BUILD, Tester +from dtest import Tester from tools.assertions import (assert_all, assert_exception, assert_invalid, assert_length_equal, assert_one, assert_unauthorized) @@ -397,20 +397,32 @@ class TestAuth(Tester): self.prepare() session = self.get_session(user='cassandra', password='cassandra') - assert_one(session, "LIST USERS", ['cassandra', True] + all_dcs) + if self.dtest_config.cassandra_version_from_build >= '4.0': + assert_one(session, "LIST USERS", ['cassandra', True, 'ALL']) + else: + assert_one(session, "LIST USERS", ['cassandra', True]) session.execute("CREATE USER IF NOT EXISTS aleksey WITH PASSWORD 'sup'") session.execute("CREATE USER IF NOT EXISTS aleksey WITH PASSWORD 'ignored'") self.get_session(user='aleksey', password='sup') - assert_all(session, "LIST USERS", [['aleksey', False] + all_dcs, ['cassandra', True] + all_dcs]) + if self.dtest_config.cassandra_version_from_build >= '4.0': + assert_all(session, "LIST USERS", [['aleksey', False, 'ALL'], ['cassandra', True, 'ALL']]) + else: + assert_all(session, "LIST USERS", [['aleksey', False], ['cassandra', True]]) session.execute("DROP USER IF EXISTS aleksey") - assert_one(session, "LIST USERS", ['cassandra', True] + all_dcs) + if self.dtest_config.cassandra_version_from_build >= '4.0': + assert_one(session, "LIST USERS", ['cassandra', True, 'ALL']) + else: + assert_one(session, "LIST USERS", ['cassandra', True]) session.execute("DROP USER IF EXISTS aleksey") - assert_one(session, "LIST USERS", ['cassandra', True] + all_dcs) + if self.dtest_config.cassandra_version_from_build >= '4.0': + assert_one(session, "LIST USERS", ['cassandra', True, 'ALL']) + else: + assert_one(session, "LIST USERS", ['cassandra', True]) def test_create_ks_auth(self): """ @@ -1010,15 +1022,17 @@ class TestAuth(Tester): self.cluster.stop() config = {'authenticator': 'org.apache.cassandra.auth.AllowAllAuthenticator', - 'authorizer': 'org.apache.cassandra.auth.AllowAllAuthorizer', - 'network_authorizer': 'org.apache.cassandra.auth.AllowAllNetworkAuthorizer'} + 'authorizer': 'org.apache.cassandra.auth.AllowAllAuthorizer'} + if self.dtest_config.cassandra_version_from_build >= '4.0': + config['network_authorizer'] = 'org.apache.cassandra.auth.AllowAllNetworkAuthorizer' self.cluster.set_configuration_options(values=config) self.cluster.start(wait_for_binary_proto=True) self.cluster.stop() config = {'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator', - 'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer', - 'network_authorizer': 'org.apache.cassandra.auth.CassandraNetworkAuthorizer'} + 'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer'} + if self.dtest_config.cassandra_version_from_build >= '4.0': + config['network_authorizer'] = 'org.apache.cassandra.auth.CassandraNetworkAuthorizer' self.cluster.set_configuration_options(values=config) self.cluster.start(wait_for_binary_proto=True) @@ -1077,8 +1091,9 @@ class TestAuth(Tester): """ config = {'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator', 'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer', - 'network_authorizer': 'org.apache.cassandra.auth.CassandraNetworkAuthorizer', 'permissions_validity_in_ms': permissions_validity} + if self.dtest_config.cassandra_version_from_build >= '4.0': + config['network_authorizer'] = 'org.apache.cassandra.auth.CassandraNetworkAuthorizer' self.cluster.set_configuration_options(values=config) self.cluster.populate(nodes).start() @@ -1129,38 +1144,66 @@ def data_resource_creator_permissions(creator, resource): return permissions -# First value is the role name -# Second value is superuser status -# Third value is login status -# Fourth value is role options -# See CASSANDRA-7653 for explanations of these -dcs_field = [] if CASSANDRA_VERSION_FROM_BUILD < '4.0' else ['dcs'] -Role = namedtuple('Role', ['name', 'superuser', 'login', 'options'] + dcs_field) - -all_dcs = [] if CASSANDRA_VERSION_FROM_BUILD < '4.0' else ['ALL'] -na_dcs = [] if CASSANDRA_VERSION_FROM_BUILD < '4.0' else ['n/a'] -mike_role = Role('mike', False, True, {}, *all_dcs) -role1_role = Role('role1', False, False, {}, *na_dcs) -role2_role = Role('role2', False, False, {}, *na_dcs) -cassandra_role = Role('cassandra', True, True, {}, *all_dcs) - - @since('2.2') class TestAuthRoles(Tester): + Role = None + cassandra_role = None + + @pytest.fixture(autouse=True) + def fixture_setup_auth(self, fixture_dtest_setup): + if fixture_dtest_setup.dtest_config.cassandra_version_from_build >= '4.0': + fixture_dtest_setup.cluster.set_configuration_options(values={ + 'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator', + 'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer', + 'network_authorizer': 'org.apache.cassandra.auth.CassandraNetworkAuthorizer', + 'role_manager': 'org.apache.cassandra.auth.CassandraRoleManager', + 'permissions_validity_in_ms': 0, + 'roles_validity_in_ms': 0, + 'num_tokens': 1 + }) + else: + fixture_dtest_setup.cluster.set_configuration_options(values={ + 'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator', + 'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer', + 'role_manager': 'org.apache.cassandra.auth.CassandraRoleManager', + 'permissions_validity_in_ms': 0, + 'roles_validity_in_ms': 0, + 'num_tokens': 1 + }) + fixture_dtest_setup.cluster.populate(1, debug=True).start(wait_for_binary_proto=True, jvm_args=['-XX:-PerfDisableSharedMem']) + nodes = fixture_dtest_setup.cluster.nodelist() + fixture_dtest_setup.superuser = fixture_dtest_setup.patient_exclusive_cql_connection(nodes[0], user='cassandra', password='cassandra') + @pytest.fixture(scope='function', autouse=True) - def fixture_dtest_setup_overrides(self): + def fixture_dtest_setup_overrides(self, dtest_config): """ @jira_ticket CASSANDRA-7653 """ dtest_setup_overrides = DTestSetupOverrides() - if CASSANDRA_VERSION_FROM_BUILD >= '3.0': + if dtest_config.cassandra_version_from_build >= '3.0': dtest_setup_overrides.cluster_options = ImmutableMapping({'enable_user_defined_functions': 'true', - 'enable_scripted_user_defined_functions': 'true'}) + 'enable_scripted_user_defined_functions': 'true'}) + else: + dtest_setup_overrides.cluster_options = ImmutableMapping({'enable_user_defined_functions': 'true'}) + + if dtest_config.cassandra_version_from_build >= '4.0': + self.Role = namedtuple('Role', ['name', 'superuser', 'login', 'options', 'dcs']) + self.cassandra_role = self.Role('cassandra', True, True, {}, 'ALL') else: - dtest_setup_overrides.cluster_options.cluster_options = ImmutableMapping({'enable_user_defined_functions': 'true'}) + self.Role = namedtuple('Role', ['name', 'superuser', 'login', 'options']) + self.cassandra_role = self.Role('cassandra', True, True, {}) + return dtest_setup_overrides + def role(self, name, superuser=False, login=True, options=None): + options = options or {} + if self.dtest_config.cassandra_version_from_build >= '4.0': + dcs = 'n/a' if not login else 'ALL' + return self.Role(name, superuser, login, options, dcs) + else: + return self.Role(name, superuser, login, options) + def test_create_drop_role(self): """ * Launch a one node cluster @@ -1168,15 +1211,17 @@ class TestAuthRoles(Tester): * Create a new role, check it exists * Drop the role, check it is gone """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - assert_one(cassandra, 'LIST ROLES', list(cassandra_role)) + # self.prepare() + # cassandra = self.get_session(user='cassandra', password='cassandra') + role1 = self.role('role1', login=False) - cassandra.execute("CREATE ROLE role1") - assert_all(cassandra, "LIST ROLES", [list(cassandra_role), list(role1_role)]) + assert_one(self.superuser, 'LIST ROLES', list(self.cassandra_role)) - cassandra.execute("DROP ROLE role1") - assert_one(cassandra, "LIST ROLES", list(cassandra_role)) + self.superuser.execute("CREATE ROLE role1") + assert_all(self.superuser, "LIST ROLES", [list(self.cassandra_role), list(role1)]) + + self.superuser.execute("DROP ROLE role1") + assert_one(self.superuser, "LIST ROLES", list(self.cassandra_role)) def test_conditional_create_drop_role(self): """ @@ -1187,17 +1232,16 @@ class TestAuthRoles(Tester): * Drop the new role twice, using IF EXISTS * Check neither query failed, but only superuser remains """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - assert_one(cassandra, "LIST ROLES", list(cassandra_role)) + role1 = self.role('role1', login=False) + assert_one(self.superuser, "LIST ROLES", list(self.cassandra_role)) - cassandra.execute("CREATE ROLE IF NOT EXISTS role1") - cassandra.execute("CREATE ROLE IF NOT EXISTS role1") - assert_all(cassandra, "LIST ROLES", [list(cassandra_role), list(role1_role)]) + self.superuser.execute("CREATE ROLE IF NOT EXISTS role1") + self.superuser.execute("CREATE ROLE IF NOT EXISTS role1") + assert_all(self.superuser, "LIST ROLES", [list(self.cassandra_role), list(role1)]) - cassandra.execute("DROP ROLE IF EXISTS role1") - cassandra.execute("DROP ROLE IF EXISTS role1") - assert_one(cassandra, "LIST ROLES", list(cassandra_role)) + self.superuser.execute("DROP ROLE IF EXISTS role1") + self.superuser.execute("DROP ROLE IF EXISTS role1") + assert_one(self.superuser, "LIST ROLES", list(self.cassandra_role)) def test_create_drop_role_validation(self): """ @@ -1212,23 +1256,21 @@ class TestAuthRoles(Tester): * Drop the new role. * Try to drop the new role again, assert throws InvalidRequest """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") mike = self.get_session(user='mike', password='12345') assert_unauthorized(mike, "CREATE ROLE role2", "User mike does not have sufficient privileges to perform the requested operation") - cassandra.execute("CREATE ROLE role1") + self.superuser.execute("CREATE ROLE role1") assert_unauthorized(mike, "DROP ROLE role1", "User mike does not have sufficient privileges to perform the requested operation") - assert_invalid(cassandra, "CREATE ROLE role1", "role1 already exists") - cassandra.execute("DROP ROLE role1") - assert_invalid(cassandra, "DROP ROLE role1", "role1 doesn't exist") + assert_invalid(self.superuser, "CREATE ROLE role1", "role1 already exists") + self.superuser.execute("DROP ROLE role1") + assert_invalid(self.superuser, "DROP ROLE role1", "role1 doesn't exist") def test_role_admin_validation(self): """ @@ -1246,51 +1288,52 @@ class TestAuthRoles(Tester): * Verify mike can drop roles * Verify roles without admin cannot drop roles """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE administrator WITH SUPERUSER = false AND LOGIN = false") - cassandra.execute("GRANT ALL ON ALL ROLES TO administrator") - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("GRANT administrator TO mike") - cassandra.execute("CREATE ROLE klaus WITH PASSWORD = '54321' AND SUPERUSER = false AND LOGIN = true") - mike = self.get_session(user='mike', password='12345') - klaus = self.get_session(user='klaus', password='54321') + self.superuser.execute("CREATE ROLE administrator WITH SUPERUSER = false AND LOGIN = false") + self.superuser.execute("GRANT ALL ON ALL ROLES TO administrator") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("GRANT administrator TO mike") + self.superuser.execute("CREATE ROLE klaus WITH PASSWORD = '54321' AND SUPERUSER = false AND LOGIN = true") + administrator = self.role('administrator', login=False) + mike = self.role('mike') + as_mike = self.get_session(user='mike', password='12345') + klaus = self.role('klaus') + as_klaus = self.get_session(user='klaus', password='54321') # roles with CREATE on ALL ROLES can create roles - mike.execute("CREATE ROLE role1 WITH PASSWORD = '11111' AND LOGIN = false") + as_mike.execute("CREATE ROLE role1 WITH PASSWORD = '11111' AND LOGIN = false") # require ALTER on ALL ROLES or a SPECIFIC ROLE to modify self.assert_login_not_allowed('role1', '11111') - cassandra.execute("GRANT ALTER on ROLE role1 TO klaus") - klaus.execute("ALTER ROLE role1 WITH LOGIN = true") - mike.execute("ALTER ROLE role1 WITH PASSWORD = '22222'") - role1 = self.get_session(user='role1', password='22222') + self.superuser.execute("GRANT ALTER on ROLE role1 TO klaus") + as_klaus.execute("ALTER ROLE role1 WITH LOGIN = true") + as_mike.execute("ALTER ROLE role1 WITH PASSWORD = '22222'") + as_role1 = self.get_session(user='role1', password='22222') # only superusers can set superuser status - assert_unauthorized(mike, "ALTER ROLE role1 WITH SUPERUSER = true", + assert_unauthorized(as_mike, "ALTER ROLE role1 WITH SUPERUSER = true", "Only superusers are allowed to alter superuser status") - assert_unauthorized(mike, "ALTER ROLE mike WITH SUPERUSER = true", + assert_unauthorized(as_mike, "ALTER ROLE mike WITH SUPERUSER = true", "You aren't allowed to alter your own superuser status or that of a role granted to you") # roles without necessary permissions cannot create, drop or alter roles except themselves - assert_unauthorized(role1, "CREATE ROLE role2 WITH LOGIN = false", + assert_unauthorized(as_role1, "CREATE ROLE role2 WITH LOGIN = false", "User role1 does not have sufficient privileges to perform the requested operation") - assert_unauthorized(role1, "ALTER ROLE mike WITH LOGIN = false", + assert_unauthorized(as_role1, "ALTER ROLE mike WITH LOGIN = false", "User role1 does not have sufficient privileges to perform the requested operation") - assert_unauthorized(role1, "DROP ROLE mike", + assert_unauthorized(as_role1, "DROP ROLE mike", "User role1 does not have sufficient privileges to perform the requested operation") - role1.execute("ALTER ROLE role1 WITH PASSWORD = '33333'") + as_role1.execute("ALTER ROLE role1 WITH PASSWORD = '33333'") # roles with roleadmin can drop roles - mike.execute("DROP ROLE role1") - assert_all(cassandra, "LIST ROLES", [['administrator', False, False, {}] + na_dcs, - list(cassandra_role), - ['klaus', False, True, {}] + all_dcs, - list(mike_role)]) + as_mike.execute("DROP ROLE role1") + assert_all(self.superuser, "LIST ROLES", [list(administrator), + list(self.cassandra_role), + list(klaus), + list(mike)]) # revoking role admin removes its privileges - cassandra.execute("REVOKE administrator FROM mike") - assert_unauthorized(mike, "CREATE ROLE role3 WITH LOGIN = false", + self.superuser.execute("REVOKE administrator FROM mike") + assert_unauthorized(as_mike, "CREATE ROLE role3 WITH LOGIN = false", "User mike does not have sufficient privileges to perform the requested operation") def test_creator_of_db_resource_granted_all_permissions(self): @@ -1301,23 +1344,21 @@ class TestAuthRoles(Tester): * Connect as mike * Verify that mike is automatically granted permissions on any resource he creates """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("GRANT CREATE ON ALL KEYSPACES TO mike") - cassandra.execute("GRANT CREATE ON ALL ROLES TO mike") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("GRANT CREATE ON ALL KEYSPACES TO mike") + self.superuser.execute("GRANT CREATE ON ALL ROLES TO mike") - mike = self.get_session(user='mike', password='12345') + as_mike = self.get_session(user='mike', password='12345') # mike should automatically be granted permissions on any resource he creates, i.e. tables or roles - mike.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}") - mike.execute("CREATE TABLE ks.cf (id int primary key, val int)") - mike.execute("CREATE ROLE role1 WITH PASSWORD = '11111' AND SUPERUSER = false AND LOGIN = true") - mike.execute("""CREATE FUNCTION ks.state_function_1(a int, b int) + as_mike.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}") + as_mike.execute("CREATE TABLE ks.cf (id int primary key, val int)") + as_mike.execute("CREATE ROLE role1 WITH PASSWORD = '11111' AND SUPERUSER = false AND LOGIN = true") + as_mike.execute("""CREATE FUNCTION ks.state_function_1(a int, b int) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS ' a + b'""") - mike.execute("""CREATE AGGREGATE ks.simple_aggregate_1(int) + as_mike.execute("""CREATE AGGREGATE ks.simple_aggregate_1(int) SFUNC state_function_1 STYPE int INITCOND 0""") @@ -1332,7 +1373,7 @@ class TestAuthRoles(Tester): mike_permissions.extend(function_resource_creator_permissions('mike', '<function ks.simple_aggregate_1(int)>')) self.assert_permissions_listed(cassandra_permissions + mike_permissions, - cassandra, + self.superuser, "LIST ALL PERMISSIONS") def test_create_and_grant_roles_with_superuser_status(self): @@ -1344,26 +1385,24 @@ class TestAuthRoles(Tester): * Connect as mike * Verify mike can create new roles, but not grant them superuser """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE another_superuser WITH SUPERUSER = true AND LOGIN = false") - cassandra.execute("CREATE ROLE non_superuser WITH SUPERUSER = false AND LOGIN = false") - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("CREATE ROLE another_superuser WITH SUPERUSER = true AND LOGIN = false") + self.superuser.execute("CREATE ROLE non_superuser WITH SUPERUSER = false AND LOGIN = false") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") # mike can create and grant any role, except superusers - cassandra.execute("GRANT CREATE ON ALL ROLES TO mike") - cassandra.execute("GRANT AUTHORIZE ON ALL ROLES TO mike") + self.superuser.execute("GRANT CREATE ON ALL ROLES TO mike") + self.superuser.execute("GRANT AUTHORIZE ON ALL ROLES TO mike") # mike can create roles, but not with superuser status # and can grant any role, including those with superuser status - mike = self.get_session(user='mike', password='12345') - mike.execute("CREATE ROLE role1 WITH SUPERUSER = false") - mike.execute("GRANT non_superuser TO role1") - mike.execute("GRANT another_superuser TO role1") - assert_unauthorized(mike, "CREATE ROLE role2 WITH SUPERUSER = true", + as_mike = self.get_session(user='mike', password='12345') + as_mike.execute("CREATE ROLE role1 WITH SUPERUSER = false") + as_mike.execute("GRANT non_superuser TO role1") + as_mike.execute("GRANT another_superuser TO role1") + assert_unauthorized(as_mike, "CREATE ROLE role2 WITH SUPERUSER = true", "Only superusers can create a role with superuser status") - assert_all(cassandra, "LIST ROLES OF role1", [['another_superuser', True, False, {}] + na_dcs, - ['non_superuser', False, False, {}] + na_dcs, - ['role1', False, False, {}] + na_dcs]) + assert_all(self.superuser, "LIST ROLES OF role1", [list(self.role('another_superuser', superuser=True, login=False)), + list(self.role('non_superuser', login=False)), + list(self.role('role1', login=False))]) def test_drop_and_revoke_roles_with_superuser_status(self): """ @@ -1374,23 +1413,21 @@ class TestAuthRoles(Tester): * Connect as mike * Verify mike can drop or revoke any roles, regardless of its superuser status """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE another_superuser WITH SUPERUSER = true AND LOGIN = false") - cassandra.execute("CREATE ROLE non_superuser WITH SUPERUSER = false AND LOGIN = false") - cassandra.execute("CREATE ROLE role1 WITH SUPERUSER = false") - cassandra.execute("GRANT another_superuser TO role1") - cassandra.execute("GRANT non_superuser TO role1") - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("GRANT DROP ON ALL ROLES TO mike") - cassandra.execute("GRANT AUTHORIZE ON ALL ROLES TO mike") + self.superuser.execute("CREATE ROLE another_superuser WITH SUPERUSER = true AND LOGIN = false") + self.superuser.execute("CREATE ROLE non_superuser WITH SUPERUSER = false AND LOGIN = false") + self.superuser.execute("CREATE ROLE role1 WITH SUPERUSER = false") + self.superuser.execute("GRANT another_superuser TO role1") + self.superuser.execute("GRANT non_superuser TO role1") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("GRANT DROP ON ALL ROLES TO mike") + self.superuser.execute("GRANT AUTHORIZE ON ALL ROLES TO mike") # mike can drop and revoke any role, including superusers - mike = self.get_session(user='mike', password='12345') - mike.execute("REVOKE another_superuser FROM role1") - mike.execute("REVOKE non_superuser FROM role1") - mike.execute("DROP ROLE non_superuser") - mike.execute("DROP ROLE role1") + as_mike = self.get_session(user='mike', password='12345') + as_mike.execute("REVOKE another_superuser FROM role1") + as_mike.execute("REVOKE non_superuser FROM role1") + as_mike.execute("DROP ROLE non_superuser") + as_mike.execute("DROP ROLE role1") def test_drop_role_removes_memberships(self): """ @@ -1403,26 +1440,27 @@ class TestAuthRoles(Tester): * Recreate role2. Grant to role1 again. Verify is in LIST ROLES of mike * DROP role1. Verify mike's roles only include mike, but LIST ROLES still includes role2 """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE role1") - cassandra.execute("CREATE ROLE role2") - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("GRANT role2 TO role1") - cassandra.execute("GRANT role1 TO mike") - assert_all(cassandra, "LIST ROLES OF mike", [list(mike_role), list(role1_role), list(role2_role)]) + self.superuser.execute("CREATE ROLE role1") + self.superuser.execute("CREATE ROLE role2") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("GRANT role2 TO role1") + self.superuser.execute("GRANT role1 TO mike") + mike = self.role('mike') + role1 = self.role('role1', login=False) + role2 = self.role('role2', login=False) + assert_all(self.superuser, "LIST ROLES OF mike", [list(mike), list(role1), list(role2)]) # drop the role indirectly granted - cassandra.execute("DROP ROLE role2") - assert_all(cassandra, "LIST ROLES OF mike", [list(mike_role), list(role1_role)]) + self.superuser.execute("DROP ROLE role2") + assert_all(self.superuser, "LIST ROLES OF mike", [list(mike), list(role1)]) - cassandra.execute("CREATE ROLE role2") - cassandra.execute("GRANT role2 to role1") - assert_all(cassandra, "LIST ROLES OF mike", [list(mike_role), list(role1_role), list(role2_role)]) + self.superuser.execute("CREATE ROLE role2") + self.superuser.execute("GRANT role2 to role1") + assert_all(self.superuser, "LIST ROLES OF mike", [list(mike), list(role1), list(role2)]) # drop the directly granted role - cassandra.execute("DROP ROLE role1") - assert_one(cassandra, "LIST ROLES OF mike", list(mike_role)) - assert_all(cassandra, "LIST ROLES", [list(cassandra_role), list(mike_role), list(role2_role)]) + self.superuser.execute("DROP ROLE role1") + assert_one(self.superuser, "LIST ROLES OF mike", list(mike)) + assert_all(self.superuser, "LIST ROLES", [list(self.cassandra_role), list(mike), list(role2)]) def test_drop_role_revokes_permissions_granted_on_it(self): """ @@ -1434,22 +1472,20 @@ class TestAuthRoles(Tester): * Drop role1 and role2 * Assert mike has no permissions remaining """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE role1") - cassandra.execute("CREATE ROLE role2") - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("GRANT ALTER ON ROLE role1 TO mike") - cassandra.execute("GRANT AUTHORIZE ON ROLE role2 TO mike") + self.superuser.execute("CREATE ROLE role1") + self.superuser.execute("CREATE ROLE role2") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("GRANT ALTER ON ROLE role1 TO mike") + self.superuser.execute("GRANT AUTHORIZE ON ROLE role2 TO mike") self.assert_permissions_listed([("mike", "<role role1>", "ALTER"), ("mike", "<role role2>", "AUTHORIZE")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF mike") - cassandra.execute("DROP ROLE role1") - cassandra.execute("DROP ROLE role2") - assert list(cassandra.execute("LIST ALL PERMISSIONS OF mike")) == [] + self.superuser.execute("DROP ROLE role1") + self.superuser.execute("DROP ROLE role2") + assert list(self.superuser.execute("LIST ALL PERMISSIONS OF mike")) == [] def test_grant_revoke_roles(self): """ @@ -1460,23 +1496,24 @@ class TestAuthRoles(Tester): * Verify the output of LIST ROLES * REVOKE various roles, verify the output of LIST ROLES """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("CREATE ROLE role1") - cassandra.execute("CREATE ROLE role2") - cassandra.execute("GRANT role1 TO role2") - cassandra.execute("GRANT role2 TO mike") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("CREATE ROLE role1") + self.superuser.execute("CREATE ROLE role2") + self.superuser.execute("GRANT role1 TO role2") + self.superuser.execute("GRANT role2 TO mike") + mike = self.role('mike') + role1 = self.role('role1', login=False) + role2 = self.role('role2', login=False) - assert_all(cassandra, "LIST ROLES OF role2", [list(role1_role), list(role2_role)]) - assert_all(cassandra, "LIST ROLES OF mike", [list(mike_role), list(role1_role), list(role2_role)]) - assert_all(cassandra, "LIST ROLES OF mike NORECURSIVE", [list(mike_role), list(role2_role)]) + assert_all(self.superuser, "LIST ROLES OF role2", [list(role1), list(role2)]) + assert_all(self.superuser, "LIST ROLES OF mike", [list(mike), list(role1), list(role2)]) + assert_all(self.superuser, "LIST ROLES OF mike NORECURSIVE", [list(mike), list(role2)]) - cassandra.execute("REVOKE role2 FROM mike") - assert_one(cassandra, "LIST ROLES OF mike", list(mike_role)) + self.superuser.execute("REVOKE role2 FROM mike") + assert_one(self.superuser, "LIST ROLES OF mike", list(mike)) - cassandra.execute("REVOKE role1 FROM role2") - assert_one(cassandra, "LIST ROLES OF role2", list(role2_role)) + self.superuser.execute("REVOKE role1 FROM role2") + assert_one(self.superuser, "LIST ROLES OF role2", list(role2)) def test_grant_revoke_role_validation(self): """ @@ -1488,36 +1525,34 @@ class TestAuthRoles(Tester): * Create ROLE john * Verify mike cannot grant/revoke roles to/from john without the AUTHORIZE permission """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - mike = self.get_session(user='mike', password='12345') + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + as_mike = self.get_session(user='mike', password='12345') - assert_invalid(cassandra, "GRANT role1 TO mike", "role1 doesn't exist") - cassandra.execute("CREATE ROLE role1") + assert_invalid(self.superuser, "GRANT role1 TO mike", "role1 doesn't exist") + self.superuser.execute("CREATE ROLE role1") - assert_invalid(cassandra, "GRANT role1 TO john", "john doesn't exist") - assert_invalid(cassandra, "GRANT role2 TO john", "role2 doesn't exist") + assert_invalid(self.superuser, "GRANT role1 TO john", "john doesn't exist") + assert_invalid(self.superuser, "GRANT role2 TO john", "role2 doesn't exist") - cassandra.execute("CREATE ROLE john WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("CREATE ROLE role2") + self.superuser.execute("CREATE ROLE john WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("CREATE ROLE role2") - assert_unauthorized(mike, + assert_unauthorized(as_mike, "GRANT role2 TO john", "User mike does not have sufficient privileges to perform the requested operation") # superusers can always grant roles - cassandra.execute("GRANT role1 TO john") + self.superuser.execute("GRANT role1 TO john") # but regular users need AUTHORIZE permission on the granted role - cassandra.execute("GRANT AUTHORIZE ON ROLE role2 TO mike") - mike.execute("GRANT role2 TO john") + self.superuser.execute("GRANT AUTHORIZE ON ROLE role2 TO mike") + as_mike.execute("GRANT role2 TO john") # same applies to REVOKEing roles - assert_unauthorized(mike, + assert_unauthorized(as_mike, "REVOKE role1 FROM john", "User mike does not have sufficient privileges to perform the requested operation") - cassandra.execute("REVOKE role1 FROM john") - mike.execute("REVOKE role2 from john") + self.superuser.execute("REVOKE role1 FROM john") + as_mike.execute("REVOKE role2 from john") def test_list_roles(self): """ @@ -1527,36 +1562,37 @@ class TestAuthRoles(Tester): * Verify LIST ROLES for each role is correct * Verify a role cannot LIST ROLES for another ROLE without being a superuser, or having the DESCRIBE permission """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("CREATE ROLE role1") - cassandra.execute("CREATE ROLE role2") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("CREATE ROLE role1") + self.superuser.execute("CREATE ROLE role2") + mike = self.role('mike') + role1 = self.role('role1', login=False) + role2 = self.role('role2', login=False) - assert_all(cassandra, "LIST ROLES", [list(cassandra_role), list(mike_role), list(role1_role), list(role2_role)]) + assert_all(self.superuser, "LIST ROLES", [list(self.cassandra_role), list(mike), list(role1), list(role2)]) - cassandra.execute("GRANT role1 TO role2") - cassandra.execute("GRANT role2 TO mike") + self.superuser.execute("GRANT role1 TO role2") + self.superuser.execute("GRANT role2 TO mike") - assert_all(cassandra, "LIST ROLES OF role2", [list(role1_role), list(role2_role)]) - assert_all(cassandra, "LIST ROLES OF mike", [list(mike_role), list(role1_role), list(role2_role)]) - assert_all(cassandra, "LIST ROLES OF mike NORECURSIVE", [list(mike_role), list(role2_role)]) + assert_all(self.superuser, "LIST ROLES OF role2", [list(role1), list(role2)]) + assert_all(self.superuser, "LIST ROLES OF mike", [list(mike), list(role1), list(role2)]) + assert_all(self.superuser, "LIST ROLES OF mike NORECURSIVE", [list(mike), list(role2)]) - mike = self.get_session(user='mike', password='12345') - assert_unauthorized(mike, + as_mike = self.get_session(user='mike', password='12345') + assert_unauthorized(as_mike, "LIST ROLES OF cassandra", "You are not authorized to view roles granted to cassandra") - assert_all(mike, "LIST ROLES", [list(mike_role), list(role1_role), list(role2_role)]) - assert_all(mike, "LIST ROLES OF mike", [list(mike_role), list(role1_role), list(role2_role)]) - assert_all(mike, "LIST ROLES OF mike NORECURSIVE", [list(mike_role), list(role2_role)]) - assert_all(mike, "LIST ROLES OF role2", [list(role1_role), list(role2_role)]) + assert_all(as_mike, "LIST ROLES", [list(mike), list(role1), list(role2)]) + assert_all(as_mike, "LIST ROLES OF mike", [list(mike), list(role1), list(role2)]) + assert_all(as_mike, "LIST ROLES OF mike NORECURSIVE", [list(mike), list(role2)]) + assert_all(as_mike, "LIST ROLES OF role2", [list(role1), list(role2)]) # without SELECT permission on the root level roles resource, LIST ROLES with no OF # returns only the roles granted to the user. With it, it includes all roles. - assert_all(mike, "LIST ROLES", [list(mike_role), list(role1_role), list(role2_role)]) - cassandra.execute("GRANT DESCRIBE ON ALL ROLES TO mike") - assert_all(mike, "LIST ROLES", [list(cassandra_role), list(mike_role), list(role1_role), list(role2_role)]) + assert_all(as_mike, "LIST ROLES", [list(mike), list(role1), list(role2)]) + self.superuser.execute("GRANT DESCRIBE ON ALL ROLES TO mike") + assert_all(as_mike, "LIST ROLES", [list(self.cassandra_role), list(mike), list(role1), list(role2)]) def test_grant_revoke_permissions(self): """ @@ -1570,29 +1606,27 @@ class TestAuthRoles(Tester): * Restore role1 to mike, but revoke role1's permissions * Verify mike can no longer use ks.cf """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}") - cassandra.execute("CREATE TABLE ks.cf (id int primary key, val int)") - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("CREATE ROLE role1") - cassandra.execute("GRANT ALL ON table ks.cf TO role1") - cassandra.execute("GRANT role1 TO mike") + self.superuser.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}") + self.superuser.execute("CREATE TABLE ks.cf (id int primary key, val int)") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("CREATE ROLE role1") + self.superuser.execute("GRANT ALL ON table ks.cf TO role1") + self.superuser.execute("GRANT role1 TO mike") - mike = self.get_session(user='mike', password='12345') - mike.execute("INSERT INTO ks.cf (id, val) VALUES (0, 0)") + as_mike = self.get_session(user='mike', password='12345') + as_mike.execute("INSERT INTO ks.cf (id, val) VALUES (0, 0)") - assert_one(mike, "SELECT * FROM ks.cf", [0, 0]) + assert_one(as_mike, "SELECT * FROM ks.cf", [0, 0]) - cassandra.execute("REVOKE role1 FROM mike") - assert_unauthorized(mike, + self.superuser.execute("REVOKE role1 FROM mike") + assert_unauthorized(as_mike, "INSERT INTO ks.cf (id, val) VALUES (0, 0)", "mike has no MODIFY permission on <table ks.cf> or any of its parents") - cassandra.execute("GRANT role1 TO mike") - cassandra.execute("REVOKE ALL ON ks.cf FROM role1") + self.superuser.execute("GRANT role1 TO mike") + self.superuser.execute("REVOKE ALL ON ks.cf FROM role1") - assert_unauthorized(mike, + assert_unauthorized(as_mike, "INSERT INTO ks.cf (id, val) VALUES (0, 0)", "mike has no MODIFY permission on <table ks.cf> or any of its parents") @@ -1605,112 +1639,110 @@ class TestAuthRoles(Tester): * Grant ALL permissions to mike for each resource. Verify they show up in LIST ALL PERMISSIONS * Verify you can't selectively grant invalid permissions for a given resource. ex: CREATE on an existing table """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}") - cassandra.execute("CREATE TABLE ks.cf (id int primary key, val int)") - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("CREATE ROLE role1 WITH SUPERUSER = false AND LOGIN = false") - cassandra.execute("CREATE FUNCTION ks.state_func(a int, b int) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'a+b'") - cassandra.execute("CREATE AGGREGATE ks.agg_func(int) SFUNC state_func STYPE int") + self.superuser.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}") + self.superuser.execute("CREATE TABLE ks.cf (id int primary key, val int)") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("CREATE ROLE role1 WITH SUPERUSER = false AND LOGIN = false") + self.superuser.execute("CREATE FUNCTION ks.state_func(a int, b int) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'a+b'") + self.superuser.execute("CREATE AGGREGATE ks.agg_func(int) SFUNC state_func STYPE int") # GRANT ALL ON ALL KEYSPACES grants Permission.ALL_DATA # GRANT ALL ON KEYSPACE grants Permission.ALL_DATA - cassandra.execute("GRANT ALL ON KEYSPACE ks TO mike") + self.superuser.execute("GRANT ALL ON KEYSPACE ks TO mike") self.assert_permissions_listed([("mike", "<keyspace ks>", "CREATE"), ("mike", "<keyspace ks>", "ALTER"), ("mike", "<keyspace ks>", "DROP"), ("mike", "<keyspace ks>", "SELECT"), ("mike", "<keyspace ks>", "MODIFY"), ("mike", "<keyspace ks>", "AUTHORIZE")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF mike") - cassandra.execute("REVOKE ALL ON KEYSPACE ks FROM mike") + self.superuser.execute("REVOKE ALL ON KEYSPACE ks FROM mike") # GRANT ALL ON TABLE does not include CREATE (because the table must already be created before the GRANT) - cassandra.execute("GRANT ALL ON ks.cf TO MIKE") + self.superuser.execute("GRANT ALL ON ks.cf TO MIKE") self.assert_permissions_listed([("mike", "<table ks.cf>", "ALTER"), ("mike", "<table ks.cf>", "DROP"), ("mike", "<table ks.cf>", "SELECT"), ("mike", "<table ks.cf>", "MODIFY"), ("mike", "<table ks.cf>", "AUTHORIZE")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF mike") - cassandra.execute("REVOKE ALL ON ks.cf FROM mike") - assert_invalid(cassandra, + self.superuser.execute("REVOKE ALL ON ks.cf FROM mike") + assert_invalid(self.superuser, "GRANT CREATE ON ks.cf TO MIKE", "Resource type DataResource does not support any of the requested permissions", SyntaxException) # GRANT ALL ON ALL ROLES includes SELECT & CREATE on the root level roles resource - cassandra.execute("GRANT ALL ON ALL ROLES TO mike") + self.superuser.execute("GRANT ALL ON ALL ROLES TO mike") self.assert_permissions_listed([("mike", "<all roles>", "CREATE"), ("mike", "<all roles>", "ALTER"), ("mike", "<all roles>", "DROP"), ("mike", "<all roles>", "DESCRIBE"), ("mike", "<all roles>", "AUTHORIZE")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF mike") - cassandra.execute("REVOKE ALL ON ALL ROLES FROM mike") - assert_invalid(cassandra, + self.superuser.execute("REVOKE ALL ON ALL ROLES FROM mike") + assert_invalid(self.superuser, "GRANT SELECT ON ALL ROLES TO MIKE", "Resource type RoleResource does not support any of the requested permissions", SyntaxException) # GRANT ALL ON ROLE does not include CREATE (because the role must already be created before the GRANT) - cassandra.execute("GRANT ALL ON ROLE role1 TO mike") + self.superuser.execute("GRANT ALL ON ROLE role1 TO mike") self.assert_permissions_listed([("mike", "<role role1>", "ALTER"), ("mike", "<role role1>", "DROP"), ("mike", "<role role1>", "AUTHORIZE")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF mike") - assert_invalid(cassandra, + assert_invalid(self.superuser, "GRANT CREATE ON ROLE role1 TO MIKE", "Resource type RoleResource does not support any of the requested permissions", SyntaxException) - cassandra.execute("REVOKE ALL ON ROLE role1 FROM mike") + self.superuser.execute("REVOKE ALL ON ROLE role1 FROM mike") # GRANT ALL ON ALL FUNCTIONS or on all functions for a single keyspace includes AUTHORIZE, EXECUTE and USAGE - cassandra.execute("GRANT ALL ON ALL FUNCTIONS TO mike") + self.superuser.execute("GRANT ALL ON ALL FUNCTIONS TO mike") self.assert_permissions_listed([("mike", "<all functions>", "CREATE"), ("mike", "<all functions>", "ALTER"), ("mike", "<all functions>", "DROP"), ("mike", "<all functions>", "AUTHORIZE"), ("mike", "<all functions>", "EXECUTE")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF mike") - cassandra.execute("REVOKE ALL ON ALL FUNCTIONS FROM mike") + self.superuser.execute("REVOKE ALL ON ALL FUNCTIONS FROM mike") - cassandra.execute("GRANT ALL ON ALL FUNCTIONS IN KEYSPACE ks TO mike") + self.superuser.execute("GRANT ALL ON ALL FUNCTIONS IN KEYSPACE ks TO mike") self.assert_permissions_listed([("mike", "<all functions in ks>", "CREATE"), ("mike", "<all functions in ks>", "ALTER"), ("mike", "<all functions in ks>", "DROP"), ("mike", "<all functions in ks>", "AUTHORIZE"), ("mike", "<all functions in ks>", "EXECUTE")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF mike") - cassandra.execute("REVOKE ALL ON ALL FUNCTIONS IN KEYSPACE ks FROM mike") + self.superuser.execute("REVOKE ALL ON ALL FUNCTIONS IN KEYSPACE ks FROM mike") # GRANT ALL ON FUNCTION includes AUTHORIZE, EXECUTE and USAGE for scalar functions and # AUTHORIZE and EXECUTE for aggregates - cassandra.execute("GRANT ALL ON FUNCTION ks.state_func(int, int) TO mike") + self.superuser.execute("GRANT ALL ON FUNCTION ks.state_func(int, int) TO mike") self.assert_permissions_listed([("mike", "<function ks.state_func(int, int)>", "ALTER"), ("mike", "<function ks.state_func(int, int)>", "DROP"), ("mike", "<function ks.state_func(int, int)>", "AUTHORIZE"), ("mike", "<function ks.state_func(int, int)>", "EXECUTE")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF mike") - cassandra.execute("REVOKE ALL ON FUNCTION ks.state_func(int, int) FROM mike") + self.superuser.execute("REVOKE ALL ON FUNCTION ks.state_func(int, int) FROM mike") - cassandra.execute("GRANT ALL ON FUNCTION ks.agg_func(int) TO mike") + self.superuser.execute("GRANT ALL ON FUNCTION ks.agg_func(int) TO mike") self.assert_permissions_listed([("mike", "<function ks.agg_func(int)>", "ALTER"), ("mike", "<function ks.agg_func(int)>", "DROP"), ("mike", "<function ks.agg_func(int)>", "AUTHORIZE"), ("mike", "<function ks.agg_func(int)>", "EXECUTE")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF mike") - cassandra.execute("REVOKE ALL ON FUNCTION ks.agg_func(int) FROM mike") + self.superuser.execute("REVOKE ALL ON FUNCTION ks.agg_func(int) FROM mike") def test_list_permissions(self): """ @@ -1721,19 +1753,17 @@ class TestAuthRoles(Tester): * Grant various permissions to roles * Verify they propagate appropriately. """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}") - cassandra.execute("CREATE TABLE ks.cf (id int primary key, val int)") - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("CREATE ROLE role1") - cassandra.execute("CREATE ROLE role2") - cassandra.execute("GRANT SELECT ON table ks.cf TO role1") - cassandra.execute("GRANT ALTER ON table ks.cf TO role2") - cassandra.execute("GRANT MODIFY ON table ks.cf TO mike") - cassandra.execute("GRANT ALTER ON ROLE role1 TO role2") - cassandra.execute("GRANT role1 TO role2") - cassandra.execute("GRANT role2 TO mike") + self.superuser.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}") + self.superuser.execute("CREATE TABLE ks.cf (id int primary key, val int)") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("CREATE ROLE role1") + self.superuser.execute("CREATE ROLE role2") + self.superuser.execute("GRANT SELECT ON table ks.cf TO role1") + self.superuser.execute("GRANT ALTER ON table ks.cf TO role2") + self.superuser.execute("GRANT MODIFY ON table ks.cf TO mike") + self.superuser.execute("GRANT ALTER ON ROLE role1 TO role2") + self.superuser.execute("GRANT role1 TO role2") + self.superuser.execute("GRANT role2 TO mike") expected_permissions = [("mike", "<table ks.cf>", "MODIFY"), ("role1", "<table ks.cf>", "SELECT"), @@ -1745,48 +1775,48 @@ class TestAuthRoles(Tester): expected_permissions.extend(role_creator_permissions('cassandra', '<role role1>')) expected_permissions.extend(role_creator_permissions('cassandra', '<role role2>')) - self.assert_permissions_listed(expected_permissions, cassandra, "LIST ALL PERMISSIONS") + self.assert_permissions_listed(expected_permissions, self.superuser, "LIST ALL PERMISSIONS") self.assert_permissions_listed([("role1", "<table ks.cf>", "SELECT")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF role1") self.assert_permissions_listed([("role1", "<table ks.cf>", "SELECT"), ("role2", "<table ks.cf>", "ALTER"), ("role2", "<role role1>", "ALTER")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF role2") self.assert_permissions_listed([("cassandra", "<role role1>", "ALTER"), ("cassandra", "<role role1>", "DROP"), ("cassandra", "<role role1>", "AUTHORIZE"), ("role2", "<role role1>", "ALTER")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS ON ROLE role1") # we didn't specifically grant DROP on role1, so only it's creator should have it self.assert_permissions_listed([("cassandra", "<role role1>", "DROP")], - cassandra, + self.superuser, "LIST DROP PERMISSION ON ROLE role1") # but we did specifically grant ALTER role1 to role2 # so that should be listed whether we include an OF clause or not self.assert_permissions_listed([("cassandra", "<role role1>", "ALTER"), ("role2", "<role role1>", "ALTER")], - cassandra, + self.superuser, "LIST ALTER PERMISSION ON ROLE role1") self.assert_permissions_listed([("role2", "<role role1>", "ALTER")], - cassandra, + self.superuser, "LIST ALTER PERMISSION ON ROLE role1 OF role2") # make sure ALTER on role2 is excluded properly when OF is for another role - cassandra.execute("CREATE ROLE role3 WITH SUPERUSER = false AND LOGIN = false") - assert list(cassandra.execute("LIST ALTER PERMISSION ON ROLE role1 OF role3")) == [] + self.superuser.execute("CREATE ROLE role3 WITH SUPERUSER = false AND LOGIN = false") + assert list(self.superuser.execute("LIST ALTER PERMISSION ON ROLE role1 OF role3")) == [] # now check users can list their own permissions - mike = self.get_session(user='mike', password='12345') + as_mike = self.get_session(user='mike', password='12345') self.assert_permissions_listed([("mike", "<table ks.cf>", "MODIFY"), ("role1", "<table ks.cf>", "SELECT"), ("role2", "<table ks.cf>", "ALTER"), ("role2", "<role role1>", "ALTER")], - mike, + as_mike, "LIST ALL PERMISSIONS OF mike") def test_list_permissions_validation(self): @@ -1798,38 +1828,35 @@ class TestAuthRoles(Tester): * Verify mike can see the permissions of his role, and the roles granted to him * Verify mike cannot see all permissions, or those of roles not granted to him """ - self.prepare() + self.superuser.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}") + self.superuser.execute("CREATE TABLE ks.cf (id int primary key, val int)") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("CREATE ROLE john WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("CREATE ROLE role1") + self.superuser.execute("CREATE ROLE role2") - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}") - cassandra.execute("CREATE TABLE ks.cf (id int primary key, val int)") - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("CREATE ROLE john WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("CREATE ROLE role1") - cassandra.execute("CREATE ROLE role2") + self.superuser.execute("GRANT SELECT ON table ks.cf TO role1") + self.superuser.execute("GRANT ALTER ON table ks.cf TO role2") + self.superuser.execute("GRANT MODIFY ON table ks.cf TO john") - cassandra.execute("GRANT SELECT ON table ks.cf TO role1") - cassandra.execute("GRANT ALTER ON table ks.cf TO role2") - cassandra.execute("GRANT MODIFY ON table ks.cf TO john") + self.superuser.execute("GRANT role1 TO role2") + self.superuser.execute("GRANT role2 TO mike") - cassandra.execute("GRANT role1 TO role2") - cassandra.execute("GRANT role2 TO mike") - - mike = self.get_session(user='mike', password='12345') + as_mike = self.get_session(user='mike', password='12345') self.assert_permissions_listed([("role1", "<table ks.cf>", "SELECT"), ("role2", "<table ks.cf>", "ALTER")], - mike, + as_mike, "LIST ALL PERMISSIONS OF role2") self.assert_permissions_listed([("role1", "<table ks.cf>", "SELECT")], - mike, + as_mike, "LIST ALL PERMISSIONS OF role1") - assert_unauthorized(mike, + assert_unauthorized(as_mike, "LIST ALL PERMISSIONS", "You are not authorized to view everyone's permissions") - assert_unauthorized(mike, + assert_unauthorized(as_mike, "LIST ALL PERMISSIONS OF john", "You are not authorized to view john's permissions") @@ -1845,27 +1872,33 @@ class TestAuthRoles(Tester): * Revoke role1, and thus read permissions, from mike. * Try reading as mike, and verify that eventually the cache expires and it fails. """ - self.prepare(roles_expiry=2000) - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}") - cassandra.execute("CREATE TABLE ks.cf (id int primary key, val int)") - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("CREATE ROLE role1") - cassandra.execute("GRANT ALL ON table ks.cf TO role1") - cassandra.execute("GRANT role1 TO mike") + # on older versions the cache is not initialized until used, + # we need the MBean registered so let's use it + if self.dtest_config.cassandra_version_from_build < '4.0': + self.superuser.execute("LIST ROLES") - mike = self.get_session(user='mike', password='12345') - mike.execute("INSERT INTO ks.cf (id, val) VALUES (0, 0)") + mbean = make_mbean('auth', type='RolesCache') + with JolokiaAgent(self.cluster.nodelist()[0]) as jmx: + jmx.write_attribute(mbean, 'Validity', 2000) + + self.setup_table() + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("CREATE ROLE role1") + self.superuser.execute("GRANT ALL ON table ks.t1 TO role1") + self.superuser.execute("GRANT role1 TO mike") - assert_one(mike, "SELECT * FROM ks.cf", [0, 0]) + as_mike = self.get_session(user='mike', password='12345') + as_mike.execute("INSERT INTO ks.t1 (k, v) VALUES (0, 0)") - cassandra.execute("REVOKE role1 FROM mike") + assert_one(as_mike, "SELECT * FROM ks.t1", [0, 0]) + + self.superuser.execute("REVOKE role1 FROM mike") # mike should retain permissions until the cache expires unauthorized = None cnt = 0 while not unauthorized and cnt < 20: try: - mike.execute("SELECT * FROM ks.cf") + as_mike.execute("SELECT * FROM ks.t1") cnt += 1 time.sleep(.5) except Unauthorized as e: @@ -1873,7 +1906,7 @@ class TestAuthRoles(Tester): assert unauthorized is not None - def drop_non_existent_role_should_not_update_cache(self): + def test_drop_non_existent_role_should_not_update_cache(self): """ This test checks that dropping a nonexistent role doesn't create an entry in the auth cache. @@ -1884,22 +1917,30 @@ class TestAuthRoles(Tester): * Connect as the new role, and ensure it can issue reads. @jira_ticket CASSANDRA-9189 """ + + # on older versions the cache is not initialized until used, + # we need the MBean registered so let's use it + if self.dtest_config.cassandra_version_from_build < '4.0': + self.superuser.execute("LIST ROLES") + # The su status check during DROP ROLE IF EXISTS <role> # should not cause a non-existent role to be cached (CASSANDRA-9189) - self.prepare(roles_expiry=10000) - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}") - cassandra.execute("CREATE TABLE ks.cf (id int primary key, val int)") + mbean = make_mbean('auth', type='RolesCache') + with JolokiaAgent(self.cluster.nodelist()[0]) as jmx: + jmx.write_attribute(mbean, 'Validity', 10000) + + self.setup_table() + # Dropping a role which doesn't exist should be a no-op. If we cache the fact # that the role doesn't exist though, subsequent authz attempts which should # succeed will fail due to the erroneous cache entry - cassandra.execute("DROP ROLE IF EXISTS mike") - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND LOGIN = true") - cassandra.execute("GRANT ALL ON ks.cf TO mike") + self.superuser.execute("DROP ROLE IF EXISTS mike") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND LOGIN = true") + self.superuser.execute("GRANT ALL ON ks.t1 TO mike") - mike = self.get_session(user='mike', password='12345') - mike.execute("SELECT * FROM ks.cf") + as_mike = self.get_session(user='mike', password='12345') + as_mike.execute("SELECT * FROM ks.t1") def test_prevent_circular_grants(self): """ @@ -1908,18 +1949,16 @@ class TestAuthRoles(Tester): * Create several roles * Verify we cannot grant roles in circular chain """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE mike") - cassandra.execute("CREATE ROLE role1") - cassandra.execute("CREATE ROLE role2") - cassandra.execute("GRANT role2 to role1") - cassandra.execute("GRANT role1 TO mike") - assert_invalid(cassandra, + self.superuser.execute("CREATE ROLE mike") + self.superuser.execute("CREATE ROLE role1") + self.superuser.execute("CREATE ROLE role2") + self.superuser.execute("GRANT role2 to role1") + self.superuser.execute("GRANT role1 TO mike") + assert_invalid(self.superuser, "GRANT mike TO role1", "mike is a member of role1", InvalidRequest) - assert_invalid(cassandra, + assert_invalid(self.superuser, "GRANT mike TO role2", "mike is a member of role2", InvalidRequest) @@ -1930,13 +1969,11 @@ class TestAuthRoles(Tester): * Connect as the default superuser * Attempt to create roles using "CREATE USER". Verify still works """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE USER mike WITH PASSWORD '12345' NOSUPERUSER") - assert_one(cassandra, "LIST ROLES OF mike", list(mike_role)) + self.superuser.execute("CREATE USER mike WITH PASSWORD '12345' NOSUPERUSER") + assert_one(self.superuser, "LIST ROLES OF mike", list(self.role('mike'))) - cassandra.execute("CREATE USER super_user WITH PASSWORD '12345' SUPERUSER") - assert_one(cassandra, "LIST ROLES OF super_user", ["super_user", True, True, {}] + all_dcs) + self.superuser.execute("CREATE USER super_user WITH PASSWORD '12345' SUPERUSER") + assert_one(self.superuser, "LIST ROLES OF super_user", list(self.role('super_user', superuser=True))) def test_role_name(self): """ @@ -1948,32 +1985,30 @@ class TestAuthRoles(Tester): * Verify that CREATE USER is always case sensitive @jira_ticket CASSANDRA-10394 """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') # unquoted identifiers and unreserved keyword do not preserve case # count - cassandra.execute("CREATE ROLE ROLE1 WITH PASSWORD = '12345' AND LOGIN = true") + self.superuser.execute("CREATE ROLE ROLE1 WITH PASSWORD = '12345' AND LOGIN = true") self.assert_unauthenticated('ROLE1', '12345') - cassandra.execute("CREATE ROLE COUNT WITH PASSWORD = '12345' AND LOGIN = true") + self.superuser.execute("CREATE ROLE COUNT WITH PASSWORD = '12345' AND LOGIN = true") self.assert_unauthenticated('COUNT', '12345') self.get_session(user='count', password='12345') # string literals and quoted names do preserve case - cassandra.execute("CREATE ROLE 'ROLE2' WITH PASSWORD = '12345' AND LOGIN = true") + self.superuser.execute("CREATE ROLE 'ROLE2' WITH PASSWORD = '12345' AND LOGIN = true") self.get_session(user='ROLE2', password='12345') self.assert_unauthenticated('Role2', '12345') - cassandra.execute("""CREATE ROLE "ROLE3" WITH PASSWORD = '12345' AND LOGIN = true""") + self.superuser.execute("""CREATE ROLE "ROLE3" WITH PASSWORD = '12345' AND LOGIN = true""") self.get_session(user='ROLE3', password='12345') self.assert_unauthenticated('Role3', '12345') # when using legacy USER syntax, both unquoted identifiers and string literals preserve case - cassandra.execute("CREATE USER USER1 WITH PASSWORD '12345'") + self.superuser.execute("CREATE USER USER1 WITH PASSWORD '12345'") self.get_session(user='USER1', password='12345') self.assert_unauthenticated('User1', '12345') - cassandra.execute("CREATE USER 'USER2' WITH PASSWORD '12345'") + self.superuser.execute("CREATE USER 'USER2' WITH PASSWORD '12345'") self.get_session(user='USER2', password='12345') self.assert_unauthenticated('User2', '12345') @@ -1986,18 +2021,16 @@ class TestAuthRoles(Tester): * Remove mike's login privilege. Verify mike cannot login * Restore mike's login privilege. Verify mike can connect again. """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - assert_one(cassandra, "LIST ROLES OF mike", list(mike_role)) + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + assert_one(self.superuser, "LIST ROLES OF mike", list(self.role('mike'))) self.get_session(user='mike', password='12345') - cassandra.execute("ALTER ROLE mike WITH LOGIN = false") - assert_one(cassandra, "LIST ROLES OF mike", ["mike", False, False, {}] + na_dcs) + self.superuser.execute("ALTER ROLE mike WITH LOGIN = false") + assert_one(self.superuser, "LIST ROLES OF mike", list(self.role('mike', login=False))) self.assert_login_not_allowed('mike', '12345') - cassandra.execute("ALTER ROLE mike WITH LOGIN = true") - assert_one(cassandra, "LIST ROLES OF mike", ["mike", False, True, {}] + all_dcs) + self.superuser.execute("ALTER ROLE mike WITH LOGIN = true") + assert_one(self.superuser, "LIST ROLES OF mike", list(self.role('mike', login=True))) self.get_session(user='mike', password='12345') def test_roles_do_not_inherit_login_privilege(self): @@ -2008,15 +2041,14 @@ class TestAuthRoles(Tester): * Grant the other user to mike. * Verify mike still cannot log in. """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = false") - cassandra.execute("CREATE ROLE with_login WITH PASSWORD = '54321' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("GRANT with_login to mike") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = false") + self.superuser.execute("CREATE ROLE with_login WITH PASSWORD = '54321' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("GRANT with_login to mike") + mike = self.role('mike', login=False) + with_login = self.role('with_login') - assert_all(cassandra, "LIST ROLES OF mike", [["mike", False, False, {}] + na_dcs, - ["with_login", False, True, {}] + all_dcs]) - assert_one(cassandra, "LIST ROLES OF with_login", ["with_login", False, True, {}] + all_dcs) + assert_all(self.superuser, "LIST ROLES OF mike", [list(mike), list(with_login)]) + assert_one(self.superuser, "LIST ROLES OF with_login", list(with_login)) self.assert_login_not_allowed("mike", "12345") @@ -2029,14 +2061,9 @@ class TestAuthRoles(Tester): * Alter mike and add a password * Verify mike can now connect """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE mike WITH SUPERUSER = false AND LOGIN = true") - if self.cluster.cassandra_version() >= '3.8': - self.assert_unauthenticated('mike', None) - else: - self.assert_unauthenticated('mike', None) - cassandra.execute("ALTER ROLE mike WITH PASSWORD = '12345'") + self.superuser.execute("CREATE ROLE mike WITH SUPERUSER = false AND LOGIN = true") + self.assert_unauthenticated('mike', None) + self.superuser.execute("ALTER ROLE mike WITH PASSWORD = '12345'") self.get_session(user='mike', password='12345') def test_superuser_status_is_inherited(self): @@ -2049,22 +2076,20 @@ class TestAuthRoles(Tester): * Grant the superuser role to mike. * Verify that mike now has all permissions """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("CREATE ROLE db_admin WITH SUPERUSER = true") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("CREATE ROLE db_admin WITH SUPERUSER = true") - mike = self.get_session(user='mike', password='12345') - assert_unauthorized(mike, + as_mike = self.get_session(user='mike', password='12345') + assert_unauthorized(as_mike, "CREATE ROLE another_role WITH SUPERUSER = false AND LOGIN = false", "User mike does not have sufficient privileges to perform the requested operation") - cassandra.execute("GRANT db_admin TO mike") - mike.execute("CREATE ROLE another_role WITH SUPERUSER = false AND LOGIN = false") - assert_all(mike, "LIST ROLES", [["another_role", False, False, {}] + na_dcs, - list(cassandra_role), - ["db_admin", True, False, {}] + na_dcs, - list(mike_role)]) + self.superuser.execute("GRANT db_admin TO mike") + as_mike.execute("CREATE ROLE another_role WITH SUPERUSER = false AND LOGIN = false") + assert_all(as_mike, "LIST ROLES", [list(self.role('another_role', superuser=False, login=False)), + list(self.cassandra_role), + list(self.role('db_admin', superuser=True, login=False)), + list(self.role('mike'))]) def test_list_users_considers_inherited_superuser_status(self): """ @@ -2074,13 +2099,13 @@ class TestAuthRoles(Tester): * Grant the superuser role to mike * Verify that LIST USERS shows mike as a superuser, even though that privilege is granted indirectly """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - cassandra.execute("CREATE ROLE db_admin WITH SUPERUSER = true") - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") - cassandra.execute("GRANT db_admin TO mike") - assert_all(cassandra, "LIST USERS", [['cassandra', True] + all_dcs, - ["mike", True] + all_dcs]) + self.superuser.execute("CREATE ROLE db_admin WITH SUPERUSER = true") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true") + self.superuser.execute("GRANT db_admin TO mike") + if self.dtest_config.cassandra_version_from_build >= '4.0': + assert_all(self.superuser, "LIST USERS", [['cassandra', True, 'ALL'], ['mike', True, 'ALL']]) + else: + assert_all(self.superuser, "LIST USERS", [['cassandra', True], ['mike', True]]) # UDF permissions tests # TODO move to separate fixture & refactor this + auth_test.py def test_grant_revoke_udf_permissions(self): @@ -2091,43 +2116,41 @@ class TestAuthRoles(Tester): * Create two UDFs * Selectively grant and revoke each possible UDF permission to mike, and verify those operations worked """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - self.setup_table(cassandra) - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND LOGIN = true") - cassandra.execute("CREATE FUNCTION ks.plus_one ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'") - cassandra.execute("CREATE FUNCTION ks.\"plusOne\" ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'") + self.setup_table() + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND LOGIN = true") + self.superuser.execute("CREATE FUNCTION ks.plus_one ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'") + self.superuser.execute("CREATE FUNCTION ks.\"plusOne\" ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'") # grant / revoke on a specific function - cassandra.execute("GRANT EXECUTE ON FUNCTION ks.plus_one(int) TO mike") - cassandra.execute("GRANT EXECUTE ON FUNCTION ks.\"plusOne\"(int) TO mike") + self.superuser.execute("GRANT EXECUTE ON FUNCTION ks.plus_one(int) TO mike") + self.superuser.execute("GRANT EXECUTE ON FUNCTION ks.\"plusOne\"(int) TO mike") self.assert_permissions_listed([("mike", "<function ks.plus_one(int)>", "EXECUTE"), ("mike", "<function ks.plusOne(int)>", "EXECUTE")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF mike") - cassandra.execute("REVOKE ALL PERMISSIONS ON FUNCTION ks.plus_one(int) FROM mike") + self.superuser.execute("REVOKE ALL PERMISSIONS ON FUNCTION ks.plus_one(int) FROM mike") self.assert_permissions_listed([("mike", "<function ks.plusOne(int)>", "EXECUTE")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF mike") - cassandra.execute("REVOKE EXECUTE PERMISSION ON FUNCTION ks.\"plusOne\"(int) FROM mike") - self.assert_no_permissions(cassandra, "LIST ALL PERMISSIONS OF mike") + self.superuser.execute("REVOKE EXECUTE PERMISSION ON FUNCTION ks.\"plusOne\"(int) FROM mike") + self.assert_no_permissions(self.superuser, "LIST ALL PERMISSIONS OF mike") # grant / revoke on all functions in a given keyspace - cassandra.execute("GRANT EXECUTE PERMISSION ON ALL FUNCTIONS IN KEYSPACE ks TO mike") + self.superuser.execute("GRANT EXECUTE PERMISSION ON ALL FUNCTIONS IN KEYSPACE ks TO mike") self.assert_permissions_listed([("mike", "<all functions in ks>", "EXECUTE")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF mike") - cassandra.execute("REVOKE EXECUTE PERMISSION ON ALL FUNCTIONS IN KEYSPACE ks FROM mike") - self.assert_no_permissions(cassandra, "LIST ALL PERMISSIONS OF mike") + self.superuser.execute("REVOKE EXECUTE PERMISSION ON ALL FUNCTIONS IN KEYSPACE ks FROM mike") + self.assert_no_permissions(self.superuser, "LIST ALL PERMISSIONS OF mike") # grant / revoke on all (non-builtin) functions - cassandra.execute("GRANT EXECUTE PERMISSION ON ALL FUNCTIONS TO mike") + self.superuser.execute("GRANT EXECUTE PERMISSION ON ALL FUNCTIONS TO mike") self.assert_permissions_listed([("mike", "<all functions>", "EXECUTE")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF mike") - cassandra.execute("REVOKE EXECUTE PERMISSION ON ALL FUNCTIONS FROM mike") - self.assert_no_permissions(cassandra, "LIST ALL PERMISSIONS OF mike") + self.superuser.execute("REVOKE EXECUTE PERMISSION ON ALL FUNCTIONS FROM mike") + self.assert_no_permissions(self.superuser, "LIST ALL PERMISSIONS OF mike") def test_grant_revoke_are_idempotent(self): """ @@ -2138,20 +2161,18 @@ class TestAuthRoles(Tester): * Issue multiple grants and revokes of permissions for the UDF to mike * Verify the grants/revokes are idempotent, and were successful """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - self.setup_table(cassandra) - cassandra.execute("CREATE ROLE mike") - cassandra.execute("CREATE FUNCTION ks.plus_one ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'") - cassandra.execute("GRANT EXECUTE ON FUNCTION ks.plus_one(int) TO mike") - cassandra.execute("GRANT EXECUTE ON FUNCTION ks.plus_one(int) TO mike") + self.setup_table() + self.superuser.execute("CREATE ROLE mike") + self.superuser.execute("CREATE FUNCTION ks.plus_one ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'") + self.superuser.execute("GRANT EXECUTE ON FUNCTION ks.plus_one(int) TO mike") + self.superuser.execute("GRANT EXECUTE ON FUNCTION ks.plus_one(int) TO mike") self.assert_permissions_listed([("mike", "<function ks.plus_one(int)>", "EXECUTE")], - cassandra, + self.superuser, "LIST ALL PERMISSIONS OF mike") - cassandra.execute("REVOKE EXECUTE ON FUNCTION ks.plus_one(int) FROM mike") - self.assert_no_permissions(cassandra, "LIST ALL PERMISSIONS OF mike") - cassandra.execute("REVOKE EXECUTE ON FUNCTION ks.plus_one(int) FROM mike") - self.assert_no_permissions(cassandra, "LIST ALL PERMISSIONS OF mike") + self.superuser.execute("REVOKE EXECUTE ON FUNCTION ks.plus_one(int) FROM mike") + self.assert_no_permissions(self.superuser, "LIST ALL PERMISSIONS OF mike") + self.superuser.execute("REVOKE EXECUTE ON FUNCTION ks.plus_one(int) FROM mike") + self.assert_no_permissions(self.superuser, "LIST ALL PERMISSIONS OF mike") def test_function_resource_hierarchy_permissions(self): """ @@ -2166,54 +2187,52 @@ class TestAuthRoles(Tester): * Verify that revoking EXECUTE ON ALL FUNCTIONS for mike does not affect his function specific permissions * Check that if mike has keyspace level EXECUTE, that granting/revoking function specific permissions doesn't affect the keyspace level permissions """ - self.prepare() - cassandra = self.get_session(user='cassandra', password='cassandra') - self.setup_table(cassandra) - cassandra.execute("INSERT INTO ks.t1 (k,v) values (1,1)") - cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND LOGIN = true") - cassandra.execute("GRANT SELECT ON ks.t1 TO mike") - cassandra.execute("CREATE FUNCTION ks.func_one ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'") - cassandra.execute("CREATE FUNCTION ks.func_two ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'") + self.setup_table() + self.superuser.execute("INSERT INTO ks.t1 (k,v) values (1,1)") + self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND LOGIN = true") + self.superuser.execute("GRANT SELECT ON ks.t1 TO mike") + self.superuser.execute("CREATE FUNCTION ks.func_one ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'") + self.superuser.execute("CREATE FUNCTION ks.func_two ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'") - mike = self.get_session(user='mike', password='12345') + as_mike = self.get_session(user='mike', password='12345') select_one = "SELECT k, v, ks.func_one(v) FROM ks.t1 WHERE k = 1" select_two = "SELECT k, v, ks.func_two(v) FROM ks.t1 WHERE k = 1" # grant EXECUTE on only one of the two functions - cassandra.execute("GRANT EXECUTE ON FUNCTION ks.func_one(int) TO mike") - mike.execute(select_one) - assert_unauthorized(mike, select_two, + self.superuser.execute("GRANT EXECUTE ON FUNCTION ks.func_one(int) TO mike") + as_mike.execute(select_one) + assert_unauthorized(as_mike, select_two, "User mike has no EXECUTE permission on <function ks.func_two\(int\)> or any of its parents") # granting EXECUTE on all of the parent keyspace's should enable mike to use both functions - cassandra.execute("GRANT EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks TO mike") - mike.execute(select_one) - mike.execute(select_two) + self.superuser.execute("GRANT EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks TO mike") + as_mike.execute(select_one) + as_mike.execute(select_two) # revoke the keyspace level privilege and verify that the function specific perms are unaffected - cassandra.execute("REVOKE EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks FROM mike") - mike.execute(select_one) - assert_unauthorized(mike, select_two, + self.superuser.execute("REVOKE EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks FROM mike") + as_mike.execute(select_one) + assert_unauthorized(as_mike, select_two, "User mike has no EXECUTE permission on <function ks.func_two\(int\)> or any of its parents") # now check that EXECUTE on ALL FUNCTIONS works in the same way - cassandra.execute("GRANT EXECUTE ON ALL FUNCTIONS TO mike") - mike.execute(select_one) - mike.execute(select_two) - cassandra.execute("REVOKE EXECUTE ON ALL FUNCTIONS FROM mike") - mike.execute(select_one) - assert_unauthorized(mike, select_two, + self.superuser.execute("GRANT EXECUTE ON ALL FUNCTIONS TO mike") + as_mike.execute(select_one) + as_mike.execute(select_two) + self.superuser.execute("REVOKE EXECUTE ON ALL FUNCTIONS FROM mike") + as_mike.execute(select_one) + assert_unauthorized(as_mike, select_two, "User mike has no EXECUTE permission on <function ks.func_two\(int\)> or any of its parents") # finally, check that revoking function level permissions doesn't affect root/keyspace level perms - cassandra.execute("GRANT EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks TO mike") - cassandra.execute("REVOKE EXECUTE ON FUNCTION ks.func_one(int) FROM mike") - mike.execute(select_one) - mike.execute(select_two) - cassandra.execute("REVOKE EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks FROM mike") - cassandra.execute("GRANT EXECUTE ON FUNCTION ks.func_one(int) TO mike") - cassandra.execute("GRANT EXECUTE ON ALL FUNCTIONS TO mike") - mike.execute(select_one) - mike.execute(select_two) - cassandra.execute("REVOKE EXECUTE ON FUNCTION ks.func_one(int) FROM mike") - mike.execute(select_one) - mike.execute(select_two) + self.superuser.execute("GRANT EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks TO mike") + self.superuser.execute("REVOKE EXECUTE ON FUNCTION ks.func_one(int) FROM mike") + as_mike.execute(select_one) + as_mike.execute(select_two) + self.superuser.execute("REVOKE EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks FROM mike") +
<TRUNCATED> --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org