Repository: cassandra Updated Branches: refs/heads/trunk e5d997374 -> 87e886789
minor network authz improvements Patch by Blake Eggleston; Reviewed by Ariel Weisberg for CASSANDRA-14413 Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/87e88678 Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/87e88678 Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/87e88678 Branch: refs/heads/trunk Commit: 87e886789a6d4fe1f1ea9a232a2763a16b39c001 Parents: e5d9973 Author: Blake Eggleston <bdeggles...@gmail.com> Authored: Mon Apr 23 14:47:46 2018 -0700 Committer: Blake Eggleston <bdeggles...@gmail.com> Committed: Wed May 9 14:55:14 2018 -0700 ---------------------------------------------------------------------- CHANGES.txt | 1 + src/java/org/apache/cassandra/auth/DCPermissions.java | 10 ++++++++-- .../cassandra/cql3/statements/CreateRoleStatement.java | 2 +- src/java/org/apache/cassandra/service/ClientState.java | 3 ++- .../cassandra/auth/CassandraNetworkAuthorizerTest.java | 2 +- 5 files changed, 13 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cassandra/blob/87e88678/CHANGES.txt ---------------------------------------------------------------------- diff --git a/CHANGES.txt b/CHANGES.txt index 50a17ab..051e20a 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,4 +1,5 @@ 4.0 + * minor network authz improvements (Cassandra-14413) * Automatic sstable upgrades (CASSANDRA-14197) * Replace deprecated junit.framework.Assert usages with org.junit.Assert (CASSANDRA-14431) * cassandra-stress throws NPE if insert section isn't specified in user profile (CASSSANDRA-14426) http://git-wip-us.apache.org/repos/asf/cassandra/blob/87e88678/src/java/org/apache/cassandra/auth/DCPermissions.java ---------------------------------------------------------------------- 
diff --git a/src/java/org/apache/cassandra/auth/DCPermissions.java b/src/java/org/apache/cassandra/auth/DCPermissions.java index 46cdad9..d04242d 100644 --- a/src/java/org/apache/cassandra/auth/DCPermissions.java +++ b/src/java/org/apache/cassandra/auth/DCPermissions.java @@ -31,7 +31,15 @@ import org.apache.cassandra.exceptions.InvalidRequestException; public abstract class DCPermissions { + /** + * returns true if the user can access the given dc + */ public abstract boolean canAccess(String dc); + + /** + * Indicates whether the permissions object explicitly allow access to + * some dcs (true) or if it implicitly allows access to all dcs (false) + */ public abstract boolean restrictsAccess(); public abstract Set<String> allowedDCs(); public abstract void validate(); @@ -85,8 +93,6 @@ public abstract class DCPermissions public void validate() { - Datacenters.getValidDatacenters(); - Set<String> unknownDcs = Sets.difference(subset, Datacenters.getValidDatacenters()); if (!unknownDcs.isEmpty()) { http://git-wip-us.apache.org/repos/asf/cassandra/blob/87e88678/src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java b/src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java index bd9a5a4..0e0afec 100644 --- a/src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java +++ b/src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java 
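Review bot: The new Javadoc on canAccess in the first DCPermissions hunk is a lower-case fragment ("returns true if the user can access the given dc") while the new Javadoc on restrictsAccess is a full sentence; make the two read the same way, e.g. `/** Returns true if the user can access the given datacenter. */`. The other two abstract methods visible in the same hunk, allowedDCs() and validate(), are still undocumented; the implementation of validate() in the second hunk (apparently a subclass holding a `subset` field) compares that set against Datacenters.getValidDatacenters(), so a one-line `/** Rejects this permissions object if it names a datacenter that is not a known datacenter. */` on the abstract declaration would fit, and allowedDCs() presumably returns the set of datacenter names the object allows. The body of validate() continues past the end of the second hunk.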
@@ -77,7 +77,7 @@ public class CreateRoleStatement extends AuthenticationStatement return null; DatabaseDescriptor.getRoleManager().createRole(state.getUser(), role, opts); - if (dcPermissions.restrictsAccess()) + if (DatabaseDescriptor.getNetworkAuthorizer().requireAuthorization()) { DatabaseDescriptor.getNetworkAuthorizer().setRoleDatacenters(role, dcPermissions); } http://git-wip-us.apache.org/repos/asf/cassandra/blob/87e88678/src/java/org/apache/cassandra/service/ClientState.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java index 045cc8c..c854737 100644 --- a/src/java/org/apache/cassandra/service/ClientState.java +++ b/src/java/org/apache/cassandra/service/ClientState.java @@ -38,6 +38,7 @@ import org.apache.cassandra.cql3.QueryHandler; import org.apache.cassandra.cql3.QueryProcessor; import org.apache.cassandra.cql3.functions.Function; import org.apache.cassandra.db.SystemKeyspace; +import org.apache.cassandra.dht.Datacenters; import org.apache.cassandra.exceptions.AuthenticationException; import org.apache.cassandra.exceptions.InvalidRequestException; import org.apache.cassandra.exceptions.UnauthorizedException; @@ -440,7 +441,7 @@ public class ClientState } else if (!user.hasLocalAccess()) { - throw new UnauthorizedException("You do not have access to this datacenter"); + throw new UnauthorizedException(String.format("You do not have access to this datacenter (%s)", Datacenters.thisDatacenter())); } } http://git-wip-us.apache.org/repos/asf/cassandra/blob/87e88678/test/unit/org/apache/cassandra/auth/CassandraNetworkAuthorizerTest.java ---------------------------------------------------------------------- diff --git a/test/unit/org/apache/cassandra/auth/CassandraNetworkAuthorizerTest.java b/test/unit/org/apache/cassandra/auth/CassandraNetworkAuthorizerTest.java index 6948203..f0eed8c 100644 
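Review bot: The changed condition in CreateRoleStatement now persists datacenter permissions for every newly created role whenever the network authorizer requires authorization, including roles whose dcPermissions restrict nothing, and nothing at the call site says why. A short why-comment above the condition would help, e.g. `// with network authz enabled, record the role's dc permissions even when they are unrestricted`; the exact reason is inferred from the test hunk below and should be confirmed against setRoleDatacenters. DatabaseDescriptor.getNetworkAuthorizer() is also now called twice in two consecutive lines, so a local holding the authorizer would read more clearly. The enclosing method starts before the hunk.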
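Review bot: The reworded UnauthorizedException in the second ClientState hunk now returns Datacenters.thisDatacenter() to a client that has just been denied access to that datacenter. The name is likely low-sensitivity and does make support easier, but if datacenter names are treated as internal topology detail, keep the client-facing text generic and record the datacenter and the denied user in a server-side log or audit entry instead. Either way, a comment stating that the datacenter name is intentionally exposed to the client would settle the question for future readers. The enclosing method starts before the hunk.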
--- a/test/unit/org/apache/cassandra/auth/CassandraNetworkAuthorizerTest.java +++ b/test/unit/org/apache/cassandra/auth/CassandraNetworkAuthorizerTest.java @@ -206,7 +206,7 @@ public class CassandraNetworkAuthorizerTest // user should implicitly have access to all datacenters auth("CREATE ROLE %s WITH password = 'password' AND LOGIN = true", username); Assert.assertEquals(DCPermissions.all(), dcPerms(username)); - assertNoDcPermRow(username); + assertDcPermRow(username); // unless explicitly restricted auth("ALTER ROLE %s WITH ACCESS TO DATACENTERS {'dc1', 'dc2'}", username); --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
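Review bot: The comment directly above the changed assertion still says the user "should implicitly have access to all datacenters", yet the assertion now requires an explicit dc-permissions row for that user, so a reader of the test alone cannot tell why a row is expected for an unrestricted role. Extend the comment, e.g. `// user should implicitly have access to all datacenters; with network authz enabled a row is still written, holding the unrestricted permissions`. Whether that row stores DCPermissions.all() or an equivalent marker is not visible in the hunk and should be confirmed against assertDcPermRow.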