
From alek...@apache.org
Subject [1/2] cassandra git commit: Add new Role management permissions
Date Fri, 06 Feb 2015 00:41:20 GMT
Repository: cassandra
Updated Branches:
  refs/heads/trunk 91e64231e -> 217721ae9


http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/GrantPermissionsStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/GrantPermissionsStatement.java
b/src/java/org/apache/cassandra/cql3/statements/GrantPermissionsStatement.java
new file mode 100644
index 0000000..06a53e2
--- /dev/null
+++ b/src/java/org/apache/cassandra/cql3/statements/GrantPermissionsStatement.java
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.cassandra.cql3.statements;
+
+import java.util.Set;
+
+import org.apache.cassandra.auth.IResource;
+import org.apache.cassandra.auth.Permission;
+import org.apache.cassandra.config.DatabaseDescriptor;
+import org.apache.cassandra.cql3.RoleName;
+import org.apache.cassandra.exceptions.RequestExecutionException;
+import org.apache.cassandra.exceptions.RequestValidationException;
+import org.apache.cassandra.service.ClientState;
+import org.apache.cassandra.transport.messages.ResultMessage;
+
+public class GrantPermissionsStatement extends PermissionsManagementStatement
+{
+    public GrantPermissionsStatement(Set<Permission> permissions, IResource resource,
RoleName grantee)
+    {
+        super(permissions, resource, grantee);
+    }
+
+    public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException
+    {
+        DatabaseDescriptor.getAuthorizer().grant(state.getUser(), permissions, resource,
grantee);
+        return null;
+    }
+}
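Review bot: GrantPermissionsStatement has no class-level Javadoc even though execute() is the one place the privileged authorizer call happens and its safety presumably depends on the framework running the inherited validate() and checkAccess() first; the same applies to RevokePermissionsStatement in the later hunk. Suggest adding above the class declaration: `/** GRANT <permissions> ON <resource> TO <role>. Role and resource existence are checked in PermissionsManagementStatement.validate(); AUTHORIZE plus each granted permission on the resource is enforced in its checkAccess(). */`. Returning null from execute() to signal an empty result matches RevokeRoleStatement elsewhere in this commit, so no change is needed there.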

http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/GrantStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/GrantStatement.java b/src/java/org/apache/cassandra/cql3/statements/GrantStatement.java
deleted file mode 100644
index 561fee6..0000000
--- a/src/java/org/apache/cassandra/cql3/statements/GrantStatement.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.cassandra.cql3.statements;
-
-import java.util.Set;
-
-import org.apache.cassandra.auth.DataResource;
-import org.apache.cassandra.auth.Permission;
-import org.apache.cassandra.config.DatabaseDescriptor;
-import org.apache.cassandra.cql3.RoleName;
-import org.apache.cassandra.exceptions.RequestExecutionException;
-import org.apache.cassandra.exceptions.RequestValidationException;
-import org.apache.cassandra.service.ClientState;
-import org.apache.cassandra.transport.messages.ResultMessage;
-
-public class GrantStatement extends PermissionAlteringStatement
-{
-    public GrantStatement(Set<Permission> permissions, DataResource resource, RoleName
grantee)
-    {
-        super(permissions, resource, grantee);
-    }
-
-    public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException
-    {
-        DatabaseDescriptor.getAuthorizer().grant(state.getUser(), permissions, resource,
grantee);
-        return null;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/ListPermissionsStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/ListPermissionsStatement.java b/src/java/org/apache/cassandra/cql3/statements/ListPermissionsStatement.java
index d5b7e13..375d160 100644
--- a/src/java/org/apache/cassandra/cql3/statements/ListPermissionsStatement.java
+++ b/src/java/org/apache/cassandra/cql3/statements/ListPermissionsStatement.java
@@ -47,16 +47,16 @@ public class ListPermissionsStatement extends AuthorizationStatement
     }
 
     protected final Set<Permission> permissions;
-    protected DataResource resource;
+    protected IResource resource;
     protected final boolean recursive;
-    private final String grantee;
+    private final RoleResource grantee;
 
-    public ListPermissionsStatement(Set<Permission> permissions, DataResource resource,
RoleName grantee, boolean recursive)
+    public ListPermissionsStatement(Set<Permission> permissions, IResource resource,
RoleName grantee, boolean recursive)
     {
         this.permissions = permissions;
         this.resource = resource;
         this.recursive = recursive;
-        this.grantee = grantee.getName();
+        this.grantee = grantee.hasName()? RoleResource.role(grantee.getName()) : null;
     }
 
     public void validate(ClientState state) throws RequestValidationException
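Review bot: The ternary on the new constructor line is written `grantee.hasName()? RoleResource.role(...) : null`, whereas the identical expression added to ListRolesStatement's constructor in this commit has a space before `?`; make them match: `this.grantee = grantee.hasName() ? RoleResource.role(grantee.getName()) : null;`. Because a missing name now maps to a null `grantee`, the field is a nullable sentinel and its declaration should say so, e.g. `private final RoleResource grantee; // null when no role was named`. The meaning of null is inferred from how ListRolesStatement.execute() branches on it, so confirm against this class's validate()/execute(), which lie outside the hunk.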

http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/ListRolesStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/ListRolesStatement.java b/src/java/org/apache/cassandra/cql3/statements/ListRolesStatement.java
index 4ca9aeb..24071b0 100644
--- a/src/java/org/apache/cassandra/cql3/statements/ListRolesStatement.java
+++ b/src/java/org/apache/cassandra/cql3/statements/ListRolesStatement.java
@@ -24,8 +24,7 @@ import java.util.Set;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Lists;
 
-import org.apache.cassandra.auth.AuthKeyspace;
-import org.apache.cassandra.auth.IRoleManager;
+import org.apache.cassandra.auth.*;
 import org.apache.cassandra.config.DatabaseDescriptor;
 import org.apache.cassandra.cql3.*;
 import org.apache.cassandra.db.marshal.BooleanType;
@@ -45,7 +44,7 @@ public class ListRolesStatement extends AuthorizationStatement
                         new ColumnSpecification(KS, CF, new ColumnIdentifier("super", true),
BooleanType.instance),
                         new ColumnSpecification(KS, CF, new ColumnIdentifier("login", true),
BooleanType.instance));
 
-    private final String grantee;
+    private final RoleResource grantee;
     private final boolean recursive;
 
     public ListRolesStatement()
@@ -55,7 +54,7 @@ public class ListRolesStatement extends AuthorizationStatement
 
     public ListRolesStatement(RoleName grantee, boolean recursive)
     {
-        this.grantee = grantee.getName();
+        this.grantee = grantee.hasName() ? RoleResource.role(grantee.getName()) : null;
         this.recursive = recursive;
     }
 
@@ -73,7 +72,11 @@ public class ListRolesStatement extends AuthorizationStatement
 
     public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException
     {
-        if (state.getUser().isSuper())
+        // If the executing user has DESCRIBE permission on the root roles resource, let
them list any and all roles
+        boolean hasRootLevelSelect = DatabaseDescriptor.getAuthorizer()
+                                                       .authorize(state.getUser(), RoleResource.root())
+                                                       .contains(Permission.DESCRIBE);
+        if (hasRootLevelSelect)
         {
             if (grantee == null)
                 return resultMessage(DatabaseDescriptor.getRoleManager().getAllRoles());
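Review bot: The local `hasRootLevelSelect` is named for SELECT, but the check on the preceding lines tests `Permission.DESCRIBE` on `RoleResource.root()`, so the name misstates which permission gates listing every role. Rename it at both the declaration and the `if`: `boolean hasRootLevelDescribe = DatabaseDescriptor.getAuthorizer()` … `if (hasRootLevelDescribe)`. The enclosing execute() continues past the end of this hunk.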
@@ -82,34 +85,35 @@ public class ListRolesStatement extends AuthorizationStatement
         }
         else
         {
+            RoleResource currentUser = RoleResource.role(state.getUser().getName());
             if (grantee == null)
-                return resultMessage(DatabaseDescriptor.getRoleManager().getRoles(state.getUser().getName(),
recursive));
-            if (DatabaseDescriptor.getRoleManager().getRoles(state.getUser().getName(), true).contains(grantee))
+                return resultMessage(DatabaseDescriptor.getRoleManager().getRoles(currentUser,
recursive));
+            if (DatabaseDescriptor.getRoleManager().getRoles(currentUser, true).contains(grantee))
                 return resultMessage(DatabaseDescriptor.getRoleManager().getRoles(grantee,
recursive));
             else
-                throw new UnauthorizedException(String.format("You are not authorized to
view roles granted to %s ", grantee));
+                throw new UnauthorizedException(String.format("You are not authorized to
view roles granted to %s ", grantee.getRoleName()));
         }
     }
 
-    private ResultMessage resultMessage(Set<String> roles)
+    private ResultMessage resultMessage(Set<RoleResource> roles)
     {
         if (roles.isEmpty())
             return new ResultMessage.Void();
 
-        List<String> sorted = Lists.newArrayList(roles);
+        List<RoleResource> sorted = Lists.newArrayList(roles);
         Collections.sort(sorted);
         return formatResults(sorted);
     }
 
     // overridden in ListUsersStatement to include legacy metadata
-    protected ResultMessage formatResults(List<String> sortedRoles)
+    protected ResultMessage formatResults(List<RoleResource> sortedRoles)
     {
         ResultSet result = new ResultSet(metadata);
 
         IRoleManager roleManager = DatabaseDescriptor.getRoleManager();
-        for (String role : sortedRoles)
+        for (RoleResource role : sortedRoles)
         {
-            result.addColumnValue(UTF8Type.instance.decompose(role));
+            result.addColumnValue(UTF8Type.instance.decompose(role.getRoleName()));
             result.addColumnValue(BooleanType.instance.decompose(roleManager.isSuper(role)));
             result.addColumnValue(BooleanType.instance.decompose(roleManager.canLogin(role)));
         }
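Review bot: `currentUser` is rebuilt as `RoleResource.role(state.getUser().getName())`, while the ClientState hunk in this commit reads the same identity through `user.getPrimaryRole()`; if that accessor returns the RoleResource (its use as the `canLogin` argument suggests so), `RoleResource currentUser = state.getUser().getPrimaryRole();` avoids re-deriving the resource from the name and keeps the two call sites agreeing. The unchanged `Collections.sort(sorted)` now sorts a `List<RoleResource>`, which compiles only if RoleResource implements Comparable — worth confirming in the auth package, which this diff does not show. The rewritten UnauthorizedException message still carries a trailing space before the closing quote (`granted to %s "`); since the line is being touched anyway, dropping it would be tidy.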

http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/ListUsersStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/ListUsersStatement.java b/src/java/org/apache/cassandra/cql3/statements/ListUsersStatement.java
index 0854166..3edf3a4 100644
--- a/src/java/org/apache/cassandra/cql3/statements/ListUsersStatement.java
+++ b/src/java/org/apache/cassandra/cql3/statements/ListUsersStatement.java
@@ -23,6 +23,7 @@ import com.google.common.collect.ImmutableList;
 
 import org.apache.cassandra.auth.AuthKeyspace;
 import org.apache.cassandra.auth.IRoleManager;
+import org.apache.cassandra.auth.RoleResource;
 import org.apache.cassandra.config.DatabaseDescriptor;
 import org.apache.cassandra.cql3.ColumnIdentifier;
 import org.apache.cassandra.cql3.ColumnSpecification;
@@ -42,16 +43,16 @@ public class ListUsersStatement extends ListRolesStatement
                          new ColumnSpecification(KS, CF, new ColumnIdentifier("super", true),
BooleanType.instance));
 
     @Override
-    protected ResultMessage formatResults(List<String> sortedRoles)
+    protected ResultMessage formatResults(List<RoleResource> sortedRoles)
     {
         ResultSet result = new ResultSet(metadata);
 
         IRoleManager roleManager = DatabaseDescriptor.getRoleManager();
-        for (String role : sortedRoles)
+        for (RoleResource role : sortedRoles)
         {
             if (!roleManager.canLogin(role))
                 continue;
-            result.addColumnValue(UTF8Type.instance.decompose(role));
+            result.addColumnValue(UTF8Type.instance.decompose(role.getRoleName()));
             result.addColumnValue(BooleanType.instance.decompose(roleManager.isSuper(role)));
         }
         return new ResultMessage.Rows(result);

http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/PermissionAlteringStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/PermissionAlteringStatement.java
b/src/java/org/apache/cassandra/cql3/statements/PermissionAlteringStatement.java
deleted file mode 100644
index 44c9ea1..0000000
--- a/src/java/org/apache/cassandra/cql3/statements/PermissionAlteringStatement.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.cassandra.cql3.statements;
-
-import java.util.Set;
-
-import org.apache.cassandra.auth.DataResource;
-import org.apache.cassandra.auth.Permission;
-import org.apache.cassandra.config.DatabaseDescriptor;
-import org.apache.cassandra.cql3.RoleName;
-import org.apache.cassandra.exceptions.InvalidRequestException;
-import org.apache.cassandra.exceptions.RequestValidationException;
-import org.apache.cassandra.exceptions.UnauthorizedException;
-import org.apache.cassandra.service.ClientState;
-
-public abstract class PermissionAlteringStatement extends AuthorizationStatement
-{
-    protected final Set<Permission> permissions;
-    protected DataResource resource;
-    protected final String grantee;
-
-    protected PermissionAlteringStatement(Set<Permission> permissions, DataResource
resource, RoleName grantee)
-    {
-        this.permissions = permissions;
-        this.resource = resource;
-        this.grantee = grantee.getName();
-    }
-
-    public void validate(ClientState state) throws RequestValidationException
-    {
-        // validate login here before checkAccess to avoid leaking user existence to anonymous
users.
-        state.ensureNotAnonymous();
-
-        if (!DatabaseDescriptor.getRoleManager().isExistingRole(grantee))
-            throw new InvalidRequestException(String.format("Role %s doesn't exist", grantee));
-
-        // if a keyspace is omitted when GRANT/REVOKE ON TABLE <table>, we need to
correct the resource.
-        resource = maybeCorrectResource(resource, state);
-        if (!resource.exists())
-            throw new InvalidRequestException(String.format("Resource %s doesn't exist",
resource));
-    }
-
-    public void checkAccess(ClientState state) throws UnauthorizedException
-    {
-        // check that the user has AUTHORIZE permission on the resource or its parents, otherwise
reject GRANT/REVOKE.
-        state.ensureHasPermission(Permission.AUTHORIZE, resource);
-        // check that the user has [a single permission or all in case of ALL] on the resource
or its parents.
-        for (Permission p : permissions)
-            state.ensureHasPermission(p, resource);
-    }
-}

http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java
b/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java
new file mode 100644
index 0000000..f360743
--- /dev/null
+++ b/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.cassandra.cql3.statements;
+
+import java.util.Set;
+
+import org.apache.cassandra.auth.IResource;
+import org.apache.cassandra.auth.Permission;
+import org.apache.cassandra.auth.RoleResource;
+import org.apache.cassandra.config.DatabaseDescriptor;
+import org.apache.cassandra.cql3.RoleName;
+import org.apache.cassandra.exceptions.InvalidRequestException;
+import org.apache.cassandra.exceptions.RequestValidationException;
+import org.apache.cassandra.exceptions.UnauthorizedException;
+import org.apache.cassandra.service.ClientState;
+
+public abstract class PermissionsManagementStatement extends AuthorizationStatement
+{
+    protected final Set<Permission> permissions;
+    protected IResource resource;
+    protected final RoleResource grantee;
+
+    protected PermissionsManagementStatement(Set<Permission> permissions, IResource
resource, RoleName grantee)
+    {
+        this.permissions = permissions;
+        this.resource = resource;
+        this.grantee = RoleResource.role(grantee.getName());
+    }
+
+    public void validate(ClientState state) throws RequestValidationException
+    {
+        // validate login here before checkAccess to avoid leaking user existence to anonymous
users.
+        state.ensureNotAnonymous();
+
+        if (!DatabaseDescriptor.getRoleManager().isExistingRole(grantee))
+            throw new InvalidRequestException(String.format("Role %s doesn't exist", grantee.getRoleName()));
+
+        // if a keyspace is omitted when GRANT/REVOKE ON TABLE <table>, we need to
correct the resource.
+        resource = maybeCorrectResource(resource, state);
+        if (!resource.exists())
+            throw new InvalidRequestException(String.format("Resource %s doesn't exist",
resource));
+    }
+
+    public void checkAccess(ClientState state) throws UnauthorizedException
+    {
+        // check that the user has AUTHORIZE permission on the resource or its parents, otherwise
reject GRANT/REVOKE.
+        state.ensureHasPermission(Permission.AUTHORIZE, resource);
+        // check that the user has [a single permission or all in case of ALL] on the resource
or its parents.
+        for (Permission p : permissions)
+            state.ensureHasPermission(p, resource);
+    }
+}
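Review bot: `resource` is the only non-final field and the reason sits two methods away — validate() reassigns it through maybeCorrectResource(); record that at the declaration: `protected IResource resource; // not final: validate() may replace it with the keyspace-corrected resource`. The constructor calls `grantee.getName()` unconditionally, unlike the list statements in this commit which guard with `hasName()`; that is fine if the grammar guarantees GRANT/REVOKE always name a role, and a one-line `// grantee is always named for GRANT/REVOKE` on the constructor would pin that assumption. The existing ordering comment in validate() could also state the accepted trade-off explicitly: existence is checked before AUTHORIZE, so any authenticated (non-anonymous) user gets a definite "Role %s doesn't exist" / "Resource %s doesn't exist" answer.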

http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/RevokePermissionsStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/RevokePermissionsStatement.java
b/src/java/org/apache/cassandra/cql3/statements/RevokePermissionsStatement.java
new file mode 100644
index 0000000..9acc685
--- /dev/null
+++ b/src/java/org/apache/cassandra/cql3/statements/RevokePermissionsStatement.java
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.cassandra.cql3.statements;
+
+import java.util.Set;
+
+import org.apache.cassandra.auth.IResource;
+import org.apache.cassandra.auth.Permission;
+import org.apache.cassandra.config.DatabaseDescriptor;
+import org.apache.cassandra.cql3.RoleName;
+import org.apache.cassandra.exceptions.RequestExecutionException;
+import org.apache.cassandra.exceptions.RequestValidationException;
+import org.apache.cassandra.service.ClientState;
+import org.apache.cassandra.transport.messages.ResultMessage;
+
+public class RevokePermissionsStatement extends PermissionsManagementStatement
+{
+    public RevokePermissionsStatement(Set<Permission> permissions, IResource resource,
RoleName grantee)
+    {
+        super(permissions, resource, grantee);
+    }
+
+    public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException
+    {
+        DatabaseDescriptor.getAuthorizer().revoke(state.getUser(), permissions, resource,
grantee);
+        return null;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/RevokeRoleStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/RevokeRoleStatement.java b/src/java/org/apache/cassandra/cql3/statements/RevokeRoleStatement.java
index 98c2b4e..4de905f 100644
--- a/src/java/org/apache/cassandra/cql3/statements/RevokeRoleStatement.java
+++ b/src/java/org/apache/cassandra/cql3/statements/RevokeRoleStatement.java
@@ -36,5 +36,4 @@ public class RevokeRoleStatement extends RoleManagementStatement
         DatabaseDescriptor.getRoleManager().revokeRole(state.getUser(), role, grantee);
         return null;
     }
-
 }

http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/RevokeStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/RevokeStatement.java b/src/java/org/apache/cassandra/cql3/statements/RevokeStatement.java
deleted file mode 100644
index 7ce5259..0000000
--- a/src/java/org/apache/cassandra/cql3/statements/RevokeStatement.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.cassandra.cql3.statements;
-
-import java.util.Set;
-
-import org.apache.cassandra.auth.DataResource;
-import org.apache.cassandra.auth.Permission;
-import org.apache.cassandra.config.DatabaseDescriptor;
-import org.apache.cassandra.cql3.RoleName;
-import org.apache.cassandra.exceptions.RequestExecutionException;
-import org.apache.cassandra.exceptions.RequestValidationException;
-import org.apache.cassandra.service.ClientState;
-import org.apache.cassandra.transport.messages.ResultMessage;
-
-public class RevokeStatement extends PermissionAlteringStatement
-{
-    public RevokeStatement(Set<Permission> permissions, DataResource resource, RoleName
grantee)
-    {
-        super(permissions, resource, grantee);
-    }
-
-    public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException
-    {
-        DatabaseDescriptor.getAuthorizer().revoke(state.getUser(), permissions, resource,
grantee);
-        return null;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/cql3/statements/RoleManagementStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/RoleManagementStatement.java b/src/java/org/apache/cassandra/cql3/statements/RoleManagementStatement.java
index d67b42c..e12b626 100644
--- a/src/java/org/apache/cassandra/cql3/statements/RoleManagementStatement.java
+++ b/src/java/org/apache/cassandra/cql3/statements/RoleManagementStatement.java
@@ -17,6 +17,8 @@
  */
 package org.apache.cassandra.cql3.statements;
 
+import org.apache.cassandra.auth.Permission;
+import org.apache.cassandra.auth.RoleResource;
 import org.apache.cassandra.config.DatabaseDescriptor;
 import org.apache.cassandra.cql3.RoleName;
 import org.apache.cassandra.exceptions.InvalidRequestException;
@@ -24,21 +26,20 @@ import org.apache.cassandra.exceptions.RequestValidationException;
 import org.apache.cassandra.exceptions.UnauthorizedException;
 import org.apache.cassandra.service.ClientState;
 
-public abstract class RoleManagementStatement extends AuthorizationStatement
+public abstract class RoleManagementStatement extends AuthenticationStatement
 {
-    protected final String role;
-    protected final String grantee;
+    protected final RoleResource role;
+    protected final RoleResource grantee;
 
     public RoleManagementStatement(RoleName name, RoleName grantee)
     {
-        this.role = name.getName();
-        this.grantee = grantee.getName();
+        this.role = RoleResource.role(name.getName());
+        this.grantee = RoleResource.role(grantee.getName());
     }
 
-    public void checkAccess(ClientState state) throws UnauthorizedException, InvalidRequestException
+    public void checkAccess(ClientState state) throws UnauthorizedException
     {
-        if (!state.getUser().isSuper())
-            throw new UnauthorizedException("Only superusers are allowed to perform role
management queries");
+        super.checkPermission(state, Permission.AUTHORIZE, role);
     }
 
     public void validate(ClientState state) throws RequestValidationException
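Review bot: The new checkAccess swaps the superuser-only gate for `checkPermission(state, Permission.AUTHORIZE, role)`, but nothing at the call site records that the permission is evaluated on the role being granted or revoked rather than on `grantee`; add `// GRANT/REVOKE ROLE is gated by AUTHORIZE on the role being granted, not on the grantee` above the call. The `super.` qualifier is redundant unless RoleManagementStatement overrides checkPermission, which it does not in this diff, so `checkPermission(state, Permission.AUTHORIZE, role);` reads cleaner. Whether superusers still pass implicitly now depends on AuthenticationStatement.checkPermission, which is outside this diff; a sentence in the class Javadoc noting that the class no longer checks isSuper() itself would save the next reader the lookup.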
@@ -46,9 +47,9 @@ public abstract class RoleManagementStatement extends AuthorizationStatement
         state.ensureNotAnonymous();
 
         if (!DatabaseDescriptor.getRoleManager().isExistingRole(role))
-            throw new InvalidRequestException(String.format("%s doesn't exist", role));
+            throw new InvalidRequestException(String.format("%s doesn't exist", role.getRoleName()));
 
         if (!DatabaseDescriptor.getRoleManager().isExistingRole(grantee))
-            throw new InvalidRequestException(String.format("%s doesn't exist", grantee));
+            throw new InvalidRequestException(String.format("%s doesn't exist", grantee.getRoleName()));
     }
 }

http://git-wip-us.apache.org/repos/asf/cassandra/blob/217721ae/src/java/org/apache/cassandra/service/ClientState.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java
index 21d10f9..57a57e4 100644
--- a/src/java/org/apache/cassandra/service/ClientState.java
+++ b/src/java/org/apache/cassandra/service/ClientState.java
@@ -215,7 +215,7 @@ public class ClientState
         // Login privilege is not inherited via granted roles, so just
         // verify that the role with the credentials that were actually
         // supplied has it
-        if (user.isAnonymous() || DatabaseDescriptor.getRoleManager().canLogin(user.getName()))
+        if (user.isAnonymous() || DatabaseDescriptor.getRoleManager().canLogin(user.getPrimaryRole()))
             this.user = user;
         else
             throw new AuthenticationException(String.format("%s is not permitted to log in",
user.getName()));

