cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kurt Greaves (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
Date Thu, 07 Dec 2017 23:53:00 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16282744#comment-16282744
] 

Kurt Greaves commented on CASSANDRA-14088:
------------------------------------------

For the record, unit tests passed for me (I just didn't bother checking because I'd recently
been flooded by build failures from CircleCI). [unit|https://circleci.com/gh/kgreav/cassandra/45]

Seems that it failed on [3.11|https://circleci.com/gh/kgreav/cassandra/44] but on an unrelated
error.

> Forward slash in role name breaks CassandraAuthorizer
> -----------------------------------------------------
>
>                 Key: CASSANDRA-14088
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14088
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Auth
>         Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d ({{HEAD}} of
{{trunk}}).
>            Reporter: Jesse Haber-Kucharsky
>            Assignee: Kurt Greaves
>            Priority: Minor
>             Fix For: 3.0.16, 3.11.2, 4.0
>
>
> The standard system authorizer ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores
the permissions granted to each user for a given resource in {{system_auth.role_permissions}}.
> A resource like the {{my_keyspace.items}} table is stored as {{"data/my_keyspace/items"}}
(note the {{/}} delimiter).
> Similarly, role resources (like the {{joe}} role) are stored as {{"roles/joe"}}.
> The problem is that roles can be created with {{/}} in their names, which confuses the
authorizer when the table is queried.
> For example,
> {code}
> $ bin/cqlsh -u cassandra -p cassandra
> Connected to Test Cluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh> CREATE ROLE emperor;
> cassandra@cqlsh> CREATE ROLE "ki/ng";
> cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
> cassandra@cqlsh> LIST ROLES;
>  role      | super | login | options
> -----------+-------+-------+---------
>  cassandra |  True |  True |        {}
>    emperor | False | False |        {}
>      ki/ng | False | False |        {}
> (3 rows)
> cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
>  role      | resource      | permissions
> -----------+---------------+--------------------------------
>    emperor |   roles/ki/ng |                      {'ALTER'}
>  cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
>  cassandra |   roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
> (3 rows)
> cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
> ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
name
> {code}
> Here's the backtrace from the server process:
> {code}
> ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811 QueryMessage.java:129 - Unexpected
error during query
> java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name
>         at org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) ~[main/:na]
>         at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) ~[main/:na]
>         at org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283)
~[main/:na]
>         at org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263)
~[main/:na]
>         at org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108)
~[main/:na]
>         at org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96)
~[main/:na]
>         at org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48)
~[main/:na]
>         at org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207)
~[main/:na]
>         at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238)
~[main/:na]
>         at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223)
~[main/:na]
>         at org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116)
~[main/:na]
>         at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517)
[main/:na]
>         at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410)
[main/:na]
>         at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
>         at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_151]
>         at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162)
[main/:na]
>         at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) [main/:na]
>         at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151]
> ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,812 ErrorMessage.java:389 - Unexpected
exception during request
> java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name
>         at org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) ~[main/:na]
>         at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) ~[main/:na]
>         at org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283)
~[main/:na]
>         at org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263)
~[main/:na]
>         at org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108)
~[main/:na]
>         at org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96)
~[main/:na]
>         at org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48)
~[main/:na]
>         at org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207)
~[main/:na]
>         at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238)
~[main/:na]
>         at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223)
~[main/:na]
>         at org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116)
~[main/:na]
>         at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517)
[main/:na]
>         at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410)
[main/:na]
>         at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
>         at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
>         at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_151]
>         at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162)
[main/:na]
>         at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) [main/:na]
>         at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151]
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org


Mime
View raw message