cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bdeggles...@apache.org
Subject cassandra git commit: minor network authz improvements
Date Wed, 09 May 2018 21:57:33 GMT
Repository: cassandra
Updated Branches:
  refs/heads/trunk e5d997374 -> 87e886789


minor network authz improvements

Patch by Blake Eggleston; Reviewed by Ariel Weisberg for CASSANDRA-14413


Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/87e88678
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/87e88678
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/87e88678

Branch: refs/heads/trunk
Commit: 87e886789a6d4fe1f1ea9a232a2763a16b39c001
Parents: e5d9973
Author: Blake Eggleston <bdeggleston@gmail.com>
Authored: Mon Apr 23 14:47:46 2018 -0700
Committer: Blake Eggleston <bdeggleston@gmail.com>
Committed: Wed May 9 14:55:14 2018 -0700

----------------------------------------------------------------------
 CHANGES.txt                                               |  1 +
 src/java/org/apache/cassandra/auth/DCPermissions.java     | 10 ++++++++--
 .../cassandra/cql3/statements/CreateRoleStatement.java    |  2 +-
 src/java/org/apache/cassandra/service/ClientState.java    |  3 ++-
 .../cassandra/auth/CassandraNetworkAuthorizerTest.java    |  2 +-
 5 files changed, 13 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cassandra/blob/87e88678/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 50a17ab..051e20a 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
 4.0
+ * minor network authz improvements (Cassandra-14413)
  * Automatic sstable upgrades (CASSANDRA-14197)
  * Replace deprecated junit.framework.Assert usages with org.junit.Assert (CASSANDRA-14431)
  * cassandra-stress throws NPE if insert section isn't specified in user profile (CASSSANDRA-14426)

http://git-wip-us.apache.org/repos/asf/cassandra/blob/87e88678/src/java/org/apache/cassandra/auth/DCPermissions.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/auth/DCPermissions.java b/src/java/org/apache/cassandra/auth/DCPermissions.java
index 46cdad9..d04242d 100644
--- a/src/java/org/apache/cassandra/auth/DCPermissions.java
+++ b/src/java/org/apache/cassandra/auth/DCPermissions.java
@@ -31,7 +31,15 @@ import org.apache.cassandra.exceptions.InvalidRequestException;
 
 public abstract class DCPermissions
 {
+    /**
+     * returns true if the user can access the given dc
+     */
     public abstract boolean canAccess(String dc);
+
+    /**
+     * Indicates whether the permissions object explicitly allow access to
+     * some dcs (true) or if it implicitly allows access to all dcs (false)
+     */
     public abstract boolean restrictsAccess();
     public abstract Set<String> allowedDCs();
     public abstract void validate();
@@ -85,8 +93,6 @@ public abstract class DCPermissions
 
         public void validate()
         {
-            Datacenters.getValidDatacenters();
-
             Set<String> unknownDcs = Sets.difference(subset, Datacenters.getValidDatacenters());
             if (!unknownDcs.isEmpty())
             {

http://git-wip-us.apache.org/repos/asf/cassandra/blob/87e88678/src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java b/src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java
index bd9a5a4..0e0afec 100644
--- a/src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java
+++ b/src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java
@@ -77,7 +77,7 @@ public class CreateRoleStatement extends AuthenticationStatement
             return null;
 
         DatabaseDescriptor.getRoleManager().createRole(state.getUser(), role, opts);
-        if (dcPermissions.restrictsAccess())
+        if (DatabaseDescriptor.getNetworkAuthorizer().requireAuthorization())
         {
             DatabaseDescriptor.getNetworkAuthorizer().setRoleDatacenters(role, dcPermissions);
         }

http://git-wip-us.apache.org/repos/asf/cassandra/blob/87e88678/src/java/org/apache/cassandra/service/ClientState.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java
index 045cc8c..c854737 100644
--- a/src/java/org/apache/cassandra/service/ClientState.java
+++ b/src/java/org/apache/cassandra/service/ClientState.java
@@ -38,6 +38,7 @@ import org.apache.cassandra.cql3.QueryHandler;
 import org.apache.cassandra.cql3.QueryProcessor;
 import org.apache.cassandra.cql3.functions.Function;
 import org.apache.cassandra.db.SystemKeyspace;
+import org.apache.cassandra.dht.Datacenters;
 import org.apache.cassandra.exceptions.AuthenticationException;
 import org.apache.cassandra.exceptions.InvalidRequestException;
 import org.apache.cassandra.exceptions.UnauthorizedException;
@@ -440,7 +441,7 @@ public class ClientState
         }
         else if (!user.hasLocalAccess())
         {
-            throw new UnauthorizedException("You do not have access to this datacenter");
+            throw new UnauthorizedException(String.format("You do not have access to this
datacenter (%s)", Datacenters.thisDatacenter()));
         }
     }
 

http://git-wip-us.apache.org/repos/asf/cassandra/blob/87e88678/test/unit/org/apache/cassandra/auth/CassandraNetworkAuthorizerTest.java
----------------------------------------------------------------------
diff --git a/test/unit/org/apache/cassandra/auth/CassandraNetworkAuthorizerTest.java b/test/unit/org/apache/cassandra/auth/CassandraNetworkAuthorizerTest.java
index 6948203..f0eed8c 100644
--- a/test/unit/org/apache/cassandra/auth/CassandraNetworkAuthorizerTest.java
+++ b/test/unit/org/apache/cassandra/auth/CassandraNetworkAuthorizerTest.java
@@ -206,7 +206,7 @@ public class CassandraNetworkAuthorizerTest
         // user should implicitly have access to all datacenters
         auth("CREATE ROLE %s WITH password = 'password' AND LOGIN = true", username);
         Assert.assertEquals(DCPermissions.all(), dcPerms(username));
-        assertNoDcPermRow(username);
+        assertDcPermRow(username);
 
         // unless explicitly restricted
         auth("ALTER ROLE %s WITH ACCESS TO DATACENTERS {'dc1', 'dc2'}", username);


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org


Mime
View raw message