From: bdeggleston@apache.org
To: commits@cassandra.apache.org
Message-Id: <7e3de143ce834682bfa9921b9879305a@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: cassandra git commit: minor network authz improvements
Date: Wed, 9 May 2018 21:57:33 +0000 (UTC)

Repository: cassandra
Updated Branches:
  refs/heads/trunk e5d997374 -> 87e886789

minor network authz improvements

Patch by Blake Eggleston; Reviewed by Ariel Weisberg for CASSANDRA-14413

Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/87e88678
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/87e88678
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/87e88678

Branch: refs/heads/trunk
Commit: 87e886789a6d4fe1f1ea9a232a2763a16b39c001
Parents: e5d9973
Author: Blake Eggleston
Authored: Mon Apr 23 14:47:46 2018 -0700
Committer: Blake Eggleston
Committed: Wed May 9 14:55:14 2018 -0700

----------------------------------------------------------------------
 CHANGES.txt                                            |  1 +
 src/java/org/apache/cassandra/auth/DCPermissions.java  | 10 ++++++++--
 .../cassandra/cql3/statements/CreateRoleStatement.java |  2 +-
 src/java/org/apache/cassandra/service/ClientState.java |  3 ++-
 .../cassandra/auth/CassandraNetworkAuthorizerTest.java |  2 +-
 5 files changed, 13 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cassandra/blob/87e88678/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 50a17ab..051e20a 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
 4.0
+ * minor network authz improvements (Cassandra-14413)
  * Automatic sstable upgrades (CASSANDRA-14197)
  * Replace deprecated junit.framework.Assert usages with org.junit.Assert (CASSANDRA-14431)
  * cassandra-stress throws NPE if insert section isn't specified in user profile (CASSSANDRA-14426)

http://git-wip-us.apache.org/repos/asf/cassandra/blob/87e88678/src/java/org/apache/cassandra/auth/DCPermissions.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/auth/DCPermissions.java b/src/java/org/apache/cassandra/auth/DCPermissions.java
index 46cdad9..d04242d 100644
--- a/src/java/org/apache/cassandra/auth/DCPermissions.java
+++ b/src/java/org/apache/cassandra/auth/DCPermissions.java
@@ -31,7 +31,15 @@ import org.apache.cassandra.exceptions.InvalidRequestException;
 
 public abstract class DCPermissions
 {
+    /**
+     * returns true if the user can access the given dc
+     */
     public abstract boolean canAccess(String dc);
+
+    /**
+     * Indicates whether the permissions object explicitly allow access to
+     * some dcs (true) or if it implicitly allows access to all dcs (false)
+     */
     public abstract boolean restrictsAccess();
     public abstract Set allowedDCs();
     public abstract void validate();
@@ -85,8 +93,6 @@ public abstract class DCPermissions
 
     public void validate()
     {
-        Datacenters.getValidDatacenters();
-
         Set unknownDcs = Sets.difference(subset, Datacenters.getValidDatacenters());
         if (!unknownDcs.isEmpty())
         {

http://git-wip-us.apache.org/repos/asf/cassandra/blob/87e88678/src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java b/src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java
index bd9a5a4..0e0afec 100644
--- a/src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java
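Review bot: The new Javadoc documents `canAccess` and `restrictsAccess` but leaves the two abstract methods right below them, `allowedDCs()` and `validate()`, without any contract, and the `canAccess` comment does not say how it relates to `restrictsAccess`. Since the `restrictsAccess` Javadoc already states that a non-restricting instance implicitly allows every dc, I would make that explicit on `canAccess`: `Returns true if the user can access the given dc; always true when {@link #restrictsAccess()} is false.` For `validate()`, the second hunk in this file shows it diffing the configured set against `Datacenters.getValidDatacenters()` and entering an error branch for unknown names (the throw itself is outside the hunk, presumably the `InvalidRequestException` this file imports), so a one-line Javadoc such as `Checks that every datacenter named in these permissions is a known datacenter; throws otherwise.` would let callers know it is a pre-persist check rather than a no-op. As a style point, the two added comments should start with a capital letter and agree in number (`explicitly allows`) to match the rest of the class.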
+++ b/src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java
@@ -77,7 +77,7 @@ public class CreateRoleStatement extends AuthenticationStatement
             return null;
 
         DatabaseDescriptor.getRoleManager().createRole(state.getUser(), role, opts);
-        if (dcPermissions.restrictsAccess())
+        if (DatabaseDescriptor.getNetworkAuthorizer().requireAuthorization())
         {
             DatabaseDescriptor.getNetworkAuthorizer().setRoleDatacenters(role, dcPermissions);
         }

http://git-wip-us.apache.org/repos/asf/cassandra/blob/87e88678/src/java/org/apache/cassandra/service/ClientState.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java
index 045cc8c..c854737 100644
--- a/src/java/org/apache/cassandra/service/ClientState.java
+++ b/src/java/org/apache/cassandra/service/ClientState.java
@@ -38,6 +38,7 @@ import org.apache.cassandra.cql3.QueryHandler;
 import org.apache.cassandra.cql3.QueryProcessor;
 import org.apache.cassandra.cql3.functions.Function;
 import org.apache.cassandra.db.SystemKeyspace;
+import org.apache.cassandra.dht.Datacenters;
 import org.apache.cassandra.exceptions.AuthenticationException;
 import org.apache.cassandra.exceptions.InvalidRequestException;
 import org.apache.cassandra.exceptions.UnauthorizedException;
@@ -440,7 +441,7 @@ public class ClientState
         }
         else if (!user.hasLocalAccess())
         {
-            throw new UnauthorizedException("You do not have access to this datacenter");
+            throw new UnauthorizedException(String.format("You do not have access to this datacenter (%s)", Datacenters.thisDatacenter()));
         }
     }
 

http://git-wip-us.apache.org/repos/asf/cassandra/blob/87e88678/test/unit/org/apache/cassandra/auth/CassandraNetworkAuthorizerTest.java
----------------------------------------------------------------------
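Review bot: With the gate now keyed on `requireAuthorization()` alone, a `CREATE ROLE ... WITH ACCESS TO DATACENTERS {...}` issued while the configured network authorizer does not require authorization is accepted and the role is created, but `setRoleDatacenters` is skipped whatever `dcPermissions.restrictsAccess()` says, so the requested restriction is silently dropped. Unless validation earlier in this statement (outside the hunk) already rejects that combination, an operator is left believing a datacenter restriction exists that was never stored. I would fail the statement explicitly before `createRole` runs, e.g. `if (dcPermissions.restrictsAccess() && !DatabaseDescriptor.getNetworkAuthorizer().requireAuthorization()) throw new InvalidRequestException("Datacenter restrictions require a network authorizer that enforces them");` (message is a constructed example), or at least log a warning at this branch. The enclosing method starts and ends outside the hunk.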
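Review bot: The enriched `UnauthorizedException` message in the second `ClientState` hunk is returned to the client, so the local datacenter name now reaches an authenticated user at the moment they are denied access to that datacenter. That is a reasonable operator-friendly trade-off for diagnosing misrouted clients, but nothing in the hunk records that it is intentional, and a later reviewer could "fix" it in either direction; a one-line comment above the throw, `// include the local DC name so a denied client can tell which datacenter it actually reached`, would pin the decision. The surrounding method starts outside the hunk.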
diff --git a/test/unit/org/apache/cassandra/auth/CassandraNetworkAuthorizerTest.java b/test/unit/org/apache/cassandra/auth/CassandraNetworkAuthorizerTest.java
index 6948203..f0eed8c 100644
--- a/test/unit/org/apache/cassandra/auth/CassandraNetworkAuthorizerTest.java
+++ b/test/unit/org/apache/cassandra/auth/CassandraNetworkAuthorizerTest.java
@@ -206,7 +206,7 @@ public class CassandraNetworkAuthorizerTest
         // user should implicitly have access to all datacenters
         auth("CREATE ROLE %s WITH password = 'password' AND LOGIN = true", username);
         Assert.assertEquals(DCPermissions.all(), dcPerms(username));
-        assertNoDcPermRow(username);
+        assertDcPermRow(username);
 
         // unless explicitly restricted
         auth("ALTER ROLE %s WITH ACCESS TO DATACENTERS {'dc1', 'dc2'}", username);


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org
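Review bot: The comment `// user should implicitly have access to all datacenters` still reads as the justification for the row assertion below it, but that assertion now expects a stored row for a role whose permissions are `DCPermissions.all()`, which presumably follows the `CreateRoleStatement` change in this commit that persists DC permissions for every new role whenever the authorizer requires authorization. Without a matching comment the `assertDcPermRow` line looks like a contradiction of the one above it. I would widen the comment so both lines agree: `// a row is stored for every role when network authz is enforced; an unrestricted role still maps to DCPermissions.all()`. The enclosing test method starts and ends outside the hunk.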