Example 1 with IResource

use of org.apache.cassandra.auth.IResource in project cassandra by apache.

the class PermissionsCacheKeysTable method applyPartitionDeletion.

@Override
protected void applyPartitionDeletion(ColumnValues partitionKey) {
    AuthenticatedUser user = new AuthenticatedUser(partitionKey.value(0));
    IResource resource = resourceFromNameIfExists(partitionKey.value(1));
    // no need to delete invalid resource
    if (resource == null)
        return;
    AuthenticatedUser.permissionsCache.invalidate(Pair.create(user, resource));
}
Also used : AuthenticatedUser(org.apache.cassandra.auth.AuthenticatedUser) IResource(org.apache.cassandra.auth.IResource)

Example 2 with IResource

use of org.apache.cassandra.auth.IResource in project cassandra by apache.

the class ClientStateTest method permissionsCheckStartsAtHeadOfResourceChain.

@Test
public void permissionsCheckStartsAtHeadOfResourceChain() {
    // verify that when performing a permissions check, we start from the
    // root IResource in the applicable hierarchy and proceed to the more
    // granular resources until we find the required permission (or until
    // we reach the end of the resource chain). This is because our typical
    // usage is to grant blanket permissions on the root resources to users
    // and so we save lookups, cache misses and cache space by traversing in
    // this order. e.g. for DataResources, we typically grant perms on the
    // 'data' resource, so when looking up a user's perms on a specific table
    // it makes sense to follow: data -> keyspace -> table
    final AtomicInteger getPermissionsRequestCount = new AtomicInteger(0);
    final IResource rootResource = DataResource.root();
    final IResource tableResource = DataResource.table("test_ks", "test_table");
    final AuthenticatedUser testUser = new AuthenticatedUser("test_user") {

        public Set<Permission> getPermissions(IResource resource) {
            getPermissionsRequestCount.incrementAndGet();
            if (resource.equals(rootResource))
                return Permission.ALL;
            fail(String.format("Permissions requested for unexpected resource %s", resource));
            // need a return to make the compiler happy
            return null;
        }

        public boolean canLogin() {
            return true;
        }
    };
    Roles.cache.invalidate();
    // finally, need to configure CassandraAuthorizer so we don't short-circuit out of the authz process
    DatabaseDescriptor.setAuthorizer(new AuthTestUtils.LocalCassandraAuthorizer());
    // check permissions on the table, which should check for the root resource first
    // & return successfully without needing to proceed further
    ClientState state = ClientState.forInternalCalls();
    state.login(testUser);
    state.ensurePermission(Permission.SELECT, tableResource);
    assertEquals(1, getPermissionsRequestCount.get());
}
Also used : AtomicInteger(java.util.concurrent.atomic.AtomicInteger) Permission(org.apache.cassandra.auth.Permission) AuthenticatedUser(org.apache.cassandra.auth.AuthenticatedUser) AuthTestUtils(org.apache.cassandra.auth.AuthTestUtils) IResource(org.apache.cassandra.auth.IResource) Test(org.junit.Test)

Example 3 with IResource

use of org.apache.cassandra.auth.IResource in project cassandra by apache.

the class JmxPermissionsCacheKeysTableTest method setup.

// this method is intentionally not called "setUpClass" so that it can throw the exception raised by the startJMXServer method
@BeforeClass
public static void setup() throws Exception {
    // high value is used for convenient debugging
    DatabaseDescriptor.setPermissionsValidity(20_000);
    CQLTester.setUpClass();
    CQLTester.requireAuthentication();
    IRoleManager roleManager = DatabaseDescriptor.getRoleManager();
    roleManager.createRole(AuthenticatedUser.SYSTEM_USER, ROLE_A, AuthTestUtils.getLoginRoleOptions());
    roleManager.createRole(AuthenticatedUser.SYSTEM_USER, ROLE_B, AuthTestUtils.getLoginRoleOptions());
    List<IResource> resources = Arrays.asList(JMXResource.root(), JMXResource.mbean("org.apache.cassandra.db:type=Tables,*"));
    IAuthorizer authorizer = DatabaseDescriptor.getAuthorizer();
    for (IResource resource : resources) {
        Set<Permission> permissions = resource.applicablePermissions();
        authorizer.grant(AuthenticatedUser.SYSTEM_USER, permissions, resource, ROLE_A);
        authorizer.grant(AuthenticatedUser.SYSTEM_USER, permissions, resource, ROLE_B);
    }
    startJMXServer();
}
Also used : IRoleManager(org.apache.cassandra.auth.IRoleManager) IAuthorizer(org.apache.cassandra.auth.IAuthorizer) Permission(org.apache.cassandra.auth.Permission) IResource(org.apache.cassandra.auth.IResource) BeforeClass(org.junit.BeforeClass)

Example 4 with IResource

use of org.apache.cassandra.auth.IResource in project cassandra by apache.

the class PermissionsCacheKeysTableTest method setUpClass.

@BeforeClass
public static void setUpClass() {
    // high value is used for convenient debugging
    DatabaseDescriptor.setPermissionsValidity(20_000);
    CQLTester.setUpClass();
    CQLTester.requireAuthentication();
    IRoleManager roleManager = DatabaseDescriptor.getRoleManager();
    roleManager.createRole(AuthenticatedUser.SYSTEM_USER, ROLE_A, AuthTestUtils.getLoginRoleOptions());
    roleManager.createRole(AuthenticatedUser.SYSTEM_USER, ROLE_B, AuthTestUtils.getLoginRoleOptions());
    List<IResource> resources = Arrays.asList(DataResource.root(), DataResource.keyspace(KEYSPACE), DataResource.table(KEYSPACE, "t1"));
    IAuthorizer authorizer = DatabaseDescriptor.getAuthorizer();
    for (IResource resource : resources) {
        Set<Permission> permissions = resource.applicablePermissions();
        authorizer.grant(AuthenticatedUser.SYSTEM_USER, permissions, resource, ROLE_A);
        authorizer.grant(AuthenticatedUser.SYSTEM_USER, permissions, resource, ROLE_B);
    }
}
Also used : IRoleManager(org.apache.cassandra.auth.IRoleManager) IAuthorizer(org.apache.cassandra.auth.IAuthorizer) Permission(org.apache.cassandra.auth.Permission) IResource(org.apache.cassandra.auth.IResource) BeforeClass(org.junit.BeforeClass)

Example 5 with IResource

use of org.apache.cassandra.auth.IResource in project cassandra by apache.

the class InvalidatePermissionsCacheTest method setup.

@BeforeClass
public static void setup() throws Exception {
    CQLTester.setUpClass();
    CQLTester.requireAuthentication();
    IRoleManager roleManager = DatabaseDescriptor.getRoleManager();
    roleManager.createRole(AuthenticatedUser.SYSTEM_USER, ROLE_A, AuthTestUtils.getLoginRoleOptions());
    roleManager.createRole(AuthenticatedUser.SYSTEM_USER, ROLE_B, AuthTestUtils.getLoginRoleOptions());
    AuthCacheService.initializeAndRegisterCaches();
    List<IResource> resources = Arrays.asList(
        DataResource.root(),
        DataResource.keyspace(KEYSPACE),
        DataResource.allTables(KEYSPACE),
        DataResource.table(KEYSPACE, "t1"),
        RoleResource.root(),
        RoleResource.role("role_x"),
        FunctionResource.root(),
        FunctionResource.keyspace(KEYSPACE),
        // CQLTester.createFunction from static context. That's why we initialize it in a separate test case.
        JMXResource.root(),
        JMXResource.mbean("org.apache.cassandra.auth:type=*"));
    IAuthorizer authorizer = DatabaseDescriptor.getAuthorizer();
    for (IResource resource : resources) {
        Set<Permission> permissions = resource.applicablePermissions();
        authorizer.grant(AuthenticatedUser.SYSTEM_USER, permissions, resource, ROLE_A);
        authorizer.grant(AuthenticatedUser.SYSTEM_USER, permissions, resource, ROLE_B);
    }
    startJMXServer();
}
Also used : IRoleManager(org.apache.cassandra.auth.IRoleManager) IAuthorizer(org.apache.cassandra.auth.IAuthorizer) Permission(org.apache.cassandra.auth.Permission) IResource(org.apache.cassandra.auth.IResource) BeforeClass(org.junit.BeforeClass)

Aggregations

IResource (org.apache.cassandra.auth.IResource): 5
Permission (org.apache.cassandra.auth.Permission): 4
IAuthorizer (org.apache.cassandra.auth.IAuthorizer): 3
IRoleManager (org.apache.cassandra.auth.IRoleManager): 3
BeforeClass (org.junit.BeforeClass): 3
AuthenticatedUser (org.apache.cassandra.auth.AuthenticatedUser): 2
AtomicInteger (java.util.concurrent.atomic.AtomicInteger): 1
AuthTestUtils (org.apache.cassandra.auth.AuthTestUtils): 1
Test (org.junit.Test): 1