Author: eevans
Date: Mon Aug 30 21:14:29 2010
New Revision: 990944
URL: http://svn.apache.org/viewvc?rev=990944&view=rev
Log:
Convert AccessLevel to Set<Permission>
Patch by Stu Hood; reviewed by eevans for CASSANDRA-1320
Added:
cassandra/trunk/src/java/org/apache/cassandra/auth/Permission.java
- copied, changed from r990943,
cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java
Modified:
cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java
cassandra/trunk/src/java/org/apache/cassandra/auth/IAuthority.java
cassandra/trunk/src/java/org/apache/cassandra/auth/SimpleAuthority.java
cassandra/trunk/src/java/org/apache/cassandra/service/ClientState.java
Modified:
cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java
URL:
http://svn.apache.org/viewvc/cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java?rev=990944&r1=990943&r2=990944&view=diff
==============================================================================
--- cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java
(original)
+++ cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java
Mon Aug 30 21:14:29 2010
@@ -20,18 +20,18 @@ package org.apache.cassandra.auth;
*
*/
+import java.util.EnumSet;
import java.util.Map;
import org.apache.cassandra.config.ConfigurationException;
-import org.apache.cassandra.thrift.AccessLevel;
import org.apache.cassandra.thrift.AuthorizationException;
public class AllowAllAuthority implements IAuthority
{
@Override
- public AccessLevel authorize(AuthenticatedUser user, String keyspace)
+ public EnumSet<Permission> authorize(AuthenticatedUser user, String
keyspace)
{
- return AccessLevel.FULL;
+ return Permission.ALL;
}
@Override
Modified: cassandra/trunk/src/java/org/apache/cassandra/auth/IAuthority.java
URL:
http://svn.apache.org/viewvc/cassandra/trunk/src/java/org/apache/cassandra/auth/IAuthority.java?rev=990944&r1=990943&r2=990944&view=diff
==============================================================================
--- cassandra/trunk/src/java/org/apache/cassandra/auth/IAuthority.java
(original)
+++ cassandra/trunk/src/java/org/apache/cassandra/auth/IAuthority.java Mon Aug
30 21:14:29 2010
@@ -21,8 +21,9 @@
package org.apache.cassandra.auth;
+import java.util.EnumSet;
+
import org.apache.cassandra.config.ConfigurationException;
-import org.apache.cassandra.thrift.AccessLevel;
public interface IAuthority
{
@@ -31,7 +32,7 @@ public interface IAuthority
* @param keyspace The resource to calculate permissions for.
* @return An AccessLevel representing the permissions for the user and
resource: should never return null.
*/
- public AccessLevel authorize(AuthenticatedUser user, String keyspace);
+ public EnumSet<Permission> authorize(AuthenticatedUser user, String
keyspace);
public void validateConfiguration() throws ConfigurationException;
}
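Review bot: The `@return` tag above the changed signature still reads "An AccessLevel representing the permissions", but the method now returns `EnumSet<Permission>` and the `AccessLevel` import is removed from this file. Suggested wording: `@return The set of Permissions the user holds for the resource: should never return null (return Permission.NONE to deny).` The Javadoc block starts outside this hunk, so the rest of it may need the same check.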
Copied: cassandra/trunk/src/java/org/apache/cassandra/auth/Permission.java
(from r990943,
cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java)
URL:
http://svn.apache.org/viewvc/cassandra/trunk/src/java/org/apache/cassandra/auth/Permission.java?p2=cassandra/trunk/src/java/org/apache/cassandra/auth/Permission.java&p1=cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java&r1=990943&r2=990944&rev=990944&view=diff
==============================================================================
--- cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java
(original)
+++ cassandra/trunk/src/java/org/apache/cassandra/auth/Permission.java Mon Aug
30 21:14:29 2010
@@ -1,4 +1,3 @@
-package org.apache.cassandra.auth;
/*
*
* Licensed to the Apache Software Foundation (ASF) under one
@@ -20,23 +19,26 @@ package org.apache.cassandra.auth;
*
*/
-import java.util.Map;
+package org.apache.cassandra.auth;
-import org.apache.cassandra.config.ConfigurationException;
-import org.apache.cassandra.thrift.AccessLevel;
-import org.apache.cassandra.thrift.AuthorizationException;
+import java.util.EnumSet;
-public class AllowAllAuthority implements IAuthority
+/**
+ * An enum encapsulating the set of possible permissions that an authenticated
user can have for a resource.
+ *
+ * IAuthority implementations may encode permissions using ordinals, so the
Enum order must never change.
+ */
+public enum Permission
{
- @Override
- public AccessLevel authorize(AuthenticatedUser user, String keyspace)
- {
- return AccessLevel.FULL;
- }
+ // view the direct children of this resource
+ READ,
+ // modify the direct children of this resource
+ WRITE,
+ // view data in all ancestors of this resource
+ READ_VALUE,
+ // modify data in all ancestors of this resource
+ WRITE_VALUE;
- @Override
- public void validateConfiguration() throws ConfigurationException
- {
- // pass
- }
+ public static final EnumSet<Permission> ALL =
EnumSet.allOf(Permission.class);
+ public static final EnumSet<Permission> NONE =
EnumSet.noneOf(Permission.class);
}
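Review bot: `ALL` and `NONE` are published as mutable `EnumSet` instances, so any code holding a returned set can call `add`, `remove` or `clear` on it and change the permissions seen by every session. `AllowAllAuthority.authorize` and `SimpleAuthority.authorize` in this commit hand out these same instances directly, so a stray `add` on `NONE` would silently grant that permission to every user who should have none. Consider exposing read-only views, e.g. `public static final Set<Permission> ALL = Collections.unmodifiableSet(EnumSet.allOf(Permission.class));` (and likewise for `NONE`), with `IAuthority.authorize` returning `Set<Permission>`, the type `ClientState` already stores. Alternatively each `authorize` could return a fresh copy such as `EnumSet.copyOf(Permission.ALL)`.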
Modified:
cassandra/trunk/src/java/org/apache/cassandra/auth/SimpleAuthority.java
URL:
http://svn.apache.org/viewvc/cassandra/trunk/src/java/org/apache/cassandra/auth/SimpleAuthority.java?rev=990944&r1=990943&r2=990944&view=diff
==============================================================================
--- cassandra/trunk/src/java/org/apache/cassandra/auth/SimpleAuthority.java
(original)
+++ cassandra/trunk/src/java/org/apache/cassandra/auth/SimpleAuthority.java Mon
Aug 30 21:14:29 2010
@@ -22,21 +22,20 @@ package org.apache.cassandra.auth;
import java.io.*;
+import java.util.EnumSet;
import java.util.Properties;
-import java.util.Map;
import org.apache.cassandra.config.ConfigurationException;
-import org.apache.cassandra.thrift.AccessLevel;
public class SimpleAuthority implements IAuthority
{
public final static String ACCESS_FILENAME_PROPERTY = "access.properties";
@Override
- public AccessLevel authorize(AuthenticatedUser user, String keyspace)
+ public EnumSet<Permission> authorize(AuthenticatedUser user, String
keyspace)
{
String afilename = System.getProperty(ACCESS_FILENAME_PROPERTY);
- AccessLevel authorized = AccessLevel.NONE;
+ EnumSet<Permission> authorized = Permission.NONE;
try
{
FileInputStream in = new FileInputStream(afilename);
@@ -51,11 +50,11 @@ public class SimpleAuthority implements
// note we keep the message here and for other authorization
problems exactly the same to prevent attackers
// from guessing what keyspaces are valid
if (null == props.getProperty(keyspace))
- return AccessLevel.NONE;
+ return authorized;
for (String allow : props.getProperty(keyspace).split(","))
if (allow.equals(user.username))
- authorized = AccessLevel.FULL;
+ authorized = Permission.ALL;
}
catch (IOException e)
{
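Review bot: The unknown-keyspace branch now returns the local `authorized` instead of an explicit deny value, so the denial holds only if nothing between the initialisation and this line has reassigned it. Those lines fall between the two hunks and are not shown. `return Permission.NONE;` would keep the deny path explicit, as the removed `return AccessLevel.NONE;` did. The try block and the rest of the method continue outside this hunk.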
Modified: cassandra/trunk/src/java/org/apache/cassandra/service/ClientState.java
URL:
http://svn.apache.org/viewvc/cassandra/trunk/src/java/org/apache/cassandra/service/ClientState.java?rev=990944&r1=990943&r2=990944&view=diff
==============================================================================
--- cassandra/trunk/src/java/org/apache/cassandra/service/ClientState.java
(original)
+++ cassandra/trunk/src/java/org/apache/cassandra/service/ClientState.java Mon
Aug 30 21:14:29 2010
@@ -19,14 +19,15 @@
package org.apache.cassandra.service;
import java.util.Map;
+import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.cassandra.auth.AuthenticatedUser;
+import org.apache.cassandra.auth.Permission;
import org.apache.cassandra.config.Config.RequestSchedulerId;
import org.apache.cassandra.config.DatabaseDescriptor;
-import org.apache.cassandra.thrift.AccessLevel;
import org.apache.cassandra.thrift.AuthenticationException;
import org.apache.cassandra.thrift.InvalidRequestException;
@@ -51,9 +52,9 @@ public class ClientState
}
};
- // Keyspace and keyspace AccessLevels associated with the session
+ // Keyspace and keyspace Permissions associated with the session
private final ThreadLocal<String> keyspace = new ThreadLocal<String>();
- private final ThreadLocal<AccessLevel> keyspaceAccess = new
ThreadLocal<AccessLevel>();
+ private final ThreadLocal<Set<Permission>> keyspaceAccess = new
ThreadLocal<Set<Permission>>();
/**
* Called when the keyspace or user have changed.
@@ -108,15 +109,15 @@ public class ClientState
}
/**
- * Confirms that the client thread has the given AccessLevel in the
context of the current Keyspace.
+ * Confirms that the client thread has the given Permission in the context
of the current Keyspace.
*/
- public void hasKeyspaceAccess(AccessLevel level) throws
InvalidRequestException
+ public void hasKeyspaceAccess(Permission perm) throws
InvalidRequestException
{
if (user.get() == null)
throw new InvalidRequestException("You have not logged in");
if (keyspaceAccess.get() == null)
throw new InvalidRequestException("You have not set a keyspace for
this session");
- if (keyspaceAccess.get().ordinal() < level.ordinal())
- throw new InvalidRequestException(String.format("Your user (%s)
does not have permission to perform %s operations", user, level));
+ if (!keyspaceAccess.get().contains(perm))
+ throw new InvalidRequestException(String.format("You (%s) do not
have permission %s for %s", user, perm, keyspace.get()));
}
}
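Review bot: The new denial message formats `user` itself, while the checks above call `user.get()`, so `user` looks like a ThreadLocal-style holder and the message would print the holder's `toString()` rather than the logged-in user. `keyspace.get()` in the same call is dereferenced correctly. Pass the value instead: `String.format("You (%s) do not have permission %s for %s", user.get(), perm, keyspace.get())`. The declaration of `user` is outside this hunk, so confirm its type before changing it.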