Author: eevans
Date: Tue Sep 28 23:00:39 2010
New Revision: 1002399
URL: http://svn.apache.org/viewvc?rev=1002399&view=rev
Log:
Convert to List<Object> resources
Patch by Stu Hood; reviewed by eevans for CASSANDRA-1271
Added:
cassandra/trunk/src/java/org/apache/cassandra/auth/Resources.java
- copied, changed from r1002398,
cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java
Modified:
cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java
cassandra/trunk/src/java/org/apache/cassandra/auth/IAuthority.java
cassandra/trunk/src/java/org/apache/cassandra/auth/SimpleAuthority.java
cassandra/trunk/src/java/org/apache/cassandra/service/ClientState.java
Modified:
cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java
URL:
http://svn.apache.org/viewvc/cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java?rev=1002399&r1=1002398&r2=1002399&view=diff
==============================================================================
--- cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java
(original)
+++ cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java
Tue Sep 28 23:00:39 2010
@@ -21,6 +21,7 @@ package org.apache.cassandra.auth;
*/
import java.util.EnumSet;
+import java.util.List;
import java.util.Map;
import org.apache.cassandra.config.ConfigurationException;
@@ -29,7 +30,7 @@ import org.apache.cassandra.thrift.Autho
public class AllowAllAuthority implements IAuthority
{
@Override
- public EnumSet<Permission> authorize(AuthenticatedUser user, String
keyspace)
+ public EnumSet<Permission> authorize(AuthenticatedUser user, List<Object>
resource)
{
return Permission.ALL;
}
Modified: cassandra/trunk/src/java/org/apache/cassandra/auth/IAuthority.java
URL:
http://svn.apache.org/viewvc/cassandra/trunk/src/java/org/apache/cassandra/auth/IAuthority.java?rev=1002399&r1=1002398&r2=1002399&view=diff
==============================================================================
--- cassandra/trunk/src/java/org/apache/cassandra/auth/IAuthority.java
(original)
+++ cassandra/trunk/src/java/org/apache/cassandra/auth/IAuthority.java Tue Sep
28 23:00:39 2010
@@ -22,17 +22,46 @@
package org.apache.cassandra.auth;
import java.util.EnumSet;
+import java.util.List;
import org.apache.cassandra.config.ConfigurationException;
+/**
+ * Cassandra's resource hierarchy looks something like:
+ * {{/cassandra/keyspaces/$ks_name/...}}
+ *
+ * In table form:
+ * /cassandra/
+ * - no checked permissions
+ * - String
+ * * Separates Cassandra-internal resources from resources that might be
provided by plugins.
+ * keyspaces/
+ * - READ, WRITE
+ * - String
+ * * The list of keyspaces: READ/WRITE for this resource mean the ability
to view/modify the list of keyspaces.
+ * $ks_name/
+ * - READ, WRITE, READ_VALUE, WRITE_VALUE
+ * - String
+ * * An individual keyspace: READ/WRITE mean the ability to view/modify the
list of column families. Since this
+ * is the last entry in the current hierarchy, READ/WRITE_VALUE apply
recursively to ancestor _data_ of this keyspace.
+ *
+ * Over time Cassandra _may_ add additional authorize calls for resources
higher or lower in the hierarchy and
+ * IAuthority implementations should be able to handle these calls (although
many will choose to ignore them
+ * completely). As authorize calls are added for child resources like
{{<cf_name>/}}, the READ/WRITE_VALUE permissions
+ * will move to the lowest checked level, and will be deprecated at higher
levels.
+ *
+ * NB: {{/cassandra/}} will not be checked for permissions via a call to
IAuthority.authorize, so IAuthority
+ * implementations can only deny access when a user attempts to access an
ancestor resource.
+ */
public interface IAuthority
{
/**
* @param user An authenticated user from a previous call to
IAuthenticator.authenticate.
- * @param keyspace The resource to calculate permissions for.
+ * @param resource A List of Objects containing Strings and byte[]s:
represents a resource in the hierarchy
+ * described in the Javadocs.
* @return An AccessLevel representing the permissions for the user and
resource: should never return null.
*/
- public EnumSet<Permission> authorize(AuthenticatedUser user, String
keyspace);
+ public EnumSet<Permission> authorize(AuthenticatedUser user, List<Object>
resource);
public void validateConfiguration() throws ConfigurationException;
}
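Review bot: The new Javadoc on IAuthority does not say what an implementation must return for a resource it does not recognise, and because the class comment announces that further authorize calls may be added over time, that default is the security-relevant part of the contract. I would extend the `@param resource` text with something like `Implementations should return Permission.NONE for any resource path or component type they do not understand, and must check a component's type before casting it.` Separately, the `@return` line still says `An AccessLevel` although the method returns `EnumSet<Permission>`, `{{...}}` is wiki markup rather than Javadoc `{@code ...}`, and "ancestor" in the `$ks_name/` entry and in the NB paragraph appears to mean descendant.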
Copied: cassandra/trunk/src/java/org/apache/cassandra/auth/Resources.java (from
r1002398,
cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java)
URL:
http://svn.apache.org/viewvc/cassandra/trunk/src/java/org/apache/cassandra/auth/Resources.java?p2=cassandra/trunk/src/java/org/apache/cassandra/auth/Resources.java&p1=cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java&r1=1002398&r2=1002399&rev=1002399&view=diff
==============================================================================
--- cassandra/trunk/src/java/org/apache/cassandra/auth/AllowAllAuthority.java
(original)
+++ cassandra/trunk/src/java/org/apache/cassandra/auth/Resources.java Tue Sep
28 23:00:39 2010
@@ -1,4 +1,3 @@
-package org.apache.cassandra.auth;
/*
*
* Licensed to the Apache Software Foundation (ASF) under one
@@ -20,23 +19,33 @@ package org.apache.cassandra.auth;
*
*/
-import java.util.EnumSet;
-import java.util.Map;
+package org.apache.cassandra.auth;
+
+import java.util.List;
-import org.apache.cassandra.config.ConfigurationException;
-import org.apache.cassandra.thrift.AuthorizationException;
+import org.apache.cassandra.utils.FBUtilities;
-public class AllowAllAuthority implements IAuthority
+/**
+ * Constants related to Cassandra's resource hierarchy.
+ *
+ * A resource in Cassandra is a List containing both Strings and byte[]s.
+ */
+public final class Resources
{
- @Override
- public EnumSet<Permission> authorize(AuthenticatedUser user, String
keyspace)
- {
- return Permission.ALL;
- }
+ public final static String ROOT = "cassandra";
+ public final static String KEYSPACES = "keyspaces";
- @Override
- public void validateConfiguration() throws ConfigurationException
+ public static String toString(List<Object> resource)
{
- // pass
+ StringBuilder buff = new StringBuilder();
+ for (Object component : resource)
+ {
+ buff.append("/");
+ if (component instanceof byte[])
+ buff.append(FBUtilities.bytesToHex((byte[])component));
+ else
+ buff.append(component.toString());
+ }
+ return buff.toString();
}
}
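Review bot: `component.toString()` in `Resources.toString` throws a NullPointerException for a null list element, which is unhelpful in a method presumably meant for log and error messages; `buff.append(String.valueOf(component));` avoids it. The rendered form is also ambiguous, since a String component containing `/` cannot be told apart from two components and a hex-looking String cannot be told apart from a byte[]. A comment on the method such as `// for display only; never compare or key authorization decisions on this string` would make that limit explicit. As a pure constants holder the class should also get a private constructor.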
Modified:
cassandra/trunk/src/java/org/apache/cassandra/auth/SimpleAuthority.java
URL:
http://svn.apache.org/viewvc/cassandra/trunk/src/java/org/apache/cassandra/auth/SimpleAuthority.java?rev=1002399&r1=1002398&r2=1002399&view=diff
==============================================================================
--- cassandra/trunk/src/java/org/apache/cassandra/auth/SimpleAuthority.java
(original)
+++ cassandra/trunk/src/java/org/apache/cassandra/auth/SimpleAuthority.java Tue
Sep 28 23:00:39 2010
@@ -23,6 +23,7 @@ package org.apache.cassandra.auth;
import java.io.*;
import java.util.EnumSet;
+import java.util.List;
import java.util.Properties;
import org.apache.cassandra.config.ConfigurationException;
@@ -32,8 +33,14 @@ public class SimpleAuthority implements
public final static String ACCESS_FILENAME_PROPERTY = "access.properties";
@Override
- public EnumSet<Permission> authorize(AuthenticatedUser user, String
keyspace)
+ public EnumSet<Permission> authorize(AuthenticatedUser user, List<Object>
resource)
{
+ if (resource.size() < 3 || !Resources.ROOT.equals(resource.get(0)) ||
!Resources.KEYSPACES.equals(resource.get(1)))
+ // unable to handle resources in other portions of the hierarchy
+ return Permission.NONE;
+
+ String keyspace = (String)resource.get(2);
+
String afilename = System.getProperty(ACCESS_FILENAME_PROPERTY);
EnumSet<Permission> authorized = Permission.NONE;
try
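Review bot: The cast `(String)resource.get(2)` is unchecked, yet IAuthority documents resource components as Strings or byte[]s, so a non-String at index 2 surfaces as a ClassCastException from the authorization path rather than as a denial. Extending the guard with `|| !(resource.get(2) instanceof String)` keeps the method failing closed with `Permission.NONE`. The guard also accepts lists longer than three elements and answers them with the keyspace-level permissions; if that inheritance is intended it deserves a comment, e.g. `// deeper resources inherit the keyspace's permissions`. Braces around the `if` body would keep the comment-then-return pair from being broken by a later edit. The body of authorize continues past the end of the hunk.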
Modified: cassandra/trunk/src/java/org/apache/cassandra/service/ClientState.java
URL:
http://svn.apache.org/viewvc/cassandra/trunk/src/java/org/apache/cassandra/service/ClientState.java?rev=1002399&r1=1002398&r2=1002399&view=diff
==============================================================================
--- cassandra/trunk/src/java/org/apache/cassandra/service/ClientState.java
(original)
+++ cassandra/trunk/src/java/org/apache/cassandra/service/ClientState.java Tue
Sep 28 23:00:39 2010
@@ -18,14 +18,14 @@
package org.apache.cassandra.service;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.Permission;
+import org.apache.cassandra.auth.Resources;
import org.apache.cassandra.config.Config.RequestSchedulerId;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.thrift.AuthenticationException;
@@ -43,6 +43,7 @@ public class ClientState
private AuthenticatedUser user;
private String keyspace;
private Set<Permission> keyspaceAccess;
+ private List<Object> resource = new ArrayList<Object>();
/**
* Construct a new, empty ClientState: can be reused after logout() or
reset().
@@ -61,8 +62,14 @@ public class ClientState
// user is not logged in or keyspace is not set
keyspaceAccess = null;
else
+ {
// authorize the user for the current keyspace
- keyspaceAccess = DatabaseDescriptor.getAuthority().authorize(user,
keyspace);
+ resource.clear();
+ resource.add(Resources.ROOT);
+ resource.add(Resources.KEYSPACES);
+ resource.add(keyspace);
+ keyspaceAccess = DatabaseDescriptor.getAuthority().authorize(user,
resource);
+ }
}
public String getKeyspace()
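Review bot: The else branch passes the ClientState's own mutable `resource` list to `IAuthority.authorize`, and the same instance is cleared and refilled on the next keyspace change and cleared again in the reset hunk further down. A pluggable authority that retains the list (for example as a cache key) or modifies it would therefore see, or cause, a different resource than the one that was authorized. Building a fresh list per call removes the shared state and makes the `resource` field added in the earlier hunk unnecessary: `keyspaceAccess = DatabaseDescriptor.getAuthority().authorize(user, Arrays.<Object>asList(Resources.ROOT, Resources.KEYSPACES, keyspace));`, optionally wrapped in `Collections.unmodifiableList(...)`. The enclosing method starts above this hunk, so whether it can be entered from more than one thread is not visible here.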
@@ -109,6 +116,7 @@ public class ClientState
user = DatabaseDescriptor.getAuthenticator().defaultUser();
keyspace = null;
keyspaceAccess = null;
+ resource.clear();
}
/**