Author: eevans
Date: Wed Oct 6 15:19:07 2010
New Revision: 1005079
URL: http://svn.apache.org/viewvc?rev=1005079&view=rev
Log:
refactor SimpleAuthority for CF resources
Patch by eevans; reviewed by Stu Hood for CASSANDRA-1554
Modified:
cassandra/trunk/conf/access.properties
cassandra/trunk/src/java/org/apache/cassandra/auth/SimpleAuthority.java
cassandra/trunk/test/conf/access.properties
Modified: cassandra/trunk/conf/access.properties
URL:
http://svn.apache.org/viewvc/cassandra/trunk/conf/access.properties?rev=1005079&r1=1005078&r2=1005079&view=diff
==============================================================================
--- cassandra/trunk/conf/access.properties (original)
+++ cassandra/trunk/conf/access.properties Wed Oct 6 15:19:07 2010
@@ -23,4 +23,10 @@
# The magical '<modify-keyspaces>' property lists users who can modify the
# list of keyspaces: all users will be able to view the list of keyspaces.
<modify-keyspaces>=jsmith
-Keyspace1=jsmith,Elvis Presley,dilbert
+
+# Access to Keyspace1 (add/remove column families, etc).
+Keyspace1.<ro>=jsmith,Elvis Presley
+Keyspace1.<rw>=dilbert
+
+# Access to Standard1 (keyspace Keyspace1)
+Keyspace1.Standard1.<rw>=jsmith,Elvis Presley,dilbert
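Review bot: The sample file never says what `<ro>` and `<rw>` grant or how entries relate, and the new authorize() code makes those details matter. It looks up exactly `Keyspace1.<ro>`/`Keyspace1.<rw>` for a keyspace and `Keyspace1.Standard1.<ro>`/`.<rw>` for a column family, with no fallback from the column family to the keyspace entry. The old bare `Keyspace1=` form is no longer read, so an un-migrated file silently denies everyone. Names are compared after a plain `split(",")`, so a space after a comma would stop a user from matching. I would add a comment such as `# <ro> grants READ, <rw> grants full access; column family entries are not inherited from the keyspace entry; separate names with commas only (no spaces around them)`.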
Modified:
cassandra/trunk/src/java/org/apache/cassandra/auth/SimpleAuthority.java
URL:
http://svn.apache.org/viewvc/cassandra/trunk/src/java/org/apache/cassandra/auth/SimpleAuthority.java?rev=1005079&r1=1005078&r2=1005079&view=diff
==============================================================================
--- cassandra/trunk/src/java/org/apache/cassandra/auth/SimpleAuthority.java
(original)
+++ cassandra/trunk/src/java/org/apache/cassandra/auth/SimpleAuthority.java Wed
Oct 6 15:19:07 2010
@@ -33,52 +33,110 @@ public class SimpleAuthority implements
public final static String ACCESS_FILENAME_PROPERTY = "access.properties";
// magical property for WRITE permissions to the keyspaces list
public final static String KEYSPACES_WRITE_PROPERTY = "<modify-keyspaces>";
+ private Properties accessProperties = null;
@Override
public EnumSet<Permission> authorize(AuthenticatedUser user, List<Object>
resource)
{
if (resource.size() < 2 || !Resources.ROOT.equals(resource.get(0)) ||
!Resources.KEYSPACES.equals(resource.get(1)))
- // we only know how to handle keyspace authorization
return Permission.NONE;
-
- String keyspace;
- EnumSet<Permission> authorized;
- if (resource.size() < 3)
+
+ String keyspace, columnFamily = null;
+ EnumSet<Permission> authorized = Permission.NONE;
+
+ // /cassandra/keyspaces
+ if (resource.size() == 2)
{
- // authorize the user for the keyspace list using the 'magical'
keyspace,
- // but give them read access by default
keyspace = KEYSPACES_WRITE_PROPERTY;
authorized = EnumSet.of(Permission.READ);
}
- else
+ // /cassandra/keyspaces/<keyspace name>
+ else if (resource.size() == 3)
{
- // otherwise, authorize them for the actual keyspace
keyspace = (String)resource.get(2);
- authorized = Permission.NONE;
}
-
- String afilename = System.getProperty(ACCESS_FILENAME_PROPERTY);
+ // /cassandra/keyspaces/<keyspace name>/<cf name>
+ else if (resource.size() == 4)
+ {
+ keyspace = (String)resource.get(2);
+ columnFamily = (String)resource.get(3);
+ }
+ else
+ {
+ // We don't currently descend any lower in the hierarchy.
+ throw new UnsupportedOperationException();
+ }
+
+ String accessFilename = System.getProperty(ACCESS_FILENAME_PROPERTY);
try
{
- FileInputStream in = new FileInputStream(afilename);
- Properties props = new Properties();
- props.load(in);
- in.close();
-
- // structure:
- // given keyspace X, users A B and C can be authorized like this
(separate their names with spaces):
- // X = A B C
-
- if (null == props.getProperty(keyspace))
- // no one is authorized
- return authorized;
- for (String allow : props.getProperty(keyspace).split(","))
- if (allow.equals(user.username))
- authorized = Permission.ALL;
+ // TODO: auto-reload when the file has been updated
+ if (accessProperties == null) // Don't hit the disk on every
invocation
+ {
+ FileInputStream in = new FileInputStream(accessFilename);
+ accessProperties = new Properties();
+ accessProperties.load(in);
+ in.close();
+ }
+
+ // Special case access to the keyspace list
+ if (keyspace == KEYSPACES_WRITE_PROPERTY)
+ {
+ String kspAdmins =
accessProperties.getProperty(KEYSPACES_WRITE_PROPERTY);
+ for (String admin : kspAdmins.split(","))
+ if (admin.equals(user.username))
+ return Permission.ALL;
+ }
+
+ boolean canRead = false, canWrite = false;
+ String readers = null, writers = null;
+
+ if (columnFamily == null)
+ {
+ readers = accessProperties.getProperty(keyspace + ".<ro>");
+ writers = accessProperties.getProperty(keyspace + ".<rw>");
+ }
+ else
+ {
+ readers = accessProperties.getProperty(keyspace + "." +
columnFamily + ".<ro>");
+ writers = accessProperties.getProperty(keyspace + "." +
columnFamily + ".<rw>");
+ }
+
+ if (readers != null)
+ {
+ for (String reader : readers.split(","))
+ {
+ if (reader.equals(user.username))
+ {
+ canRead = true;
+ break;
+ }
+ }
+ }
+
+ if (writers != null)
+ {
+ for (String writer : writers.split(","))
+ {
+ if (writer.equals(user.username))
+ {
+ canWrite = true;
+ break;
+ }
+ }
+ }
+
+ if (canWrite)
+ authorized = Permission.ALL;
+ else if (canRead)
+ authorized = EnumSet.of(Permission.READ);
+
}
catch (IOException e)
{
- throw new RuntimeException(String.format("Authorization table file
'%s' could not be opened: %s", afilename, e.getMessage()));
+ throw new RuntimeException(String.format("Authorization table file
'%s' could not be opened: %s",
+ accessFilename,
+ e.getMessage()));
}
return authorized;
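Review bot: The lazy load assigns `accessProperties` before `load()` has run, so an IOException leaves an empty, non-null table cached; later calls then deny silently instead of raising the error again, and a concurrent caller (if authorize() is called from several threads, which is not visible here) can read a half-filled table. Load into a local and publish it only once complete, closing the stream in a finally, and consider declaring the field `volatile`. In the keyspace-list branch, `kspAdmins.split(",")` throws a NullPointerException when `<modify-keyspaces>` is absent (the removed code null-checked). That branch also compares references with `keyspace == KEYSPACES_WRITE_PROPERTY`; testing `resource.size() == 2` and returning there is sturdier and avoids falling through to look up `<modify-keyspaces>.<ro>`. Because the table is now cached for the life of the process, a revocation edited into access.properties has no effect until restart, which is worth stating next to the TODO; the method's closing brace lies outside the hunk.

```java
            // TODO: auto-reload when the file has been updated; until then a
            // revoked user keeps access until the process is restarted
            Properties props = accessProperties;
            if (props == null) // Don't hit the disk on every invocation
            {
                Properties loaded = new Properties();
                FileInputStream in = new FileInputStream(accessFilename);
                try
                {
                    loaded.load(in);
                }
                finally
                {
                    in.close();
                }
                // publish only a completely loaded table
                accessProperties = props = loaded;
            }

            // Special case access to the keyspace list
            if (resource.size() == 2)
            {
                String kspAdmins = props.getProperty(KEYSPACES_WRITE_PROPERTY);
                if (kspAdmins != null)
                    for (String admin : kspAdmins.split(","))
                        if (admin.equals(user.username))
                            return Permission.ALL;
                return authorized; // READ by default for the keyspace list
            }

            // … unchanged: <ro>/<rw> lookup and matching …
```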
Modified: cassandra/trunk/test/conf/access.properties
URL:
http://svn.apache.org/viewvc/cassandra/trunk/test/conf/access.properties?rev=1005079&r1=1005078&r2=1005079&view=diff
==============================================================================
--- cassandra/trunk/test/conf/access.properties (original)
+++ cassandra/trunk/test/conf/access.properties Wed Oct 6 15:19:07 2010
@@ -23,4 +23,6 @@
# The magical '<modify-keyspaces>' property lists users who can modify the
# list of keyspaces: all users will be able to view the list of keyspaces.
<modify-keyspaces>=user1
-Keyspace1=user1,user2
+
+Keyspace1.<read>=user1,user2
+Keyspace1.<write>=user1,user2
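Review bot: The test file uses the suffixes `<read>` and `<write>`, but the new authorize() code in this same commit only looks up `.<ro>` and `.<rw>`. With these keys neither user1 nor user2 matches any entry for Keyspace1, so both end up with no permission. Tests relying on this file would therefore exercise the deny path rather than the grants. The lines should presumably read `Keyspace1.<rw>=user1,user2`, with a `Keyspace1.<ro>=` line only if a read-only user is wanted. If the tests touch column families, a matching `Keyspace1.<column family>.<rw>=` entry is needed too, because column family access is not inherited from the keyspace entry.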