Repository: cassandra Updated Branches: refs/heads/trunk d0e203645 -> f54eab71d
Add requireAuthorization method to IAuthorizer Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/f54eab71 Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/f54eab71 Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/f54eab71 Branch: refs/heads/trunk Commit: f54eab71d299429e17f315734484fb176f542167 Parents: d0e2036 Author: Mike Adamson <[email protected]> Authored: Sat Dec 12 15:37:40 2015 +0000 Committer: Sam Tunnicliffe <[email protected]> Committed: Mon Jan 4 17:57:07 2016 +0000
----------------------------------------------------------------------
CHANGES.txt | 1 + src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java | 6 ++++++ src/java/org/apache/cassandra/auth/IAuthorizer.java | 9 +++++++++ src/java/org/apache/cassandra/auth/PermissionsCache.java | 2 +- .../org/apache/cassandra/config/DatabaseDescriptor.java | 4 ++-- src/java/org/apache/cassandra/service/ClientState.java | 4 ++-- 6 files changed, 21 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index cbd109e..e6b22b3 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
 3.2
+ * Add requireAuthorization method to IAuthorizer (CASSANDRA-10852)
 * Fix CassandraVersion to accept x.y version string (CASSANDRA-10931)
 * Add forceUserDefinedCleanup to allow more flexible cleanup (CASSANDRA-10708)
 * (cqlsh) allow setting TTL with COPY (CASSANDRA-9494)
http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java b/src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java
index bc6fee4..3b40979 100644
--- a/src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java
+++ b/src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java
@@ -22,6 +22,12 @@ import java.util.Set;
 public class AllowAllAuthorizer implements IAuthorizer
 {
+ @Override
+ public boolean requireAuthorization()
+ {
+ return false;
+ }
+
 public Set<Permission> authorize(AuthenticatedUser user, IResource resource)
 {
 return resource.applicablePermissions();
http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/src/java/org/apache/cassandra/auth/IAuthorizer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/auth/IAuthorizer.java b/src/java/org/apache/cassandra/auth/IAuthorizer.java
index 01c05af..a023e3e 100644
--- a/src/java/org/apache/cassandra/auth/IAuthorizer.java
+++ b/src/java/org/apache/cassandra/auth/IAuthorizer.java
@@ -29,6 +29,15 @@ import org.apache.cassandra.exceptions.RequestValidationException;
 public interface IAuthorizer
 {
 /**
+ * Whether or not the authorizer will attempt authorization.
+ * If false the authorizer will not be called for authorization of resources.
+ */
+ default boolean requireAuthorization()
+ {
+ return true;
+ }
+
+ /**
 * Returns a set of permissions of a user on a resource.
 * Since Roles were introduced in version 2.2, Cassandra does not distinguish in any
 * meaningful way between users and roles. A role may or may not have login privileges
http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/src/java/org/apache/cassandra/auth/PermissionsCache.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/auth/PermissionsCache.java b/src/java/org/apache/cassandra/auth/PermissionsCache.java
index 8746b36..95aa398 100644
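Review bot: The Javadoc on `requireAuthorization()` in IAuthorizer.java does not state the security consequence of returning false. Elsewhere in this commit, the ClientState and PermissionsCache hunks use that value to return before any permission check and to skip building the permissions cache, so any implementation that returns false is treated exactly like AllowAllAuthorizer. I would add a line such as `* Returning false disables every permission check; only an authorizer that grants all permissions should do so.` and say that the answer is expected to stay constant while the node is running. The `true` default is the safe choice for existing third-party implementations and is worth calling out in the same comment.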
--- a/src/java/org/apache/cassandra/auth/PermissionsCache.java
+++ b/src/java/org/apache/cassandra/auth/PermissionsCache.java
@@ -107,7 +107,7 @@ public class PermissionsCache implements PermissionsCacheMBean
 private LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> initCache(
 LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> existing)
 {
- if (authorizer instanceof AllowAllAuthorizer)
+ if (!authorizer.requireAuthorization())
 return null;
 if (DatabaseDescriptor.getPermissionsValidity() <= 0)
http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
index e2dea93..edcbcf5 100644
--- a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
+++ b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
@@ -324,8 +324,8 @@ public class DatabaseDescriptor
 if (conf.authorizer != null)
 authorizer = FBUtilities.newAuthorizer(conf.authorizer);
- if (authenticator instanceof AllowAllAuthenticator && !(authorizer instanceof AllowAllAuthorizer))
- throw new ConfigurationException("AllowAllAuthenticator can't be used with " + conf.authorizer, false);
+ if (!authenticator.requireAuthentication() && authorizer.requireAuthorization())
+ throw new ConfigurationException(conf.authenticator + " can't be used with " + conf.authorizer, false);
 if (conf.role_manager != null)
 roleManager = FBUtilities.newRoleManager(conf.role_manager);
http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/src/java/org/apache/cassandra/service/ClientState.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java
index d576ac3..78bcf8a 100644
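Review bot: The new exception message in DatabaseDescriptor.java takes the authenticator name from `conf.authenticator`, which may be null when no authenticator is configured; the assignment is outside the hunk, but the `if (conf.authorizer != null)` guard just above suggests these config fields are optional. In that case the operator would read "null can't be used with ...", where the old text named AllowAllAuthenticator explicitly. Naming the resolved instances avoids this: `throw new ConfigurationException(authenticator.getClass().getName() + " can't be used with " + authorizer.getClass().getName(), false);`. This check is what stops a node from starting with authorization enabled and authentication disabled, so its message should always identify the real classes. The enclosing method starts and ends outside the hunk.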
--- a/src/java/org/apache/cassandra/service/ClientState.java
+++ b/src/java/org/apache/cassandra/service/ClientState.java
@@ -274,7 +274,7 @@ public class ClientState
 public void ensureHasPermission(Permission perm, IResource resource) throws UnauthorizedException
 {
- if (DatabaseDescriptor.getAuthorizer() instanceof AllowAllAuthorizer)
+ if (!DatabaseDescriptor.getAuthorizer().requireAuthorization())
 return;
 // Access to built in functions is unrestricted
@@ -290,7 +290,7 @@ public class ClientState
 public void ensureHasPermission(Permission permission, Function function)
 {
 // Save creating a FunctionResource is we don't need to
- if (DatabaseDescriptor.getAuthorizer() instanceof AllowAllAuthorizer)
+ if (!DatabaseDescriptor.getAuthorizer().requireAuthorization())
 return;
 // built in functions are always available to all
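Review bot: Both early returns in `ensureHasPermission` (the hunks at lines 274 and 290 of ClientState.java) now skip every permission check for any authorizer that reports false, and the diffstat lists no test file that exercises this path with an authorizer other than AllowAllAuthorizer. A small test using a stub IAuthorizer whose `requireAuthorization()` returns false, and another returning true, would pin both branches of the guard. A comment on the guard would also help the next reader, for example `// authorizer has opted out: no permission checks are applied to this request`. The value is read on every call here but inside `initCache` in PermissionsCache, so the two can disagree if an implementation's answer ever changes; both method bodies continue outside the hunks.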
