[cassandra-dtest] branch trunk updated: Update tests for UNMASK and SELECT_MASKED permissions

adelapena Fri, 24 Mar 2023 07:08:53 -0700

This is an automated email from the ASF dual-hosted git repository.

adelapena pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra-dtest.git



The following commit(s) were added to refs/heads/trunk by this push:
     new 8bf1432b Update tests for UNMASK and SELECT_MASKED permissions
8bf1432b is described below

commit 8bf1432bf3bae1294f140237054423a6ad582104
Author: Andrés de la Peña <[email protected]>
AuthorDate: Tue Jan 31 15:44:32 2023 +0000

    Update tests for UNMASK and SELECT_MASKED permissions
    
    patch by Andrés de la Peña; reviewed by Benjamin Lerer and Berenguer Blasi 
for CASSANDRA-17940
---
 auth_test.py              | 91 +++++++++++++++++++++++++++--------------------
 cqlsh_tests/test_cqlsh.py | 16 ++++++++-
 2 files changed, 68 insertions(+), 39 deletions(-)

diff --git a/auth_test.py b/auth_test.py
index 3d1aa10c..ea1ad31a 100644
--- a/auth_test.py
+++ b/auth_test.py
@@ -34,6 +34,32 @@ class AbstractTestAuth(Tester):
             permissions = ('ALTER', 'DROP', 'DESCRIBE')
         return [(creator, role, perm) for perm in permissions]
 
+    def cluster_version_has_masking_permissions(self):
+        return self.cluster.version() >= LooseVersion('5.0')
+
+    def data_resource_creator_permissions(self, creator, resource):
+        """
+        Assemble a list of all permissions needed to create data on a given 
resource
+        @param creator User who needs permissions
+        @param resource The resource to grant permissions on
+        @return A list of permissions for creator on resource
+        """
+        permissions = []
+        for perm in 'SELECT', 'MODIFY', 'ALTER', 'DROP', 'AUTHORIZE':
+            permissions.append((creator, resource, perm))
+
+        if self.cluster_version_has_masking_permissions():
+            permissions.append((creator, resource, 'UNMASK'))
+            permissions.append((creator, resource, 'SELECT_MASKED'))
+
+        if resource.startswith("<keyspace "):
+            permissions.append((creator, resource, 'CREATE'))
+            keyspace = resource[10:-1]
+            # also grant the creator of a ks perms on functions in that ks
+            for perm in 'CREATE', 'ALTER', 'DROP', 'AUTHORIZE', 'EXECUTE':
+                permissions.append((creator, '<all functions in %s>' % 
keyspace, perm))
+        return permissions
+
 
 class TestAuth(AbstractTestAuth):
 
@@ -947,9 +973,9 @@ class TestAuth(AbstractTestAuth):
 
         # CASSANDRA-7216 automatically grants permissions on a role to its 
creator
         if self.cluster.cassandra_version() >= '2.2.0':
-            
all_permissions.extend(data_resource_creator_permissions('cassandra', 
'<keyspace ks>'))
-            
all_permissions.extend(data_resource_creator_permissions('cassandra', '<table 
ks.cf>'))
-            
all_permissions.extend(data_resource_creator_permissions('cassandra', '<table 
ks.cf2>'))
+            
all_permissions.extend(self.data_resource_creator_permissions('cassandra', 
'<keyspace ks>'))
+            
all_permissions.extend(self.data_resource_creator_permissions('cassandra', 
'<table ks.cf>'))
+            
all_permissions.extend(self.data_resource_creator_permissions('cassandra', 
'<table ks.cf2>'))
             all_permissions.extend(self.role_creator_permissions('cassandra', 
'<role bob>'))
             all_permissions.extend(self.role_creator_permissions('cassandra', 
'<role cathy>'))
 
@@ -962,7 +988,7 @@ class TestAuth(AbstractTestAuth):
 
         expected_permissions = [('cathy', '<table ks.cf>', 'MODIFY'), ('bob', 
'<table ks.cf>', 'DROP')]
         if self.cluster.cassandra_version() >= '2.2.0':
-            
expected_permissions.extend(data_resource_creator_permissions('cassandra', 
'<table ks.cf>'))
+            
expected_permissions.extend(self.data_resource_creator_permissions('cassandra', 
'<table ks.cf>'))
         self.assertPermissionsListed(expected_permissions, cassandra, "LIST 
ALL PERMISSIONS ON ks.cf NORECURSIVE")
 
         expected_permissions = [('cathy', '<table ks.cf2>', 'SELECT')]
@@ -1136,25 +1162,6 @@ class TestAuth(AbstractTestAuth):
         assert sorted(expected) == sorted(perms)
 
 
-def data_resource_creator_permissions(creator, resource):
-    """
-    Assemble a list of all permissions needed to create data on a given 
resource
-    @param creator User who needs permissions
-    @param resource The resource to grant permissions on
-    @return A list of permissions for creator on resource
-    """
-    permissions = []
-    for perm in 'SELECT', 'MODIFY', 'ALTER', 'DROP', 'AUTHORIZE':
-        permissions.append((creator, resource, perm))
-    if resource.startswith("<keyspace "):
-        permissions.append((creator, resource, 'CREATE'))
-        keyspace = resource[10:-1]
-        # also grant the creator of a ks perms on functions in that ks
-        for perm in 'CREATE', 'ALTER', 'DROP', 'AUTHORIZE', 'EXECUTE':
-            permissions.append((creator, '<all functions in %s>' % keyspace, 
perm))
-    return permissions
-
-
 @since('2.2')
 class TestAuthRoles(AbstractTestAuth):
 
@@ -1385,8 +1392,8 @@ class TestAuthRoles(AbstractTestAuth):
         mike_permissions = [('mike', '<all roles>', 'CREATE'),
                             ('mike', '<all keyspaces>', 'CREATE')]
         mike_permissions.extend(self.role_creator_permissions('mike', '<role 
role1>'))
-        mike_permissions.extend(data_resource_creator_permissions('mike', 
'<keyspace ks>'))
-        mike_permissions.extend(data_resource_creator_permissions('mike', 
'<table ks.cf>'))
+        mike_permissions.extend(self.data_resource_creator_permissions('mike', 
'<keyspace ks>'))
+        mike_permissions.extend(self.data_resource_creator_permissions('mike', 
'<table ks.cf>'))
         mike_permissions.extend(function_resource_creator_permissions('mike', 
'<function ks.state_function_1(int, int)>'))
         mike_permissions.extend(function_resource_creator_permissions('mike', 
'<function ks.simple_aggregate_1(int)>'))
 
@@ -1671,23 +1678,31 @@ class TestAuthRoles(AbstractTestAuth):
 
         # GRANT ALL ON KEYSPACE grants Permission.ALL_DATA
         self.superuser.execute("GRANT ALL ON KEYSPACE ks TO mike")
-        self.assert_permissions_listed([("mike", "<keyspace ks>", "CREATE"),
-                                        ("mike", "<keyspace ks>", "ALTER"),
-                                        ("mike", "<keyspace ks>", "DROP"),
-                                        ("mike", "<keyspace ks>", "SELECT"),
-                                        ("mike", "<keyspace ks>", "MODIFY"),
-                                        ("mike", "<keyspace ks>", 
"AUTHORIZE")],
+        permissions = [("mike", "<keyspace ks>", "CREATE"),
+                       ("mike", "<keyspace ks>", "ALTER"),
+                       ("mike", "<keyspace ks>", "DROP"),
+                       ("mike", "<keyspace ks>", "SELECT"),
+                       ("mike", "<keyspace ks>", "MODIFY"),
+                       ("mike", "<keyspace ks>", "AUTHORIZE")]
+        if self.cluster_version_has_masking_permissions():
+            permissions.append(("mike", "<keyspace ks>", "UNMASK"))
+            permissions.append(("mike", "<keyspace ks>", "SELECT_MASKED"))
+        self.assert_permissions_listed(permissions,
                                        self.superuser,
                                        "LIST ALL PERMISSIONS OF mike")
         self.superuser.execute("REVOKE ALL ON KEYSPACE ks FROM mike")
 
         # GRANT ALL ON TABLE does not include CREATE (because the table must 
already be created before the GRANT)
         self.superuser.execute("GRANT ALL ON ks.cf TO MIKE")
-        self.assert_permissions_listed([("mike", "<table ks.cf>", "ALTER"),
-                                        ("mike", "<table ks.cf>", "DROP"),
-                                        ("mike", "<table ks.cf>", "SELECT"),
-                                        ("mike", "<table ks.cf>", "MODIFY"),
-                                        ("mike", "<table ks.cf>", 
"AUTHORIZE")],
+        permissions = [("mike", "<table ks.cf>", "ALTER"),
+                       ("mike", "<table ks.cf>", "DROP"),
+                       ("mike", "<table ks.cf>", "SELECT"),
+                       ("mike", "<table ks.cf>", "MODIFY"),
+                       ("mike", "<table ks.cf>", "AUTHORIZE")]
+        if self.cluster_version_has_masking_permissions():
+            permissions.append(("mike", "<table ks.cf>", "UNMASK"))
+            permissions.append(("mike", "<table ks.cf>", "SELECT_MASKED"))
+        self.assert_permissions_listed(permissions,
                                        self.superuser,
                                        "LIST ALL PERMISSIONS OF mike")
         self.superuser.execute("REVOKE ALL ON ks.cf FROM mike")
@@ -1788,8 +1803,8 @@ class TestAuthRoles(AbstractTestAuth):
                                 ("role1", "<table ks.cf>", "SELECT"),
                                 ("role2", "<table ks.cf>", "ALTER"),
                                 ("role2", "<role role1>", "ALTER")]
-        
expected_permissions.extend(data_resource_creator_permissions('cassandra', 
'<keyspace ks>'))
-        
expected_permissions.extend(data_resource_creator_permissions('cassandra', 
'<table ks.cf>'))
+        
expected_permissions.extend(self.data_resource_creator_permissions('cassandra', 
'<keyspace ks>'))
+        
expected_permissions.extend(self.data_resource_creator_permissions('cassandra', 
'<table ks.cf>'))
         expected_permissions.extend(self.role_creator_permissions('cassandra', 
'<role mike>'))
         expected_permissions.extend(self.role_creator_permissions('cassandra', 
'<role role1>'))
         expected_permissions.extend(self.role_creator_permissions('cassandra', 
'<role role2>'))
diff --git a/cqlsh_tests/test_cqlsh.py b/cqlsh_tests/test_cqlsh.py
index 1f5c3767..dd59ee08 100644
--- a/cqlsh_tests/test_cqlsh.py
+++ b/cqlsh_tests/test_cqlsh.py
@@ -783,7 +783,21 @@ VALUES (4, blobAsInt(0x), '', blobAsBigint(0x), 0x, 
blobAsBoolean(0x), blobAsDec
 (2 rows)
 """)
 
-        if self.cluster.version() >= LooseVersion('2.2'):
+        if self.cluster.version() >= LooseVersion('5.0'):
+            self.verify_output("LIST ALL PERMISSIONS OF user1", node1, """
+ role  | username | resource      | permission
+-------+----------+---------------+---------------
+ user1 |    user1 | <table ks.t1> |         ALTER
+ user1 |    user1 | <table ks.t1> |          DROP
+ user1 |    user1 | <table ks.t1> |        SELECT
+ user1 |    user1 | <table ks.t1> |        MODIFY
+ user1 |    user1 | <table ks.t1> |     AUTHORIZE
+ user1 |    user1 | <table ks.t1> |        UNMASK
+ user1 |    user1 | <table ks.t1> | SELECT_MASKED
+
+(7 rows)
+""")
+        elif self.cluster.version() >= LooseVersion('2.2'):
             self.verify_output("LIST ALL PERMISSIONS OF user1", node1, """
  role  | username | resource      | permission
 -------+----------+---------------+------------


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[cassandra-dtest] branch trunk updated: Update tests for UNMASK and SELECT_MASKED permissions

Reply via email to