[
https://issues.apache.org/jira/browse/CASSANDRA-20171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17930444#comment-17930444
]
Francisco Guerrero commented on CASSANDRA-20171:
------------------------------------------------
Seeing a similar error in trunk:
```
Expected error message to contain 'User user has no SELECT permission on or any
of its parents', but got 'You do not have access to this datacenter
(datacenter1)'-junit.framework.AssertionFailedError: Expected error message to
contain 'User user has no SELECT permission on
or any of its parents', but got 'You do not have access to this datacenter
(datacenter1)' at
org.apache.cassandra.cql3.CQLTester.assertMessageContains(CQLTester.java:2452)
at
org.apache.cassandra.cql3.CQLTester.assertInvalidThrowMessage(CQLTester.java:2391)
at
org.apache.cassandra.cql3.CQLTester.assertUnauthorizedQuery(CQLTester.java:2464)
at
org.apache.cassandra.auth.GrantAndRevokeTest.testGrantOnVirtualKeyspaces(GrantAndRevokeTest.java:574)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method) at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
```
> Grant permission on keyspaces system_views and system_virtual_schema not
> possible
> ---------------------------------------------------------------------------------
>
> Key: CASSANDRA-20171
> URL: https://issues.apache.org/jira/browse/CASSANDRA-20171
> Project: Apache Cassandra
> Issue Type: Bug
> Components: Feature/Virtual Tables
> Reporter: Tibor Repasi
> Assignee: Tibor Repasi
> Priority: Normal
> Fix For: 4.0.x, 4.1.x, 5.0.x, 5.x
>
> Attachments: ci_summary-1.html, ci_summary-2.html, ci_summary-3.html,
> ci_summary.html
>
> Time Spent: 4h 50m
> Remaining Estimate: 0h
>
> Trying to grant select permission on keyspace system_views or
> system_virtual_schema fails with an error message stating that these
> resources wouldn't exist.
> {code}
> cassandra@cqlsh> CREATE ROLE test WITH PASSWORD = 'test' AND LOGIN = true AND
> SUPERUSER = false ;
> cassandra@cqlsh> LIST USERS ;
> name | super | datacenters
> -----------+-------+-------------
> cassandra | True | ALL
> test | False | ALL
> (2 rows)
> cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system TO test;
> cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_schema TO test;
> cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_views TO test;
> InvalidRequest: Error from server: code=2200 [Invalid query]
> message="Resource <keyspace system_views> doesn't exist"
> cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_ TO test;
> system_auth system_distributed system_schema
> system_traces system_views system_virtual_schema
> cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_virtual_schema TO
> test;
> InvalidRequest: Error from server: code=2200 [Invalid query]
> message="Resource <keyspace system_virtual_schema> doesn't exist"
> {code}
> However, the above permission can be added by updating role_permissions
> directly
> {code}
> cassandra@cqlsh> UPDATE system_auth.role_permissions SET permissions =
> permissions + {'SELECT'} WHERE role = 'test' AND resource =
> 'data/system_views';
> cassandra@cqlsh> LIST ALL PERMISSIONS OF test;
> role | username | resource | permission
> ------+----------+--------------------------+------------
> test | test | <keyspace system> | SELECT
> test | test | <keyspace system_schema> | SELECT
> test | test | <keyspace system_views> | SELECT
> (3 rows)
> {code}
> Reading the code unveiled, that {{system_schema.keyspaces}} doesn't list
> those two keyspace, which causes the grant permission command to fail.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
