Updated Branches: refs/heads/cassandra-2.0 06dc4d0fd -> edc753127
Require superuser status for adding triggers patch by Aleksey Yeschenko; reviewed by Jonathan Ellis for CASSANDRA-5963 Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/edc75312 Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/edc75312 Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/edc75312 Branch: refs/heads/cassandra-2.0 Commit: edc753127311fefa8de47fb9cc42a30cd783c24a Parents: 06dc4d0 Author: Aleksey Yeschenko <[email protected]> Authored: Wed Sep 4 21:50:45 2013 +0300 Committer: Aleksey Yeschenko <[email protected]> Committed: Wed Sep 4 21:50:45 2013 +0300 ---------------------------------------------------------------------- CHANGES.txt | 1 + .../cql3/statements/CreateTriggerStatement.java | 8 +++----- .../cql3/statements/DropTriggerStatement.java | 8 +++----- .../org/apache/cassandra/service/ClientState.java | 6 ++++++ .../apache/cassandra/thrift/CassandraServer.java | 17 +++++++++++++++-- 5 files changed, 28 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cassandra/blob/edc75312/CHANGES.txt ---------------------------------------------------------------------- diff --git a/CHANGES.txt b/CHANGES.txt index c09ba86..abbb4f9 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -12,6 +12,7 @@ * Add ability for CQL3 to list partition keys (CASSANDRA-4536) * Improve native protocol serialization (CASSANDRA-5664) * Upgrade Thrift to 0.9.1 (CASSANDRA-5923) + * Require superuser status for adding triggers (CASSANDRA-5963) Merged from 1.2: * Allow local batchlog writes for CL.ANY (CASSANDRA-5967) * Optimize name query performance in wide rows (CASSANDRA-5966) http://git-wip-us.apache.org/repos/asf/cassandra/blob/edc75312/src/java/org/apache/cassandra/cql3/statements/CreateTriggerStatement.java ---------------------------------------------------------------------- 
diff --git a/src/java/org/apache/cassandra/cql3/statements/CreateTriggerStatement.java b/src/java/org/apache/cassandra/cql3/statements/CreateTriggerStatement.java index 1e2ac90..329b7bc 100644 --- a/src/java/org/apache/cassandra/cql3/statements/CreateTriggerStatement.java +++ b/src/java/org/apache/cassandra/cql3/statements/CreateTriggerStatement.java @@ -20,13 +20,11 @@ package org.apache.cassandra.cql3.statements; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.apache.cassandra.auth.Permission; import org.apache.cassandra.config.CFMetaData; import org.apache.cassandra.config.Schema; import org.apache.cassandra.config.TriggerDefinition; import org.apache.cassandra.cql3.CFName; import org.apache.cassandra.exceptions.ConfigurationException; -import org.apache.cassandra.exceptions.InvalidRequestException; import org.apache.cassandra.exceptions.RequestValidationException; import org.apache.cassandra.exceptions.UnauthorizedException; import org.apache.cassandra.service.ClientState; @@ -49,9 +47,9 @@ public class CreateTriggerStatement extends SchemaAlteringStatement this.triggerClass = clazz; } - public void checkAccess(ClientState state) throws UnauthorizedException, InvalidRequestException + public void checkAccess(ClientState state) throws UnauthorizedException { - state.hasColumnFamilyAccess(keyspace(), columnFamily(), Permission.ALTER); + state.ensureIsSuper("Only superusers are allowed to perfrom CREATE TRIGGER queries"); } public void validate(ClientState state) throws RequestValidationException 
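Review bot: The new message passed to `ensureIsSuper` in `CreateTriggerStatement.checkAccess` misspells "perform" as "perfrom", and that string is what a rejected client reads in the UnauthorizedException. It should read `state.ensureIsSuper("Only superusers are allowed to perform CREATE TRIGGER queries");`. The same typo is in the DROP TRIGGER message in `DropTriggerStatement.checkAccess`. Because `checkAccess` no longer checks `Permission.ALTER` on the table, a one-line comment such as `// superuser only: a trigger names a class that runs inside the server` would record why this gate is stricter than for other schema changes.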
@@ -67,7 +65,7 @@ public class CreateTriggerStatement extends SchemaAlteringStatement } } - public void announceMigration() throws InvalidRequestException, ConfigurationException + public void announceMigration() throws ConfigurationException { CFMetaData cfm = Schema.instance.getCFMetaData(keyspace(), columnFamily()).clone(); cfm.addTriggerDefinition(TriggerDefinition.create(triggerName, triggerClass)); http://git-wip-us.apache.org/repos/asf/cassandra/blob/edc75312/src/java/org/apache/cassandra/cql3/statements/DropTriggerStatement.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/cql3/statements/DropTriggerStatement.java b/src/java/org/apache/cassandra/cql3/statements/DropTriggerStatement.java index 884aaa0..ce17047 100644 --- a/src/java/org/apache/cassandra/cql3/statements/DropTriggerStatement.java +++ b/src/java/org/apache/cassandra/cql3/statements/DropTriggerStatement.java @@ -20,12 +20,10 @@ package org.apache.cassandra.cql3.statements; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.apache.cassandra.auth.Permission; import org.apache.cassandra.config.CFMetaData; import org.apache.cassandra.config.Schema; import org.apache.cassandra.cql3.CFName; import org.apache.cassandra.exceptions.ConfigurationException; -import org.apache.cassandra.exceptions.InvalidRequestException; import org.apache.cassandra.exceptions.RequestValidationException; import org.apache.cassandra.exceptions.UnauthorizedException; import org.apache.cassandra.service.ClientState; 
@@ -45,9 +43,9 @@ public class DropTriggerStatement extends SchemaAlteringStatement this.triggerName = triggerName; } - public void checkAccess(ClientState state) throws UnauthorizedException, InvalidRequestException + public void checkAccess(ClientState state) throws UnauthorizedException { - state.hasColumnFamilyAccess(keyspace(), columnFamily(), Permission.ALTER); + state.ensureIsSuper("Only superusers are allowed to perfrom DROP TRIGGER queries"); } public void validate(ClientState state) throws RequestValidationException @@ -55,7 +53,7 @@ public class DropTriggerStatement extends SchemaAlteringStatement ThriftValidation.validateColumnFamily(keyspace(), columnFamily()); } - public void announceMigration() throws InvalidRequestException, ConfigurationException + public void announceMigration() throws ConfigurationException { CFMetaData cfm = Schema.instance.getCFMetaData(keyspace(), columnFamily()).clone(); if (!cfm.removeTrigger(triggerName)) http://git-wip-us.apache.org/repos/asf/cassandra/blob/edc75312/src/java/org/apache/cassandra/service/ClientState.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java index eb75a34..32e21f4 100644 --- a/src/java/org/apache/cassandra/service/ClientState.java +++ b/src/java/org/apache/cassandra/service/ClientState.java 
@@ -201,6 +201,12 @@ public class ClientState throw new UnauthorizedException("You have to be logged in and not anonymous to perform this request"); } + public void ensureIsSuper(String message) throws UnauthorizedException + { + if (DatabaseDescriptor.getAuthenticator().requireAuthentication() && (user == null || !user.isSuper())) + throw new UnauthorizedException(message); + } + private static void validateKeyspace(String keyspace) throws InvalidRequestException { if (keyspace == null) http://git-wip-us.apache.org/repos/asf/cassandra/blob/edc75312/src/java/org/apache/cassandra/thrift/CassandraServer.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/thrift/CassandraServer.java b/src/java/org/apache/cassandra/thrift/CassandraServer.java index 1099834..3d77743 100644 --- a/src/java/org/apache/cassandra/thrift/CassandraServer.java +++ b/src/java/org/apache/cassandra/thrift/CassandraServer.java @@ -1489,8 +1489,11 @@ public class CassandraServer implements Cassandra.Iface cf_def.unsetId(); // explicitly ignore any id set by client (Hector likes to set zero) CFMetaData cfm = CFMetaData.fromThrift(cf_def); CFMetaData.validateCompactionOptions(cfm.compactionStrategyClass, cfm.compactionStrategyOptions); - cfm.addDefaultIndexNames(); + + if (!cfm.getTriggers().isEmpty()) + state().ensureIsSuper("Only superusers are allowed to add triggers."); + MigrationManager.announceNewColumnFamily(cfm); return Schema.instance.getVersion().toString(); } 
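Review bot: `ensureIsSuper` in ClientState checks nothing when `DatabaseDescriptor.getAuthenticator().requireAuthentication()` returns false, so under such an authenticator every client passes, including one with `user == null`. CREATE TRIGGER and DROP TRIGGER in this commit replace their `Permission.ALTER` check with this method, so in that configuration those statements appear to have no access check left, whatever authorizer is configured. If that is intended (everyone is treated as a superuser when authentication is off), say so in a Javadoc on the method, e.g. `/** Throws unless the current user is a superuser; a no-op when the authenticator does not require authentication. */`. If it is not intended, keeping the ALTER check in the callers alongside this one would preserve the authorizer's decision.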
@@ -1546,6 +1549,10 @@ public class CassandraServer implements Cassandra.Iface cf_def.unsetId(); // explicitly ignore any id set by client (same as system_add_column_family) CFMetaData cfm = CFMetaData.fromThrift(cf_def); cfm.addDefaultIndexNames(); + + if (!cfm.getTriggers().isEmpty()) + state().ensureIsSuper("Only superusers are allowed to add triggers."); + cfDefs.add(cfm); } MigrationManager.announceNewKeyspace(KSMetaData.fromThrift(ks_def, cfDefs.toArray(new CFMetaData[cfDefs.size()]))); @@ -1610,16 +1617,22 @@ public class CassandraServer implements Cassandra.Iface { if (cf_def.keyspace == null || cf_def.name == null) throw new InvalidRequestException("Keyspace and CF name must be set."); + + state().hasColumnFamilyAccess(cf_def.keyspace, cf_def.name, Permission.ALTER); CFMetaData oldCfm = Schema.instance.getCFMetaData(cf_def.keyspace, cf_def.name); + if (oldCfm == null) throw new InvalidRequestException("Could not find column family definition to modify."); - state().hasColumnFamilyAccess(cf_def.keyspace, cf_def.name, Permission.ALTER); CFMetaData.applyImplicitDefaults(cf_def); CFMetaData cfm = CFMetaData.fromThrift(cf_def); CFMetaData.validateCompactionOptions(cfm.compactionStrategyClass, cfm.compactionStrategyOptions); cfm.addDefaultIndexNames(); + + if (!oldCfm.getTriggers().equals(cfm.getTriggers())) + state().ensureIsSuper("Only superusers are allowed to add or remove triggers."); + MigrationManager.announceColumnFamilyUpdate(cfm, true); return Schema.instance.getVersion().toString(); }
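Review bot: In the last hunk (the column family update path), the superuser gate depends on `!oldCfm.getTriggers().equals(cfm.getTriggers())`, so it is only as precise as the equality of the trigger definitions in that collection, which this diff does not show. If those definitions lack value-based `equals`/`hashCode`, a Thrift update that resends unchanged triggers would count as a change and be refused for non-superusers. That fails closed, but it deserves a test that a non-superuser with ALTER can still update a table whose triggers are untouched. A comment above the check, such as `// trigger changes need superuser on top of ALTER; unchanged triggers must compare equal here`, would make the dependency visible. The enclosing method starts outside the hunk.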
