adelapena commented on a change in pull request #1263:
URL: https://github.com/apache/cassandra/pull/1263#discussion_r727090709



##########
File path: test/unit/org/apache/cassandra/cql3/CQLTester.java
##########
@@ -177,6 +192,24 @@ protected boolean usePrepared()
         return usePrepared;
     }
 
+    /**
+     * Use the specified user for executing the queries over the network.
+     * @param username the user name
+     * @param password the user password
+     */
+    public void useUser(String username, String password)

Review comment:
       It's great that we have this available! :)

##########
File path: src/java/org/apache/cassandra/service/ClientState.java
##########
@@ -366,6 +366,11 @@ public void ensureKeyspacePermission(String keyspace, 
Permission perm)
         ensurePermission(keyspace, perm, DataResource.keyspace(keyspace));
     }
 
+    public void ensureAllTablePermission(String keyspace, Permission perm)
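Review bot: `ensureAllTablePermission` is added as a public authorization check with no Javadoc, so the signature alone does not say which resource it tests. The context line above shows `ensureKeyspacePermission` checking `DataResource.keyspace(keyspace)`; the new method presumably checks the all-tables-in-keyspace resource instead, and that difference is worth stating because the two grants are not interchangeable. I would add `/** Ensures the user holds {@code perm} on all tables of {@code keyspace}, as opposed to on the keyspace itself. */`, adjusted to what the body really does, since the body lies outside this quoted hunk.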

Review comment:
       I guess it should be `ensureAllTablesPermission`

##########
File path: test/unit/org/apache/cassandra/auth/GrantAndRevokeTest.java
##########
@@ -0,0 +1,222 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.cassandra.auth;
+
+import org.junit.After;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import org.apache.cassandra.config.DatabaseDescriptor;
+import org.apache.cassandra.cql3.CQLTester;
+
+public class GrantAndRevokeTest extends CQLTester
+{
+    private static final String user = "user";
+    private static final String pass = "12345";
+
+    @BeforeClass
+    public static void setUpClass()
+    {
+        DatabaseDescriptor.setPermissionsValidity(-1);
+        CQLTester.setUpClass();
+        requireAuthentication();
+        requireNetwork();
+    }
+
+    @After
+    public void tearDown() throws Throwable
+    {
+        useSuperUser();
+        executeNet("DROP ROLE " + user);
+    }
+
+    @Test
+    public void testGrantedKeyspace() throws Throwable
+    {
+        useSuperUser();
+
+        executeNet(String.format("CREATE ROLE %s WITH LOGIN = TRUE AND 
password='%s'", user, pass));
+        executeNet("GRANT CREATE ON KEYSPACE " + KEYSPACE_PER_TEST + " TO " + 
user);
+        String table = KEYSPACE_PER_TEST + "." + 
createTable(KEYSPACE_PER_TEST, "CREATE TABLE %s (pk int, ck int, val int, 
PRIMARY KEY (pk, ck))");
+        String type = KEYSPACE_PER_TEST + "." + createType(KEYSPACE_PER_TEST, 
"CREATE TYPE %s (a int, b text)");
+
+        useUser(user, pass);
+
+        // ALTER and DROP tables created by somebody else
+        assertUnauthorizedQuery("User user has no MODIFY permission on <table 
" + table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "INSERT INTO %s 
(pk, ck, val) VALUES (1, 1, 1)"));
+        assertUnauthorizedQuery("User user has no SELECT permission on <table 
" +  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "SELECT * FROM 
%s WHERE pk = 1 AND ck = 1"));
+        assertUnauthorizedQuery("User user has no MODIFY permission on <table 
" +  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "TRUNCATE TABLE 
%s"));
+        assertUnauthorizedQuery("User user has no ALTER permission on <table " 
+  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE %s 
ADD val_2 int"));
+        assertUnauthorizedQuery("User user has no DROP permission on <table " 
+  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "DROP TABLE 
%s"));
+        assertUnauthorizedQuery("User user has no ALTER permission on <all 
tables in " + KEYSPACE_PER_TEST + "> or any of its parents",
+                                "ALTER TYPE " + type + " ADD c bigint");
+        assertUnauthorizedQuery("User user has no DROP permission on <all 
tables in " + KEYSPACE_PER_TEST + "> or any of its parents",
+                                "DROP TYPE " + type);
+
+        useSuperUser();
+
+        executeNet("GRANT ALTER ON KEYSPACE " + KEYSPACE_PER_TEST + " TO " + 
user);
+        executeNet("GRANT DROP ON KEYSPACE " + KEYSPACE_PER_TEST + " TO " + 
user);
+        executeNet("GRANT SELECT ON KEYSPACE " + KEYSPACE_PER_TEST + " TO " + 
user);
+        executeNet("GRANT MODIFY ON KEYSPACE " + KEYSPACE_PER_TEST + " TO " + 
user);
+
+        useUser(user, pass);
+
+        executeNet("ALTER KEYSPACE " + KEYSPACE_PER_TEST + " WITH replication 
= {'class': 'SimpleStrategy', 'replication_factor': '1'}");
+
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "INSERT INTO %s (pk, ck, 
val) VALUES (1, 1, 1)"));
+        assertRowsNet(executeNet(formatQuery(KEYSPACE_PER_TEST, "SELECT * FROM 
%s WHERE pk = 1 AND ck = 1")), row(1, 1, 1));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "TRUNCATE TABLE %s"));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE %s ADD val_2 
int"));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "DROP TABLE %s"));
+        executeNet("ALTER TYPE " + type + " ADD c bigint");
+        executeNet("DROP TYPE " + type);
+
+        createTableName();
+        String type2 = KEYSPACE_PER_TEST + "." + createTypeName();
+        executeNet("CREATE TYPE " + type2 + " (a int, b text)");
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "CREATE TABLE %s (pk int, ck 
int, val int, PRIMARY KEY (pk, ck))"));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "INSERT INTO %s (pk, ck, 
val) VALUES (1, 1, 1)"));
+        assertRowsNet(executeNet(formatQuery(KEYSPACE_PER_TEST, "SELECT * FROM 
%s WHERE pk = 1 AND ck = 1")), row(1, 1, 1));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "TRUNCATE TABLE %s"));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE %s ADD val_2 
int"));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "DROP TABLE %s"));
+        executeNet("ALTER TYPE " + type2 + " ADD c bigint");
+        executeNet("DROP TYPE " + type2);
+
+        useSuperUser();
+
+        executeNet("REVOKE ALTER ON KEYSPACE " + KEYSPACE_PER_TEST + " FROM " 
+ user);
+        executeNet("REVOKE DROP ON KEYSPACE " + KEYSPACE_PER_TEST + " FROM " + 
user);
+        executeNet("REVOKE SELECT ON KEYSPACE " + KEYSPACE_PER_TEST + " FROM " 
+ user);
+        executeNet("REVOKE MODIFY ON KEYSPACE " + KEYSPACE_PER_TEST + " FROM " 
+ user);
+
+        table = KEYSPACE_PER_TEST + "." + createTable(KEYSPACE_PER_TEST, 
"CREATE TABLE %s (pk int, ck int, val int, PRIMARY KEY (pk, ck))");
+        type = KEYSPACE_PER_TEST + "." + createType(KEYSPACE_PER_TEST, "CREATE 
TYPE %s (a int, b text)");
+
+        useUser(user, pass);
+
+        assertUnauthorizedQuery("User user has no MODIFY permission on <table 
" + table + "> or any of its parents",
+                                "INSERT INTO " + table + " (pk, ck, val) 
VALUES (1, 1, 1)");
+        assertUnauthorizedQuery("User user has no SELECT permission on <table 
" + table + "> or any of its parents",
+                                "SELECT * FROM " + table + " WHERE pk = 1 AND 
ck = 1");
+        assertUnauthorizedQuery("User user has no MODIFY permission on <table 
" + table + "> or any of its parents",
+                                "TRUNCATE TABLE " + table);
+        assertUnauthorizedQuery("User user has no ALTER permission on <table " 
+ table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE " 
+ table + " ADD val_2 int"));
+        assertUnauthorizedQuery("User user has no DROP permission on <table " 
+ table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "DROP TABLE " + 
table));
+        assertUnauthorizedQuery("User user has no ALTER permission on <all 
tables in " + KEYSPACE_PER_TEST + "> or any of its parents",
+                                "ALTER TYPE " + type + " ADD c bigint");
+        assertUnauthorizedQuery("User user has no DROP permission on <all 
tables in " + KEYSPACE_PER_TEST + "> or any of its parents",
+                                "DROP TYPE " + type);
+    }
+
+    @Test
+    public void testGrantedAllTables() throws Throwable
+    {
+        useSuperUser();
+
+        executeNet(String.format("CREATE ROLE %s WITH LOGIN = TRUE AND 
password='%s'", user, pass));
+        executeNet("GRANT CREATE ON ALL TABLES IN KEYSPACE " + 
KEYSPACE_PER_TEST + " TO " + user);
+        String table = KEYSPACE_PER_TEST + "." + 
createTable(KEYSPACE_PER_TEST, "CREATE TABLE %s (pk int, ck int, val int, 
PRIMARY KEY (pk, ck))");
+        String type = KEYSPACE_PER_TEST + "." + createType(KEYSPACE_PER_TEST, 
"CREATE TYPE %s (a int, b text)");
+
+        useUser(user, pass);
+
+        // ALTER and DROP tables created by somebody else
+        assertUnauthorizedQuery("User user has no MODIFY permission on <table 
" + table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "INSERT INTO %s 
(pk, ck, val) VALUES (1, 1, 1)"));
+        assertUnauthorizedQuery("User user has no SELECT permission on <table 
" +  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "SELECT * FROM 
%s WHERE pk = 1 AND ck = 1"));
+        assertUnauthorizedQuery("User user has no MODIFY permission on <table 
" +  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "TRUNCATE TABLE 
%s"));
+        assertUnauthorizedQuery("User user has no ALTER permission on <table " 
+  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE %s 
ADD val_2 int"));
+        assertUnauthorizedQuery("User user has no DROP permission on <table " 
+  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "DROP TABLE 
%s"));
+        assertUnauthorizedQuery("User user has no ALTER permission on <all 
tables in " + KEYSPACE_PER_TEST + "> or any of its parents",
+                                "ALTER TYPE " + type + " ADD c bigint");
+        assertUnauthorizedQuery("User user has no DROP permission on <all 
tables in " + KEYSPACE_PER_TEST + "> or any of its parents",
+                                "DROP TYPE " + type);
+
+        useSuperUser();
+
+        executeNet("GRANT ALTER ON ALL TABLES IN KEYSPACE " + 
KEYSPACE_PER_TEST + " TO " + user);
+        executeNet("GRANT DROP ON ALL TABLES IN KEYSPACE " + KEYSPACE_PER_TEST 
+ " TO " + user);
+        executeNet("GRANT SELECT ON ALL TABLES IN KEYSPACE " + 
KEYSPACE_PER_TEST + " TO " + user);
+        executeNet("GRANT MODIFY ON ALL TABLES IN KEYSPACE " + 
KEYSPACE_PER_TEST + " TO " + user);
+
+        useUser(user, pass);
+
+        assertUnauthorizedQuery("User user has no ALTER permission on 
<keyspace " + KEYSPACE_PER_TEST + "> or any of its parents",
+                                "ALTER KEYSPACE " + KEYSPACE_PER_TEST + " WITH 
replication = {'class': 'SimpleStrategy', 'replication_factor': '1'}");
+
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "INSERT INTO %s (pk, ck, 
val) VALUES (1, 1, 1)"));
+        assertRowsNet(executeNet(formatQuery(KEYSPACE_PER_TEST, "SELECT * FROM 
%s WHERE pk = 1 AND ck = 1")), row(1, 1, 1));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "TRUNCATE TABLE %s"));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE %s ADD val_2 
int"));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "DROP TABLE %s"));
+        executeNet("ALTER TYPE " + type + " ADD c bigint");
+        executeNet("DROP TYPE " + type);
+
+        createTableName();
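Review bot: In `testGrantedKeyspace` the block after the REVOKE statements never re-checks `ALTER KEYSPACE`, although that statement runs successfully after `GRANT ALTER ON KEYSPACE` and is the only one in the test aimed at the keyspace resource itself. The revoke is therefore verified only through table and type statements. After the final `useUser(user, pass)` I would add the assertion that `testGrantedAllTables` already makes, presumably with the same message: `assertUnauthorizedQuery("User user has no ALTER permission on <keyspace " + KEYSPACE_PER_TEST + "> or any of its parents", "ALTER KEYSPACE " + KEYSPACE_PER_TEST + " WITH replication = {'class': 'SimpleStrategy', 'replication_factor': '1'}");`. The quote is cut inside `testGrantedAllTables`, so the rest of that test is not visible here.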

Review comment:
       I understand that this is here to generate a new `currentTable()` for 
the calls to `formatQuery` below, although it seems incidentally no-op here, is 
this right? Could we add a brief inline comment like `create a new table name 
for the next calls to formatQuery`?

##########
File path: test/unit/org/apache/cassandra/auth/RoleOptionsTest.java
##########
@@ -21,6 +21,7 @@
 import java.util.*;
 
 import com.google.common.collect.ImmutableSet;
+

Review comment:
       Do we need the changes in this file?

##########
File path: test/unit/org/apache/cassandra/auth/GrantAndRevokeTest.java
##########
@@ -0,0 +1,222 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.cassandra.auth;
+
+import org.junit.After;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import org.apache.cassandra.config.DatabaseDescriptor;
+import org.apache.cassandra.cql3.CQLTester;
+
+public class GrantAndRevokeTest extends CQLTester
+{
+    private static final String user = "user";
+    private static final String pass = "12345";
+
+    @BeforeClass
+    public static void setUpClass()
+    {
+        DatabaseDescriptor.setPermissionsValidity(-1);
+        CQLTester.setUpClass();
+        requireAuthentication();
+        requireNetwork();
+    }
+
+    @After
+    public void tearDown() throws Throwable
+    {
+        useSuperUser();
+        executeNet("DROP ROLE " + user);
+    }
+
+    @Test
+    public void testGrantedKeyspace() throws Throwable
+    {
+        useSuperUser();
+
+        executeNet(String.format("CREATE ROLE %s WITH LOGIN = TRUE AND 
password='%s'", user, pass));
+        executeNet("GRANT CREATE ON KEYSPACE " + KEYSPACE_PER_TEST + " TO " + 
user);
+        String table = KEYSPACE_PER_TEST + "." + 
createTable(KEYSPACE_PER_TEST, "CREATE TABLE %s (pk int, ck int, val int, 
PRIMARY KEY (pk, ck))");
+        String type = KEYSPACE_PER_TEST + "." + createType(KEYSPACE_PER_TEST, 
"CREATE TYPE %s (a int, b text)");
+
+        useUser(user, pass);
+
+        // ALTER and DROP tables created by somebody else
+        assertUnauthorizedQuery("User user has no MODIFY permission on <table 
" + table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "INSERT INTO %s 
(pk, ck, val) VALUES (1, 1, 1)"));
+        assertUnauthorizedQuery("User user has no SELECT permission on <table 
" +  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "SELECT * FROM 
%s WHERE pk = 1 AND ck = 1"));
+        assertUnauthorizedQuery("User user has no MODIFY permission on <table 
" +  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "TRUNCATE TABLE 
%s"));
+        assertUnauthorizedQuery("User user has no ALTER permission on <table " 
+  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE %s 
ADD val_2 int"));
+        assertUnauthorizedQuery("User user has no DROP permission on <table " 
+  table + "> or any of its parents",
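Review bot: `tearDown` issues `DROP ROLE user` unconditionally, so when a test fails before its `CREATE ROLE` has run, the `@After` hook fails as well and adds a second error on top of the real one. `executeNet("DROP ROLE IF EXISTS " + user);` keeps the cleanup quiet in that case. The same lines appear in the other quotes of this file on the page, and this quote is cut inside `testGrantedKeyspace`.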

Review comment:
       Nit: there are a few double spaces around here
   ```suggestion
           assertUnauthorizedQuery("User user has no SELECT permission on 
<table " + table + "> or any of its parents",
                                   formatQuery(KEYSPACE_PER_TEST, "SELECT * 
FROM %s WHERE pk = 1 AND ck = 1"));
           assertUnauthorizedQuery("User user has no MODIFY permission on 
<table " + table + "> or any of its parents",
                                   formatQuery(KEYSPACE_PER_TEST, "TRUNCATE 
TABLE %s"));
           assertUnauthorizedQuery("User user has no ALTER permission on <table 
" + table + "> or any of its parents",
                                   formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE 
%s ADD val_2 int"));
           assertUnauthorizedQuery("User user has no DROP permission on <table 
" + table + "> or any of its parents",
   ```

##########
File path: test/unit/org/apache/cassandra/auth/GrantAndRevokeTest.java
##########
@@ -0,0 +1,222 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.cassandra.auth;
+
+import org.junit.After;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import org.apache.cassandra.config.DatabaseDescriptor;
+import org.apache.cassandra.cql3.CQLTester;
+
+public class GrantAndRevokeTest extends CQLTester
+{
+    private static final String user = "user";
+    private static final String pass = "12345";
+
+    @BeforeClass
+    public static void setUpClass()
+    {
+        DatabaseDescriptor.setPermissionsValidity(-1);
+        CQLTester.setUpClass();
+        requireAuthentication();
+        requireNetwork();
+    }
+
+    @After
+    public void tearDown() throws Throwable
+    {
+        useSuperUser();
+        executeNet("DROP ROLE " + user);
+    }
+
+    @Test
+    public void testGrantedKeyspace() throws Throwable
+    {
+        useSuperUser();
+
+        executeNet(String.format("CREATE ROLE %s WITH LOGIN = TRUE AND 
password='%s'", user, pass));
+        executeNet("GRANT CREATE ON KEYSPACE " + KEYSPACE_PER_TEST + " TO " + 
user);
+        String table = KEYSPACE_PER_TEST + "." + 
createTable(KEYSPACE_PER_TEST, "CREATE TABLE %s (pk int, ck int, val int, 
PRIMARY KEY (pk, ck))");
+        String type = KEYSPACE_PER_TEST + "." + createType(KEYSPACE_PER_TEST, 
"CREATE TYPE %s (a int, b text)");
+
+        useUser(user, pass);
+
+        // ALTER and DROP tables created by somebody else
+        assertUnauthorizedQuery("User user has no MODIFY permission on <table 
" + table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "INSERT INTO %s 
(pk, ck, val) VALUES (1, 1, 1)"));
+        assertUnauthorizedQuery("User user has no SELECT permission on <table 
" +  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "SELECT * FROM 
%s WHERE pk = 1 AND ck = 1"));
+        assertUnauthorizedQuery("User user has no MODIFY permission on <table 
" +  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "TRUNCATE TABLE 
%s"));
+        assertUnauthorizedQuery("User user has no ALTER permission on <table " 
+  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE %s 
ADD val_2 int"));
+        assertUnauthorizedQuery("User user has no DROP permission on <table " 
+  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "DROP TABLE 
%s"));
+        assertUnauthorizedQuery("User user has no ALTER permission on <all 
tables in " + KEYSPACE_PER_TEST + "> or any of its parents",
+                                "ALTER TYPE " + type + " ADD c bigint");
+        assertUnauthorizedQuery("User user has no DROP permission on <all 
tables in " + KEYSPACE_PER_TEST + "> or any of its parents",
+                                "DROP TYPE " + type);
+
+        useSuperUser();
+
+        executeNet("GRANT ALTER ON KEYSPACE " + KEYSPACE_PER_TEST + " TO " + 
user);
+        executeNet("GRANT DROP ON KEYSPACE " + KEYSPACE_PER_TEST + " TO " + 
user);
+        executeNet("GRANT SELECT ON KEYSPACE " + KEYSPACE_PER_TEST + " TO " + 
user);
+        executeNet("GRANT MODIFY ON KEYSPACE " + KEYSPACE_PER_TEST + " TO " + 
user);
+
+        useUser(user, pass);
+
+        executeNet("ALTER KEYSPACE " + KEYSPACE_PER_TEST + " WITH replication 
= {'class': 'SimpleStrategy', 'replication_factor': '1'}");
+
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "INSERT INTO %s (pk, ck, 
val) VALUES (1, 1, 1)"));
+        assertRowsNet(executeNet(formatQuery(KEYSPACE_PER_TEST, "SELECT * FROM 
%s WHERE pk = 1 AND ck = 1")), row(1, 1, 1));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "TRUNCATE TABLE %s"));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE %s ADD val_2 
int"));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "DROP TABLE %s"));
+        executeNet("ALTER TYPE " + type + " ADD c bigint");
+        executeNet("DROP TYPE " + type);
+
+        createTableName();
+        String type2 = KEYSPACE_PER_TEST + "." + createTypeName();
+        executeNet("CREATE TYPE " + type2 + " (a int, b text)");
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "CREATE TABLE %s (pk int, ck 
int, val int, PRIMARY KEY (pk, ck))"));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "INSERT INTO %s (pk, ck, 
val) VALUES (1, 1, 1)"));
+        assertRowsNet(executeNet(formatQuery(KEYSPACE_PER_TEST, "SELECT * FROM 
%s WHERE pk = 1 AND ck = 1")), row(1, 1, 1));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "TRUNCATE TABLE %s"));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE %s ADD val_2 
int"));
+        executeNet(formatQuery(KEYSPACE_PER_TEST, "DROP TABLE %s"));
+        executeNet("ALTER TYPE " + type2 + " ADD c bigint");
+        executeNet("DROP TYPE " + type2);
+
+        useSuperUser();
+
+        executeNet("REVOKE ALTER ON KEYSPACE " + KEYSPACE_PER_TEST + " FROM " 
+ user);
+        executeNet("REVOKE DROP ON KEYSPACE " + KEYSPACE_PER_TEST + " FROM " + 
user);
+        executeNet("REVOKE SELECT ON KEYSPACE " + KEYSPACE_PER_TEST + " FROM " 
+ user);
+        executeNet("REVOKE MODIFY ON KEYSPACE " + KEYSPACE_PER_TEST + " FROM " 
+ user);
+
+        table = KEYSPACE_PER_TEST + "." + createTable(KEYSPACE_PER_TEST, 
"CREATE TABLE %s (pk int, ck int, val int, PRIMARY KEY (pk, ck))");
+        type = KEYSPACE_PER_TEST + "." + createType(KEYSPACE_PER_TEST, "CREATE 
TYPE %s (a int, b text)");
+
+        useUser(user, pass);
+
+        assertUnauthorizedQuery("User user has no MODIFY permission on <table 
" + table + "> or any of its parents",
+                                "INSERT INTO " + table + " (pk, ck, val) 
VALUES (1, 1, 1)");
+        assertUnauthorizedQuery("User user has no SELECT permission on <table 
" + table + "> or any of its parents",
+                                "SELECT * FROM " + table + " WHERE pk = 1 AND 
ck = 1");
+        assertUnauthorizedQuery("User user has no MODIFY permission on <table 
" + table + "> or any of its parents",
+                                "TRUNCATE TABLE " + table);
+        assertUnauthorizedQuery("User user has no ALTER permission on <table " 
+ table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE " 
+ table + " ADD val_2 int"));
+        assertUnauthorizedQuery("User user has no DROP permission on <table " 
+ table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "DROP TABLE " + 
table));
+        assertUnauthorizedQuery("User user has no ALTER permission on <all 
tables in " + KEYSPACE_PER_TEST + "> or any of its parents",
+                                "ALTER TYPE " + type + " ADD c bigint");
+        assertUnauthorizedQuery("User user has no DROP permission on <all 
tables in " + KEYSPACE_PER_TEST + "> or any of its parents",
+                                "DROP TYPE " + type);
+    }
+
+    @Test
+    public void testGrantedAllTables() throws Throwable
+    {
+        useSuperUser();
+
+        executeNet(String.format("CREATE ROLE %s WITH LOGIN = TRUE AND 
password='%s'", user, pass));
+        executeNet("GRANT CREATE ON ALL TABLES IN KEYSPACE " + 
KEYSPACE_PER_TEST + " TO " + user);
+        String table = KEYSPACE_PER_TEST + "." + 
createTable(KEYSPACE_PER_TEST, "CREATE TABLE %s (pk int, ck int, val int, 
PRIMARY KEY (pk, ck))");
+        String type = KEYSPACE_PER_TEST + "." + createType(KEYSPACE_PER_TEST, 
"CREATE TYPE %s (a int, b text)");
+
+        useUser(user, pass);
+
+        // ALTER and DROP tables created by somebody else
+        assertUnauthorizedQuery("User user has no MODIFY permission on <table 
" + table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "INSERT INTO %s 
(pk, ck, val) VALUES (1, 1, 1)"));
+        assertUnauthorizedQuery("User user has no SELECT permission on <table 
" +  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "SELECT * FROM 
%s WHERE pk = 1 AND ck = 1"));
+        assertUnauthorizedQuery("User user has no MODIFY permission on <table 
" +  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "TRUNCATE TABLE 
%s"));
+        assertUnauthorizedQuery("User user has no ALTER permission on <table " 
+  table + "> or any of its parents",
+                                formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE %s 
ADD val_2 int"));
+        assertUnauthorizedQuery("User user has no DROP permission on <table " 
+  table + "> or any of its parents",
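Review bot: `DatabaseDescriptor.setPermissionsValidity(-1)` in `setUpClass` is a bare magic value with no comment, yet every assertion that follows a GRANT or REVOKE presumably relies on it to see permission changes at once rather than from a cache. If a later refactor drops or changes that call, the negative checks could turn flaky or stop reflecting the real authorization state. I would add a line above it such as `// disable the permissions cache so GRANT/REVOKE are visible immediately`, after confirming that this is what -1 does. This quote is cut inside `testGrantedAllTables`.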

Review comment:
       Nit: there are a few double spaces around here
   ```suggestion
           assertUnauthorizedQuery("User user has no SELECT permission on 
<table " + table + "> or any of its parents",
                                   formatQuery(KEYSPACE_PER_TEST, "SELECT * 
FROM %s WHERE pk = 1 AND ck = 1"));
           assertUnauthorizedQuery("User user has no MODIFY permission on 
<table " + table + "> or any of its parents",
                                   formatQuery(KEYSPACE_PER_TEST, "TRUNCATE 
TABLE %s"));
           assertUnauthorizedQuery("User user has no ALTER permission on <table 
" + table + "> or any of its parents",
                                   formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE 
%s ADD val_2 int"));
           assertUnauthorizedQuery("User user has no DROP permission on <table 
" + table + "> or any of its parents",
   ```



