[jira] [Commented] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16282744#comment-16282744 ]

Kurt Greaves commented on CASSANDRA-14088:
------------------------------------------

For the record, unit tests passed for me (I just didn't bother checking because I'd recently been flooded by build failures from CircleCI).
[unit|https://circleci.com/gh/kgreav/cassandra/45]
Seems that it failed on [3.11|https://circleci.com/gh/kgreav/cassandra/44] but on an unrelated error.

> Forward slash in role name breaks CassandraAuthorizer
> -----------------------------------------------------
>
>                 Key: CASSANDRA-14088
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14088
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Auth
>         Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d ({{HEAD}} of {{trunk}}).
>            Reporter: Jesse Haber-Kucharsky
>            Assignee: Kurt Greaves
>            Priority: Minor
>             Fix For: 3.0.16, 3.11.2, 4.0
>
>
> The standard system authorizer ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions granted to each user for a given resource in {{system_auth.role_permissions}}.
> A resource like the {{my_keyspace.items}} table is stored as {{"data/my_keyspace/items"}} (note the {{/}} delimiter).
> Similarly, role resources (like the {{joe}} role) are stored as {{"roles/joe"}}.
> The problem is that roles can be created with {{/}} in their names, which confuses the authorizer when the table is queried.
> For example,
> {code}
> $ bin/cqlsh -u cassandra -p cassandra
> Connected to Test Cluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh> CREATE ROLE emperor;
> cassandra@cqlsh> CREATE ROLE "ki/ng";
> cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
> cassandra@cqlsh> LIST ROLES;
>  role      | super | login | options
> -----------+-------+-------+---------
>  cassandra |  True |  True |        {}
>    emperor | False | False |        {}
>      ki/ng | False | False |        {}
> (3 rows)
> cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
>  role      | resource      | permissions
> -----------+---------------+--------------------------------
>    emperor |   roles/ki/ng |                      {'ALTER'}
>  cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
>  cassandra |   roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
> (3 rows)
> cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
> ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name
> {code}
> Here's the backtrace from the server process:
> {code}
> ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811 QueryMessage.java:129 - Unexpected error during query
> java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name
>     at org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) ~[main/:na]
>     at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) ~[main/:na]
>     at org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) ~[main/:na]
>     at org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) ~[main/:na]
>     at org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) ~[main/:na]
>     at org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) ~[main/:na]
>     at org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) ~[main/:na]
>     at org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) ~[main/:na]
>     at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) ~[main/:na]
>     at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) ~[main/:na]
>     at org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) ~[main/:na]
>     at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) [main/:na]
>     at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na]
>     at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.1.14.Final.jar:4.1.14.Final]
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-all-4.1.14.Final.jar:4.1.14.Final]
>     at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) [nett
[jira] [Commented] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16282536#comment-16282536 ]

Jeremiah Jordan commented on CASSANDRA-14088:
---------------------------------------------

I ran the unit test locally that extensively tests the change. Feel free to remove the ready to commit if you want a full dtest run for it, but given we don't have any dtests which use "/" in a name I did not feel it was needed.
[jira] [Commented] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16282517#comment-16282517 ]

Jeff Jirsa commented on CASSANDRA-14088:
----------------------------------------

This is marked ready to commit, but there's no mention of utest/dtests at all - if they're clean I'll commit, but could someone confirm that they're clean?
[jira] [Commented] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16281250#comment-16281250 ]

Jeremiah Jordan commented on CASSANDRA-14088:
---------------------------------------------

Agreed, we should just limit to only splitting the first "/". Patch LGTM +1.
[jira] [Commented] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=1628#comment-1628 ]

Kurt Greaves commented on CASSANDRA-14088:
------------------------------------------

Wild guess but I'd say it's probably because they have complicated role/permission domains and break them up by slashes in their environment, and would find it easiest to continue to use the same roles in C*, rather than having to change their delimiter. I've seen similar cases before w.r.t PKI/CN's/DN's.

Seeing as fromName is defined per resource I don't see why we can't have specific implementations for each {{Resource}}. In fact, in {{DataResource}} and {{FunctionResource}} we already handle each name differently as we require 3 {{/}} separators (+different sep's for {{FunctionResource}}).

At the moment any character is allowed in a role name except for slash, because of this issue. We only really care about the first slash, if we ever cared about more than that we'd be creating a new {{Resource}} anyway.
[jira] [Commented] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16276491#comment-16276491 ]

Robert Stupp commented on CASSANDRA-14088:
------------------------------------------

Before we continue with this one - what's the reason for the forward slash(es) in the role name?

The delimiter {{/}} was chosen to split components - handling that differently across different resource types would be inconsistent.

I'd be much more in favor of validating the role name in {{CreateRoleStatement}} and restricting role names to a defined set of characters, like we do for keyspaces and tables.
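
The two options discussed in this thread, as an added Java sketch (not Cassandra's source and not the committed patch): parsing the stored {{roles/<name>}} string by splitting on every {{/}} versus only the first one, next to the alternative of rejecting such names when the role is created. The class and method names and the {{\w+}} character set are assumptions made for the illustration; the sample role names are constructed.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class RoleResourceNameDemo {
    static final String ROOT = "roles";

    // Assumption: a keyspace-style character set for the create-time check
    // proposed in the thread; the real set would be a project decision.
    static final Pattern RESTRICTED = Pattern.compile("\\w+");

    // Stored form as shown in system_auth.role_permissions: "roles/<role>".
    static String toName(String role) {
        return ROOT + "/" + role;
    }

    // Splits on every "/" and allows at most two components, so a role name
    // that contains "/" can be written to the table but not parsed back.
    // Note: String.split(regex) drops trailing empty strings, so the result
    // can differ from the original role; main() reports the round trip.
    static String parseEverySlash(String name) {
        String[] parts = name.split("/");
        if (!parts[0].equals(ROOT) || parts.length > 2)
            throw new IllegalArgumentException(name + " is not a valid role resource name");
        return parts.length == 1 ? null : parts[1]; // null = root-level "roles"
    }

    // Splits on the first "/" only: everything after the "roles" prefix is
    // the role name, whatever characters it contains.
    static String parseFirstSlash(String name) {
        String[] parts = name.split("/", 2);
        if (!parts[0].equals(ROOT))
            throw new IllegalArgumentException(name + " is not a valid role resource name");
        return parts.length == 1 ? null : parts[1];
    }

    // The alternative: refuse the name up front instead of changing the parser.
    static boolean allowedAtCreate(String role) {
        return RESTRICTED.matcher(role).matches();
    }

    // Runs one of the parsers and turns a rejection into a printable string.
    static String attempt(String stored, boolean firstSlashOnly) {
        try {
            return firstSlashOnly ? parseFirstSlash(stored) : parseEverySlash(stored);
        } catch (IllegalArgumentException e) {
            return "ERROR(" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the two roles from the report plus edge cases.
        List<String> roles = Arrays.asList("emperor", "ki/ng", "org/team/admin", "king/");
        for (String role : roles) {
            String stored = toName(role);
            String every = attempt(stored, false);
            String first = attempt(stored, true);
            System.out.printf("role=%s stored=%s%n", role, stored);
            System.out.printf("  every-slash parse : %s (round-trips: %b)%n", every, role.equals(every));
            System.out.printf("  first-slash parse : %s (round-trips: %b)%n", first, role.equals(first));
            System.out.printf("  create-time check : %s%n", allowedAtCreate(role) ? "accepted" : "rejected");
        }
        // A non-role resource must still be refused by the role parser.
        System.out.println(attempt("data/my_keyspace/items", true));
    }
}
```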