Fix GRANT/REVOKE when keyspace isn't specified patch by Aleksey Yeschenko; reviewed by Sam Tunnicliffe for CASSANDRA-13053
Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/e4be2d06 Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/e4be2d06 Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/e4be2d06 Branch: refs/heads/cassandra-3.0 Commit: e4be2d06b756106d7ad31b36b3cc46bc97088064 Parents: 44fefef Author: Aleksey Yeschenko <alek...@apache.org> Authored: Tue Feb 28 18:23:00 2017 +0000 Committer: Aleksey Yeschenko <alek...@apache.org> Committed: Wed Mar 8 00:16:10 2017 +0000 ---------------------------------------------------------------------- CHANGES.txt | 2 ++ .../cql3/statements/PermissionsManagementStatement.java | 5 +++++ 2 files changed, 7 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cassandra/blob/e4be2d06/CHANGES.txt ---------------------------------------------------------------------- diff --git a/CHANGES.txt b/CHANGES.txt index ca1aa27..0982de9 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,4 +1,5 @@ 2.2.10 + * Fix GRANT/REVOKE when keyspace isn't specified (CASSANDRA-13053) * Avoid race on receiver by starting streaming sender thread after sending init message (CASSANDRA-12886) * Fix "multiple versions of ant detected..." when running ant test (CASSANDRA-13232) * Coalescing strategy sleeps too much (CASSANDRA-13090) @@ -11,6 +12,7 @@ Merged from 2.1: * Remove unused repositories (CASSANDRA-13278) * Log stacktrace of uncaught exceptions (CASSANDRA-13108) + 2.2.9 * Fix negative mean latency metric (CASSANDRA-12876) * Use only one file pointer when creating commitlog segments (CASSANDRA-12539) http://git-wip-us.apache.org/repos/asf/cassandra/blob/e4be2d06/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java b/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java index b22e400..56a2f26 100644 --- a/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java +++ b/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java @@ -50,6 +50,7 @@ public abstract class PermissionsManagementStatement extends AuthorizationStatem throw new InvalidRequestException(String.format("Role %s doesn't exist", grantee.getRoleName())); // if a keyspace is omitted when GRANT/REVOKE ON TABLE <table>, we need to correct the resource. + // called both here and in checkAccess(), as in some cases we do not call the latter. resource = maybeCorrectResource(resource, state); // altering permissions on builtin functions is not supported @@ -65,8 +66,12 @@ public abstract class PermissionsManagementStatement extends AuthorizationStatem public void checkAccess(ClientState state) throws UnauthorizedException { + // if a keyspace is omitted when GRANT/REVOKE ON TABLE <table>, we need to correct the resource. + resource = maybeCorrectResource(resource, state); + // check that the user has AUTHORIZE permission on the resource or its parents, otherwise reject GRANT/REVOKE. state.ensureHasPermission(Permission.AUTHORIZE, resource); + // check that the user has [a single permission or all in case of ALL] on the resource or its parents. for (Permission p : permissions) state.ensureHasPermission(p, resource);