[jira] [Commented] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[
https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16282744#comment-16282744
]
Kurt Greaves commented on CASSANDRA-14088:
--
For the record, unit tests passed for me (I just didn't bother checking because
I'd recently been flooded by build failures from CircleCI).
[unit|https://circleci.com/gh/kgreav/cassandra/45]
Seems that it failed on [3.11|https://circleci.com/gh/kgreav/cassandra/44] but
on an unrelated error.
> Forward slash in role name breaks CassandraAuthorizer
> -
>
> Key: CASSANDRA-14088
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14088
> Project: Cassandra
> Issue Type: Bug
> Components: Auth
> Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d
> ({{HEAD}} of {{trunk}}).
>Reporter: Jesse Haber-Kucharsky
>Assignee: Kurt Greaves
>Priority: Minor
> Fix For: 3.0.16, 3.11.2, 4.0
>
>
> The standard system authorizer
> ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions
> granted to each user for a given resource in {{system_auth.role_permissions}}.
> A resource like the {{my_keyspace.items}} table is stored as
> {{"data/my_keyspace/items"}} (note the {{/}} delimiter).
> Similarly, role resources (like the {{joe}} role) are stored as
> {{"roles/joe"}}.
> The problem is that roles can be created with {{/}} in their names, which
> confuses the authorizer when the table is queried.
> For example,
> {code}
> $ bin/cqlsh -u cassandra -p cassandra
> Connected to Test Cluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh> CREATE ROLE emperor;
> cassandra@cqlsh> CREATE ROLE "ki/ng";
> cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
> cassandra@cqlsh> LIST ROLES;
> role | super | login | options
> ---+---+---+-
> cassandra | True | True |{}
>emperor | False | False |{}
> ki/ng | False | False |{}
> (3 rows)
> cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
> role | resource | permissions
> ---+---+
>emperor | roles/ki/ng | {'ALTER'}
> cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
> cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
> (3 rows)
> cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
> ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid
> role resource name
> {code}
> Here's the backtrace from the server process:
> {code}
> ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811
> QueryMessage.java:129 - Unexpected error during query
> java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
> name
> at
> org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101)
> ~[main/:na]
> at org.apache.cassandra.auth.Resources.fromName(Resources.java:56)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223)
> ~[main/:na]
> at
> org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116)
> ~[main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517)
> [main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410)
> [main/:na]
> at
> io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38)
>
[jira] [Commented] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[
https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16282536#comment-16282536
]
Jeremiah Jordan commented on CASSANDRA-14088:
-
I ran the unit test locally that extensively tests the change. Feel free to
remove the ready to commit if you want a full dtest run for it, but given we
don't have any dtests which uses "/" in a name I did not feel it was needed.
> Forward slash in role name breaks CassandraAuthorizer
> -
>
> Key: CASSANDRA-14088
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14088
> Project: Cassandra
> Issue Type: Bug
> Components: Auth
> Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d
> ({{HEAD}} of {{trunk}}).
>Reporter: Jesse Haber-Kucharsky
>Assignee: Kurt Greaves
>Priority: Minor
> Fix For: 3.0.16, 3.11.2, 4.0
>
>
> The standard system authorizer
> ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions
> granted to each user for a given resource in {{system_auth.role_permissions}}.
> A resource like the {{my_keyspace.items}} table is stored as
> {{"data/my_keyspace/items"}} (note the {{/}} delimiter).
> Similarly, role resources (like the {{joe}} role) are stored as
> {{"roles/joe"}}.
> The problem is that roles can be created with {{/}} in their names, which
> confuses the authorizer when the table is queried.
> For example,
> {code}
> $ bin/cqlsh -u cassandra -p cassandra
> Connected to Test Cluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh> CREATE ROLE emperor;
> cassandra@cqlsh> CREATE ROLE "ki/ng";
> cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
> cassandra@cqlsh> LIST ROLES;
> role | super | login | options
> ---+---+---+-
> cassandra | True | True |{}
>emperor | False | False |{}
> ki/ng | False | False |{}
> (3 rows)
> cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
> role | resource | permissions
> ---+---+
>emperor | roles/ki/ng | {'ALTER'}
> cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
> cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
> (3 rows)
> cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
> ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid
> role resource name
> {code}
> Here's the backtrace from the server process:
> {code}
> ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811
> QueryMessage.java:129 - Unexpected error during query
> java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
> name
> at
> org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101)
> ~[main/:na]
> at org.apache.cassandra.auth.Resources.fromName(Resources.java:56)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223)
> ~[main/:na]
> at
> org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116)
> ~[main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517)
> [main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410)
> [main/:na]
> at
> io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
>
[jira] [Commented] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[
https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16282517#comment-16282517
]
Jeff Jirsa commented on CASSANDRA-14088:
This is marked ready to commit, but there's no mention of utest/dtests at all -
if they're clean I'll commit, but could someone confirm that they're clean?
> Forward slash in role name breaks CassandraAuthorizer
> -
>
> Key: CASSANDRA-14088
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14088
> Project: Cassandra
> Issue Type: Bug
> Components: Auth
> Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d
> ({{HEAD}} of {{trunk}}).
>Reporter: Jesse Haber-Kucharsky
>Assignee: Kurt Greaves
>Priority: Minor
> Fix For: 3.0.16, 3.11.2, 4.0
>
>
> The standard system authorizer
> ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions
> granted to each user for a given resource in {{system_auth.role_permissions}}.
> A resource like the {{my_keyspace.items}} table is stored as
> {{"data/my_keyspace/items"}} (note the {{/}} delimiter).
> Similarly, role resources (like the {{joe}} role) are stored as
> {{"roles/joe"}}.
> The problem is that roles can be created with {{/}} in their names, which
> confuses the authorizer when the table is queried.
> For example,
> {code}
> $ bin/cqlsh -u cassandra -p cassandra
> Connected to Test Cluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh> CREATE ROLE emperor;
> cassandra@cqlsh> CREATE ROLE "ki/ng";
> cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
> cassandra@cqlsh> LIST ROLES;
> role | super | login | options
> ---+---+---+-
> cassandra | True | True |{}
>emperor | False | False |{}
> ki/ng | False | False |{}
> (3 rows)
> cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
> role | resource | permissions
> ---+---+
>emperor | roles/ki/ng | {'ALTER'}
> cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
> cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
> (3 rows)
> cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
> ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid
> role resource name
> {code}
> Here's the backtrace from the server process:
> {code}
> ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811
> QueryMessage.java:129 - Unexpected error during query
> java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
> name
> at
> org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101)
> ~[main/:na]
> at org.apache.cassandra.auth.Resources.fromName(Resources.java:56)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223)
> ~[main/:na]
> at
> org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116)
> ~[main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517)
> [main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410)
> [main/:na]
> at
> io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353)
>
[jira] [Commented] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[
https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16281250#comment-16281250
]
Jeremiah Jordan commented on CASSANDRA-14088:
-
Agreed, we should just limit to only splitting the first "/".
Patch LGTM +1.
> Forward slash in role name breaks CassandraAuthorizer
> -
>
> Key: CASSANDRA-14088
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14088
> Project: Cassandra
> Issue Type: Bug
> Components: Auth
> Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d
> ({{HEAD}} of {{trunk}}).
>Reporter: Jesse Haber-Kucharsky
>Assignee: Kurt Greaves
>Priority: Minor
> Fix For: 3.0.16, 3.11.2, 4.0
>
>
> The standard system authorizer
> ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions
> granted to each user for a given resource in {{system_auth.role_permissions}}.
> A resource like the {{my_keyspace.items}} table is stored as
> {{"data/my_keyspace/items"}} (note the {{/}} delimiter).
> Similarly, role resources (like the {{joe}} role) are stored as
> {{"roles/joe"}}.
> The problem is that roles can be created with {{/}} in their names, which
> confuses the authorizer when the table is queried.
> For example,
> {code}
> $ bin/cqlsh -u cassandra -p cassandra
> Connected to Test Cluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh> CREATE ROLE emperor;
> cassandra@cqlsh> CREATE ROLE "ki/ng";
> cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
> cassandra@cqlsh> LIST ROLES;
> role | super | login | options
> ---+---+---+-
> cassandra | True | True |{}
>emperor | False | False |{}
> ki/ng | False | False |{}
> (3 rows)
> cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
> role | resource | permissions
> ---+---+
>emperor | roles/ki/ng | {'ALTER'}
> cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
> cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
> (3 rows)
> cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
> ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid
> role resource name
> {code}
> Here's the backtrace from the server process:
> {code}
> ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811
> QueryMessage.java:129 - Unexpected error during query
> java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
> name
> at
> org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101)
> ~[main/:na]
> at org.apache.cassandra.auth.Resources.fromName(Resources.java:56)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223)
> ~[main/:na]
> at
> org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116)
> ~[main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517)
> [main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410)
> [main/:na]
> at
> io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
>
[jira] [Commented] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[
https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1628#comment-1628
]
Kurt Greaves commented on CASSANDRA-14088:
--
Wild guess but I'd say it's probably because they have complicated
role/permission domains and break them up by slashes in their environment, and
would find it easiest to continue to use the same roles in C*, rather than
having to change their delimiter. I've seen similar cases before w.r.t
PKI/CN's/DN's.
Seeing as fromName is defined per resource I don't see why we can't have
specific implementations for each {{Resource}}. In fact, in {{DataResource}}
and {{FunctionResource}} we already handle each name differently as we require
3 {{/}} separators (+different sep's for {{FunctionResource}}.
At the moment any character is allowed in a role name except for slash, because
of this issue. We only really care about the first slash, if we ever cared
about more than that we'd be creating a new {{Resource}} anyway.
> Forward slash in role name breaks CassandraAuthorizer
> -
>
> Key: CASSANDRA-14088
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14088
> Project: Cassandra
> Issue Type: Bug
> Components: Auth
> Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d
> ({{HEAD}} of {{trunk}}).
>Reporter: Jesse Haber-Kucharsky
>Assignee: Kurt Greaves
>Priority: Minor
> Fix For: 3.0.16, 3.11.2, 4.0
>
>
> The standard system authorizer
> ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions
> granted to each user for a given resource in {{system_auth.role_permissions}}.
> A resource like the {{my_keyspace.items}} table is stored as
> {{"data/my_keyspace/items"}} (note the {{/}} delimiter).
> Similarly, role resources (like the {{joe}} role) are stored as
> {{"roles/joe"}}.
> The problem is that roles can be created with {{/}} in their names, which
> confuses the authorizer when the table is queried.
> For example,
> {code}
> $ bin/cqlsh -u cassandra -p cassandra
> Connected to Test Cluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh> CREATE ROLE emperor;
> cassandra@cqlsh> CREATE ROLE "ki/ng";
> cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
> cassandra@cqlsh> LIST ROLES;
> role | super | login | options
> ---+---+---+-
> cassandra | True | True |{}
>emperor | False | False |{}
> ki/ng | False | False |{}
> (3 rows)
> cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
> role | resource | permissions
> ---+---+
>emperor | roles/ki/ng | {'ALTER'}
> cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
> cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
> (3 rows)
> cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
> ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid
> role resource name
> {code}
> Here's the backtrace from the server process:
> {code}
> ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811
> QueryMessage.java:129 - Unexpected error during query
> java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
> name
> at
> org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101)
> ~[main/:na]
> at org.apache.cassandra.auth.Resources.fromName(Resources.java:56)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223)
> ~[main/:na]
> at
> org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116)
> ~[main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517)
> [main/:na]
> at
>
[jira] [Commented] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[
https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16276491#comment-16276491
]
Robert Stupp commented on CASSANDRA-14088:
--
Before we continue with this one - what's the reason for the forward slash(es)
in the role name?
The delimiter {{/}} was chosen to split components - handling that differently
across different resource types would be inconsistent.
I'd be much more in favor of validating the role name in
{{CreateRoleStatement}} and restrict role names to a defined set of characters,
like we do for keyspaces and tables.
> Forward slash in role name breaks CassandraAuthorizer
> -
>
> Key: CASSANDRA-14088
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14088
> Project: Cassandra
> Issue Type: Bug
> Components: Auth
> Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d
> ({{HEAD}} of {{trunk}}).
>Reporter: Jesse Haber-Kucharsky
>Assignee: Kurt Greaves
>Priority: Minor
> Fix For: 3.0.16, 3.11.2, 4.0
>
>
> The standard system authorizer
> ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions
> granted to each user for a given resource in {{system_auth.role_permissions}}.
> A resource like the {{my_keyspace.items}} table is stored as
> {{"data/my_keyspace/items"}} (note the {{/}} delimiter).
> Similarly, role resources (like the {{joe}} role) are stored as
> {{"roles/joe"}}.
> The problem is that roles can be created with {{/}} in their names, which
> confuses the authorizer when the table is queried.
> For example,
> {code}
> $ bin/cqlsh -u cassandra -p cassandra
> Connected to Test Cluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh> CREATE ROLE emperor;
> cassandra@cqlsh> CREATE ROLE "ki/ng";
> cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
> cassandra@cqlsh> LIST ROLES;
> role | super | login | options
> ---+---+---+-
> cassandra | True | True |{}
>emperor | False | False |{}
> ki/ng | False | False |{}
> (3 rows)
> cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
> role | resource | permissions
> ---+---+
>emperor | roles/ki/ng | {'ALTER'}
> cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
> cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
> (3 rows)
> cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
> ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid
> role resource name
> {code}
> Here's the backtrace from the server process:
> {code}
> ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811
> QueryMessage.java:129 - Unexpected error during query
> java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
> name
> at
> org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101)
> ~[main/:na]
> at org.apache.cassandra.auth.Resources.fromName(Resources.java:56)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223)
> ~[main/:na]
> at
> org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116)
> ~[main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517)
> [main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410)
> [main/:na]
> at
> io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
>
