[jira] [Updated] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeff Jirsa updated CASSANDRA-14088: --- Resolution: Fixed Status: Resolved (was: Ready to Commit) works for me. Committed as {{f9de26a79de02e61624994e67e64f2c93fb5a35b}} and merged up to 3.11/trunk. > Forward slash in role name breaks CassandraAuthorizer > - > > Key: CASSANDRA-14088 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14088 > Project: Cassandra > Issue Type: Bug > Components: Auth > Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d > ({{HEAD}} of {{trunk}}). >Reporter: Jesse Haber-Kucharsky >Assignee: Kurt Greaves >Priority: Minor > Fix For: 3.0.16, 3.11.2, 4.0 > > > The standard system authorizer > ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions > granted to each user for a given resource in {{system_auth.role_permissions}}. > A resource like the {{my_keyspace.items}} table is stored as > {{"data/my_keyspace/items"}} (note the {{/}} delimiter). > Similarly, role resources (like the {{joe}} role) are stored as > {{"roles/joe"}}. > The problem is that roles can be created with {{/}} in their names, which > confuses the authorizer when the table is queried. > For example, > {code} > $ bin/cqlsh -u cassandra -p cassandra > Connected to Test Cluster at 127.0.0.1:9042. > [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4] > Use HELP for help. > cassandra@cqlsh> CREATE ROLE emperor; > cassandra@cqlsh> CREATE ROLE "ki/ng"; > cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor; > cassandra@cqlsh> LIST ROLES; > role | super | login | options > ---+---+---+- > cassandra | True | True |{} >emperor | False | False |{} > ki/ng | False | False |{} > (3 rows) > cassandra@cqlsh> SELECT * FROM system_auth.role_permissions; > role | resource | permissions > ---+---+ >emperor | roles/ki/ng | {'ALTER'} > cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'} > cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'} > (3 rows) > cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor; > ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid > role resource name > {code} > Here's the backtrace from the server process: > {code} > ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811 > QueryMessage.java:129 - Unexpected error during query > java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource > name > at > org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) > ~[main/:na] > at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) > ~[main/:na] > at > org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) > ~[main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) > [main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) > [main/:na] > at > io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) >
[jira] [Updated] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeremiah Jordan updated CASSANDRA-14088: Reviewer: Jeremiah Jordan > Forward slash in role name breaks CassandraAuthorizer > - > > Key: CASSANDRA-14088 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14088 > Project: Cassandra > Issue Type: Bug > Components: Auth > Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d > ({{HEAD}} of {{trunk}}). >Reporter: Jesse Haber-Kucharsky >Assignee: Kurt Greaves >Priority: Minor > Fix For: 3.0.16, 3.11.2, 4.0 > > > The standard system authorizer > ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions > granted to each user for a given resource in {{system_auth.role_permissions}}. > A resource like the {{my_keyspace.items}} table is stored as > {{"data/my_keyspace/items"}} (note the {{/}} delimiter). > Similarly, role resources (like the {{joe}} role) are stored as > {{"roles/joe"}}. > The problem is that roles can be created with {{/}} in their names, which > confuses the authorizer when the table is queried. > For example, > {code} > $ bin/cqlsh -u cassandra -p cassandra > Connected to Test Cluster at 127.0.0.1:9042. > [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4] > Use HELP for help. > cassandra@cqlsh> CREATE ROLE emperor; > cassandra@cqlsh> CREATE ROLE "ki/ng"; > cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor; > cassandra@cqlsh> LIST ROLES; > role | super | login | options > ---+---+---+- > cassandra | True | True |{} >emperor | False | False |{} > ki/ng | False | False |{} > (3 rows) > cassandra@cqlsh> SELECT * FROM system_auth.role_permissions; > role | resource | permissions > ---+---+ >emperor | roles/ki/ng | {'ALTER'} > cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'} > cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'} > (3 rows) > cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor; > ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid > role resource name > {code} > Here's the backtrace from the server process: > {code} > ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811 > QueryMessage.java:129 - Unexpected error during query > java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource > name > at > org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) > ~[main/:na] > at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) > ~[main/:na] > at > org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) > ~[main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) > [main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) > [main/:na] > at > io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > [na:1.8.0_151] > at >
[jira] [Updated] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeremiah Jordan updated CASSANDRA-14088: Status: Ready to Commit (was: Patch Available) > Forward slash in role name breaks CassandraAuthorizer > - > > Key: CASSANDRA-14088 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14088 > Project: Cassandra > Issue Type: Bug > Components: Auth > Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d > ({{HEAD}} of {{trunk}}). >Reporter: Jesse Haber-Kucharsky >Assignee: Kurt Greaves >Priority: Minor > Fix For: 3.0.16, 3.11.2, 4.0 > > > The standard system authorizer > ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions > granted to each user for a given resource in {{system_auth.role_permissions}}. > A resource like the {{my_keyspace.items}} table is stored as > {{"data/my_keyspace/items"}} (note the {{/}} delimiter). > Similarly, role resources (like the {{joe}} role) are stored as > {{"roles/joe"}}. > The problem is that roles can be created with {{/}} in their names, which > confuses the authorizer when the table is queried. > For example, > {code} > $ bin/cqlsh -u cassandra -p cassandra > Connected to Test Cluster at 127.0.0.1:9042. > [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4] > Use HELP for help. > cassandra@cqlsh> CREATE ROLE emperor; > cassandra@cqlsh> CREATE ROLE "ki/ng"; > cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor; > cassandra@cqlsh> LIST ROLES; > role | super | login | options > ---+---+---+- > cassandra | True | True |{} >emperor | False | False |{} > ki/ng | False | False |{} > (3 rows) > cassandra@cqlsh> SELECT * FROM system_auth.role_permissions; > role | resource | permissions > ---+---+ >emperor | roles/ki/ng | {'ALTER'} > cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'} > cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'} > (3 rows) > cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor; > ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid > role resource name > {code} > Here's the backtrace from the server process: > {code} > ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811 > QueryMessage.java:129 - Unexpected error during query > java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource > name > at > org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) > ~[main/:na] > at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) > ~[main/:na] > at > org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) > ~[main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) > [main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) > [main/:na] > at > io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > [na:1.8.0_151]
[jira] [Updated] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kurt Greaves updated CASSANDRA-14088: - Fix Version/s: 4.0 3.11.2 3.0.16 Status: Patch Available (was: In Progress) [trunk|https://github.com/apache/cassandra/compare/trunk...kgreav:14088-3.0] No reason for us to split in {{RoleResource::fromName}} more than once, so just specified a max and added some tests to make sure we accept forward slashes and some other names correctly. Patch is the same for trunk and 3.11. Should merge cleanly. > Forward slash in role name breaks CassandraAuthorizer > - > > Key: CASSANDRA-14088 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14088 > Project: Cassandra > Issue Type: Bug > Components: Auth > Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d > ({{HEAD}} of {{trunk}}). >Reporter: Jesse Haber-Kucharsky >Assignee: Kurt Greaves >Priority: Minor > Fix For: 3.0.16, 3.11.2, 4.0 > > > The standard system authorizer > ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions > granted to each user for a given resource in {{system_auth.role_permissions}}. > A resource like the {{my_keyspace.items}} table is stored as > {{"data/my_keyspace/items"}} (note the {{/}} delimiter). > Similarly, role resources (like the {{joe}} role) are stored as > {{"roles/joe"}}. > The problem is that roles can be created with {{/}} in their names, which > confuses the authorizer when the table is queried. > For example, > {code} > $ bin/cqlsh -u cassandra -p cassandra > Connected to Test Cluster at 127.0.0.1:9042. > [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4] > Use HELP for help. > cassandra@cqlsh> CREATE ROLE emperor; > cassandra@cqlsh> CREATE ROLE "ki/ng"; > cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor; > cassandra@cqlsh> LIST ROLES; > role | super | login | options > ---+---+---+- > cassandra | True | True |{} >emperor | False | False |{} > ki/ng | False | False |{} > (3 rows) > cassandra@cqlsh> SELECT * FROM system_auth.role_permissions; > role | resource | permissions > ---+---+ >emperor | roles/ki/ng | {'ALTER'} > cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'} > cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'} > (3 rows) > cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor; > ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid > role resource name > {code} > Here's the backtrace from the server process: > {code} > ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811 > QueryMessage.java:129 - Unexpected error during query > java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource > name > at > org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) > ~[main/:na] > at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) > ~[main/:na] > at > org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) > ~[main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) > [main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) > [main/:na] > at > io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at >
[jira] [Updated] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jesse Haber-Kucharsky updated CASSANDRA-14088: -- Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d ({{HEAD}} of {{trunk}}). (was: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d (`HEAD` of `trunk`).) > Forward slash in role name breaks CassandraAuthorizer > - > > Key: CASSANDRA-14088 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14088 > Project: Cassandra > Issue Type: Bug > Components: Auth > Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d > ({{HEAD}} of {{trunk}}). >Reporter: Jesse Haber-Kucharsky >Priority: Minor > > The standard system authorizer > ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions > granted to each user for a given resource in {{system_auth.role_permissions}}. > A resource like the {{my_keyspace.items}} table is stored as > {{"data/my_keyspace/items"}} (note the {{/}} delimiter). > Similarly, role resources (like the {{joe}} role) are stored as > {{"roles/joe"}}. > The problem is that roles can be created with {{/}} in their names, which > confuses the authorizer when the table is queried. > For example, > {code} > $ bin/cqlsh -u cassandra -p cassandra > Connected to Test Cluster at 127.0.0.1:9042. > [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4] > Use HELP for help. > cassandra@cqlsh> CREATE ROLE emperor; > cassandra@cqlsh> CREATE ROLE "ki/ng"; > cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor; > cassandra@cqlsh> LIST ROLES; > role | super | login | options > ---+---+---+- > cassandra | True | True |{} >emperor | False | False |{} > ki/ng | False | False |{} > (3 rows) > cassandra@cqlsh> SELECT * FROM system_auth.role_permissions; > role | resource | permissions > ---+---+ >emperor | roles/ki/ng | {'ALTER'} > cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'} > cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'} > (3 rows) > cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor; > ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid > role resource name > {code} > Here's the backtrace from the server process: > {code} > ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811 > QueryMessage.java:129 - Unexpected error during query > java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource > name > at > org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) > ~[main/:na] > at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) > ~[main/:na] > at > org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) > ~[main/:na] > at > org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) > ~[main/:na] > at > org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) > ~[main/:na] > at > org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) > ~[main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) > [main/:na] > at > org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) > [main/:na] > at > io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at > io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) > [netty-all-4.1.14.Final.jar:4.1.14.Final] > at >
[jira] [Updated] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jesse Haber-Kucharsky updated CASSANDRA-14088: -- Description: The standard system authorizer ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions granted to each user for a given resource in {{system_auth.role_permissions}}. A resource like the {{my_keyspace.items}} table is stored as {{"data/my_keyspace/items"}} (note the {{/}} delimiter). Similarly, role resources (like the {{joe}} role) are stored as {{"roles/joe"}}. The problem is that roles can be created with {{/}} in their names, which confuses the authorizer when the table is queried. For example, {code} $ bin/cqlsh -u cassandra -p cassandra Connected to Test Cluster at 127.0.0.1:9042. [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4] Use HELP for help. cassandra@cqlsh> CREATE ROLE emperor; cassandra@cqlsh> CREATE ROLE "ki/ng"; cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor; cassandra@cqlsh> LIST ROLES; role | super | login | options ---+---+---+- cassandra | True | True |{} emperor | False | False |{} ki/ng | False | False |{} (3 rows) cassandra@cqlsh> SELECT * FROM system_auth.role_permissions; role | resource | permissions ---+---+ emperor | roles/ki/ng | {'ALTER'} cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'} cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'} (3 rows) cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor; ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name {code} Here's the backtrace from the server process: {code} ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811 QueryMessage.java:129 - Unexpected error during query java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name at org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) ~[main/:na] at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) ~[main/:na] at org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) ~[main/:na] at org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) ~[main/:na] at org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) ~[main/:na] at org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) ~[main/:na] at org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) ~[main/:na] at org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) ~[main/:na] at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) [main/:na] at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na] at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) [netty-all-4.1.14.Final.jar:4.1.14.Final] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_151] at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na] at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) [main/:na] at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151] ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,812 ErrorMessage.java:389 - Unexpected exception during request java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name at org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) ~[main/:na] at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) ~[main/:na] at
[jira] [Updated] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[ https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jesse Haber-Kucharsky updated CASSANDRA-14088: -- Description: The standard system authorizer ({org.apache.cassandra.auth.CassandraAuthorizer}) stores the permissions granted to each user for a given resource in {system_auth.role_permissions}. A resource like the {my_keyspace.items} table is stored as {"data/my_keyspace/items"} (note the {/} delimiter). Similarly, role resources (like the {joe} role) are formatted as {"roles/joe"}. The problem is that roles can be created with {/} in their names, which confuses the authorizer when the table is queried. For example, {code} $ bin/cqlsh -u cassandra -p cassandra Connected to Test Cluster at 127.0.0.1:9042. [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4] Use HELP for help. cassandra@cqlsh> CREATE ROLE emperor; cassandra@cqlsh> CREATE ROLE "ki/ng"; cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor; cassandra@cqlsh> LIST ROLES; role | super | login | options ---+---+---+- cassandra | True | True |{} emperor | False | False |{} ki/ng | False | False |{} (3 rows) cassandra@cqlsh> SELECT * FROM system_auth.role_permissions; role | resource | permissions ---+---+ emperor | roles/ki/ng | {'ALTER'} cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'} cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'} (3 rows) cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor; ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name {code} Here's the backtrace from the server process: {code} ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811 QueryMessage.java:129 - Unexpected error during query java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name at org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) ~[main/:na] at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) ~[main/:na] at org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) ~[main/:na] at org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) ~[main/:na] at org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) ~[main/:na] at org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) ~[main/:na] at org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) ~[main/:na] at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) ~[main/:na] at org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) ~[main/:na] at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) [main/:na] at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na] at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) [netty-all-4.1.14.Final.jar:4.1.14.Final] at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) [netty-all-4.1.14.Final.jar:4.1.14.Final] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_151] at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na] at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) [main/:na] at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151] ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,812 ErrorMessage.java:389 - Unexpected exception during request java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name at org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) ~[main/:na] at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) ~[main/:na] at