[jira] [Updated] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[
https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jeff Jirsa updated CASSANDRA-14088:
---
Resolution: Fixed
Status: Resolved (was: Ready to Commit)
works for me. Committed as {{f9de26a79de02e61624994e67e64f2c93fb5a35b}} and
merged up to 3.11/trunk.
> Forward slash in role name breaks CassandraAuthorizer
> -
>
> Key: CASSANDRA-14088
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14088
> Project: Cassandra
> Issue Type: Bug
> Components: Auth
> Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d
> ({{HEAD}} of {{trunk}}).
>Reporter: Jesse Haber-Kucharsky
>Assignee: Kurt Greaves
>Priority: Minor
> Fix For: 3.0.16, 3.11.2, 4.0
>
>
> The standard system authorizer
> ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions
> granted to each user for a given resource in {{system_auth.role_permissions}}.
> A resource like the {{my_keyspace.items}} table is stored as
> {{"data/my_keyspace/items"}} (note the {{/}} delimiter).
> Similarly, role resources (like the {{joe}} role) are stored as
> {{"roles/joe"}}.
> The problem is that roles can be created with {{/}} in their names, which
> confuses the authorizer when the table is queried.
> For example,
> {code}
> $ bin/cqlsh -u cassandra -p cassandra
> Connected to Test Cluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh> CREATE ROLE emperor;
> cassandra@cqlsh> CREATE ROLE "ki/ng";
> cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
> cassandra@cqlsh> LIST ROLES;
> role | super | login | options
> ---+---+---+-
> cassandra | True | True |{}
>emperor | False | False |{}
> ki/ng | False | False |{}
> (3 rows)
> cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
> role | resource | permissions
> ---+---+
>emperor | roles/ki/ng | {'ALTER'}
> cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
> cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
> (3 rows)
> cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
> ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid
> role resource name
> {code}
> Here's the backtrace from the server process:
> {code}
> ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811
> QueryMessage.java:129 - Unexpected error during query
> java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
> name
> at
> org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101)
> ~[main/:na]
> at org.apache.cassandra.auth.Resources.fromName(Resources.java:56)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223)
> ~[main/:na]
> at
> org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116)
> ~[main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517)
> [main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410)
> [main/:na]
> at
> io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353)
>
[jira] [Updated] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[
https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jeremiah Jordan updated CASSANDRA-14088:
Reviewer: Jeremiah Jordan
> Forward slash in role name breaks CassandraAuthorizer
> -
>
> Key: CASSANDRA-14088
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14088
> Project: Cassandra
> Issue Type: Bug
> Components: Auth
> Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d
> ({{HEAD}} of {{trunk}}).
>Reporter: Jesse Haber-Kucharsky
>Assignee: Kurt Greaves
>Priority: Minor
> Fix For: 3.0.16, 3.11.2, 4.0
>
>
> The standard system authorizer
> ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions
> granted to each user for a given resource in {{system_auth.role_permissions}}.
> A resource like the {{my_keyspace.items}} table is stored as
> {{"data/my_keyspace/items"}} (note the {{/}} delimiter).
> Similarly, role resources (like the {{joe}} role) are stored as
> {{"roles/joe"}}.
> The problem is that roles can be created with {{/}} in their names, which
> confuses the authorizer when the table is queried.
> For example,
> {code}
> $ bin/cqlsh -u cassandra -p cassandra
> Connected to Test Cluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh> CREATE ROLE emperor;
> cassandra@cqlsh> CREATE ROLE "ki/ng";
> cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
> cassandra@cqlsh> LIST ROLES;
> role | super | login | options
> ---+---+---+-
> cassandra | True | True |{}
>emperor | False | False |{}
> ki/ng | False | False |{}
> (3 rows)
> cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
> role | resource | permissions
> ---+---+
>emperor | roles/ki/ng | {'ALTER'}
> cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
> cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
> (3 rows)
> cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
> ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid
> role resource name
> {code}
> Here's the backtrace from the server process:
> {code}
> ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811
> QueryMessage.java:129 - Unexpected error during query
> java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
> name
> at
> org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101)
> ~[main/:na]
> at org.apache.cassandra.auth.Resources.fromName(Resources.java:56)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223)
> ~[main/:na]
> at
> org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116)
> ~[main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517)
> [main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410)
> [main/:na]
> at
> io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> [na:1.8.0_151]
> at
>
[jira] [Updated] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[
https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jeremiah Jordan updated CASSANDRA-14088:
Status: Ready to Commit (was: Patch Available)
> Forward slash in role name breaks CassandraAuthorizer
> -
>
> Key: CASSANDRA-14088
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14088
> Project: Cassandra
> Issue Type: Bug
> Components: Auth
> Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d
> ({{HEAD}} of {{trunk}}).
>Reporter: Jesse Haber-Kucharsky
>Assignee: Kurt Greaves
>Priority: Minor
> Fix For: 3.0.16, 3.11.2, 4.0
>
>
> The standard system authorizer
> ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions
> granted to each user for a given resource in {{system_auth.role_permissions}}.
> A resource like the {{my_keyspace.items}} table is stored as
> {{"data/my_keyspace/items"}} (note the {{/}} delimiter).
> Similarly, role resources (like the {{joe}} role) are stored as
> {{"roles/joe"}}.
> The problem is that roles can be created with {{/}} in their names, which
> confuses the authorizer when the table is queried.
> For example,
> {code}
> $ bin/cqlsh -u cassandra -p cassandra
> Connected to Test Cluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh> CREATE ROLE emperor;
> cassandra@cqlsh> CREATE ROLE "ki/ng";
> cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
> cassandra@cqlsh> LIST ROLES;
> role | super | login | options
> ---+---+---+-
> cassandra | True | True |{}
>emperor | False | False |{}
> ki/ng | False | False |{}
> (3 rows)
> cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
> role | resource | permissions
> ---+---+
>emperor | roles/ki/ng | {'ALTER'}
> cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
> cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
> (3 rows)
> cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
> ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid
> role resource name
> {code}
> Here's the backtrace from the server process:
> {code}
> ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811
> QueryMessage.java:129 - Unexpected error during query
> java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
> name
> at
> org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101)
> ~[main/:na]
> at org.apache.cassandra.auth.Resources.fromName(Resources.java:56)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223)
> ~[main/:na]
> at
> org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116)
> ~[main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517)
> [main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410)
> [main/:na]
> at
> io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> [na:1.8.0_151]
[jira] [Updated] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[
https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kurt Greaves updated CASSANDRA-14088:
-
Fix Version/s: 4.0
3.11.2
3.0.16
Status: Patch Available (was: In Progress)
[trunk|https://github.com/apache/cassandra/compare/trunk...kgreav:14088-3.0]
No reason for us to split in {{RoleResource::fromName}} more than once, so just
specified a max and added some tests to make sure we accept forward slashes and
some other names correctly.
Patch is the same for trunk and 3.11. Should merge cleanly.
> Forward slash in role name breaks CassandraAuthorizer
> -
>
> Key: CASSANDRA-14088
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14088
> Project: Cassandra
> Issue Type: Bug
> Components: Auth
> Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d
> ({{HEAD}} of {{trunk}}).
>Reporter: Jesse Haber-Kucharsky
>Assignee: Kurt Greaves
>Priority: Minor
> Fix For: 3.0.16, 3.11.2, 4.0
>
>
> The standard system authorizer
> ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions
> granted to each user for a given resource in {{system_auth.role_permissions}}.
> A resource like the {{my_keyspace.items}} table is stored as
> {{"data/my_keyspace/items"}} (note the {{/}} delimiter).
> Similarly, role resources (like the {{joe}} role) are stored as
> {{"roles/joe"}}.
> The problem is that roles can be created with {{/}} in their names, which
> confuses the authorizer when the table is queried.
> For example,
> {code}
> $ bin/cqlsh -u cassandra -p cassandra
> Connected to Test Cluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh> CREATE ROLE emperor;
> cassandra@cqlsh> CREATE ROLE "ki/ng";
> cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
> cassandra@cqlsh> LIST ROLES;
> role | super | login | options
> ---+---+---+-
> cassandra | True | True |{}
>emperor | False | False |{}
> ki/ng | False | False |{}
> (3 rows)
> cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
> role | resource | permissions
> ---+---+
>emperor | roles/ki/ng | {'ALTER'}
> cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
> cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
> (3 rows)
> cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
> ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid
> role resource name
> {code}
> Here's the backtrace from the server process:
> {code}
> ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811
> QueryMessage.java:129 - Unexpected error during query
> java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
> name
> at
> org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101)
> ~[main/:na]
> at org.apache.cassandra.auth.Resources.fromName(Resources.java:56)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223)
> ~[main/:na]
> at
> org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116)
> ~[main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517)
> [main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410)
> [main/:na]
> at
> io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
>
[jira] [Updated] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[
https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jesse Haber-Kucharsky updated CASSANDRA-14088:
--
Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d ({{HEAD}}
of {{trunk}}). (was: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d
(`HEAD` of `trunk`).)
> Forward slash in role name breaks CassandraAuthorizer
> -
>
> Key: CASSANDRA-14088
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14088
> Project: Cassandra
> Issue Type: Bug
> Components: Auth
> Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d
> ({{HEAD}} of {{trunk}}).
>Reporter: Jesse Haber-Kucharsky
>Priority: Minor
>
> The standard system authorizer
> ({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions
> granted to each user for a given resource in {{system_auth.role_permissions}}.
> A resource like the {{my_keyspace.items}} table is stored as
> {{"data/my_keyspace/items"}} (note the {{/}} delimiter).
> Similarly, role resources (like the {{joe}} role) are stored as
> {{"roles/joe"}}.
> The problem is that roles can be created with {{/}} in their names, which
> confuses the authorizer when the table is queried.
> For example,
> {code}
> $ bin/cqlsh -u cassandra -p cassandra
> Connected to Test Cluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh> CREATE ROLE emperor;
> cassandra@cqlsh> CREATE ROLE "ki/ng";
> cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
> cassandra@cqlsh> LIST ROLES;
> role | super | login | options
> ---+---+---+-
> cassandra | True | True |{}
>emperor | False | False |{}
> ki/ng | False | False |{}
> (3 rows)
> cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
> role | resource | permissions
> ---+---+
>emperor | roles/ki/ng | {'ALTER'}
> cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
> cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
> (3 rows)
> cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
> ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid
> role resource name
> {code}
> Here's the backtrace from the server process:
> {code}
> ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811
> QueryMessage.java:129 - Unexpected error during query
> java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
> name
> at
> org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101)
> ~[main/:na]
> at org.apache.cassandra.auth.Resources.fromName(Resources.java:56)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283)
> ~[main/:na]
> at
> org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238)
> ~[main/:na]
> at
> org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223)
> ~[main/:na]
> at
> org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116)
> ~[main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517)
> [main/:na]
> at
> org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410)
> [main/:na]
> at
> io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353)
> [netty-all-4.1.14.Final.jar:4.1.14.Final]
> at
>
[jira] [Updated] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[
https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jesse Haber-Kucharsky updated CASSANDRA-14088:
--
Description:
The standard system authorizer
({{org.apache.cassandra.auth.CassandraAuthorizer}}) stores the permissions
granted to each user for a given resource in {{system_auth.role_permissions}}.
A resource like the {{my_keyspace.items}} table is stored as
{{"data/my_keyspace/items"}} (note the {{/}} delimiter).
Similarly, role resources (like the {{joe}} role) are stored as {{"roles/joe"}}.
The problem is that roles can be created with {{/}} in their names, which
confuses the authorizer when the table is queried.
For example,
{code}
$ bin/cqlsh -u cassandra -p cassandra
Connected to Test Cluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> CREATE ROLE emperor;
cassandra@cqlsh> CREATE ROLE "ki/ng";
cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
cassandra@cqlsh> LIST ROLES;
role | super | login | options
---+---+---+-
cassandra | True | True |{}
emperor | False | False |{}
ki/ng | False | False |{}
(3 rows)
cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
role | resource | permissions
---+---+
emperor | roles/ki/ng | {'ALTER'}
cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
(3 rows)
cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid
role resource name
{code}
Here's the backtrace from the server process:
{code}
ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811
QueryMessage.java:129 - Unexpected error during query
java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
name
at
org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101)
~[main/:na]
at org.apache.cassandra.auth.Resources.fromName(Resources.java:56)
~[main/:na]
at
org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283)
~[main/:na]
at
org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263)
~[main/:na]
at
org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108)
~[main/:na]
at
org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96)
~[main/:na]
at
org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48)
~[main/:na]
at
org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207)
~[main/:na]
at
org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238)
~[main/:na]
at
org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223)
~[main/:na]
at
org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116)
~[main/:na]
at
org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517)
[main/:na]
at
org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410)
[main/:na]
at
io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
at
io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
at
io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
at
io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
[na:1.8.0_151]
at
org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162)
[main/:na]
at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109)
[main/:na]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151]
ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,812
ErrorMessage.java:389 - Unexpected exception during request
java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
name
at
org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101)
~[main/:na]
at org.apache.cassandra.auth.Resources.fromName(Resources.java:56)
~[main/:na]
at
[jira] [Updated] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
[
https://issues.apache.org/jira/browse/CASSANDRA-14088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jesse Haber-Kucharsky updated CASSANDRA-14088:
--
Description:
The standard system authorizer
({org.apache.cassandra.auth.CassandraAuthorizer}) stores the permissions
granted to each user for a given resource in {system_auth.role_permissions}.
A resource like the {my_keyspace.items} table is stored as
{"data/my_keyspace/items"} (note the {/} delimiter).
Similarly, role resources (like the {joe} role) are formatted as {"roles/joe"}.
The problem is that roles can be created with {/} in their names, which
confuses the authorizer when the table is queried.
For example,
{code}
$ bin/cqlsh -u cassandra -p cassandra
Connected to Test Cluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> CREATE ROLE emperor;
cassandra@cqlsh> CREATE ROLE "ki/ng";
cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
cassandra@cqlsh> LIST ROLES;
role | super | login | options
---+---+---+-
cassandra | True | True |{}
emperor | False | False |{}
ki/ng | False | False |{}
(3 rows)
cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
role | resource | permissions
---+---+
emperor | roles/ki/ng | {'ALTER'}
cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
(3 rows)
cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid
role resource name
{code}
Here's the backtrace from the server process:
{code}
ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811
QueryMessage.java:129 - Unexpected error during query
java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
name
at
org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101)
~[main/:na]
at org.apache.cassandra.auth.Resources.fromName(Resources.java:56)
~[main/:na]
at
org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283)
~[main/:na]
at
org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263)
~[main/:na]
at
org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108)
~[main/:na]
at
org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96)
~[main/:na]
at
org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48)
~[main/:na]
at
org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207)
~[main/:na]
at
org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238)
~[main/:na]
at
org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223)
~[main/:na]
at
org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116)
~[main/:na]
at
org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517)
[main/:na]
at
org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410)
[main/:na]
at
io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
at
io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
at
io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
at
io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353)
[netty-all-4.1.14.Final.jar:4.1.14.Final]
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
[na:1.8.0_151]
at
org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162)
[main/:na]
at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109)
[main/:na]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151]
ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,812
ErrorMessage.java:389 - Unexpected exception during request
java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource
name
at
org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101)
~[main/:na]
at org.apache.cassandra.auth.Resources.fromName(Resources.java:56)
~[main/:na]
at
