Posted to commits@cassandra.apache.org by "Jesse Haber-Kucharsky (JIRA)" <ji...@apache.org> on 2017/12/01 16:10:00 UTC
[jira] [Created] (CASSANDRA-14088) Forward slash in role name breaks CassandraAuthorizer
Jesse Haber-Kucharsky created CASSANDRA-14088:
-------------------------------------------------
Summary: Forward slash in role name breaks CassandraAuthorizer
Key: CASSANDRA-14088
URL: https://issues.apache.org/jira/browse/CASSANDRA-14088
Project: Cassandra
Issue Type: Bug
Components: Auth
Environment: Git commit: 4c80eeece37d79f434078224a0504400ae10a20d (`HEAD` of `trunk`).
Reporter: Jesse Haber-Kucharsky
Priority: Minor
The standard system authorizer (`org.apache.cassandra.auth.CassandraAuthorizer`) stores the permissions granted to each user for a given resource in `system_auth.role_permissions`.
A resource like the `my_keyspace.items` table is stored as `"data/my_keyspace/items"` (note the `/` delimiter).
Similarly, role resources (like the `joe` role) are formatted as `"roles/joe"`.
The problem is that roles can be created with `/` in their names, which confuses the authorizer when the table is queried.
For example,
```
$ bin/cqlsh -u cassandra -p cassandra
Connected to Test Cluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> CREATE ROLE emperor;
cassandra@cqlsh> CREATE ROLE "ki/ng";
cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
cassandra@cqlsh> LIST ROLES;
role | super | login | options
-----------+-------+-------+---------
cassandra | True | True | {}
emperor | False | False | {}
ki/ng | False | False | {}
(3 rows)
cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
role | resource | permissions
-----------+---------------+--------------------------------
emperor | roles/ki/ng | {'ALTER'}
cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
cassandra | roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
(3 rows)
cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name
```
Here's the backtrace from the server process:
```
ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811 QueryMessage.java:129 - Unexpected error during query
java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name
at org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) ~[main/:na]
at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) ~[main/:na]
at org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) ~[main/:na]
at org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) ~[main/:na]
at org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) ~[main/:na]
at org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) ~[main/:na]
at org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) ~[main/:na]
at org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) ~[main/:na]
at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) ~[main/:na]
at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) ~[main/:na]
at org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) ~[main/:na]
at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) [main/:na]
at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na]
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.1.14.Final.jar:4.1.14.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-all-4.1.14.Final.jar:4.1.14.Final]
at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) [netty-all-4.1.14.Final.jar:4.1.14.Final]
at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) [netty-all-4.1.14.Final.jar:4.1.14.Final]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_151]
at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na]
at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) [main/:na]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151]
ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,812 ErrorMessage.java:389 - Unexpected exception during request
java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name
at org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) ~[main/:na]
at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) ~[main/:na]
at org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) ~[main/:na]
at org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) ~[main/:na]
at org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) ~[main/:na]
at org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) ~[main/:na]
at org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) ~[main/:na]
at org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) ~[main/:na]
at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) ~[main/:na]
at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) ~[main/:na]
at org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) ~[main/:na]
at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) [main/:na]
at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na]
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.1.14.Final.jar:4.1.14.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-all-4.1.14.Final.jar:4.1.14.Final]
at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) [netty-all-4.1.14.Final.jar:4.1.14.Final]
at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) [netty-all-4.1.14.Final.jar:4.1.14.Final]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_151]
at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na]
at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) [main/:na]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151]
```
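The parsing failure described above, as an added example that is not part of the original report and not Cassandra source: the page does not show `RoleResource.fromName`, so `parseStrict` is a constructed stand-in that reproduces the reported error message, shown beside a variant that splits only on the first `/`. The class and method names are hypothetical, and the sample rows are constructed from the `resource` column in the transcript.

```java
// Added illustration; not Cassandra source. Class and method names are hypothetical.
public class RoleResourceNameDemo {
    static final String ROOT = "roles";

    // Splits on every '/', so a role name containing '/' yields more than two
    // parts and the stored resource string can no longer be read back.
    static String parseStrict(String resource) {
        String[] parts = resource.split("/");
        if (!parts[0].equals(ROOT) || parts.length > 2)
            throw new IllegalArgumentException(resource + " is not a valid role resource name");
        return parts.length == 1 ? null : parts[1]; // null means the root "roles" resource
    }

    // Splits on the first '/' only: everything after the "roles" prefix is
    // treated as the role name, so "roles/ki/ng" maps back to the role "ki/ng".
    static String parseFirstDelimiter(String resource) {
        String[] parts = resource.split("/", 2);
        if (!parts[0].equals(ROOT) || (parts.length == 2 && parts[1].isEmpty()))
            throw new IllegalArgumentException(resource + " is not a valid role resource name");
        return parts.length == 1 ? null : parts[1];
    }

    public static void main(String[] args) {
        // Constructed sample rows mirroring the resource column shown in the transcript.
        String[] storedResources = { "roles", "roles/emperor", "roles/ki/ng" };
        for (String stored : storedResources) {
            String strict;
            try {
                strict = "role=" + parseStrict(stored);
            } catch (IllegalArgumentException e) {
                strict = "rejected (" + e.getMessage() + ")";
            }
            System.out.printf("%-14s strict: %s | first-delimiter: role=%s%n",
                              stored, strict, parseFirstDelimiter(stored));
        }
    }
}
```

Splitting on the first delimiter is unambiguous here only because a role resource has a single name component after the prefix; the other way to close the gap is to reject `/` in the name when the role is created.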