Posted to commits@cassandra.apache.org by al...@apache.org on 2013/09/04 20:52:49 UTC

[2/3] git commit: Require superuser status for adding triggers

Require superuser status for adding triggers

patch by Aleksey Yeschenko; reviewed by Jonathan Ellis for
CASSANDRA-5963


Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/edc75312
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/edc75312
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/edc75312

Branch: refs/heads/trunk
Commit: edc753127311fefa8de47fb9cc42a30cd783c24a
Parents: 06dc4d0
Author: Aleksey Yeschenko <al...@apache.org>
Authored: Wed Sep 4 21:50:45 2013 +0300
Committer: Aleksey Yeschenko <al...@apache.org>
Committed: Wed Sep 4 21:50:45 2013 +0300

----------------------------------------------------------------------
 CHANGES.txt                                        |  1 +
 .../cql3/statements/CreateTriggerStatement.java    |  8 +++-----
 .../cql3/statements/DropTriggerStatement.java      |  8 +++-----
 .../org/apache/cassandra/service/ClientState.java  |  6 ++++++
 .../apache/cassandra/thrift/CassandraServer.java   | 17 +++++++++++++++--
 5 files changed, 28 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cassandra/blob/edc75312/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index c09ba86..abbb4f9 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -12,6 +12,7 @@
  * Add ability for CQL3 to list partition keys (CASSANDRA-4536)
  * Improve native protocol serialization (CASSANDRA-5664)
  * Upgrade Thrift to 0.9.1 (CASSANDRA-5923)
+ * Require superuser status for adding triggers (CASSANDRA-5963)
 Merged from 1.2:
  * Allow local batchlog writes for CL.ANY (CASSANDRA-5967)
  * Optimize name query performance in wide rows (CASSANDRA-5966)

http://git-wip-us.apache.org/repos/asf/cassandra/blob/edc75312/src/java/org/apache/cassandra/cql3/statements/CreateTriggerStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/CreateTriggerStatement.java b/src/java/org/apache/cassandra/cql3/statements/CreateTriggerStatement.java
index 1e2ac90..329b7bc 100644
--- a/src/java/org/apache/cassandra/cql3/statements/CreateTriggerStatement.java
+++ b/src/java/org/apache/cassandra/cql3/statements/CreateTriggerStatement.java
@@ -20,13 +20,11 @@ package org.apache.cassandra.cql3.statements;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import org.apache.cassandra.auth.Permission;
 import org.apache.cassandra.config.CFMetaData;
 import org.apache.cassandra.config.Schema;
 import org.apache.cassandra.config.TriggerDefinition;
 import org.apache.cassandra.cql3.CFName;
 import org.apache.cassandra.exceptions.ConfigurationException;
-import org.apache.cassandra.exceptions.InvalidRequestException;
 import org.apache.cassandra.exceptions.RequestValidationException;
 import org.apache.cassandra.exceptions.UnauthorizedException;
 import org.apache.cassandra.service.ClientState;
@@ -49,9 +47,9 @@ public class CreateTriggerStatement extends SchemaAlteringStatement
         this.triggerClass = clazz;
     }
 
-    public void checkAccess(ClientState state) throws UnauthorizedException, InvalidRequestException
+    public void checkAccess(ClientState state) throws UnauthorizedException
     {
-        state.hasColumnFamilyAccess(keyspace(), columnFamily(), Permission.ALTER);
+        state.ensureIsSuper("Only superusers are allowed to perfrom CREATE TRIGGER queries");
     }
 
     public void validate(ClientState state) throws RequestValidationException
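Review bot: The message passed to `ensureIsSuper` in `checkAccess` misspells "perform" as "perfrom", and the same typo is in the DROP TRIGGER message in DropTriggerStatement.java. Since this string is what a rejected client sees and what operators will search logs for, it should read `state.ensureIsSuper("Only superusers are allowed to perform CREATE TRIGGER queries");`, with the matching fix for DROP TRIGGER. `checkAccess` also has no comment saying why the table-level `Permission.ALTER` check was replaced rather than kept alongside the superuser check; a one-line `// Triggers are superuser-only (CASSANDRA-5963); ALTER on the table is not sufficient` would record that intent.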
@@ -67,7 +65,7 @@ public class CreateTriggerStatement extends SchemaAlteringStatement
         }
     }
 
-    public void announceMigration() throws InvalidRequestException, ConfigurationException
+    public void announceMigration() throws ConfigurationException
     {
         CFMetaData cfm = Schema.instance.getCFMetaData(keyspace(), columnFamily()).clone();
         cfm.addTriggerDefinition(TriggerDefinition.create(triggerName, triggerClass));

http://git-wip-us.apache.org/repos/asf/cassandra/blob/edc75312/src/java/org/apache/cassandra/cql3/statements/DropTriggerStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/DropTriggerStatement.java b/src/java/org/apache/cassandra/cql3/statements/DropTriggerStatement.java
index 884aaa0..ce17047 100644
--- a/src/java/org/apache/cassandra/cql3/statements/DropTriggerStatement.java
+++ b/src/java/org/apache/cassandra/cql3/statements/DropTriggerStatement.java
@@ -20,12 +20,10 @@ package org.apache.cassandra.cql3.statements;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import org.apache.cassandra.auth.Permission;
 import org.apache.cassandra.config.CFMetaData;
 import org.apache.cassandra.config.Schema;
 import org.apache.cassandra.cql3.CFName;
 import org.apache.cassandra.exceptions.ConfigurationException;
-import org.apache.cassandra.exceptions.InvalidRequestException;
 import org.apache.cassandra.exceptions.RequestValidationException;
 import org.apache.cassandra.exceptions.UnauthorizedException;
 import org.apache.cassandra.service.ClientState;
@@ -45,9 +43,9 @@ public class DropTriggerStatement extends SchemaAlteringStatement
         this.triggerName = triggerName;
     }
 
-    public void checkAccess(ClientState state) throws UnauthorizedException, InvalidRequestException
+    public void checkAccess(ClientState state) throws UnauthorizedException
     {
-        state.hasColumnFamilyAccess(keyspace(), columnFamily(), Permission.ALTER);
+        state.ensureIsSuper("Only superusers are allowed to perfrom DROP TRIGGER queries");
     }
 
     public void validate(ClientState state) throws RequestValidationException
@@ -55,7 +53,7 @@ public class DropTriggerStatement extends SchemaAlteringStatement
         ThriftValidation.validateColumnFamily(keyspace(), columnFamily());
     }
 
-    public void announceMigration() throws InvalidRequestException, ConfigurationException
+    public void announceMigration() throws ConfigurationException
     {
         CFMetaData cfm = Schema.instance.getCFMetaData(keyspace(), columnFamily()).clone();
         if (!cfm.removeTrigger(triggerName))

http://git-wip-us.apache.org/repos/asf/cassandra/blob/edc75312/src/java/org/apache/cassandra/service/ClientState.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java
index eb75a34..32e21f4 100644
--- a/src/java/org/apache/cassandra/service/ClientState.java
+++ b/src/java/org/apache/cassandra/service/ClientState.java
@@ -201,6 +201,12 @@ public class ClientState
             throw new UnauthorizedException("You have to be logged in and not anonymous to perform this request");
     }
 
+    public void ensureIsSuper(String message) throws UnauthorizedException
+    {
+        if (DatabaseDescriptor.getAuthenticator().requireAuthentication() && (user == null || !user.isSuper()))
+            throw new UnauthorizedException(message);
+    }
+
     private static void validateKeyspace(String keyspace) throws InvalidRequestException
     {
         if (keyspace == null)
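Review bot: `ensureIsSuper` returns without checking anything whenever `DatabaseDescriptor.getAuthenticator().requireAuthentication()` is false, and the method has no Javadoc saying so. In CreateTriggerStatement and DropTriggerStatement this call replaces `hasColumnFamilyAccess(..., Permission.ALTER)` outright, so on a node whose authenticator does not require authentication those statements now appear to run with no access check at all. Whether an authorizer can be configured to restrict ALTER independently of the authenticator is not visible in this diff, so that combination is worth confirming. I would add a Javadoc stating that the check is enforced only when authentication is required, that a null user is treated as non-superuser, and that `message` is returned to the client verbatim in the `UnauthorizedException`.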

http://git-wip-us.apache.org/repos/asf/cassandra/blob/edc75312/src/java/org/apache/cassandra/thrift/CassandraServer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/thrift/CassandraServer.java b/src/java/org/apache/cassandra/thrift/CassandraServer.java
index 1099834..3d77743 100644
--- a/src/java/org/apache/cassandra/thrift/CassandraServer.java
+++ b/src/java/org/apache/cassandra/thrift/CassandraServer.java
@@ -1489,8 +1489,11 @@ public class CassandraServer implements Cassandra.Iface
             cf_def.unsetId(); // explicitly ignore any id set by client (Hector likes to set zero)
             CFMetaData cfm = CFMetaData.fromThrift(cf_def);
             CFMetaData.validateCompactionOptions(cfm.compactionStrategyClass, cfm.compactionStrategyOptions);
-
             cfm.addDefaultIndexNames();
+
+            if (!cfm.getTriggers().isEmpty())
+                state().ensureIsSuper("Only superusers are allowed to add triggers.");
+
             MigrationManager.announceNewColumnFamily(cfm);
             return Schema.instance.getVersion().toString();
         }
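Review bot: The new `if (!cfm.getTriggers().isEmpty())` guard carries no comment explaining why a column family definition that includes triggers needs more than the usual schema permission, and the identical two lines are repeated in the keyspace-creation hunk that follows. A short comment at both sites, for example `// a CfDef carrying triggers is restricted to superusers, same as CQL CREATE TRIGGER (CASSANDRA-5963)`, would stop a later refactor from dropping one copy as redundant. The guard also runs after `CFMetaData.fromThrift` and `validateCompactionOptions`, so a non-superuser sees validation errors before the authorization error; moving it directly after `fromThrift` would reject earlier. The enclosing method begins outside the hunk.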
@@ -1546,6 +1549,10 @@ public class CassandraServer implements Cassandra.Iface
                 cf_def.unsetId(); // explicitly ignore any id set by client (same as system_add_column_family)
                 CFMetaData cfm = CFMetaData.fromThrift(cf_def);
                 cfm.addDefaultIndexNames();
+
+                if (!cfm.getTriggers().isEmpty())
+                    state().ensureIsSuper("Only superusers are allowed to add triggers.");
+
                 cfDefs.add(cfm);
             }
             MigrationManager.announceNewKeyspace(KSMetaData.fromThrift(ks_def, cfDefs.toArray(new CFMetaData[cfDefs.size()])));
@@ -1610,16 +1617,22 @@ public class CassandraServer implements Cassandra.Iface
         {
             if (cf_def.keyspace == null || cf_def.name == null)
                 throw new InvalidRequestException("Keyspace and CF name must be set.");
+
+            state().hasColumnFamilyAccess(cf_def.keyspace, cf_def.name, Permission.ALTER);
             CFMetaData oldCfm = Schema.instance.getCFMetaData(cf_def.keyspace, cf_def.name);
+
             if (oldCfm == null)
                 throw new InvalidRequestException("Could not find column family definition to modify.");
 
-            state().hasColumnFamilyAccess(cf_def.keyspace, cf_def.name, Permission.ALTER);
 
             CFMetaData.applyImplicitDefaults(cf_def);
             CFMetaData cfm = CFMetaData.fromThrift(cf_def);
             CFMetaData.validateCompactionOptions(cfm.compactionStrategyClass, cfm.compactionStrategyOptions);
             cfm.addDefaultIndexNames();
+
+            if (!oldCfm.getTriggers().equals(cfm.getTriggers()))
+                state().ensureIsSuper("Only superusers are allowed to add or remove triggers.");
+
             MigrationManager.announceColumnFamilyUpdate(cfm, true);
             return Schema.instance.getVersion().toString();
         }
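Review bot: The guard `!oldCfm.getTriggers().equals(cfm.getTriggers())` is only as precise as the `equals` of the trigger collection and of `TriggerDefinition`, neither of which is visible in this diff. If `TriggerDefinition` does not override `equals`/`hashCode`, every update to a table that already has triggers would demand superuser; that fails closed but would surprise users holding ALTER. A comment such as `// any difference in the trigger set (added, removed, or class changed) requires superuser` would state the intended semantics, and the message could say "add, remove or change triggers" to match. It is also worth confirming how a `cf_def` that omits triggers is treated for a table that has them, since it would compare as a removal. Separately, deleting the old `hasColumnFamilyAccess` line leaves two consecutive blank lines before `applyImplicitDefaults`; the method begins outside the hunk.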