Posted to commits@cassandra.apache.org by sa...@apache.org on 2016/01/04 19:01:40 UTC
cassandra git commit: Add requireAuthorization method to IAuthorizer
Repository: cassandra
Updated Branches:
refs/heads/trunk d0e203645 -> f54eab71d
Add requireAuthorization method to IAuthorizer
Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/f54eab71
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/f54eab71
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/f54eab71
Branch: refs/heads/trunk
Commit: f54eab71d299429e17f315734484fb176f542167
Parents: d0e2036
Author: Mike Adamson <ma...@datastax.com>
Authored: Sat Dec 12 15:37:40 2015 +0000
Committer: Sam Tunnicliffe <sa...@beobal.com>
Committed: Mon Jan 4 17:57:07 2016 +0000
----------------------------------------------------------------------
CHANGES.txt | 1 +
src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java | 6 ++++++
src/java/org/apache/cassandra/auth/IAuthorizer.java | 9 +++++++++
src/java/org/apache/cassandra/auth/PermissionsCache.java | 2 +-
.../org/apache/cassandra/config/DatabaseDescriptor.java | 4 ++--
src/java/org/apache/cassandra/service/ClientState.java | 4 ++--
6 files changed, 21 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index cbd109e..e6b22b3 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
3.2
+ * Add requireAuthorization method to IAuthorizer (CASSANDRA-10852)
* Fix CassandraVersion to accept x.y version string (CASSANDRA-10931)
* Add forceUserDefinedCleanup to allow more flexible cleanup (CASSANDRA-10708)
* (cqlsh) allow setting TTL with COPY (CASSANDRA-9494)
http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java b/src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java
index bc6fee4..3b40979 100644
--- a/src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java
+++ b/src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java
@@ -22,6 +22,12 @@ import java.util.Set;
public class AllowAllAuthorizer implements IAuthorizer
{
+ @Override
+ public boolean requireAuthorization()
+ {
+ return false;
+ }
+
public Set<Permission> authorize(AuthenticatedUser user, IResource resource)
{
return resource.applicablePermissions();
http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/src/java/org/apache/cassandra/auth/IAuthorizer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/auth/IAuthorizer.java b/src/java/org/apache/cassandra/auth/IAuthorizer.java
index 01c05af..a023e3e 100644
--- a/src/java/org/apache/cassandra/auth/IAuthorizer.java
+++ b/src/java/org/apache/cassandra/auth/IAuthorizer.java
@@ -29,6 +29,15 @@ import org.apache.cassandra.exceptions.RequestValidationException;
public interface IAuthorizer
{
/**
+ * Whether or not the authorizer will attempt authorization.
+ * If false the authorizer will not be called for authorization of resources.
+ */
+ default boolean requireAuthorization()
+ {
+ return true;
+ }
+
+ /**
* Returns a set of permissions of a user on a resource.
* Since Roles were introduced in version 2.2, Cassandra does not distinguish in any
* meaningful way between users and roles. A role may or may not have login privileges
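Review bot: The Javadoc on the new `requireAuthorization()` default does not say what a `false` return means for security. Elsewhere in this commit, `false` makes both `ClientState.ensureHasPermission` overloads return without checking anything and makes `PermissionsCache.initCache` return null. I would state that explicitly and add an `@return` tag, e.g. `@return false only if this authorizer grants every permission to every user; when false, no permission checks are performed and the permissions cache is disabled`. Custom authorizers inherit `true`, the safe default, so the comment should also say that overriding it to return `false` switches authorization off entirely. The interface body continues outside the hunk.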
http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/src/java/org/apache/cassandra/auth/PermissionsCache.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/auth/PermissionsCache.java b/src/java/org/apache/cassandra/auth/PermissionsCache.java
index 8746b36..95aa398 100644
--- a/src/java/org/apache/cassandra/auth/PermissionsCache.java
+++ b/src/java/org/apache/cassandra/auth/PermissionsCache.java
@@ -107,7 +107,7 @@ public class PermissionsCache implements PermissionsCacheMBean
private LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> initCache(
LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> existing)
{
- if (authorizer instanceof AllowAllAuthorizer)
+ if (!authorizer.requireAuthorization())
return null;
if (DatabaseDescriptor.getPermissionsValidity() <= 0)
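Review bot: `initCache` reads `authorizer.requireAuthorization()` only when the cache is built, while the `ClientState.ensureHasPermission` hunks read it on every call, so the two can disagree if an implementation's answer changes at runtime. Nothing visible in this commit requires the value to be constant. If the cache stays null after the authorizer starts returning `true`, what later permission lookups do depends on code outside this hunk. I would document the invariant on the interface method, e.g. `The returned value must not change for the lifetime of the authorizer instance.` The body of `initCache` continues outside the hunk.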
http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
index e2dea93..edcbcf5 100644
--- a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
+++ b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
@@ -324,8 +324,8 @@ public class DatabaseDescriptor
if (conf.authorizer != null)
authorizer = FBUtilities.newAuthorizer(conf.authorizer);
- if (authenticator instanceof AllowAllAuthenticator && !(authorizer instanceof AllowAllAuthorizer))
- throw new ConfigurationException("AllowAllAuthenticator can't be used with " + conf.authorizer, false);
+ if (!authenticator.requireAuthentication() && authorizer.requireAuthorization())
+ throw new ConfigurationException(conf.authenticator + " can't be used with " + conf.authorizer, false);
if (conf.role_manager != null)
roleManager = FBUtilities.newRoleManager(conf.role_manager);
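Review bot: The new exception message concatenates `conf.authenticator`, which is the raw configuration string and is presumably null when no authenticator is configured, just as `conf.authorizer` is null-checked a few lines above. In that case an operator who sets only a real authorizer would see "null can't be used with ...", whereas the old message named `AllowAllAuthenticator` explicitly. Building the message from the resolved instances avoids this: `throw new ConfigurationException(authenticator.getClass().getName() + " can't be used with " + authorizer.getClass().getName(), false);`. The enclosing method starts and ends outside the hunk, so the defaulting of `authenticator` is not visible here and should be confirmed.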
http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/src/java/org/apache/cassandra/service/ClientState.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java
index d576ac3..78bcf8a 100644
--- a/src/java/org/apache/cassandra/service/ClientState.java
+++ b/src/java/org/apache/cassandra/service/ClientState.java
@@ -274,7 +274,7 @@ public class ClientState
public void ensureHasPermission(Permission perm, IResource resource) throws UnauthorizedException
{
- if (DatabaseDescriptor.getAuthorizer() instanceof AllowAllAuthorizer)
+ if (!DatabaseDescriptor.getAuthorizer().requireAuthorization())
return;
// Access to built in functions is unrestricted
@@ -290,7 +290,7 @@ public class ClientState
public void ensureHasPermission(Permission permission, Function function)
{
// Save creating a FunctionResource is we don't need to
- if (DatabaseDescriptor.getAuthorizer() instanceof AllowAllAuthorizer)
+ if (!DatabaseDescriptor.getAuthorizer().requireAuthorization())
return;
// built in functions are always available to all