Posted to commits@cassandra.apache.org by sa...@apache.org on 2016/01/04 19:01:40 UTC

cassandra git commit: Add requireAuthorization method to IAuthorizer

Repository: cassandra
Updated Branches:
  refs/heads/trunk d0e203645 -> f54eab71d


Add requireAuthorization method to IAuthorizer


Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/f54eab71
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/f54eab71
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/f54eab71

Branch: refs/heads/trunk
Commit: f54eab71d299429e17f315734484fb176f542167
Parents: d0e2036
Author: Mike Adamson <ma...@datastax.com>
Authored: Sat Dec 12 15:37:40 2015 +0000
Committer: Sam Tunnicliffe <sa...@beobal.com>
Committed: Mon Jan 4 17:57:07 2016 +0000

----------------------------------------------------------------------
 CHANGES.txt                                                 | 1 +
 src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java  | 6 ++++++
 src/java/org/apache/cassandra/auth/IAuthorizer.java         | 9 +++++++++
 src/java/org/apache/cassandra/auth/PermissionsCache.java    | 2 +-
 .../org/apache/cassandra/config/DatabaseDescriptor.java     | 4 ++--
 src/java/org/apache/cassandra/service/ClientState.java      | 4 ++--
 6 files changed, 21 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index cbd109e..e6b22b3 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
 3.2
+ * Add requireAuthorization method to IAuthorizer (CASSANDRA-10852)
  * Fix CassandraVersion to accept x.y version string (CASSANDRA-10931)
  * Add forceUserDefinedCleanup to allow more flexible cleanup (CASSANDRA-10708)
  * (cqlsh) allow setting TTL with COPY (CASSANDRA-9494)

http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java b/src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java
index bc6fee4..3b40979 100644
--- a/src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java
+++ b/src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java
@@ -22,6 +22,12 @@ import java.util.Set;
 
 public class AllowAllAuthorizer implements IAuthorizer
 {
+    @Override
+    public boolean requireAuthorization()
+    {
+        return false;
+    }
+
     public Set<Permission> authorize(AuthenticatedUser user, IResource resource)
     {
         return resource.applicablePermissions();

http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/src/java/org/apache/cassandra/auth/IAuthorizer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/auth/IAuthorizer.java b/src/java/org/apache/cassandra/auth/IAuthorizer.java
index 01c05af..a023e3e 100644
--- a/src/java/org/apache/cassandra/auth/IAuthorizer.java
+++ b/src/java/org/apache/cassandra/auth/IAuthorizer.java
@@ -29,6 +29,15 @@ import org.apache.cassandra.exceptions.RequestValidationException;
 public interface IAuthorizer
 {
     /**
+     * Whether or not the authorizer will attempt authorization.
+     * If false the authorizer will not be called for authorization of resources.
+     */
+    default boolean requireAuthorization()
+    {
+        return true;
+    }
+
+    /**
      * Returns a set of permissions of a user on a resource.
      * Since Roles were introduced in version 2.2, Cassandra does not distinguish in any
      * meaningful way between users and roles. A role may or may not have login privileges
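Review bot: The Javadoc on `requireAuthorization()` does not state the contract that the callers changed in this commit depend on. `PermissionsCache.initCache` reads the value once and returns null when it is false, while both `ClientState.ensureHasPermission` overloads read it on every call and return before any permission check when it is false, so an implementation whose answer changes after startup would leave the cache and the enforcement path in disagreement. I would extend the comment to say that the value must stay constant for the lifetime of the authorizer instance, that returning false means every permission check is skipped and no permissions cache is built, and add an `@return` line. The `authorize` Javadoc that follows continues outside the hunk.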

http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/src/java/org/apache/cassandra/auth/PermissionsCache.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/auth/PermissionsCache.java b/src/java/org/apache/cassandra/auth/PermissionsCache.java
index 8746b36..95aa398 100644
--- a/src/java/org/apache/cassandra/auth/PermissionsCache.java
+++ b/src/java/org/apache/cassandra/auth/PermissionsCache.java
@@ -107,7 +107,7 @@ public class PermissionsCache implements PermissionsCacheMBean
     private LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> initCache(
                                                              LoadingCache<Pair<AuthenticatedUser, IResource>, Set<Permission>> existing)
     {
-        if (authorizer instanceof AllowAllAuthorizer)
+        if (!authorizer.requireAuthorization())
             return null;
 
         if (DatabaseDescriptor.getPermissionsValidity() <= 0)

http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
index e2dea93..edcbcf5 100644
--- a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
+++ b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
@@ -324,8 +324,8 @@ public class DatabaseDescriptor
         if (conf.authorizer != null)
             authorizer = FBUtilities.newAuthorizer(conf.authorizer);
 
-        if (authenticator instanceof AllowAllAuthenticator && !(authorizer instanceof AllowAllAuthorizer))
-            throw new ConfigurationException("AllowAllAuthenticator can't be used with " +  conf.authorizer, false);
+        if (!authenticator.requireAuthentication() && authorizer.requireAuthorization())
+            throw new ConfigurationException(conf.authenticator + " can't be used with " +  conf.authorizer, false);
 
         if (conf.role_manager != null)
             roleManager = FBUtilities.newRoleManager(conf.role_manager);
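Review bot: The new exception message is built from `conf.authenticator`, which may be null when the option is left unset in the configuration (the null check on `conf.authorizer` two lines up suggests these fields are optional), so an operator could see "null can't be used with …" where the old message named AllowAllAuthenticator. Naming the instantiated objects avoids that: `throw new ConfigurationException(authenticator.getClass().getName() + " can't be used with " + authorizer.getClass().getName(), false);`. The message could also say why the pair is rejected, namely that an authorizer which requires authorization needs an authenticator which requires authentication. The enclosing method starts and ends outside the hunk.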

http://git-wip-us.apache.org/repos/asf/cassandra/blob/f54eab71/src/java/org/apache/cassandra/service/ClientState.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java
index d576ac3..78bcf8a 100644
--- a/src/java/org/apache/cassandra/service/ClientState.java
+++ b/src/java/org/apache/cassandra/service/ClientState.java
@@ -274,7 +274,7 @@ public class ClientState
 
     public void ensureHasPermission(Permission perm, IResource resource) throws UnauthorizedException
     {
-        if (DatabaseDescriptor.getAuthorizer() instanceof AllowAllAuthorizer)
+        if (!DatabaseDescriptor.getAuthorizer().requireAuthorization())
             return;
 
         // Access to built in functions is unrestricted
@@ -290,7 +290,7 @@ public class ClientState
     public void ensureHasPermission(Permission permission, Function function)
     {
         // Save creating a FunctionResource is we don't need to
-        if (DatabaseDescriptor.getAuthorizer() instanceof AllowAllAuthorizer)
+        if (!DatabaseDescriptor.getAuthorizer().requireAuthorization())
             return;
 
         // built in functions are always available to all