You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by sa...@apache.org on 2018/05/09 18:34:41 UTC
[2/3] cassandra-dtest git commit: Infer Cassandra version from build
http://git-wip-us.apache.org/repos/asf/cassandra-dtest/blob/a06c0e70/auth_test.py
----------------------------------------------------------------------
diff --git a/auth_test.py b/auth_test.py
index e7aef05..8d82b63 100644
--- a/auth_test.py
+++ b/auth_test.py
@@ -13,7 +13,7 @@ from cassandra.cluster import NoHostAvailable
from cassandra.protocol import ServerError, SyntaxException
from dtest_setup_overrides import DTestSetupOverrides
-from dtest import CASSANDRA_VERSION_FROM_BUILD, Tester
+from dtest import Tester
from tools.assertions import (assert_all, assert_exception, assert_invalid,
assert_length_equal, assert_one,
assert_unauthorized)
@@ -397,20 +397,32 @@ class TestAuth(Tester):
self.prepare()
session = self.get_session(user='cassandra', password='cassandra')
- assert_one(session, "LIST USERS", ['cassandra', True] + all_dcs)
+ if self.dtest_config.cassandra_version_from_build >= '4.0':
+ assert_one(session, "LIST USERS", ['cassandra', True, 'ALL'])
+ else:
+ assert_one(session, "LIST USERS", ['cassandra', True])
session.execute("CREATE USER IF NOT EXISTS aleksey WITH PASSWORD 'sup'")
session.execute("CREATE USER IF NOT EXISTS aleksey WITH PASSWORD 'ignored'")
self.get_session(user='aleksey', password='sup')
- assert_all(session, "LIST USERS", [['aleksey', False] + all_dcs, ['cassandra', True] + all_dcs])
+ if self.dtest_config.cassandra_version_from_build >= '4.0':
+ assert_all(session, "LIST USERS", [['aleksey', False, 'ALL'], ['cassandra', True, 'ALL']])
+ else:
+ assert_all(session, "LIST USERS", [['aleksey', False], ['cassandra', True]])
session.execute("DROP USER IF EXISTS aleksey")
- assert_one(session, "LIST USERS", ['cassandra', True] + all_dcs)
+ if self.dtest_config.cassandra_version_from_build >= '4.0':
+ assert_one(session, "LIST USERS", ['cassandra', True, 'ALL'])
+ else:
+ assert_one(session, "LIST USERS", ['cassandra', True])
session.execute("DROP USER IF EXISTS aleksey")
- assert_one(session, "LIST USERS", ['cassandra', True] + all_dcs)
+ if self.dtest_config.cassandra_version_from_build >= '4.0':
+ assert_one(session, "LIST USERS", ['cassandra', True, 'ALL'])
+ else:
+ assert_one(session, "LIST USERS", ['cassandra', True])
def test_create_ks_auth(self):
"""
@@ -1010,15 +1022,17 @@ class TestAuth(Tester):
self.cluster.stop()
config = {'authenticator': 'org.apache.cassandra.auth.AllowAllAuthenticator',
- 'authorizer': 'org.apache.cassandra.auth.AllowAllAuthorizer',
- 'network_authorizer': 'org.apache.cassandra.auth.AllowAllNetworkAuthorizer'}
+ 'authorizer': 'org.apache.cassandra.auth.AllowAllAuthorizer'}
+ if self.dtest_config.cassandra_version_from_build >= '4.0':
+ config['network_authorizer'] = 'org.apache.cassandra.auth.AllowAllNetworkAuthorizer'
self.cluster.set_configuration_options(values=config)
self.cluster.start(wait_for_binary_proto=True)
self.cluster.stop()
config = {'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator',
- 'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer',
- 'network_authorizer': 'org.apache.cassandra.auth.CassandraNetworkAuthorizer'}
+ 'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer'}
+ if self.dtest_config.cassandra_version_from_build >= '4.0':
+ config['network_authorizer'] = 'org.apache.cassandra.auth.CassandraNetworkAuthorizer'
self.cluster.set_configuration_options(values=config)
self.cluster.start(wait_for_binary_proto=True)
@@ -1077,8 +1091,9 @@ class TestAuth(Tester):
"""
config = {'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator',
'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer',
- 'network_authorizer': 'org.apache.cassandra.auth.CassandraNetworkAuthorizer',
'permissions_validity_in_ms': permissions_validity}
+ if self.dtest_config.cassandra_version_from_build >= '4.0':
+ config['network_authorizer'] = 'org.apache.cassandra.auth.CassandraNetworkAuthorizer'
self.cluster.set_configuration_options(values=config)
self.cluster.populate(nodes).start()
@@ -1129,38 +1144,66 @@ def data_resource_creator_permissions(creator, resource):
return permissions
-# First value is the role name
-# Second value is superuser status
-# Third value is login status
-# Fourth value is role options
-# See CASSANDRA-7653 for explanations of these
-dcs_field = [] if CASSANDRA_VERSION_FROM_BUILD < '4.0' else ['dcs']
-Role = namedtuple('Role', ['name', 'superuser', 'login', 'options'] + dcs_field)
-
-all_dcs = [] if CASSANDRA_VERSION_FROM_BUILD < '4.0' else ['ALL']
-na_dcs = [] if CASSANDRA_VERSION_FROM_BUILD < '4.0' else ['n/a']
-mike_role = Role('mike', False, True, {}, *all_dcs)
-role1_role = Role('role1', False, False, {}, *na_dcs)
-role2_role = Role('role2', False, False, {}, *na_dcs)
-cassandra_role = Role('cassandra', True, True, {}, *all_dcs)
-
-
@since('2.2')
class TestAuthRoles(Tester):
+ Role = None
+ cassandra_role = None
+
+ @pytest.fixture(autouse=True)
+ def fixture_setup_auth(self, fixture_dtest_setup):
+ if fixture_dtest_setup.dtest_config.cassandra_version_from_build >= '4.0':
+ fixture_dtest_setup.cluster.set_configuration_options(values={
+ 'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator',
+ 'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer',
+ 'network_authorizer': 'org.apache.cassandra.auth.CassandraNetworkAuthorizer',
+ 'role_manager': 'org.apache.cassandra.auth.CassandraRoleManager',
+ 'permissions_validity_in_ms': 0,
+ 'roles_validity_in_ms': 0,
+ 'num_tokens': 1
+ })
+ else:
+ fixture_dtest_setup.cluster.set_configuration_options(values={
+ 'authenticator': 'org.apache.cassandra.auth.PasswordAuthenticator',
+ 'authorizer': 'org.apache.cassandra.auth.CassandraAuthorizer',
+ 'role_manager': 'org.apache.cassandra.auth.CassandraRoleManager',
+ 'permissions_validity_in_ms': 0,
+ 'roles_validity_in_ms': 0,
+ 'num_tokens': 1
+ })
+ fixture_dtest_setup.cluster.populate(1, debug=True).start(wait_for_binary_proto=True, jvm_args=['-XX:-PerfDisableSharedMem'])
+ nodes = fixture_dtest_setup.cluster.nodelist()
+ fixture_dtest_setup.superuser = fixture_dtest_setup.patient_exclusive_cql_connection(nodes[0], user='cassandra', password='cassandra')
+
@pytest.fixture(scope='function', autouse=True)
- def fixture_dtest_setup_overrides(self):
+ def fixture_dtest_setup_overrides(self, dtest_config):
"""
@jira_ticket CASSANDRA-7653
"""
dtest_setup_overrides = DTestSetupOverrides()
- if CASSANDRA_VERSION_FROM_BUILD >= '3.0':
+ if dtest_config.cassandra_version_from_build >= '3.0':
dtest_setup_overrides.cluster_options = ImmutableMapping({'enable_user_defined_functions': 'true',
- 'enable_scripted_user_defined_functions': 'true'})
+ 'enable_scripted_user_defined_functions': 'true'})
+ else:
+ dtest_setup_overrides.cluster_options = ImmutableMapping({'enable_user_defined_functions': 'true'})
+
+ if dtest_config.cassandra_version_from_build >= '4.0':
+ self.Role = namedtuple('Role', ['name', 'superuser', 'login', 'options', 'dcs'])
+ self.cassandra_role = self.Role('cassandra', True, True, {}, 'ALL')
else:
- dtest_setup_overrides.cluster_options.cluster_options = ImmutableMapping({'enable_user_defined_functions': 'true'})
+ self.Role = namedtuple('Role', ['name', 'superuser', 'login', 'options'])
+ self.cassandra_role = self.Role('cassandra', True, True, {})
+
return dtest_setup_overrides
+ def role(self, name, superuser=False, login=True, options=None):
+ options = options or {}
+ if self.dtest_config.cassandra_version_from_build >= '4.0':
+ dcs = 'n/a' if not login else 'ALL'
+ return self.Role(name, superuser, login, options, dcs)
+ else:
+ return self.Role(name, superuser, login, options)
+
def test_create_drop_role(self):
"""
* Launch a one node cluster
@@ -1168,15 +1211,17 @@ class TestAuthRoles(Tester):
* Create a new role, check it exists
* Drop the role, check it is gone
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- assert_one(cassandra, 'LIST ROLES', list(cassandra_role))
+ # self.prepare()
+ # cassandra = self.get_session(user='cassandra', password='cassandra')
+ role1 = self.role('role1', login=False)
- cassandra.execute("CREATE ROLE role1")
- assert_all(cassandra, "LIST ROLES", [list(cassandra_role), list(role1_role)])
+ assert_one(self.superuser, 'LIST ROLES', list(self.cassandra_role))
- cassandra.execute("DROP ROLE role1")
- assert_one(cassandra, "LIST ROLES", list(cassandra_role))
+ self.superuser.execute("CREATE ROLE role1")
+ assert_all(self.superuser, "LIST ROLES", [list(self.cassandra_role), list(role1)])
+
+ self.superuser.execute("DROP ROLE role1")
+ assert_one(self.superuser, "LIST ROLES", list(self.cassandra_role))
def test_conditional_create_drop_role(self):
"""
@@ -1187,17 +1232,16 @@ class TestAuthRoles(Tester):
* Drop the new role twice, using IF EXISTS
* Check neither query failed, but only superuser remains
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- assert_one(cassandra, "LIST ROLES", list(cassandra_role))
+ role1 = self.role('role1', login=False)
+ assert_one(self.superuser, "LIST ROLES", list(self.cassandra_role))
- cassandra.execute("CREATE ROLE IF NOT EXISTS role1")
- cassandra.execute("CREATE ROLE IF NOT EXISTS role1")
- assert_all(cassandra, "LIST ROLES", [list(cassandra_role), list(role1_role)])
+ self.superuser.execute("CREATE ROLE IF NOT EXISTS role1")
+ self.superuser.execute("CREATE ROLE IF NOT EXISTS role1")
+ assert_all(self.superuser, "LIST ROLES", [list(self.cassandra_role), list(role1)])
- cassandra.execute("DROP ROLE IF EXISTS role1")
- cassandra.execute("DROP ROLE IF EXISTS role1")
- assert_one(cassandra, "LIST ROLES", list(cassandra_role))
+ self.superuser.execute("DROP ROLE IF EXISTS role1")
+ self.superuser.execute("DROP ROLE IF EXISTS role1")
+ assert_one(self.superuser, "LIST ROLES", list(self.cassandra_role))
def test_create_drop_role_validation(self):
"""
@@ -1212,23 +1256,21 @@ class TestAuthRoles(Tester):
* Drop the new role.
* Try to drop the new role again, assert throws InvalidRequest
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
mike = self.get_session(user='mike', password='12345')
assert_unauthorized(mike,
"CREATE ROLE role2",
"User mike does not have sufficient privileges to perform the requested operation")
- cassandra.execute("CREATE ROLE role1")
+ self.superuser.execute("CREATE ROLE role1")
assert_unauthorized(mike,
"DROP ROLE role1",
"User mike does not have sufficient privileges to perform the requested operation")
- assert_invalid(cassandra, "CREATE ROLE role1", "role1 already exists")
- cassandra.execute("DROP ROLE role1")
- assert_invalid(cassandra, "DROP ROLE role1", "role1 doesn't exist")
+ assert_invalid(self.superuser, "CREATE ROLE role1", "role1 already exists")
+ self.superuser.execute("DROP ROLE role1")
+ assert_invalid(self.superuser, "DROP ROLE role1", "role1 doesn't exist")
def test_role_admin_validation(self):
"""
@@ -1246,51 +1288,52 @@ class TestAuthRoles(Tester):
* Verify mike can drop roles
* Verify roles without admin cannot drop roles
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE administrator WITH SUPERUSER = false AND LOGIN = false")
- cassandra.execute("GRANT ALL ON ALL ROLES TO administrator")
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("GRANT administrator TO mike")
- cassandra.execute("CREATE ROLE klaus WITH PASSWORD = '54321' AND SUPERUSER = false AND LOGIN = true")
- mike = self.get_session(user='mike', password='12345')
- klaus = self.get_session(user='klaus', password='54321')
+ self.superuser.execute("CREATE ROLE administrator WITH SUPERUSER = false AND LOGIN = false")
+ self.superuser.execute("GRANT ALL ON ALL ROLES TO administrator")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("GRANT administrator TO mike")
+ self.superuser.execute("CREATE ROLE klaus WITH PASSWORD = '54321' AND SUPERUSER = false AND LOGIN = true")
+ administrator = self.role('administrator', login=False)
+ mike = self.role('mike')
+ as_mike = self.get_session(user='mike', password='12345')
+ klaus = self.role('klaus')
+ as_klaus = self.get_session(user='klaus', password='54321')
# roles with CREATE on ALL ROLES can create roles
- mike.execute("CREATE ROLE role1 WITH PASSWORD = '11111' AND LOGIN = false")
+ as_mike.execute("CREATE ROLE role1 WITH PASSWORD = '11111' AND LOGIN = false")
# require ALTER on ALL ROLES or a SPECIFIC ROLE to modify
self.assert_login_not_allowed('role1', '11111')
- cassandra.execute("GRANT ALTER on ROLE role1 TO klaus")
- klaus.execute("ALTER ROLE role1 WITH LOGIN = true")
- mike.execute("ALTER ROLE role1 WITH PASSWORD = '22222'")
- role1 = self.get_session(user='role1', password='22222')
+ self.superuser.execute("GRANT ALTER on ROLE role1 TO klaus")
+ as_klaus.execute("ALTER ROLE role1 WITH LOGIN = true")
+ as_mike.execute("ALTER ROLE role1 WITH PASSWORD = '22222'")
+ as_role1 = self.get_session(user='role1', password='22222')
# only superusers can set superuser status
- assert_unauthorized(mike, "ALTER ROLE role1 WITH SUPERUSER = true",
+ assert_unauthorized(as_mike, "ALTER ROLE role1 WITH SUPERUSER = true",
"Only superusers are allowed to alter superuser status")
- assert_unauthorized(mike, "ALTER ROLE mike WITH SUPERUSER = true",
+ assert_unauthorized(as_mike, "ALTER ROLE mike WITH SUPERUSER = true",
"You aren't allowed to alter your own superuser status or that of a role granted to you")
# roles without necessary permissions cannot create, drop or alter roles except themselves
- assert_unauthorized(role1, "CREATE ROLE role2 WITH LOGIN = false",
+ assert_unauthorized(as_role1, "CREATE ROLE role2 WITH LOGIN = false",
"User role1 does not have sufficient privileges to perform the requested operation")
- assert_unauthorized(role1, "ALTER ROLE mike WITH LOGIN = false",
+ assert_unauthorized(as_role1, "ALTER ROLE mike WITH LOGIN = false",
"User role1 does not have sufficient privileges to perform the requested operation")
- assert_unauthorized(role1, "DROP ROLE mike",
+ assert_unauthorized(as_role1, "DROP ROLE mike",
"User role1 does not have sufficient privileges to perform the requested operation")
- role1.execute("ALTER ROLE role1 WITH PASSWORD = '33333'")
+ as_role1.execute("ALTER ROLE role1 WITH PASSWORD = '33333'")
# roles with roleadmin can drop roles
- mike.execute("DROP ROLE role1")
- assert_all(cassandra, "LIST ROLES", [['administrator', False, False, {}] + na_dcs,
- list(cassandra_role),
- ['klaus', False, True, {}] + all_dcs,
- list(mike_role)])
+ as_mike.execute("DROP ROLE role1")
+ assert_all(self.superuser, "LIST ROLES", [list(administrator),
+ list(self.cassandra_role),
+ list(klaus),
+ list(mike)])
# revoking role admin removes its privileges
- cassandra.execute("REVOKE administrator FROM mike")
- assert_unauthorized(mike, "CREATE ROLE role3 WITH LOGIN = false",
+ self.superuser.execute("REVOKE administrator FROM mike")
+ assert_unauthorized(as_mike, "CREATE ROLE role3 WITH LOGIN = false",
"User mike does not have sufficient privileges to perform the requested operation")
def test_creator_of_db_resource_granted_all_permissions(self):
@@ -1301,23 +1344,21 @@ class TestAuthRoles(Tester):
* Connect as mike
* Verify that mike is automatically granted permissions on any resource he creates
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("GRANT CREATE ON ALL KEYSPACES TO mike")
- cassandra.execute("GRANT CREATE ON ALL ROLES TO mike")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("GRANT CREATE ON ALL KEYSPACES TO mike")
+ self.superuser.execute("GRANT CREATE ON ALL ROLES TO mike")
- mike = self.get_session(user='mike', password='12345')
+ as_mike = self.get_session(user='mike', password='12345')
# mike should automatically be granted permissions on any resource he creates, i.e. tables or roles
- mike.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}")
- mike.execute("CREATE TABLE ks.cf (id int primary key, val int)")
- mike.execute("CREATE ROLE role1 WITH PASSWORD = '11111' AND SUPERUSER = false AND LOGIN = true")
- mike.execute("""CREATE FUNCTION ks.state_function_1(a int, b int)
+ as_mike.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}")
+ as_mike.execute("CREATE TABLE ks.cf (id int primary key, val int)")
+ as_mike.execute("CREATE ROLE role1 WITH PASSWORD = '11111' AND SUPERUSER = false AND LOGIN = true")
+ as_mike.execute("""CREATE FUNCTION ks.state_function_1(a int, b int)
CALLED ON NULL INPUT
RETURNS int
LANGUAGE javascript
AS ' a + b'""")
- mike.execute("""CREATE AGGREGATE ks.simple_aggregate_1(int)
+ as_mike.execute("""CREATE AGGREGATE ks.simple_aggregate_1(int)
SFUNC state_function_1
STYPE int
INITCOND 0""")
@@ -1332,7 +1373,7 @@ class TestAuthRoles(Tester):
mike_permissions.extend(function_resource_creator_permissions('mike', '<function ks.simple_aggregate_1(int)>'))
self.assert_permissions_listed(cassandra_permissions + mike_permissions,
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS")
def test_create_and_grant_roles_with_superuser_status(self):
@@ -1344,26 +1385,24 @@ class TestAuthRoles(Tester):
* Connect as mike
* Verify mike can create new roles, but not grant them superuser
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE another_superuser WITH SUPERUSER = true AND LOGIN = false")
- cassandra.execute("CREATE ROLE non_superuser WITH SUPERUSER = false AND LOGIN = false")
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("CREATE ROLE another_superuser WITH SUPERUSER = true AND LOGIN = false")
+ self.superuser.execute("CREATE ROLE non_superuser WITH SUPERUSER = false AND LOGIN = false")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
# mike can create and grant any role, except superusers
- cassandra.execute("GRANT CREATE ON ALL ROLES TO mike")
- cassandra.execute("GRANT AUTHORIZE ON ALL ROLES TO mike")
+ self.superuser.execute("GRANT CREATE ON ALL ROLES TO mike")
+ self.superuser.execute("GRANT AUTHORIZE ON ALL ROLES TO mike")
# mike can create roles, but not with superuser status
# and can grant any role, including those with superuser status
- mike = self.get_session(user='mike', password='12345')
- mike.execute("CREATE ROLE role1 WITH SUPERUSER = false")
- mike.execute("GRANT non_superuser TO role1")
- mike.execute("GRANT another_superuser TO role1")
- assert_unauthorized(mike, "CREATE ROLE role2 WITH SUPERUSER = true",
+ as_mike = self.get_session(user='mike', password='12345')
+ as_mike.execute("CREATE ROLE role1 WITH SUPERUSER = false")
+ as_mike.execute("GRANT non_superuser TO role1")
+ as_mike.execute("GRANT another_superuser TO role1")
+ assert_unauthorized(as_mike, "CREATE ROLE role2 WITH SUPERUSER = true",
"Only superusers can create a role with superuser status")
- assert_all(cassandra, "LIST ROLES OF role1", [['another_superuser', True, False, {}] + na_dcs,
- ['non_superuser', False, False, {}] + na_dcs,
- ['role1', False, False, {}] + na_dcs])
+ assert_all(self.superuser, "LIST ROLES OF role1", [list(self.role('another_superuser', superuser=True, login=False)),
+ list(self.role('non_superuser', login=False)),
+ list(self.role('role1', login=False))])
def test_drop_and_revoke_roles_with_superuser_status(self):
"""
@@ -1374,23 +1413,21 @@ class TestAuthRoles(Tester):
* Connect as mike
* Verify mike can drop or revoke any roles, regardless of its superuser status
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE another_superuser WITH SUPERUSER = true AND LOGIN = false")
- cassandra.execute("CREATE ROLE non_superuser WITH SUPERUSER = false AND LOGIN = false")
- cassandra.execute("CREATE ROLE role1 WITH SUPERUSER = false")
- cassandra.execute("GRANT another_superuser TO role1")
- cassandra.execute("GRANT non_superuser TO role1")
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("GRANT DROP ON ALL ROLES TO mike")
- cassandra.execute("GRANT AUTHORIZE ON ALL ROLES TO mike")
+ self.superuser.execute("CREATE ROLE another_superuser WITH SUPERUSER = true AND LOGIN = false")
+ self.superuser.execute("CREATE ROLE non_superuser WITH SUPERUSER = false AND LOGIN = false")
+ self.superuser.execute("CREATE ROLE role1 WITH SUPERUSER = false")
+ self.superuser.execute("GRANT another_superuser TO role1")
+ self.superuser.execute("GRANT non_superuser TO role1")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("GRANT DROP ON ALL ROLES TO mike")
+ self.superuser.execute("GRANT AUTHORIZE ON ALL ROLES TO mike")
# mike can drop and revoke any role, including superusers
- mike = self.get_session(user='mike', password='12345')
- mike.execute("REVOKE another_superuser FROM role1")
- mike.execute("REVOKE non_superuser FROM role1")
- mike.execute("DROP ROLE non_superuser")
- mike.execute("DROP ROLE role1")
+ as_mike = self.get_session(user='mike', password='12345')
+ as_mike.execute("REVOKE another_superuser FROM role1")
+ as_mike.execute("REVOKE non_superuser FROM role1")
+ as_mike.execute("DROP ROLE non_superuser")
+ as_mike.execute("DROP ROLE role1")
def test_drop_role_removes_memberships(self):
"""
@@ -1403,26 +1440,27 @@ class TestAuthRoles(Tester):
* Recreate role2. Grant to role1 again. Verify is in LIST ROLES of mike
* DROP role1. Verify mike's roles only include mike, but LIST ROLES still includes role2
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE role1")
- cassandra.execute("CREATE ROLE role2")
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("GRANT role2 TO role1")
- cassandra.execute("GRANT role1 TO mike")
- assert_all(cassandra, "LIST ROLES OF mike", [list(mike_role), list(role1_role), list(role2_role)])
+ self.superuser.execute("CREATE ROLE role1")
+ self.superuser.execute("CREATE ROLE role2")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("GRANT role2 TO role1")
+ self.superuser.execute("GRANT role1 TO mike")
+ mike = self.role('mike')
+ role1 = self.role('role1', login=False)
+ role2 = self.role('role2', login=False)
+ assert_all(self.superuser, "LIST ROLES OF mike", [list(mike), list(role1), list(role2)])
# drop the role indirectly granted
- cassandra.execute("DROP ROLE role2")
- assert_all(cassandra, "LIST ROLES OF mike", [list(mike_role), list(role1_role)])
+ self.superuser.execute("DROP ROLE role2")
+ assert_all(self.superuser, "LIST ROLES OF mike", [list(mike), list(role1)])
- cassandra.execute("CREATE ROLE role2")
- cassandra.execute("GRANT role2 to role1")
- assert_all(cassandra, "LIST ROLES OF mike", [list(mike_role), list(role1_role), list(role2_role)])
+ self.superuser.execute("CREATE ROLE role2")
+ self.superuser.execute("GRANT role2 to role1")
+ assert_all(self.superuser, "LIST ROLES OF mike", [list(mike), list(role1), list(role2)])
# drop the directly granted role
- cassandra.execute("DROP ROLE role1")
- assert_one(cassandra, "LIST ROLES OF mike", list(mike_role))
- assert_all(cassandra, "LIST ROLES", [list(cassandra_role), list(mike_role), list(role2_role)])
+ self.superuser.execute("DROP ROLE role1")
+ assert_one(self.superuser, "LIST ROLES OF mike", list(mike))
+ assert_all(self.superuser, "LIST ROLES", [list(self.cassandra_role), list(mike), list(role2)])
def test_drop_role_revokes_permissions_granted_on_it(self):
"""
@@ -1434,22 +1472,20 @@ class TestAuthRoles(Tester):
* Drop role1 and role2
* Assert mike has no permissions remaining
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE role1")
- cassandra.execute("CREATE ROLE role2")
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("GRANT ALTER ON ROLE role1 TO mike")
- cassandra.execute("GRANT AUTHORIZE ON ROLE role2 TO mike")
+ self.superuser.execute("CREATE ROLE role1")
+ self.superuser.execute("CREATE ROLE role2")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("GRANT ALTER ON ROLE role1 TO mike")
+ self.superuser.execute("GRANT AUTHORIZE ON ROLE role2 TO mike")
self.assert_permissions_listed([("mike", "<role role1>", "ALTER"),
("mike", "<role role2>", "AUTHORIZE")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF mike")
- cassandra.execute("DROP ROLE role1")
- cassandra.execute("DROP ROLE role2")
- assert list(cassandra.execute("LIST ALL PERMISSIONS OF mike")) == []
+ self.superuser.execute("DROP ROLE role1")
+ self.superuser.execute("DROP ROLE role2")
+ assert list(self.superuser.execute("LIST ALL PERMISSIONS OF mike")) == []
def test_grant_revoke_roles(self):
"""
@@ -1460,23 +1496,24 @@ class TestAuthRoles(Tester):
* Verify the output of LIST ROLES
* REVOKE various roles, verify the output of LIST ROLES
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("CREATE ROLE role1")
- cassandra.execute("CREATE ROLE role2")
- cassandra.execute("GRANT role1 TO role2")
- cassandra.execute("GRANT role2 TO mike")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("CREATE ROLE role1")
+ self.superuser.execute("CREATE ROLE role2")
+ self.superuser.execute("GRANT role1 TO role2")
+ self.superuser.execute("GRANT role2 TO mike")
+ mike = self.role('mike')
+ role1 = self.role('role1', login=False)
+ role2 = self.role('role2', login=False)
- assert_all(cassandra, "LIST ROLES OF role2", [list(role1_role), list(role2_role)])
- assert_all(cassandra, "LIST ROLES OF mike", [list(mike_role), list(role1_role), list(role2_role)])
- assert_all(cassandra, "LIST ROLES OF mike NORECURSIVE", [list(mike_role), list(role2_role)])
+ assert_all(self.superuser, "LIST ROLES OF role2", [list(role1), list(role2)])
+ assert_all(self.superuser, "LIST ROLES OF mike", [list(mike), list(role1), list(role2)])
+ assert_all(self.superuser, "LIST ROLES OF mike NORECURSIVE", [list(mike), list(role2)])
- cassandra.execute("REVOKE role2 FROM mike")
- assert_one(cassandra, "LIST ROLES OF mike", list(mike_role))
+ self.superuser.execute("REVOKE role2 FROM mike")
+ assert_one(self.superuser, "LIST ROLES OF mike", list(mike))
- cassandra.execute("REVOKE role1 FROM role2")
- assert_one(cassandra, "LIST ROLES OF role2", list(role2_role))
+ self.superuser.execute("REVOKE role1 FROM role2")
+ assert_one(self.superuser, "LIST ROLES OF role2", list(role2))
def test_grant_revoke_role_validation(self):
"""
@@ -1488,36 +1525,34 @@ class TestAuthRoles(Tester):
* Create ROLE john
* Verify mike cannot grant/revoke roles to/from john without the AUTHORIZE permission
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- mike = self.get_session(user='mike', password='12345')
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ as_mike = self.get_session(user='mike', password='12345')
- assert_invalid(cassandra, "GRANT role1 TO mike", "role1 doesn't exist")
- cassandra.execute("CREATE ROLE role1")
+ assert_invalid(self.superuser, "GRANT role1 TO mike", "role1 doesn't exist")
+ self.superuser.execute("CREATE ROLE role1")
- assert_invalid(cassandra, "GRANT role1 TO john", "john doesn't exist")
- assert_invalid(cassandra, "GRANT role2 TO john", "role2 doesn't exist")
+ assert_invalid(self.superuser, "GRANT role1 TO john", "john doesn't exist")
+ assert_invalid(self.superuser, "GRANT role2 TO john", "role2 doesn't exist")
- cassandra.execute("CREATE ROLE john WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("CREATE ROLE role2")
+ self.superuser.execute("CREATE ROLE john WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("CREATE ROLE role2")
- assert_unauthorized(mike,
+ assert_unauthorized(as_mike,
"GRANT role2 TO john",
"User mike does not have sufficient privileges to perform the requested operation")
# superusers can always grant roles
- cassandra.execute("GRANT role1 TO john")
+ self.superuser.execute("GRANT role1 TO john")
# but regular users need AUTHORIZE permission on the granted role
- cassandra.execute("GRANT AUTHORIZE ON ROLE role2 TO mike")
- mike.execute("GRANT role2 TO john")
+ self.superuser.execute("GRANT AUTHORIZE ON ROLE role2 TO mike")
+ as_mike.execute("GRANT role2 TO john")
# same applies to REVOKEing roles
- assert_unauthorized(mike,
+ assert_unauthorized(as_mike,
"REVOKE role1 FROM john",
"User mike does not have sufficient privileges to perform the requested operation")
- cassandra.execute("REVOKE role1 FROM john")
- mike.execute("REVOKE role2 from john")
+ self.superuser.execute("REVOKE role1 FROM john")
+ as_mike.execute("REVOKE role2 from john")
def test_list_roles(self):
"""
@@ -1527,36 +1562,37 @@ class TestAuthRoles(Tester):
* Verify LIST ROLES for each role is correct
* Verify a role cannot LIST ROLES for another ROLE without being a superuser, or having the DESCRIBE permission
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("CREATE ROLE role1")
- cassandra.execute("CREATE ROLE role2")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("CREATE ROLE role1")
+ self.superuser.execute("CREATE ROLE role2")
+ mike = self.role('mike')
+ role1 = self.role('role1', login=False)
+ role2 = self.role('role2', login=False)
- assert_all(cassandra, "LIST ROLES", [list(cassandra_role), list(mike_role), list(role1_role), list(role2_role)])
+ assert_all(self.superuser, "LIST ROLES", [list(self.cassandra_role), list(mike), list(role1), list(role2)])
- cassandra.execute("GRANT role1 TO role2")
- cassandra.execute("GRANT role2 TO mike")
+ self.superuser.execute("GRANT role1 TO role2")
+ self.superuser.execute("GRANT role2 TO mike")
- assert_all(cassandra, "LIST ROLES OF role2", [list(role1_role), list(role2_role)])
- assert_all(cassandra, "LIST ROLES OF mike", [list(mike_role), list(role1_role), list(role2_role)])
- assert_all(cassandra, "LIST ROLES OF mike NORECURSIVE", [list(mike_role), list(role2_role)])
+ assert_all(self.superuser, "LIST ROLES OF role2", [list(role1), list(role2)])
+ assert_all(self.superuser, "LIST ROLES OF mike", [list(mike), list(role1), list(role2)])
+ assert_all(self.superuser, "LIST ROLES OF mike NORECURSIVE", [list(mike), list(role2)])
- mike = self.get_session(user='mike', password='12345')
- assert_unauthorized(mike,
+ as_mike = self.get_session(user='mike', password='12345')
+ assert_unauthorized(as_mike,
"LIST ROLES OF cassandra",
"You are not authorized to view roles granted to cassandra")
- assert_all(mike, "LIST ROLES", [list(mike_role), list(role1_role), list(role2_role)])
- assert_all(mike, "LIST ROLES OF mike", [list(mike_role), list(role1_role), list(role2_role)])
- assert_all(mike, "LIST ROLES OF mike NORECURSIVE", [list(mike_role), list(role2_role)])
- assert_all(mike, "LIST ROLES OF role2", [list(role1_role), list(role2_role)])
+ assert_all(as_mike, "LIST ROLES", [list(mike), list(role1), list(role2)])
+ assert_all(as_mike, "LIST ROLES OF mike", [list(mike), list(role1), list(role2)])
+ assert_all(as_mike, "LIST ROLES OF mike NORECURSIVE", [list(mike), list(role2)])
+ assert_all(as_mike, "LIST ROLES OF role2", [list(role1), list(role2)])
# without SELECT permission on the root level roles resource, LIST ROLES with no OF
# returns only the roles granted to the user. With it, it includes all roles.
- assert_all(mike, "LIST ROLES", [list(mike_role), list(role1_role), list(role2_role)])
- cassandra.execute("GRANT DESCRIBE ON ALL ROLES TO mike")
- assert_all(mike, "LIST ROLES", [list(cassandra_role), list(mike_role), list(role1_role), list(role2_role)])
+ assert_all(as_mike, "LIST ROLES", [list(mike), list(role1), list(role2)])
+ self.superuser.execute("GRANT DESCRIBE ON ALL ROLES TO mike")
+ assert_all(as_mike, "LIST ROLES", [list(self.cassandra_role), list(mike), list(role1), list(role2)])
def test_grant_revoke_permissions(self):
"""
@@ -1570,29 +1606,27 @@ class TestAuthRoles(Tester):
* Restore role1 to mike, but revoke role1's permissions
* Verify mike can no longer use ks.cf
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}")
- cassandra.execute("CREATE TABLE ks.cf (id int primary key, val int)")
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("CREATE ROLE role1")
- cassandra.execute("GRANT ALL ON table ks.cf TO role1")
- cassandra.execute("GRANT role1 TO mike")
+ self.superuser.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}")
+ self.superuser.execute("CREATE TABLE ks.cf (id int primary key, val int)")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("CREATE ROLE role1")
+ self.superuser.execute("GRANT ALL ON table ks.cf TO role1")
+ self.superuser.execute("GRANT role1 TO mike")
- mike = self.get_session(user='mike', password='12345')
- mike.execute("INSERT INTO ks.cf (id, val) VALUES (0, 0)")
+ as_mike = self.get_session(user='mike', password='12345')
+ as_mike.execute("INSERT INTO ks.cf (id, val) VALUES (0, 0)")
- assert_one(mike, "SELECT * FROM ks.cf", [0, 0])
+ assert_one(as_mike, "SELECT * FROM ks.cf", [0, 0])
- cassandra.execute("REVOKE role1 FROM mike")
- assert_unauthorized(mike,
+ self.superuser.execute("REVOKE role1 FROM mike")
+ assert_unauthorized(as_mike,
"INSERT INTO ks.cf (id, val) VALUES (0, 0)",
"mike has no MODIFY permission on <table ks.cf> or any of its parents")
- cassandra.execute("GRANT role1 TO mike")
- cassandra.execute("REVOKE ALL ON ks.cf FROM role1")
+ self.superuser.execute("GRANT role1 TO mike")
+ self.superuser.execute("REVOKE ALL ON ks.cf FROM role1")
- assert_unauthorized(mike,
+ assert_unauthorized(as_mike,
"INSERT INTO ks.cf (id, val) VALUES (0, 0)",
"mike has no MODIFY permission on <table ks.cf> or any of its parents")
@@ -1605,112 +1639,110 @@ class TestAuthRoles(Tester):
* Grant ALL permissions to mike for each resource. Verify they show up in LIST ALL PERMISSIONS
* Verify you can't selectively grant invalid permissions for a given resource. ex: CREATE on an existing table
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}")
- cassandra.execute("CREATE TABLE ks.cf (id int primary key, val int)")
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("CREATE ROLE role1 WITH SUPERUSER = false AND LOGIN = false")
- cassandra.execute("CREATE FUNCTION ks.state_func(a int, b int) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'a+b'")
- cassandra.execute("CREATE AGGREGATE ks.agg_func(int) SFUNC state_func STYPE int")
+ self.superuser.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}")
+ self.superuser.execute("CREATE TABLE ks.cf (id int primary key, val int)")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("CREATE ROLE role1 WITH SUPERUSER = false AND LOGIN = false")
+ self.superuser.execute("CREATE FUNCTION ks.state_func(a int, b int) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'a+b'")
+ self.superuser.execute("CREATE AGGREGATE ks.agg_func(int) SFUNC state_func STYPE int")
# GRANT ALL ON ALL KEYSPACES grants Permission.ALL_DATA
# GRANT ALL ON KEYSPACE grants Permission.ALL_DATA
- cassandra.execute("GRANT ALL ON KEYSPACE ks TO mike")
+ self.superuser.execute("GRANT ALL ON KEYSPACE ks TO mike")
self.assert_permissions_listed([("mike", "<keyspace ks>", "CREATE"),
("mike", "<keyspace ks>", "ALTER"),
("mike", "<keyspace ks>", "DROP"),
("mike", "<keyspace ks>", "SELECT"),
("mike", "<keyspace ks>", "MODIFY"),
("mike", "<keyspace ks>", "AUTHORIZE")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF mike")
- cassandra.execute("REVOKE ALL ON KEYSPACE ks FROM mike")
+ self.superuser.execute("REVOKE ALL ON KEYSPACE ks FROM mike")
# GRANT ALL ON TABLE does not include CREATE (because the table must already be created before the GRANT)
- cassandra.execute("GRANT ALL ON ks.cf TO MIKE")
+ self.superuser.execute("GRANT ALL ON ks.cf TO MIKE")
self.assert_permissions_listed([("mike", "<table ks.cf>", "ALTER"),
("mike", "<table ks.cf>", "DROP"),
("mike", "<table ks.cf>", "SELECT"),
("mike", "<table ks.cf>", "MODIFY"),
("mike", "<table ks.cf>", "AUTHORIZE")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF mike")
- cassandra.execute("REVOKE ALL ON ks.cf FROM mike")
- assert_invalid(cassandra,
+ self.superuser.execute("REVOKE ALL ON ks.cf FROM mike")
+ assert_invalid(self.superuser,
"GRANT CREATE ON ks.cf TO MIKE",
"Resource type DataResource does not support any of the requested permissions",
SyntaxException)
# GRANT ALL ON ALL ROLES includes SELECT & CREATE on the root level roles resource
- cassandra.execute("GRANT ALL ON ALL ROLES TO mike")
+ self.superuser.execute("GRANT ALL ON ALL ROLES TO mike")
self.assert_permissions_listed([("mike", "<all roles>", "CREATE"),
("mike", "<all roles>", "ALTER"),
("mike", "<all roles>", "DROP"),
("mike", "<all roles>", "DESCRIBE"),
("mike", "<all roles>", "AUTHORIZE")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF mike")
- cassandra.execute("REVOKE ALL ON ALL ROLES FROM mike")
- assert_invalid(cassandra,
+ self.superuser.execute("REVOKE ALL ON ALL ROLES FROM mike")
+ assert_invalid(self.superuser,
"GRANT SELECT ON ALL ROLES TO MIKE",
"Resource type RoleResource does not support any of the requested permissions",
SyntaxException)
# GRANT ALL ON ROLE does not include CREATE (because the role must already be created before the GRANT)
- cassandra.execute("GRANT ALL ON ROLE role1 TO mike")
+ self.superuser.execute("GRANT ALL ON ROLE role1 TO mike")
self.assert_permissions_listed([("mike", "<role role1>", "ALTER"),
("mike", "<role role1>", "DROP"),
("mike", "<role role1>", "AUTHORIZE")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF mike")
- assert_invalid(cassandra,
+ assert_invalid(self.superuser,
"GRANT CREATE ON ROLE role1 TO MIKE",
"Resource type RoleResource does not support any of the requested permissions",
SyntaxException)
- cassandra.execute("REVOKE ALL ON ROLE role1 FROM mike")
+ self.superuser.execute("REVOKE ALL ON ROLE role1 FROM mike")
# GRANT ALL ON ALL FUNCTIONS or on all functions for a single keyspace includes AUTHORIZE, EXECUTE and USAGE
- cassandra.execute("GRANT ALL ON ALL FUNCTIONS TO mike")
+ self.superuser.execute("GRANT ALL ON ALL FUNCTIONS TO mike")
self.assert_permissions_listed([("mike", "<all functions>", "CREATE"),
("mike", "<all functions>", "ALTER"),
("mike", "<all functions>", "DROP"),
("mike", "<all functions>", "AUTHORIZE"),
("mike", "<all functions>", "EXECUTE")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF mike")
- cassandra.execute("REVOKE ALL ON ALL FUNCTIONS FROM mike")
+ self.superuser.execute("REVOKE ALL ON ALL FUNCTIONS FROM mike")
- cassandra.execute("GRANT ALL ON ALL FUNCTIONS IN KEYSPACE ks TO mike")
+ self.superuser.execute("GRANT ALL ON ALL FUNCTIONS IN KEYSPACE ks TO mike")
self.assert_permissions_listed([("mike", "<all functions in ks>", "CREATE"),
("mike", "<all functions in ks>", "ALTER"),
("mike", "<all functions in ks>", "DROP"),
("mike", "<all functions in ks>", "AUTHORIZE"),
("mike", "<all functions in ks>", "EXECUTE")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF mike")
- cassandra.execute("REVOKE ALL ON ALL FUNCTIONS IN KEYSPACE ks FROM mike")
+ self.superuser.execute("REVOKE ALL ON ALL FUNCTIONS IN KEYSPACE ks FROM mike")
# GRANT ALL ON FUNCTION includes AUTHORIZE, EXECUTE and USAGE for scalar functions and
# AUTHORIZE and EXECUTE for aggregates
- cassandra.execute("GRANT ALL ON FUNCTION ks.state_func(int, int) TO mike")
+ self.superuser.execute("GRANT ALL ON FUNCTION ks.state_func(int, int) TO mike")
self.assert_permissions_listed([("mike", "<function ks.state_func(int, int)>", "ALTER"),
("mike", "<function ks.state_func(int, int)>", "DROP"),
("mike", "<function ks.state_func(int, int)>", "AUTHORIZE"),
("mike", "<function ks.state_func(int, int)>", "EXECUTE")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF mike")
- cassandra.execute("REVOKE ALL ON FUNCTION ks.state_func(int, int) FROM mike")
+ self.superuser.execute("REVOKE ALL ON FUNCTION ks.state_func(int, int) FROM mike")
- cassandra.execute("GRANT ALL ON FUNCTION ks.agg_func(int) TO mike")
+ self.superuser.execute("GRANT ALL ON FUNCTION ks.agg_func(int) TO mike")
self.assert_permissions_listed([("mike", "<function ks.agg_func(int)>", "ALTER"),
("mike", "<function ks.agg_func(int)>", "DROP"),
("mike", "<function ks.agg_func(int)>", "AUTHORIZE"),
("mike", "<function ks.agg_func(int)>", "EXECUTE")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF mike")
- cassandra.execute("REVOKE ALL ON FUNCTION ks.agg_func(int) FROM mike")
+ self.superuser.execute("REVOKE ALL ON FUNCTION ks.agg_func(int) FROM mike")
def test_list_permissions(self):
"""
@@ -1721,19 +1753,17 @@ class TestAuthRoles(Tester):
* Grant various permissions to roles
* Verify they propagate appropriately.
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}")
- cassandra.execute("CREATE TABLE ks.cf (id int primary key, val int)")
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("CREATE ROLE role1")
- cassandra.execute("CREATE ROLE role2")
- cassandra.execute("GRANT SELECT ON table ks.cf TO role1")
- cassandra.execute("GRANT ALTER ON table ks.cf TO role2")
- cassandra.execute("GRANT MODIFY ON table ks.cf TO mike")
- cassandra.execute("GRANT ALTER ON ROLE role1 TO role2")
- cassandra.execute("GRANT role1 TO role2")
- cassandra.execute("GRANT role2 TO mike")
+ self.superuser.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}")
+ self.superuser.execute("CREATE TABLE ks.cf (id int primary key, val int)")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("CREATE ROLE role1")
+ self.superuser.execute("CREATE ROLE role2")
+ self.superuser.execute("GRANT SELECT ON table ks.cf TO role1")
+ self.superuser.execute("GRANT ALTER ON table ks.cf TO role2")
+ self.superuser.execute("GRANT MODIFY ON table ks.cf TO mike")
+ self.superuser.execute("GRANT ALTER ON ROLE role1 TO role2")
+ self.superuser.execute("GRANT role1 TO role2")
+ self.superuser.execute("GRANT role2 TO mike")
expected_permissions = [("mike", "<table ks.cf>", "MODIFY"),
("role1", "<table ks.cf>", "SELECT"),
@@ -1745,48 +1775,48 @@ class TestAuthRoles(Tester):
expected_permissions.extend(role_creator_permissions('cassandra', '<role role1>'))
expected_permissions.extend(role_creator_permissions('cassandra', '<role role2>'))
- self.assert_permissions_listed(expected_permissions, cassandra, "LIST ALL PERMISSIONS")
+ self.assert_permissions_listed(expected_permissions, self.superuser, "LIST ALL PERMISSIONS")
self.assert_permissions_listed([("role1", "<table ks.cf>", "SELECT")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF role1")
self.assert_permissions_listed([("role1", "<table ks.cf>", "SELECT"),
("role2", "<table ks.cf>", "ALTER"),
("role2", "<role role1>", "ALTER")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF role2")
self.assert_permissions_listed([("cassandra", "<role role1>", "ALTER"),
("cassandra", "<role role1>", "DROP"),
("cassandra", "<role role1>", "AUTHORIZE"),
("role2", "<role role1>", "ALTER")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS ON ROLE role1")
# we didn't specifically grant DROP on role1, so only it's creator should have it
self.assert_permissions_listed([("cassandra", "<role role1>", "DROP")],
- cassandra,
+ self.superuser,
"LIST DROP PERMISSION ON ROLE role1")
# but we did specifically grant ALTER role1 to role2
# so that should be listed whether we include an OF clause or not
self.assert_permissions_listed([("cassandra", "<role role1>", "ALTER"),
("role2", "<role role1>", "ALTER")],
- cassandra,
+ self.superuser,
"LIST ALTER PERMISSION ON ROLE role1")
self.assert_permissions_listed([("role2", "<role role1>", "ALTER")],
- cassandra,
+ self.superuser,
"LIST ALTER PERMISSION ON ROLE role1 OF role2")
# make sure ALTER on role2 is excluded properly when OF is for another role
- cassandra.execute("CREATE ROLE role3 WITH SUPERUSER = false AND LOGIN = false")
- assert list(cassandra.execute("LIST ALTER PERMISSION ON ROLE role1 OF role3")) == []
+ self.superuser.execute("CREATE ROLE role3 WITH SUPERUSER = false AND LOGIN = false")
+ assert list(self.superuser.execute("LIST ALTER PERMISSION ON ROLE role1 OF role3")) == []
# now check users can list their own permissions
- mike = self.get_session(user='mike', password='12345')
+ as_mike = self.get_session(user='mike', password='12345')
self.assert_permissions_listed([("mike", "<table ks.cf>", "MODIFY"),
("role1", "<table ks.cf>", "SELECT"),
("role2", "<table ks.cf>", "ALTER"),
("role2", "<role role1>", "ALTER")],
- mike,
+ as_mike,
"LIST ALL PERMISSIONS OF mike")
def test_list_permissions_validation(self):
@@ -1798,38 +1828,35 @@ class TestAuthRoles(Tester):
* Verify mike can see the permissions of his role, and the roles granted to him
* Verify mike cannot see all permissions, or those of roles not granted to him
"""
- self.prepare()
+ self.superuser.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}")
+ self.superuser.execute("CREATE TABLE ks.cf (id int primary key, val int)")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("CREATE ROLE john WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("CREATE ROLE role1")
+ self.superuser.execute("CREATE ROLE role2")
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}")
- cassandra.execute("CREATE TABLE ks.cf (id int primary key, val int)")
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("CREATE ROLE john WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("CREATE ROLE role1")
- cassandra.execute("CREATE ROLE role2")
+ self.superuser.execute("GRANT SELECT ON table ks.cf TO role1")
+ self.superuser.execute("GRANT ALTER ON table ks.cf TO role2")
+ self.superuser.execute("GRANT MODIFY ON table ks.cf TO john")
- cassandra.execute("GRANT SELECT ON table ks.cf TO role1")
- cassandra.execute("GRANT ALTER ON table ks.cf TO role2")
- cassandra.execute("GRANT MODIFY ON table ks.cf TO john")
+ self.superuser.execute("GRANT role1 TO role2")
+ self.superuser.execute("GRANT role2 TO mike")
- cassandra.execute("GRANT role1 TO role2")
- cassandra.execute("GRANT role2 TO mike")
-
- mike = self.get_session(user='mike', password='12345')
+ as_mike = self.get_session(user='mike', password='12345')
self.assert_permissions_listed([("role1", "<table ks.cf>", "SELECT"),
("role2", "<table ks.cf>", "ALTER")],
- mike,
+ as_mike,
"LIST ALL PERMISSIONS OF role2")
self.assert_permissions_listed([("role1", "<table ks.cf>", "SELECT")],
- mike,
+ as_mike,
"LIST ALL PERMISSIONS OF role1")
- assert_unauthorized(mike,
+ assert_unauthorized(as_mike,
"LIST ALL PERMISSIONS",
"You are not authorized to view everyone's permissions")
- assert_unauthorized(mike,
+ assert_unauthorized(as_mike,
"LIST ALL PERMISSIONS OF john",
"You are not authorized to view john's permissions")
@@ -1845,27 +1872,33 @@ class TestAuthRoles(Tester):
* Revoke role1, and thus read permissions, from mike.
* Try reading as mike, and verify that eventually the cache expires and it fails.
"""
- self.prepare(roles_expiry=2000)
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}")
- cassandra.execute("CREATE TABLE ks.cf (id int primary key, val int)")
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("CREATE ROLE role1")
- cassandra.execute("GRANT ALL ON table ks.cf TO role1")
- cassandra.execute("GRANT role1 TO mike")
+ # on older versions the cache is not initialized until used,
+ # we need the MBean registered so let's use it
+ if self.dtest_config.cassandra_version_from_build < '4.0':
+ self.superuser.execute("LIST ROLES")
- mike = self.get_session(user='mike', password='12345')
- mike.execute("INSERT INTO ks.cf (id, val) VALUES (0, 0)")
+ mbean = make_mbean('auth', type='RolesCache')
+ with JolokiaAgent(self.cluster.nodelist()[0]) as jmx:
+ jmx.write_attribute(mbean, 'Validity', 2000)
+
+ self.setup_table()
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("CREATE ROLE role1")
+ self.superuser.execute("GRANT ALL ON table ks.t1 TO role1")
+ self.superuser.execute("GRANT role1 TO mike")
- assert_one(mike, "SELECT * FROM ks.cf", [0, 0])
+ as_mike = self.get_session(user='mike', password='12345')
+ as_mike.execute("INSERT INTO ks.t1 (k, v) VALUES (0, 0)")
- cassandra.execute("REVOKE role1 FROM mike")
+ assert_one(as_mike, "SELECT * FROM ks.t1", [0, 0])
+
+ self.superuser.execute("REVOKE role1 FROM mike")
# mike should retain permissions until the cache expires
unauthorized = None
cnt = 0
while not unauthorized and cnt < 20:
try:
- mike.execute("SELECT * FROM ks.cf")
+ as_mike.execute("SELECT * FROM ks.t1")
cnt += 1
time.sleep(.5)
except Unauthorized as e:
@@ -1873,7 +1906,7 @@ class TestAuthRoles(Tester):
assert unauthorized is not None
- def drop_non_existent_role_should_not_update_cache(self):
+ def test_drop_non_existent_role_should_not_update_cache(self):
"""
This test checks that dropping a nonexistent role doesn't
create an entry in the auth cache.
@@ -1884,22 +1917,30 @@ class TestAuthRoles(Tester):
* Connect as the new role, and ensure it can issue reads.
@jira_ticket CASSANDRA-9189
"""
+
+ # on older versions the cache is not initialized until used,
+ # we need the MBean registered so let's use it
+ if self.dtest_config.cassandra_version_from_build < '4.0':
+ self.superuser.execute("LIST ROLES")
+
# The su status check during DROP ROLE IF EXISTS <role>
# should not cause a non-existent role to be cached (CASSANDRA-9189)
- self.prepare(roles_expiry=10000)
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE KEYSPACE ks WITH replication = {'class':'SimpleStrategy', 'replication_factor':1}")
- cassandra.execute("CREATE TABLE ks.cf (id int primary key, val int)")
+ mbean = make_mbean('auth', type='RolesCache')
+ with JolokiaAgent(self.cluster.nodelist()[0]) as jmx:
+ jmx.write_attribute(mbean, 'Validity', 10000)
+
+ self.setup_table()
+
# Dropping a role which doesn't exist should be a no-op. If we cache the fact
# that the role doesn't exist though, subsequent authz attempts which should
# succeed will fail due to the erroneous cache entry
- cassandra.execute("DROP ROLE IF EXISTS mike")
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND LOGIN = true")
- cassandra.execute("GRANT ALL ON ks.cf TO mike")
+ self.superuser.execute("DROP ROLE IF EXISTS mike")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND LOGIN = true")
+ self.superuser.execute("GRANT ALL ON ks.t1 TO mike")
- mike = self.get_session(user='mike', password='12345')
- mike.execute("SELECT * FROM ks.cf")
+ as_mike = self.get_session(user='mike', password='12345')
+ as_mike.execute("SELECT * FROM ks.t1")
def test_prevent_circular_grants(self):
"""
@@ -1908,18 +1949,16 @@ class TestAuthRoles(Tester):
* Create several roles
* Verify we cannot grant roles in circular chain
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE mike")
- cassandra.execute("CREATE ROLE role1")
- cassandra.execute("CREATE ROLE role2")
- cassandra.execute("GRANT role2 to role1")
- cassandra.execute("GRANT role1 TO mike")
- assert_invalid(cassandra,
+ self.superuser.execute("CREATE ROLE mike")
+ self.superuser.execute("CREATE ROLE role1")
+ self.superuser.execute("CREATE ROLE role2")
+ self.superuser.execute("GRANT role2 to role1")
+ self.superuser.execute("GRANT role1 TO mike")
+ assert_invalid(self.superuser,
"GRANT mike TO role1",
"mike is a member of role1",
InvalidRequest)
- assert_invalid(cassandra,
+ assert_invalid(self.superuser,
"GRANT mike TO role2",
"mike is a member of role2",
InvalidRequest)
@@ -1930,13 +1969,11 @@ class TestAuthRoles(Tester):
* Connect as the default superuser
* Attempt to create roles using "CREATE USER". Verify still works
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE USER mike WITH PASSWORD '12345' NOSUPERUSER")
- assert_one(cassandra, "LIST ROLES OF mike", list(mike_role))
+ self.superuser.execute("CREATE USER mike WITH PASSWORD '12345' NOSUPERUSER")
+ assert_one(self.superuser, "LIST ROLES OF mike", list(self.role('mike')))
- cassandra.execute("CREATE USER super_user WITH PASSWORD '12345' SUPERUSER")
- assert_one(cassandra, "LIST ROLES OF super_user", ["super_user", True, True, {}] + all_dcs)
+ self.superuser.execute("CREATE USER super_user WITH PASSWORD '12345' SUPERUSER")
+ assert_one(self.superuser, "LIST ROLES OF super_user", list(self.role('super_user', superuser=True)))
def test_role_name(self):
"""
@@ -1948,32 +1985,30 @@ class TestAuthRoles(Tester):
* Verify that CREATE USER is always case sensitive
@jira_ticket CASSANDRA-10394
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
# unquoted identifiers and unreserved keyword do not preserve case
# count
- cassandra.execute("CREATE ROLE ROLE1 WITH PASSWORD = '12345' AND LOGIN = true")
+ self.superuser.execute("CREATE ROLE ROLE1 WITH PASSWORD = '12345' AND LOGIN = true")
self.assert_unauthenticated('ROLE1', '12345')
- cassandra.execute("CREATE ROLE COUNT WITH PASSWORD = '12345' AND LOGIN = true")
+ self.superuser.execute("CREATE ROLE COUNT WITH PASSWORD = '12345' AND LOGIN = true")
self.assert_unauthenticated('COUNT', '12345')
self.get_session(user='count', password='12345')
# string literals and quoted names do preserve case
- cassandra.execute("CREATE ROLE 'ROLE2' WITH PASSWORD = '12345' AND LOGIN = true")
+ self.superuser.execute("CREATE ROLE 'ROLE2' WITH PASSWORD = '12345' AND LOGIN = true")
self.get_session(user='ROLE2', password='12345')
self.assert_unauthenticated('Role2', '12345')
- cassandra.execute("""CREATE ROLE "ROLE3" WITH PASSWORD = '12345' AND LOGIN = true""")
+ self.superuser.execute("""CREATE ROLE "ROLE3" WITH PASSWORD = '12345' AND LOGIN = true""")
self.get_session(user='ROLE3', password='12345')
self.assert_unauthenticated('Role3', '12345')
# when using legacy USER syntax, both unquoted identifiers and string literals preserve case
- cassandra.execute("CREATE USER USER1 WITH PASSWORD '12345'")
+ self.superuser.execute("CREATE USER USER1 WITH PASSWORD '12345'")
self.get_session(user='USER1', password='12345')
self.assert_unauthenticated('User1', '12345')
- cassandra.execute("CREATE USER 'USER2' WITH PASSWORD '12345'")
+ self.superuser.execute("CREATE USER 'USER2' WITH PASSWORD '12345'")
self.get_session(user='USER2', password='12345')
self.assert_unauthenticated('User2', '12345')
@@ -1986,18 +2021,16 @@ class TestAuthRoles(Tester):
* Remove mike's login privilege. Verify mike cannot login
* Restore mike's login privilege. Verify mike can connect again.
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- assert_one(cassandra, "LIST ROLES OF mike", list(mike_role))
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ assert_one(self.superuser, "LIST ROLES OF mike", list(self.role('mike')))
self.get_session(user='mike', password='12345')
- cassandra.execute("ALTER ROLE mike WITH LOGIN = false")
- assert_one(cassandra, "LIST ROLES OF mike", ["mike", False, False, {}] + na_dcs)
+ self.superuser.execute("ALTER ROLE mike WITH LOGIN = false")
+ assert_one(self.superuser, "LIST ROLES OF mike", list(self.role('mike', login=False)))
self.assert_login_not_allowed('mike', '12345')
- cassandra.execute("ALTER ROLE mike WITH LOGIN = true")
- assert_one(cassandra, "LIST ROLES OF mike", ["mike", False, True, {}] + all_dcs)
+ self.superuser.execute("ALTER ROLE mike WITH LOGIN = true")
+ assert_one(self.superuser, "LIST ROLES OF mike", list(self.role('mike', login=True)))
self.get_session(user='mike', password='12345')
def test_roles_do_not_inherit_login_privilege(self):
@@ -2008,15 +2041,14 @@ class TestAuthRoles(Tester):
* Grant the other user to mike.
* Verify mike still cannot log in.
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = false")
- cassandra.execute("CREATE ROLE with_login WITH PASSWORD = '54321' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("GRANT with_login to mike")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = false")
+ self.superuser.execute("CREATE ROLE with_login WITH PASSWORD = '54321' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("GRANT with_login to mike")
+ mike = self.role('mike', login=False)
+ with_login = self.role('with_login')
- assert_all(cassandra, "LIST ROLES OF mike", [["mike", False, False, {}] + na_dcs,
- ["with_login", False, True, {}] + all_dcs])
- assert_one(cassandra, "LIST ROLES OF with_login", ["with_login", False, True, {}] + all_dcs)
+ assert_all(self.superuser, "LIST ROLES OF mike", [list(mike), list(with_login)])
+ assert_one(self.superuser, "LIST ROLES OF with_login", list(with_login))
self.assert_login_not_allowed("mike", "12345")
@@ -2029,14 +2061,9 @@ class TestAuthRoles(Tester):
* Alter mike and add a password
* Verify mike can now connect
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE mike WITH SUPERUSER = false AND LOGIN = true")
- if self.cluster.cassandra_version() >= '3.8':
- self.assert_unauthenticated('mike', None)
- else:
- self.assert_unauthenticated('mike', None)
- cassandra.execute("ALTER ROLE mike WITH PASSWORD = '12345'")
+ self.superuser.execute("CREATE ROLE mike WITH SUPERUSER = false AND LOGIN = true")
+ self.assert_unauthenticated('mike', None)
+ self.superuser.execute("ALTER ROLE mike WITH PASSWORD = '12345'")
self.get_session(user='mike', password='12345')
def test_superuser_status_is_inherited(self):
@@ -2049,22 +2076,20 @@ class TestAuthRoles(Tester):
* Grant the superuser role to mike.
* Verify that mike now has all permissions
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("CREATE ROLE db_admin WITH SUPERUSER = true")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("CREATE ROLE db_admin WITH SUPERUSER = true")
- mike = self.get_session(user='mike', password='12345')
- assert_unauthorized(mike,
+ as_mike = self.get_session(user='mike', password='12345')
+ assert_unauthorized(as_mike,
"CREATE ROLE another_role WITH SUPERUSER = false AND LOGIN = false",
"User mike does not have sufficient privileges to perform the requested operation")
- cassandra.execute("GRANT db_admin TO mike")
- mike.execute("CREATE ROLE another_role WITH SUPERUSER = false AND LOGIN = false")
- assert_all(mike, "LIST ROLES", [["another_role", False, False, {}] + na_dcs,
- list(cassandra_role),
- ["db_admin", True, False, {}] + na_dcs,
- list(mike_role)])
+ self.superuser.execute("GRANT db_admin TO mike")
+ as_mike.execute("CREATE ROLE another_role WITH SUPERUSER = false AND LOGIN = false")
+ assert_all(as_mike, "LIST ROLES", [list(self.role('another_role', superuser=False, login=False)),
+ list(self.cassandra_role),
+ list(self.role('db_admin', superuser=True, login=False)),
+ list(self.role('mike'))])
def test_list_users_considers_inherited_superuser_status(self):
"""
@@ -2074,13 +2099,13 @@ class TestAuthRoles(Tester):
* Grant the superuser role to mike
* Verify that LIST USERS shows mike as a superuser, even though that privilege is granted indirectly
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- cassandra.execute("CREATE ROLE db_admin WITH SUPERUSER = true")
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
- cassandra.execute("GRANT db_admin TO mike")
- assert_all(cassandra, "LIST USERS", [['cassandra', True] + all_dcs,
- ["mike", True] + all_dcs])
+ self.superuser.execute("CREATE ROLE db_admin WITH SUPERUSER = true")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND SUPERUSER = false AND LOGIN = true")
+ self.superuser.execute("GRANT db_admin TO mike")
+ if self.dtest_config.cassandra_version_from_build >= '4.0':
+ assert_all(self.superuser, "LIST USERS", [['cassandra', True, 'ALL'], ['mike', True, 'ALL']])
+ else:
+ assert_all(self.superuser, "LIST USERS", [['cassandra', True], ['mike', True]])
# UDF permissions tests # TODO move to separate fixture & refactor this + auth_test.py
def test_grant_revoke_udf_permissions(self):
@@ -2091,43 +2116,41 @@ class TestAuthRoles(Tester):
* Create two UDFs
* Selectively grant and revoke each possible UDF permission to mike, and verify those operations worked
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- self.setup_table(cassandra)
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND LOGIN = true")
- cassandra.execute("CREATE FUNCTION ks.plus_one ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'")
- cassandra.execute("CREATE FUNCTION ks.\"plusOne\" ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'")
+ self.setup_table()
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND LOGIN = true")
+ self.superuser.execute("CREATE FUNCTION ks.plus_one ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'")
+ self.superuser.execute("CREATE FUNCTION ks.\"plusOne\" ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'")
# grant / revoke on a specific function
- cassandra.execute("GRANT EXECUTE ON FUNCTION ks.plus_one(int) TO mike")
- cassandra.execute("GRANT EXECUTE ON FUNCTION ks.\"plusOne\"(int) TO mike")
+ self.superuser.execute("GRANT EXECUTE ON FUNCTION ks.plus_one(int) TO mike")
+ self.superuser.execute("GRANT EXECUTE ON FUNCTION ks.\"plusOne\"(int) TO mike")
self.assert_permissions_listed([("mike", "<function ks.plus_one(int)>", "EXECUTE"),
("mike", "<function ks.plusOne(int)>", "EXECUTE")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF mike")
- cassandra.execute("REVOKE ALL PERMISSIONS ON FUNCTION ks.plus_one(int) FROM mike")
+ self.superuser.execute("REVOKE ALL PERMISSIONS ON FUNCTION ks.plus_one(int) FROM mike")
self.assert_permissions_listed([("mike", "<function ks.plusOne(int)>", "EXECUTE")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF mike")
- cassandra.execute("REVOKE EXECUTE PERMISSION ON FUNCTION ks.\"plusOne\"(int) FROM mike")
- self.assert_no_permissions(cassandra, "LIST ALL PERMISSIONS OF mike")
+ self.superuser.execute("REVOKE EXECUTE PERMISSION ON FUNCTION ks.\"plusOne\"(int) FROM mike")
+ self.assert_no_permissions(self.superuser, "LIST ALL PERMISSIONS OF mike")
# grant / revoke on all functions in a given keyspace
- cassandra.execute("GRANT EXECUTE PERMISSION ON ALL FUNCTIONS IN KEYSPACE ks TO mike")
+ self.superuser.execute("GRANT EXECUTE PERMISSION ON ALL FUNCTIONS IN KEYSPACE ks TO mike")
self.assert_permissions_listed([("mike", "<all functions in ks>", "EXECUTE")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF mike")
- cassandra.execute("REVOKE EXECUTE PERMISSION ON ALL FUNCTIONS IN KEYSPACE ks FROM mike")
- self.assert_no_permissions(cassandra, "LIST ALL PERMISSIONS OF mike")
+ self.superuser.execute("REVOKE EXECUTE PERMISSION ON ALL FUNCTIONS IN KEYSPACE ks FROM mike")
+ self.assert_no_permissions(self.superuser, "LIST ALL PERMISSIONS OF mike")
# grant / revoke on all (non-builtin) functions
- cassandra.execute("GRANT EXECUTE PERMISSION ON ALL FUNCTIONS TO mike")
+ self.superuser.execute("GRANT EXECUTE PERMISSION ON ALL FUNCTIONS TO mike")
self.assert_permissions_listed([("mike", "<all functions>", "EXECUTE")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF mike")
- cassandra.execute("REVOKE EXECUTE PERMISSION ON ALL FUNCTIONS FROM mike")
- self.assert_no_permissions(cassandra, "LIST ALL PERMISSIONS OF mike")
+ self.superuser.execute("REVOKE EXECUTE PERMISSION ON ALL FUNCTIONS FROM mike")
+ self.assert_no_permissions(self.superuser, "LIST ALL PERMISSIONS OF mike")
def test_grant_revoke_are_idempotent(self):
"""
@@ -2138,20 +2161,18 @@ class TestAuthRoles(Tester):
* Issue multiple grants and revokes of permissions for the UDF to mike
* Verify the grants/revokes are idempotent, and were successful
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- self.setup_table(cassandra)
- cassandra.execute("CREATE ROLE mike")
- cassandra.execute("CREATE FUNCTION ks.plus_one ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'")
- cassandra.execute("GRANT EXECUTE ON FUNCTION ks.plus_one(int) TO mike")
- cassandra.execute("GRANT EXECUTE ON FUNCTION ks.plus_one(int) TO mike")
+ self.setup_table()
+ self.superuser.execute("CREATE ROLE mike")
+ self.superuser.execute("CREATE FUNCTION ks.plus_one ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'")
+ self.superuser.execute("GRANT EXECUTE ON FUNCTION ks.plus_one(int) TO mike")
+ self.superuser.execute("GRANT EXECUTE ON FUNCTION ks.plus_one(int) TO mike")
self.assert_permissions_listed([("mike", "<function ks.plus_one(int)>", "EXECUTE")],
- cassandra,
+ self.superuser,
"LIST ALL PERMISSIONS OF mike")
- cassandra.execute("REVOKE EXECUTE ON FUNCTION ks.plus_one(int) FROM mike")
- self.assert_no_permissions(cassandra, "LIST ALL PERMISSIONS OF mike")
- cassandra.execute("REVOKE EXECUTE ON FUNCTION ks.plus_one(int) FROM mike")
- self.assert_no_permissions(cassandra, "LIST ALL PERMISSIONS OF mike")
+ self.superuser.execute("REVOKE EXECUTE ON FUNCTION ks.plus_one(int) FROM mike")
+ self.assert_no_permissions(self.superuser, "LIST ALL PERMISSIONS OF mike")
+ self.superuser.execute("REVOKE EXECUTE ON FUNCTION ks.plus_one(int) FROM mike")
+ self.assert_no_permissions(self.superuser, "LIST ALL PERMISSIONS OF mike")
def test_function_resource_hierarchy_permissions(self):
"""
@@ -2166,54 +2187,52 @@ class TestAuthRoles(Tester):
* Verify that revoking EXECUTE ON ALL FUNCTIONS for mike does not affect his function specific permissions
* Check that if mike has keyspace level EXECUTE, that granting/revoking function specific permissions doesn't affect the keyspace level permissions
"""
- self.prepare()
- cassandra = self.get_session(user='cassandra', password='cassandra')
- self.setup_table(cassandra)
- cassandra.execute("INSERT INTO ks.t1 (k,v) values (1,1)")
- cassandra.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND LOGIN = true")
- cassandra.execute("GRANT SELECT ON ks.t1 TO mike")
- cassandra.execute("CREATE FUNCTION ks.func_one ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'")
- cassandra.execute("CREATE FUNCTION ks.func_two ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'")
+ self.setup_table()
+ self.superuser.execute("INSERT INTO ks.t1 (k,v) values (1,1)")
+ self.superuser.execute("CREATE ROLE mike WITH PASSWORD = '12345' AND LOGIN = true")
+ self.superuser.execute("GRANT SELECT ON ks.t1 TO mike")
+ self.superuser.execute("CREATE FUNCTION ks.func_one ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'")
+ self.superuser.execute("CREATE FUNCTION ks.func_two ( input int ) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'input + 1'")
- mike = self.get_session(user='mike', password='12345')
+ as_mike = self.get_session(user='mike', password='12345')
select_one = "SELECT k, v, ks.func_one(v) FROM ks.t1 WHERE k = 1"
select_two = "SELECT k, v, ks.func_two(v) FROM ks.t1 WHERE k = 1"
# grant EXECUTE on only one of the two functions
- cassandra.execute("GRANT EXECUTE ON FUNCTION ks.func_one(int) TO mike")
- mike.execute(select_one)
- assert_unauthorized(mike, select_two,
+ self.superuser.execute("GRANT EXECUTE ON FUNCTION ks.func_one(int) TO mike")
+ as_mike.execute(select_one)
+ assert_unauthorized(as_mike, select_two,
"User mike has no EXECUTE permission on <function ks.func_two\(int\)> or any of its parents")
# granting EXECUTE on all of the parent keyspace's should enable mike to use both functions
- cassandra.execute("GRANT EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks TO mike")
- mike.execute(select_one)
- mike.execute(select_two)
+ self.superuser.execute("GRANT EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks TO mike")
+ as_mike.execute(select_one)
+ as_mike.execute(select_two)
# revoke the keyspace level privilege and verify that the function specific perms are unaffected
- cassandra.execute("REVOKE EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks FROM mike")
- mike.execute(select_one)
- assert_unauthorized(mike, select_two,
+ self.superuser.execute("REVOKE EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks FROM mike")
+ as_mike.execute(select_one)
+ assert_unauthorized(as_mike, select_two,
"User mike has no EXECUTE permission on <function ks.func_two\(int\)> or any of its parents")
# now check that EXECUTE on ALL FUNCTIONS works in the same way
- cassandra.execute("GRANT EXECUTE ON ALL FUNCTIONS TO mike")
- mike.execute(select_one)
- mike.execute(select_two)
- cassandra.execute("REVOKE EXECUTE ON ALL FUNCTIONS FROM mike")
- mike.execute(select_one)
- assert_unauthorized(mike, select_two,
+ self.superuser.execute("GRANT EXECUTE ON ALL FUNCTIONS TO mike")
+ as_mike.execute(select_one)
+ as_mike.execute(select_two)
+ self.superuser.execute("REVOKE EXECUTE ON ALL FUNCTIONS FROM mike")
+ as_mike.execute(select_one)
+ assert_unauthorized(as_mike, select_two,
"User mike has no EXECUTE permission on <function ks.func_two\(int\)> or any of its parents")
# finally, check that revoking function level permissions doesn't affect root/keyspace level perms
- cassandra.execute("GRANT EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks TO mike")
- cassandra.execute("REVOKE EXECUTE ON FUNCTION ks.func_one(int) FROM mike")
- mike.execute(select_one)
- mike.execute(select_two)
- cassandra.execute("REVOKE EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks FROM mike")
- cassandra.execute("GRANT EXECUTE ON FUNCTION ks.func_one(int) TO mike")
- cassandra.execute("GRANT EXECUTE ON ALL FUNCTIONS TO mike")
- mike.execute(select_one)
- mike.execute(select_two)
- cassandra.execute("REVOKE EXECUTE ON FUNCTION ks.func_one(int) FROM mike")
- mike.execute(select_one)
- mike.execute(select_two)
+ self.superuser.execute("GRANT EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks TO mike")
+ self.superuser.execute("REVOKE EXECUTE ON FUNCTION ks.func_one(int) FROM mike")
+ as_mike.execute(select_one)
+ as_mike.execute(select_two)
+ self.superuser.execute("REVOKE EXECUTE ON ALL FUNCTIONS IN KEYSPACE ks FROM mike")
+
<TRUNCATED>
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org