[02/10] cassandra git commit: CASSANDRA-13053: Properly handle GRANT/REVOKE authz when keyspace isn't set

[al...@apache.org]

CASSANDRA-13053: Properly handle GRANT/REVOKE authz when keyspace isn't set


Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/e8350108
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/e8350108
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/e8350108

Branch: refs/heads/cassandra-3.0
Commit: e8350108866be740218ce296a02d3ae3fdc3b077
Parents: 44fefef
Author: Aleksey Yeschenko <al...@apache.org>
Authored: Tue Feb 28 18:23:00 2017 +0000
Committer: Aleksey Yeschenko <al...@apache.org>
Committed: Tue Mar 7 23:54:46 2017 +0000

----------------------------------------------------------------------
 CHANGES.txt                                                     | 2 ++
 .../cql3/statements/PermissionsManagementStatement.java         | 5 +++++
 2 files changed, 7 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cassandra/blob/e8350108/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index ca1aa27..0982de9 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
 2.2.10
+ * Fix GRANT/REVOKE when keyspace isn't specified (CASSANDRA-13053)
  * Avoid race on receiver by starting streaming sender thread after sending init message (CASSANDRA-12886)
  * Fix "multiple versions of ant detected..." when running ant test (CASSANDRA-13232)
  * Coalescing strategy sleeps too much (CASSANDRA-13090)
@@ -11,6 +12,7 @@ Merged from 2.1:
  * Remove unused repositories (CASSANDRA-13278)
  * Log stacktrace of uncaught exceptions (CASSANDRA-13108)
 
+
 2.2.9
  * Fix negative mean latency metric (CASSANDRA-12876)
  * Use only one file pointer when creating commitlog segments (CASSANDRA-12539)

http://git-wip-us.apache.org/repos/asf/cassandra/blob/e8350108/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java b/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java
index b22e400..56a2f26 100644
--- a/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java
+++ b/src/java/org/apache/cassandra/cql3/statements/PermissionsManagementStatement.java
@@ -50,6 +50,7 @@ public abstract class PermissionsManagementStatement extends AuthorizationStatem
             throw new InvalidRequestException(String.format("Role %s doesn't exist", grantee.getRoleName()));
 
         // if a keyspace is omitted when GRANT/REVOKE ON TABLE <table>, we need to correct the resource.
+        // called both here and in checkAccess(), as in some cases we do not call the latter.
         resource = maybeCorrectResource(resource, state);
 
         // altering permissions on builtin functions is not supported
@@ -65,8 +66,12 @@ public abstract class PermissionsManagementStatement extends AuthorizationStatem
 
     public void checkAccess(ClientState state) throws UnauthorizedException
     {
+        // if a keyspace is omitted when GRANT/REVOKE ON TABLE <table>, we need to correct the resource.
+        resource = maybeCorrectResource(resource, state);
+
         // check that the user has AUTHORIZE permission on the resource or its parents, otherwise reject GRANT/REVOKE.
         state.ensureHasPermission(Permission.AUTHORIZE, resource);
+
         // check that the user has [a single permission or all in case of ALL] on the resource or its parents.
         for (Permission p : permissions)
             state.ensureHasPermission(p, resource);