Posted to commits@cassandra.apache.org by ad...@apache.org on 2021/10/27 17:27:07 UTC

[cassandra-dtest] branch trunk updated: Update auth_test.py for users allowed to view permissions of the roles they created

This is an automated email from the ASF dual-hosted git repository.

adelapena pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra-dtest.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 027eb0d  Update auth_test.py for users allowed to view permissions of the roles they created
027eb0d is described below

commit 027eb0dbc6b71f547f156c05fad0b418939e4d92
Author: Andrés de la Peña <a....@gmail.com>
AuthorDate: Wed Oct 27 18:20:43 2021 +0100

    Update auth_test.py for users allowed to view permissions of the roles they created
    
    patch by Andrés de la Peña; reviewed by Aleksei Zotov and Benjamin Lerer for CASSANDRA-16902
---
 auth_test.py | 46 ++++++++++++++++++++++++----------------------
 1 file changed, 24 insertions(+), 22 deletions(-)

diff --git a/auth_test.py b/auth_test.py
index 00f7831..4bfe500 100644
--- a/auth_test.py
+++ b/auth_test.py
@@ -25,7 +25,17 @@ since = pytest.mark.since
 logger = logging.getLogger(__name__)
 
 
-class TestAuth(Tester):
+class AbstractTestAuth(Tester):
+
+    def role_creator_permissions(self, creator, role):
+        if self.dtest_config.cassandra_version_from_build >= '3.0':
+            permissions = ('ALTER', 'DROP', 'DESCRIBE', 'AUTHORIZE')
+        else:
+            permissions = ('ALTER', 'DROP', 'DESCRIBE')
+        return [(creator, role, perm) for perm in permissions]
+
+
+class TestAuth(AbstractTestAuth):
 
     @pytest.fixture(autouse=True)
     def fixture_add_additional_log_patterns(self, fixture_dtest_setup):
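Review bot: `role_creator_permissions` has no docstring or comment explaining its version gate, and its `else` branch changes the pre-3.0 expectation from the removed helper's `('ALTER', 'DROP', 'AUTHORIZE')` to `('ALTER', 'DROP', 'DESCRIBE')`, so AUTHORIZE is no longer asserted for role creators on those builds. If that is intended, record it with a docstring such as `"""Permissions a role's creator is expected to hold on that role (DESCRIBE added for CASSANDRA-16902)."""` and a one-line comment on the `else` branch saying why AUTHORIZE is absent before 3.0. If it is not intended, the authorization tests for older builds now check less than they did. The comparison with the string `'3.0'` presumably relies on `cassandra_version_from_build` being a version object rather than a plain string; its type is not visible in this hunk. The body of `TestAuth` continues outside the hunk.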
@@ -940,8 +950,8 @@ class TestAuth(Tester):
             all_permissions.extend(data_resource_creator_permissions('cassandra', '<keyspace ks>'))
             all_permissions.extend(data_resource_creator_permissions('cassandra', '<table ks.cf>'))
             all_permissions.extend(data_resource_creator_permissions('cassandra', '<table ks.cf2>'))
-            all_permissions.extend(role_creator_permissions('cassandra', '<role bob>'))
-            all_permissions.extend(role_creator_permissions('cassandra', '<role cathy>'))
+            all_permissions.extend(self.role_creator_permissions('cassandra', '<role bob>'))
+            all_permissions.extend(self.role_creator_permissions('cassandra', '<role cathy>'))
 
         self.assertPermissionsListed(all_permissions, cassandra, "LIST ALL PERMISSIONS")
 
@@ -1146,7 +1156,7 @@ def data_resource_creator_permissions(creator, resource):
 
 
 @since('2.2')
-class TestAuthRoles(Tester):
+class TestAuthRoles(AbstractTestAuth):
 
     Role = None
     cassandra_role = None
@@ -1364,10 +1374,10 @@ class TestAuthRoles(Tester):
                         STYPE int
                         INITCOND 0""")
 
-        cassandra_permissions = role_creator_permissions('cassandra', '<role mike>')
+        cassandra_permissions = self.role_creator_permissions('cassandra', '<role mike>')
         mike_permissions = [('mike', '<all roles>', 'CREATE'),
                             ('mike', '<all keyspaces>', 'CREATE')]
-        mike_permissions.extend(role_creator_permissions('mike', '<role role1>'))
+        mike_permissions.extend(self.role_creator_permissions('mike', '<role role1>'))
         mike_permissions.extend(data_resource_creator_permissions('mike', '<keyspace ks>'))
         mike_permissions.extend(data_resource_creator_permissions('mike', '<table ks.cf>'))
         mike_permissions.extend(function_resource_creator_permissions('mike', '<function ks.state_function_1(int, int)>'))
@@ -1693,9 +1703,7 @@ class TestAuthRoles(Tester):
 
         # GRANT ALL ON ROLE does not include CREATE (because the role must already be created before the GRANT)
         self.superuser.execute("GRANT ALL ON ROLE role1 TO mike")
-        self.assert_permissions_listed([("mike", "<role role1>", "ALTER"),
-                                        ("mike", "<role role1>", "DROP"),
-                                        ("mike", "<role role1>", "AUTHORIZE")],
+        self.assert_permissions_listed(self.role_creator_permissions("mike", "<role role1>"),
                                        self.superuser,
                                        "LIST ALL PERMISSIONS OF mike")
         assert_invalid(self.superuser,
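Review bot: The expected result of `GRANT ALL ON ROLE role1 TO mike` is now taken from `role_creator_permissions`, which ties two separate authorization paths to one list: the permissions granted automatically to a role's creator, and the set that GRANT ALL expands to. On a pre-3.0 build the helper returns no AUTHORIZE, so this assertion would stop checking that GRANT ALL confers it, whereas the removed literal listed it explicitly. A comment such as `# GRANT ALL on a role is expected to yield the same set its creator receives` would make the coupling deliberate and visible; a separately named helper for the GRANT ALL set would be safer still. The same reuse appears in the `LIST ALL PERMISSIONS ON ROLE role1` assertion in a later hunk, though there the principal is the creator. The enclosing test method starts and ends outside this hunk.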
@@ -1772,9 +1780,9 @@ class TestAuthRoles(Tester):
                                 ("role2", "<role role1>", "ALTER")]
         expected_permissions.extend(data_resource_creator_permissions('cassandra', '<keyspace ks>'))
         expected_permissions.extend(data_resource_creator_permissions('cassandra', '<table ks.cf>'))
-        expected_permissions.extend(role_creator_permissions('cassandra', '<role mike>'))
-        expected_permissions.extend(role_creator_permissions('cassandra', '<role role1>'))
-        expected_permissions.extend(role_creator_permissions('cassandra', '<role role2>'))
+        expected_permissions.extend(self.role_creator_permissions('cassandra', '<role mike>'))
+        expected_permissions.extend(self.role_creator_permissions('cassandra', '<role role1>'))
+        expected_permissions.extend(self.role_creator_permissions('cassandra', '<role role2>'))
 
         self.assert_permissions_listed(expected_permissions, self.superuser, "LIST ALL PERMISSIONS")
 
@@ -1788,10 +1796,8 @@ class TestAuthRoles(Tester):
                                        self.superuser,
                                        "LIST ALL PERMISSIONS OF role2")
 
-        self.assert_permissions_listed([("cassandra", "<role role1>", "ALTER"),
-                                        ("cassandra", "<role role1>", "DROP"),
-                                        ("cassandra", "<role role1>", "AUTHORIZE"),
-                                        ("role2", "<role role1>", "ALTER")],
+        self.assert_permissions_listed(self.role_creator_permissions("cassandra", "<role role1>") +
+                                       [("role2", "<role role1>", "ALTER")],
                                        self.superuser,
                                        "LIST ALL PERMISSIONS ON ROLE role1")
         # we didn't specifically grant DROP on role1, so only it's creator should have it
@@ -2708,7 +2714,7 @@ class TestAuthRoles(Tester):
 
 
 @since('2.2')
-class TestAuthUnavailable(Tester):
+class TestAuthUnavailable(AbstractTestAuth):
     """
     * These tests verify behavior when backends for authentication & authorization are unable to pull data from the
     * system_auth keyspace. Failure scenarios are simulated based on the default CL for auth being LOCAL_QUORUM for reads,
@@ -3031,7 +3037,7 @@ class TestAuthUnavailable(Tester):
 
 
 @since('4.0')
-class TestNetworkAuth(Tester):
+class TestNetworkAuth(AbstractTestAuth):
 
     @pytest.fixture(autouse=True)
     def fixture_setup_auth(self, fixture_dtest_setup):
@@ -3165,9 +3171,5 @@ class TestNetworkAuth(Tester):
         self.assertUnauthorized(lambda: session.execute("SELECT * FROM ks.tbl"))
 
 
-def role_creator_permissions(creator, role):
-    return [(creator, role, perm) for perm in ('ALTER', 'DROP', 'AUTHORIZE')]
-
-
 def function_resource_creator_permissions(creator, resource):
     return [(creator, resource, perm) for perm in ('ALTER', 'DROP', 'AUTHORIZE', 'EXECUTE')]
