/** * Deletes the user from AUTH_KS.USERS_CF. * * @param username Username to delete. * @throws RequestExecutionException */ public static void deleteUser(String username) throws RequestExecutionException { QueryProcessor.process(String.format("DELETE FROM %s.%s WHERE name = '%s'", AUTH_KS, USERS_CF, escape(username)), consistencyForUser(username)); }
private Set<Permission> authorize(IResource resource) { return Auth.getPermissions(user, resource); } }
private static void setupDefaultSuperuser() { try { // insert a default superuser if AUTH_KS.USERS_CF is empty. if (!hasExistingUsers()) { QueryProcessor.process(String.format("INSERT INTO %s.%s (name, super) VALUES ('%s', %s) USING TIMESTAMP 0", AUTH_KS, USERS_CF, DEFAULT_SUPERUSER_NAME, true), ConsistencyLevel.ONE); logger.info("Created default superuser '{}'", DEFAULT_SUPERUSER_NAME); } } catch (RequestExecutionException e) { logger.warn("Skipped default superuser setup: some nodes were not ready"); } }
public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException { // not rejected in validate() if (ifNotExists && Auth.isExistingUser(username)) return null; DatabaseDescriptor.getAuthenticator().create(username, opts.getOptions()); Auth.insertUser(username, superuser); return null; } }
public void validate(ClientState state) throws RequestValidationException { if (username.isEmpty()) throw new InvalidRequestException("Username can't be an empty string"); opts.validate(); // validate login here before checkAccess to avoid leaking user existence to anonymous users. state.ensureNotAnonymous(); if (!ifNotExists && Auth.isExistingUser(username)) throw new InvalidRequestException(String.format("User %s already exists", username)); }
public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException { // not rejected in validate() if (ifExists && !Auth.isExistingUser(username)) return null; // clean up permissions after the dropped user. DatabaseDescriptor.getAuthorizer().revokeAll(username); Auth.deleteUser(username); DatabaseDescriptor.getAuthenticator().drop(username); return null; } }
/** * Checks if the username is stored in AUTH_KS.USERS_CF. * * @param username Username to query. * @return whether or not Cassandra knows about the user. */ public static boolean isExistingUser(String username) { return !selectUser(username).isEmpty(); }
public synchronized void joinRing() throws IOException { if (!joined) { logger.info("Joining ring by operator request"); try { joinTokenRing(0); } catch (ConfigurationException e) { throw new IOException(e.getMessage()); } } else if (isSurveyMode) { setTokens(SystemKeyspace.getSavedTokens()); SystemKeyspace.setBootstrapState(SystemKeyspace.BootstrapState.COMPLETED); isSurveyMode = false; logger.info("Leaving write survey mode and joining ring at operator request"); assert tokenMetadata.sortedTokens().size() > 0; Auth.setup(); } }
/** * Checks the user's superuser status. * Only a superuser is allowed to perform CREATE USER and DROP USER queries. * Im most cased, though not necessarily, a superuser will have Permission.ALL on every resource * (depends on IAuthorizer implementation). */ public boolean isSuper() { return !isAnonymous() && Auth.isSuperuser(name); }
public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException { if (!opts.isEmpty()) DatabaseDescriptor.getAuthenticator().alter(username, opts.getOptions()); if (superuser != null) Auth.insertUser(username, superuser.booleanValue()); return null; } }
private static UntypedResultSet selectUser(String username) { try { ResultMessage.Rows rows = selectUserStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(consistencyForUser(username), Lists.newArrayList(ByteBufferUtil.bytes(username)))); return UntypedResultSet.create(rows.result); } catch (RequestValidationException e) { throw new AssertionError(e); // not supposed to happen } catch (RequestExecutionException e) { throw new RuntimeException(e); } }
/** * Attempts to login the given user. */ public void login(AuthenticatedUser user) throws AuthenticationException { if (!user.isAnonymous() && !Auth.isExistingUser(user.getName())) throw new AuthenticationException(String.format("User %s doesn't exist - create it with CREATE USER query first", user.getName())); this.user = user; }
/** * Checks if the user is a known superuser. * * @param username Username to query. * @return true is the user is a superuser, false if they aren't or don't exist at all. */ public static boolean isSuperuser(String username) { UntypedResultSet result = selectUser(username); return !result.isEmpty() && result.one().getBoolean("super"); }
assert tokenMetadata.sortedTokens().size() > 0; Auth.setup();
/** * Inserts the user into AUTH_KS.USERS_CF (or overwrites their superuser status as a result of an ALTER USER query). * * @param username Username to insert. * @param isSuper User's new status. * @throws RequestExecutionException */ public static void insertUser(String username, boolean isSuper) throws RequestExecutionException { QueryProcessor.process(String.format("INSERT INTO %s.%s (name, super) VALUES ('%s', %s)", AUTH_KS, USERS_CF, escape(username), isSuper), consistencyForUser(username)); }
public void validate(ClientState state) throws RequestValidationException { // validate login here before checkAccess to avoid leaking user existence to anonymous users. state.ensureNotAnonymous(); if (!ifExists && !Auth.isExistingUser(username)) throw new InvalidRequestException(String.format("User %s doesn't exist", username)); AuthenticatedUser user = state.getUser(); if (user != null && user.getName().equals(username)) throw new InvalidRequestException("Users aren't allowed to DROP themselves"); }
public void validate(ClientState state) throws RequestValidationException { // validate login here before checkAccess to avoid leaking user existence to anonymous users. state.ensureNotAnonymous(); if (!Auth.isExistingUser(username)) throw new InvalidRequestException(String.format("User %s doesn't exist", username)); // if a keyspace is omitted when GRANT/REVOKE ON TABLE <table>, we need to correct the resource. resource = maybeCorrectResource(resource, state); if (!resource.exists()) throw new InvalidRequestException(String.format("%s doesn't exist", resource)); }
public void validate(ClientState state) throws RequestValidationException { // a check to ensure the existence of the user isn't being leaked by user existence check. state.ensureNotAnonymous(); if (username != null && !Auth.isExistingUser(username)) throw new InvalidRequestException(String.format("User %s doesn't exist", username)); if (resource != null) { resource = maybeCorrectResource(resource, state); if (!resource.exists()) throw new InvalidRequestException(String.format("%s doesn't exist", resource)); } }
public void validate(ClientState state) throws RequestValidationException { opts.validate(); if (superuser == null && opts.isEmpty()) throw new InvalidRequestException("ALTER USER can't be empty"); // validate login here before checkAccess to avoid leaking user existence to anonymous users. state.ensureNotAnonymous(); if (!Auth.isExistingUser(username)) throw new InvalidRequestException(String.format("User %s doesn't exist", username)); }