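/**
 * Collects the roles that {@code role} is a member of into {@code collected}.
 *
 * Each entry of {@code role.memberOf} is looked up with {@code getRole}; an entry that
 * resolves to {@code NULL_ROLE} (the named role no longer exists, e.g. a dangling
 * reference left behind by a partially completed drop) is skipped rather than failing
 * the walk. When {@code includeInherited} is true the walk is transitive.
 *
 * A role is only descended into the first time it is added to {@code collected}
 * ({@code Set.add} reports whether it was new). On an acyclic membership graph this
 * yields exactly the same set as an unguarded walk: anything reachable from an
 * already-collected role was gathered when that role was first visited. It differs in
 * two ways that matter for a security-critical lookup: a cycle in the stored membership
 * data (the grant path is expected to reject circular grants, but eventually consistent,
 * replicated auth tables cannot rule one out) now terminates instead of recursing until
 * StackOverflowError, and a role reachable along several paths is looked up once instead
 * of once per path.
 *
 * NOTE(review): this assumes any role already present in {@code collected} on entry has
 * had (or is in the process of having) its memberships walked — true for a caller that
 * pre-adds only the starting role; confirm against the call sites.
 *
 * @param role             the role whose memberships are walked
 * @param collected        the set the discovered roles are added to (mutated in place)
 * @param includeInherited whether to follow memberships transitively
 * @throws RequestValidationException propagated from the role lookup
 * @throws RequestExecutionException  propagated from the role lookup
 */
private void collectRoles(Role role, Set<RoleResource> collected, boolean includeInherited)
        throws RequestValidationException, RequestExecutionException {
    for (String memberOf : role.memberOf) {
        Role granted = getRole(memberOf);
        if (granted.equals(NULL_ROLE)) {
            continue;
        }
        // Recurse only on first sight: bounds the walk on cyclic data, same result on acyclic data.
        boolean firstVisit = collected.add(RoleResource.role(granted.name));
        if (includeInherited && firstVisit) {
            collectRoles(granted, collected, true);
        }
    }
}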
/**
 * Cleans up the membership bookkeeping for a role that is being dropped.
 *
 * First reads the list of roles that are members of {@code role}, removes {@code role}
 * from each of their own {@code member_of} sets, and finally deletes the dropped role's
 * row from the role-members table. If the role has no members only the final delete
 * is skipped (the early return).
 *
 * Both statements are assembled with String.format rather than bound parameters, so the
 * role name must pass through {@code escape()} before being spliced into the CQL text;
 * that call is the only thing separating a user-chosen role name from the statement.
 *
 * @param role name of the role being dropped
 * @throws RequestValidationException propagated from query execution
 * @throws RequestExecutionException  propagated from query execution
 */
private void removeAllMembers(String role) throws RequestValidationException, RequestExecutionException {
    String escapedRole = escape(role);

    String membersQuery = String.format("SELECT member FROM %s.%s WHERE role = '%s'",
                                        SchemaConstants.AUTH_KEYSPACE_NAME,
                                        AuthKeyspace.ROLE_MEMBERS,
                                        escapedRole);
    UntypedResultSet members = process(membersQuery, consistencyForRole(role));
    if (members.isEmpty()) {
        return;
    }

    // Each member role drops the dropped role from its own member_of set ("-" = revoke).
    for (UntypedResultSet.Row member : members) {
        modifyRoleMembership(member.getString("member"), role, "-");
    }

    String deleteQuery = String.format("DELETE FROM %s.%s WHERE role = '%s'",
                                       SchemaConstants.AUTH_KEYSPACE_NAME,
                                       AuthKeyspace.ROLE_MEMBERS,
                                       escapedRole);
    process(deleteQuery, consistencyForRole(role));
}
/**
 * Prepares the statements this role manager needs and schedules the one-off
 * bootstrap task.
 *
 * The role lookup statement is prepared unconditionally. Which bootstrap task runs
 * depends on whether the legacy {@code users} table still exists in the auth keyspace:
 * if it does, the cluster may be mid-upgrade, so a statement to read the legacy table
 * is prepared as well and the scheduled task migrates the legacy authn data; otherwise
 * the scheduled task creates the default superuser role so that further roles can be
 * added at all.
 */
public void setup() {
    loadRoleStatement = (SelectStatement) prepare("SELECT * from %s.%s WHERE role = ?",
                                                  SchemaConstants.AUTH_KEYSPACE_NAME,
                                                  AuthKeyspace.ROLES);

    boolean legacyUsersTablePresent =
        Schema.instance.getCFMetaData(SchemaConstants.AUTH_KEYSPACE_NAME, "users") != null;

    if (legacyUsersTablePresent) {
        // Mixed-version cluster: keep the old table readable and migrate its rows in the background.
        legacySelectUserStatement = prepareLegacySelectUserStatement();
        scheduleSetupTask(() -> {
            convertLegacyData();
            return null;
        });
        return;
    }

    // Fresh schema: seed the default superuser so that other roles can be created.
    scheduleSetupTask(() -> {
        setupDefaultRole();
        return null;
    });
}
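/**
 * Adds {@code role} to, or removes it from, the {@code member_of} set of {@code grantee}.
 *
 * The statement is built with String.format. Both role names go through {@code escape()},
 * but {@code op} is spliced into the CQL text verbatim as the set operator. The visible
 * caller (removeAllMembers) passes {@code "-"}; the grant path presumably passes
 * {@code "+"}. To keep this private helper from ever becoming a CQL injection primitive
 * if a future caller forwards something else, the operator is restricted to exactly
 * those two values up front.
 *
 * @param grantee role whose member_of set is modified
 * @param role    role being added to or removed from that set
 * @param op      CQL set operator: "+" to grant membership, "-" to revoke it
 * @throws IllegalArgumentException  if op is anything other than "+" or "-"
 * @throws RequestExecutionException propagated from query execution
 */
private void modifyRoleMembership(String grantee, String role, String op) throws RequestExecutionException {
    if (!"+".equals(op) && !"-".equals(op)) {
        throw new IllegalArgumentException("Unsupported membership operator: " + op);
    }
    process(String.format("UPDATE %s.%s SET member_of = member_of %s {'%s'} WHERE role = '%s'",
                          SchemaConstants.AUTH_KEYSPACE_NAME,
                          AuthKeyspace.ROLES,
                          op,
                          escape(role),
                          escape(grantee)),
            consistencyForRole(grantee));
}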
/**
 * Drops a role: deletes its row from the roles table, then clears the membership
 * bookkeeping that referenced it via {@link #removeAllMembers}.
 *
 * The role name is escaped before being interpolated into the DELETE, since the
 * statement is assembled with String.format rather than bound parameters.
 *
 * NOTE(review): the two steps are not atomic. If removeAllMembers fails after the
 * roles row is gone, other roles may keep a stale member_of entry naming the dropped
 * role; collectRoles skips entries whose lookup yields NULL_ROLE, which is presumably
 * what makes such a leftover harmless — confirm. Revoking the dropped role's own
 * permissions is not done here and is assumed to be the caller's responsibility.
 *
 * @param performer the user performing the drop (unused here)
 * @param role      the role to drop
 * @throws RequestValidationException propagated from query execution
 * @throws RequestExecutionException  propagated from query execution
 */
public void dropRole(AuthenticatedUser performer, RoleResource role) throws RequestValidationException, RequestExecutionException {
    String roleName = role.getRoleName();
    String deleteRole = String.format("DELETE FROM %s.%s WHERE role = '%s'",
                                      SchemaConstants.AUTH_KEYSPACE_NAME,
                                      AuthKeyspace.ROLES,
                                      escape(roleName));
    process(deleteRole, consistencyForRole(roleName));
    removeAllMembers(roleName);
}
/**
 * Applies the given options to an existing role as a single UPDATE.
 *
 * The SET clause is produced by {@code optionsToAssignments}; null entries are
 * dropped and the rest joined with commas. Because the set of assignments varies per
 * call, this deliberately does not use a prepared statement — the role name is
 * therefore escaped before being spliced into the WHERE clause, and any secret in the
 * options (e.g. a password) is assumed to be rendered by optionsToAssignments in
 * hashed/escaped form — confirm there rather than here. When no assignment survives
 * filtering nothing is executed.
 *
 * @param performer the user performing the alteration (unused here)
 * @param role      the role to alter
 * @param options   the options to apply
 */
public void alterRole(AuthenticatedUser performer, RoleResource role, RoleOptions options) {
    String setClause = Joiner.on(',')
                             .join(Iterables.filter(optionsToAssignments(options.getOptions()),
                                                    Predicates.notNull()));
    if (Strings.isNullOrEmpty(setClause)) {
        return; // nothing to change
    }

    String roleName = role.getRoleName();
    String update = String.format("UPDATE %s.%s SET %s WHERE role = '%s'",
                                  SchemaConstants.AUTH_KEYSPACE_NAME,
                                  AuthKeyspace.ROLES,
                                  setClause,
                                  escape(roleName));
    process(update, consistencyForRole(roleName));
}
/**
 * Inserts a new role row.
 *
 * The superuser and login flags default to false when absent from the options. When a
 * password is supplied it is never stored as given: it is run through {@code hashpw}
 * and the resulting salted hash is what lands in the {@code salted_hash} column (after
 * escaping, since the statement is built with String.format rather than bound
 * parameters). Without a password the salted_hash column is simply not written.
 *
 * @param performer the user performing the creation (unused here)
 * @param role      the role to create
 * @param options   superuser / login flags and optional password
 * @throws RequestValidationException propagated from query execution
 * @throws RequestExecutionException  propagated from query execution
 */
public void createRole(AuthenticatedUser performer, RoleResource role, RoleOptions options) throws RequestValidationException, RequestExecutionException {
    String roleName = role.getRoleName();
    String escapedName = escape(roleName);
    boolean superuser = options.getSuperuser().or(false);
    boolean login = options.getLogin().or(false);

    String insert;
    if (options.getPassword().isPresent()) {
        // Only the salted hash of the password is persisted.
        String saltedHash = escape(hashpw(options.getPassword().get()));
        insert = String.format("INSERT INTO %s.%s (role, is_superuser, can_login, salted_hash) VALUES ('%s', %s, %s, '%s')",
                               SchemaConstants.AUTH_KEYSPACE_NAME,
                               AuthKeyspace.ROLES,
                               escapedName,
                               superuser,
                               login,
                               saltedHash);
    } else {
        insert = String.format("INSERT INTO %s.%s (role, is_superuser, can_login) VALUES ('%s', %s, %s)",
                               SchemaConstants.AUTH_KEYSPACE_NAME,
                               AuthKeyspace.ROLES,
                               escapedName,
                               superuser,
                               login);
    }
    process(insert, consistencyForRole(roleName));
}
/**
 * Seeds the built-in default superuser role if the roles table is still empty.
 *
 * Security note: this creates a superuser with login enabled using the well-known
 * constants DEFAULT_SUPERUSER_NAME / DEFAULT_SUPERUSER_PASSWORD. Only the hashpw()
 * output of the password is stored, but the credential pair itself is public knowledge,
 * so any cluster reachable beyond a trusted network must have this password changed
 * (or the role disabled) immediately after bootstrap.
 *
 * Refuses to run (IllegalStateException) while the ring has no tokens. The existence
 * check and the insert are two separate statements, so two nodes bootstrapping at
 * once could both see an empty table; both would write the same row, so the net
 * effect is still a single default role. A RequestExecutionException (e.g. nodes not
 * yet ready) is logged at WARN and rethrown so the scheduler can retry.
 *
 * @throws IllegalStateException     if the ring has no known tokens
 * @throws RequestExecutionException if the existence check or insert fails
 */
private static void setupDefaultRole() {
    if (StorageService.instance.getTokenMetadata().sortedTokens().isEmpty()) {
        throw new IllegalStateException("CassandraRoleManager skipped default role setup: no known tokens in ring");
    }
    try {
        if (hasExistingRoles()) {
            return;
        }
        String insert = String.format("INSERT INTO %s.%s (role, is_superuser, can_login, salted_hash) VALUES ('%s', true, true, '%s')",
                                      SchemaConstants.AUTH_KEYSPACE_NAME,
                                      AuthKeyspace.ROLES,
                                      DEFAULT_SUPERUSER_NAME,
                                      escape(hashpw(DEFAULT_SUPERUSER_PASSWORD)));
        QueryProcessor.process(insert, consistencyForRole(DEFAULT_SUPERUSER_NAME));
        logger.info("Created default superuser role '{}'", DEFAULT_SUPERUSER_NAME);
    } catch (RequestExecutionException e) {
        logger.warn("CassandraRoleManager skipped default role setup: some nodes were not ready");
        throw e;
    }
}
/**
 * Loads the named role, returning {@code NULL_ROLE} (via getRoleFromTable) when it
 * does not exist.
 *
 * While the legacy {@code users} table is still present the cluster may be running
 * with mixed authn schema versions, so the lookup is served from that table instead
 * of the roles table; the legacy statement is prepared lazily on first use.
 * Checked request exceptions are wrapped in a RuntimeException with the cause
 * preserved, so the method can be used from non-throwing call sites.
 *
 * NOTE(review): the lazy init of legacySelectUserStatement is not synchronized;
 * concurrent first callers may each prepare it, which is presumably harmless — confirm.
 *
 * @param name role name to look up
 * @return the role, or NULL_ROLE if absent
 * @throws RuntimeException wrapping a RequestExecutionException or RequestValidationException
 */
private Role getRole(String name) {
    try {
        boolean legacyUsersTablePresent =
            Schema.instance.getCFMetaData(SchemaConstants.AUTH_KEYSPACE_NAME, "users") != null;
        if (!legacyUsersTablePresent) {
            return getRoleFromTable(name, loadRoleStatement, ROW_TO_ROLE);
        }
        if (legacySelectUserStatement == null) {
            legacySelectUserStatement = prepareLegacySelectUserStatement();
        }
        return getRoleFromTable(name, legacySelectUserStatement, LEGACY_ROW_TO_ROLE);
    } catch (RequestExecutionException | RequestValidationException e) {
        throw new RuntimeException(e);
    }
}
options.setOption(Option.SUPERUSER, row.getBoolean("super")); options.setOption(Option.LOGIN, true); createRole(null, RoleResource.role(row.getString("name")), options); row.getString("salted_hash"), row.getString("username")), consistencyForRole(row.getString("username")));
/**
 * Reports whether the given role is allowed to authenticate, i.e. its stored
 * {@code can_login} flag.
 *
 * A role that does not exist resolves to NULL_ROLE in getRole, so the answer is then
 * whatever that sentinel's canLogin field holds — presumably false; confirm against
 * NULL_ROLE's definition before relying on it as a deny.
 *
 * @param role the role to check
 * @return true if the role may log in
 */
public boolean canLogin(RoleResource role) {
    Role resolved = getRole(role.getRoleName());
    return resolved.canLogin;
}
/**
 * Executes a prepared single-role lookup and converts the first row to a Role.
 *
 * The role name is bound as a parameter (not interpolated into CQL text), using
 * the consistency level appropriate for that role. An empty result yields
 * {@code NULL_ROLE}; otherwise only the first row is passed to {@code function}.
 *
 * @param name      role name bound to the statement's single parameter
 * @param statement prepared SELECT with one bind variable for the role name
 * @param function  row-to-Role mapper for the table the statement reads
 * @return the mapped role, or NULL_ROLE if no row matched
 * @throws RequestExecutionException  propagated from statement execution
 * @throws RequestValidationException propagated from statement execution
 */
private Role getRoleFromTable(String name, SelectStatement statement, Function<UntypedResultSet.Row, Role> function) throws RequestExecutionException, RequestValidationException {
    QueryOptions queryOptions = QueryOptions.forInternalCalls(consistencyForRole(name),
                                                              Collections.singletonList(ByteBufferUtil.bytes(name)));
    ResultMessage.Rows rows = statement.execute(QueryState.forInternalCalls(), queryOptions, System.nanoTime());
    if (rows.result.isEmpty()) {
        return NULL_ROLE;
    }
    UntypedResultSet.Row firstRow = UntypedResultSet.create(rows.result).one();
    return function.apply(firstRow);
}
roleManager = FBUtilities.newRoleManager(conf.role_manager); else roleManager = new CassandraRoleManager();
/**
 * Drops a role: deletes its row from the roles table, then clears the membership
 * bookkeeping that referenced it via {@link #removeAllMembers}.
 *
 * The role name is escaped before being interpolated into the DELETE, since the
 * statement is assembled with String.format rather than bound parameters.
 *
 * NOTE(review): the two steps are not atomic. If removeAllMembers fails after the
 * roles row is gone, other roles may keep a stale member_of entry naming the dropped
 * role; collectRoles skips entries whose lookup yields NULL_ROLE, which is presumably
 * what makes such a leftover harmless — confirm. Revoking the dropped role's own
 * permissions is not done here and is assumed to be the caller's responsibility.
 *
 * @param performer the user performing the drop (unused here)
 * @param role      the role to drop
 * @throws RequestValidationException propagated from query execution
 * @throws RequestExecutionException  propagated from query execution
 */
public void dropRole(AuthenticatedUser performer, RoleResource role) throws RequestValidationException, RequestExecutionException {
    String roleName = role.getRoleName();
    String deleteRole = String.format("DELETE FROM %s.%s WHERE role = '%s'",
                                      SchemaConstants.AUTH_KEYSPACE_NAME,
                                      AuthKeyspace.ROLES,
                                      escape(roleName));
    process(deleteRole, consistencyForRole(roleName));
    removeAllMembers(roleName);
}
/**
 * Applies the given options to an existing role as a single UPDATE.
 *
 * The SET clause is produced by {@code optionsToAssignments}; null entries are
 * dropped and the rest joined with commas. Because the set of assignments varies per
 * call, this deliberately does not use a prepared statement — the role name is
 * therefore escaped before being spliced into the WHERE clause, and any secret in the
 * options (e.g. a password) is assumed to be rendered by optionsToAssignments in
 * hashed/escaped form — confirm there rather than here. When no assignment survives
 * filtering nothing is executed.
 *
 * @param performer the user performing the alteration (unused here)
 * @param role      the role to alter
 * @param options   the options to apply
 */
public void alterRole(AuthenticatedUser performer, RoleResource role, RoleOptions options) {
    String setClause = Joiner.on(',')
                             .join(Iterables.filter(optionsToAssignments(options.getOptions()),
                                                    Predicates.notNull()));
    if (Strings.isNullOrEmpty(setClause)) {
        return; // nothing to change
    }

    String roleName = role.getRoleName();
    String update = String.format("UPDATE %s.%s SET %s WHERE role = '%s'",
                                  SchemaConstants.AUTH_KEYSPACE_NAME,
                                  AuthKeyspace.ROLES,
                                  setClause,
                                  escape(roleName));
    process(update, consistencyForRole(roleName));
}
/**
 * Inserts a new role row.
 *
 * The superuser and login flags default to false when absent from the options. When a
 * password is supplied it is never stored as given: it is run through {@code hashpw}
 * and the resulting salted hash is what lands in the {@code salted_hash} column (after
 * escaping, since the statement is built with String.format rather than bound
 * parameters). Without a password the salted_hash column is simply not written.
 *
 * @param performer the user performing the creation (unused here)
 * @param role      the role to create
 * @param options   superuser / login flags and optional password
 * @throws RequestValidationException propagated from query execution
 * @throws RequestExecutionException  propagated from query execution
 */
public void createRole(AuthenticatedUser performer, RoleResource role, RoleOptions options) throws RequestValidationException, RequestExecutionException {
    String roleName = role.getRoleName();
    String escapedName = escape(roleName);
    boolean superuser = options.getSuperuser().or(false);
    boolean login = options.getLogin().or(false);

    String insert;
    if (options.getPassword().isPresent()) {
        // Only the salted hash of the password is persisted.
        String saltedHash = escape(hashpw(options.getPassword().get()));
        insert = String.format("INSERT INTO %s.%s (role, is_superuser, can_login, salted_hash) VALUES ('%s', %s, %s, '%s')",
                               SchemaConstants.AUTH_KEYSPACE_NAME,
                               AuthKeyspace.ROLES,
                               escapedName,
                               superuser,
                               login,
                               saltedHash);
    } else {
        insert = String.format("INSERT INTO %s.%s (role, is_superuser, can_login) VALUES ('%s', %s, %s)",
                               SchemaConstants.AUTH_KEYSPACE_NAME,
                               AuthKeyspace.ROLES,
                               escapedName,
                               superuser,
                               login);
    }
    process(insert, consistencyForRole(roleName));
}
/**
 * Seeds the built-in default superuser role if the roles table is still empty.
 *
 * Security note: this creates a superuser with login enabled using the well-known
 * constants DEFAULT_SUPERUSER_NAME / DEFAULT_SUPERUSER_PASSWORD. Only the hashpw()
 * output of the password is stored, but the credential pair itself is public knowledge,
 * so any cluster reachable beyond a trusted network must have this password changed
 * (or the role disabled) immediately after bootstrap.
 *
 * Refuses to run (IllegalStateException) while the ring has no tokens. The existence
 * check and the insert are two separate statements, so two nodes bootstrapping at
 * once could both see an empty table; both would write the same row, so the net
 * effect is still a single default role. A RequestExecutionException (e.g. nodes not
 * yet ready) is logged at WARN and rethrown so the scheduler can retry.
 *
 * @throws IllegalStateException     if the ring has no known tokens
 * @throws RequestExecutionException if the existence check or insert fails
 */
private static void setupDefaultRole() {
    if (StorageService.instance.getTokenMetadata().sortedTokens().isEmpty()) {
        throw new IllegalStateException("CassandraRoleManager skipped default role setup: no known tokens in ring");
    }
    try {
        if (hasExistingRoles()) {
            return;
        }
        String insert = String.format("INSERT INTO %s.%s (role, is_superuser, can_login, salted_hash) VALUES ('%s', true, true, '%s')",
                                      SchemaConstants.AUTH_KEYSPACE_NAME,
                                      AuthKeyspace.ROLES,
                                      DEFAULT_SUPERUSER_NAME,
                                      escape(hashpw(DEFAULT_SUPERUSER_PASSWORD)));
        QueryProcessor.process(insert, consistencyForRole(DEFAULT_SUPERUSER_NAME));
        logger.info("Created default superuser role '{}'", DEFAULT_SUPERUSER_NAME);
    } catch (RequestExecutionException e) {
        logger.warn("CassandraRoleManager skipped default role setup: some nodes were not ready");
        throw e;
    }
}
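/**
 * Adds {@code role} to, or removes it from, the {@code member_of} set of {@code grantee}.
 *
 * The statement is built with String.format. Both role names go through {@code escape()},
 * but {@code op} is spliced into the CQL text verbatim as the set operator. The visible
 * caller (removeAllMembers) passes {@code "-"}; the grant path presumably passes
 * {@code "+"}. To keep this private helper from ever becoming a CQL injection primitive
 * if a future caller forwards something else, the operator is restricted to exactly
 * those two values up front.
 *
 * @param grantee role whose member_of set is modified
 * @param role    role being added to or removed from that set
 * @param op      CQL set operator: "+" to grant membership, "-" to revoke it
 * @throws IllegalArgumentException  if op is anything other than "+" or "-"
 * @throws RequestExecutionException propagated from query execution
 */
private void modifyRoleMembership(String grantee, String role, String op) throws RequestExecutionException {
    if (!"+".equals(op) && !"-".equals(op)) {
        throw new IllegalArgumentException("Unsupported membership operator: " + op);
    }
    process(String.format("UPDATE %s.%s SET member_of = member_of %s {'%s'} WHERE role = '%s'",
                          SchemaConstants.AUTH_KEYSPACE_NAME,
                          AuthKeyspace.ROLES,
                          op,
                          escape(role),
                          escape(grantee)),
            consistencyForRole(grantee));
}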
/**
 * Loads the named role, returning {@code NULL_ROLE} (via getRoleFromTable) when it
 * does not exist.
 *
 * While the legacy {@code users} table is still present the cluster may be running
 * with mixed authn schema versions, so the lookup is served from that table instead
 * of the roles table; the legacy statement is prepared lazily on first use.
 * Checked request exceptions are wrapped in a RuntimeException with the cause
 * preserved, so the method can be used from non-throwing call sites.
 *
 * NOTE(review): the lazy init of legacySelectUserStatement is not synchronized;
 * concurrent first callers may each prepare it, which is presumably harmless — confirm.
 *
 * @param name role name to look up
 * @return the role, or NULL_ROLE if absent
 * @throws RuntimeException wrapping a RequestExecutionException or RequestValidationException
 */
private Role getRole(String name) {
    try {
        boolean legacyUsersTablePresent =
            Schema.instance.getCFMetaData(SchemaConstants.AUTH_KEYSPACE_NAME, "users") != null;
        if (!legacyUsersTablePresent) {
            return getRoleFromTable(name, loadRoleStatement, ROW_TO_ROLE);
        }
        if (legacySelectUserStatement == null) {
            legacySelectUserStatement = prepareLegacySelectUserStatement();
        }
        return getRoleFromTable(name, legacySelectUserStatement, LEGACY_ROW_TO_ROLE);
    } catch (RequestExecutionException | RequestValidationException e) {
        throw new RuntimeException(e);
    }
}
options.setOption(Option.SUPERUSER, row.getBoolean("super")); options.setOption(Option.LOGIN, true); createRole(null, RoleResource.role(row.getString("name")), options); row.getString("salted_hash"), row.getString("username")), consistencyForRole(row.getString("username")));