/**
 * Builds the table-level DataResource for the given keyspace and table.
 * Neither argument is validated here; both are handed to the constructor as-is.
 *
 * @param keyspace Name of the keyspace that contains the table.
 * @param table Name of the table.
 * @return DataResource instance at Level.TABLE for the given keyspace and table.
 */
public static DataResource table(String keyspace, String table)
{
    DataResource tableResource = new DataResource(Level.TABLE, keyspace, table);
    return tableResource;
}
/**
 * Qualifies a table-level data resource that carries no keyspace with the keyspace
 * taken from the client state. Every other resource is returned unchanged, including
 * any resource that is not a DataResource.
 *
 * @param resource resource named in the request.
 * @param state client state supplying the keyspace for an unqualified table.
 * @return the same resource, or a new table-level DataResource with the keyspace filled in.
 * @throws InvalidRequestException declared by this method; presumably raised by
 *         state.getKeyspace() when no keyspace is set (confirm against ClientState).
 */
public static IResource maybeCorrectResource(IResource resource, ClientState state) throws InvalidRequestException
{
    if (!(resource instanceof DataResource))
        return resource;

    DataResource candidate = (DataResource) resource;
    // getKeyspace() is only reached for table-level resources, so the root-level
    // IllegalStateException path of getKeyspace() is not hit from here.
    boolean missingKeyspace = candidate.isTableLevel() && candidate.getKeyspace() == null;
    if (!missingKeyspace)
        return resource;

    return DataResource.table(state.getKeyspace(), candidate.getTable());
}
}
/**
 * Returns the keyspace this resource belongs to.
 *
 * @return keyspace of the resource.
 * @throws IllegalStateException if this is the root-level resource, which has no keyspace.
 */
public String getKeyspace()
{
    if (!isRootLevel())
        return keyspace;

    throw new IllegalStateException("ROOT data resource has no keyspace");
}
/**
 * Returns the resource one level up in the hierarchy: the root for a keyspace,
 * the owning keyspace for a table.
 *
 * @return Parent of the resource.
 * @throws IllegalStateException if this resource is at any other level (the root has no parent).
 */
public IResource getParent()
{
    switch (level)
    {
        case KEYSPACE:
            return root();
        case TABLE:
            return keyspace(keyspace);
        default:
            throw new IllegalStateException("Root-level resource can't have a parent");
    }
}
/**
 * Qualifies a column-family-level resource that carries no keyspace with the keyspace
 * taken from the client state. Any other resource is returned unchanged.
 *
 * @param resource data resource named in the request.
 * @param state client state supplying the keyspace for an unqualified column family.
 * @return the same resource, or a new column-family-level DataResource with the keyspace filled in.
 * @throws InvalidRequestException declared by this method; presumably raised by
 *         state.getKeyspace() when no keyspace is set (confirm against ClientState).
 */
public static DataResource maybeCorrectResource(DataResource resource, ClientState state) throws InvalidRequestException
{
    boolean needsKeyspace = resource.isColumnFamilyLevel() && resource.getKeyspace() == null;
    if (!needsKeyspace)
        return resource;

    return DataResource.columnFamily(state.getKeyspace(), resource.getColumnFamily());
}
}
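/**
 * Parses a data resource name into a DataResource instance.
 * The name is split on '/': one segment is the root, two segments a keyspace,
 * three segments a table.
 *
 * @param name Name of the data resource.
 * @return DataResource instance matching the name.
 * @throws IllegalArgumentException if the name is null or empty, does not start with
 *         ROOT_NAME, or has more than three segments.
 */
public static DataResource fromName(String name)
{
    String[] parts = StringUtils.split(name, '/');

    // Reject a null or empty split result before reading parts[0]; without this a null or
    // empty name surfaces as NullPointerException / ArrayIndexOutOfBoundsException instead
    // of the IllegalArgumentException callers get for every other malformed name.
    // NOTE(review): if this is Apache Commons Lang's StringUtils.split, adjacent separators
    // are collapsed, so a name with an empty segment is not rejected here - confirm whether
    // that is intended for names read back from stored permissions.
    if (parts == null || parts.length == 0 || parts.length > 3 || !parts[0].equals(ROOT_NAME))
        throw new IllegalArgumentException(String.format("%s is not a valid data resource name", name));

    if (parts.length == 1)
        return root();

    if (parts.length == 2)
        return keyspace(parts[1]);

    return table(parts[1], parts[2]);
}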
/**
 * Creates an IResource instance from its external name.
 * The implementation class is chosen by testing the name against the root-level name of
 * each known IResource implementation, in the order role, data, function, JMX; the first
 * prefix match wins and parsing is delegated to that class.
 * The prefix test only selects the parser; validation of the full name is left to the
 * selected fromName.
 *
 * @param name external name of the resource.
 * @return an IResource instance created from the name
 * @throws IllegalArgumentException if the name matches no known resource type.
 */
public static IResource fromName(String name)
{
    if (name.startsWith(RoleResource.root().getName()))
        return RoleResource.fromName(name);

    if (name.startsWith(DataResource.root().getName()))
        return DataResource.fromName(name);

    if (name.startsWith(FunctionResource.root().getName()))
        return FunctionResource.fromName(name);

    if (name.startsWith(JMXResource.root().getName()))
        return JMXResource.fromName(name);

    throw new IllegalArgumentException(String.format("Name %s is not valid for any resource type", name));
}
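/**
 * Parses a data resource name into a DataResource instance.
 * The name is split on '/': one segment is the root, two segments a keyspace,
 * three segments a column family.
 *
 * @param name Name of the data resource.
 * @return DataResource instance matching the name.
 * @throws IllegalArgumentException if the name is null or empty, does not start with
 *         ROOT_NAME, or has more than three segments.
 */
public static DataResource fromName(String name)
{
    String[] parts = StringUtils.split(name, '/');

    // Reject a null or empty split result before reading parts[0]; without this a null or
    // empty name surfaces as NullPointerException / ArrayIndexOutOfBoundsException instead
    // of the IllegalArgumentException callers get for every other malformed name.
    // NOTE(review): if this is Apache Commons Lang's StringUtils.split, adjacent separators
    // are collapsed, so a name with an empty segment is not rejected here - confirm whether
    // that is intended for names read back from stored permissions.
    if (parts == null || parts.length == 0 || parts.length > 3 || !parts[0].equals(ROOT_NAME))
        throw new IllegalArgumentException(String.format("%s is not a valid data resource name", name));

    if (parts.length == 1)
        return root();

    if (parts.length == 2)
        return keyspace(parts[1]);

    return columnFamily(parts[1], parts[2]);
}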
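/**
 * Translates new-style authorize() method call to the old-style (including permissions and the hierarchy).
 * The data resource is flattened into the legacy resource list (ROOT, KEYSPACES, then the
 * keyspace and column family when present) and the legacy result is widened to the
 * new-style permissions.
 *
 * @param user user whose permissions are being resolved.
 * @param resource resource to authorize against; must be a DataResource.
 * @return a fresh, mutable set holding the legacy permissions plus their new-style equivalents.
 * @throws IllegalArgumentException if the resource is not a DataResource.
 */
@Override
public Set<Permission> authorize(AuthenticatedUser user, IResource resource)
{
    if (!(resource instanceof DataResource))
        throw new IllegalArgumentException(String.format("%s resource is not supported by LegacyAuthorizer", resource.getName()));

    DataResource dr = (DataResource) resource;

    List<Object> legacyResource = new ArrayList<Object>();
    legacyResource.add(Resources.ROOT);
    legacyResource.add(Resources.KEYSPACES);
    if (!dr.isRootLevel())
        legacyResource.add(dr.getKeyspace());
    if (dr.isColumnFamilyLevel())
        legacyResource.add(dr.getColumnFamily());

    // Copy before widening: the set returned by the legacy implementation may be
    // unmodifiable, or shared between calls, in which case adding to it in place would
    // either throw or leak the widened permissions into later lookups.
    Set<Permission> permissions = EnumSet.noneOf(Permission.class);
    permissions.addAll(authorize(user, legacyResource));

    // Legacy READ maps to SELECT only.
    if (permissions.contains(Permission.READ))
        permissions.add(Permission.SELECT);

    // Legacy WRITE is broad: besides MODIFY it also yields the schema permissions
    // CREATE, ALTER and DROP.
    if (permissions.contains(Permission.WRITE))
        permissions.addAll(EnumSet.of(Permission.CREATE, Permission.ALTER, Permission.DROP, Permission.MODIFY));

    return permissions;
}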
/**
 * Grants the creating user's role every applicable permission on the new keyspace,
 * first on its data resource and then on its function resource. Both grants are issued
 * with AuthenticatedUser.SYSTEM_USER as the performer.
 *
 * @param state query state; the role is derived from the name of its client state's user.
 * @throws RuntimeException wrapping any RequestExecutionException raised by a grant.
 */
protected void grantPermissionsToCreator(QueryState state)
{
    try
    {
        String creatorName = state.getClientState().getUser().getName();
        RoleResource creatorRole = RoleResource.role(creatorName);

        DataResource dataScope = DataResource.keyspace(keyspace());
        DatabaseDescriptor.getAuthorizer().grant(AuthenticatedUser.SYSTEM_USER,
                                                 dataScope.applicablePermissions(),
                                                 dataScope,
                                                 creatorRole);

        FunctionResource functionScope = FunctionResource.keyspace(keyspace());
        DatabaseDescriptor.getAuthorizer().grant(AuthenticatedUser.SYSTEM_USER,
                                                 functionScope.applicablePermissions(),
                                                 functionScope,
                                                 creatorRole);
    }
    catch (RequestExecutionException e)
    {
        // The cause is kept so the failed grant remains diagnosable.
        throw new RuntimeException(e);
    }
}
}
/**
 * Checks the given permission on a keyspace by delegating to hasAccess with the
 * keyspace-level DataResource built from the keyspace name.
 *
 * @param keyspace name of the keyspace being accessed.
 * @param perm permission required on the keyspace.
 * @throws UnauthorizedException declared by this method; raised by hasAccess.
 * @throws InvalidRequestException declared by this method; raised by hasAccess.
 */
public void hasKeyspaceAccess(String keyspace, Permission perm) throws UnauthorizedException, InvalidRequestException
{
    DataResource keyspaceResource = DataResource.keyspace(keyspace);
    hasAccess(keyspace, perm, keyspaceResource);
}
/**
 * Checks the given permission on the root data resource, i.e. across all keyspaces.
 * When isInternal is set, both the login validation and the permission check are skipped.
 *
 * @param perm permission required on the root data resource.
 * @throws UnauthorizedException declared by this method; raised by the login or permission check.
 */
public void hasAllKeyspacesAccess(Permission perm) throws UnauthorizedException
{
    if (!isInternal)
    {
        validateLogin();
        ensureHasPermission(perm, DataResource.root());
    }
}
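/**
 * Rejects schema modification (ALTER, DROP, CREATE) of the system keyspaces.
 * SYSTEM_KS accepts no schema change at all. AUTH_KS and TRACE_KS accept exactly one:
 * ALTER at keyspace level; every other schema change on them is rejected.
 * Non-schema permissions are not examined.
 *
 * @param keyspace name of the keyspace being accessed.
 * @param resource resource the permission is requested on.
 * @param perm permission being requested.
 * @throws UnauthorizedException if the request is a disallowed schema change.
 */
private void preventSystemKSSchemaModification(String keyspace, DataResource resource, Permission perm) throws UnauthorizedException
{
    // we only care about schema modification.
    boolean schemaChange = perm.equals(Permission.ALTER) || perm.equals(Permission.DROP) || perm.equals(Permission.CREATE);
    if (!schemaChange)
        return;

    // prevent system keyspace modification
    if (Keyspace.SYSTEM_KS.equalsIgnoreCase(keyspace))
        throw new UnauthorizedException(keyspace + " keyspace is not user-modifiable.");

    // Match AUTH_KS / TRACE_KS with equalsIgnoreCase, like the SYSTEM_KS check above.
    // toLowerCase() without a Locale folds case by the JVM's default locale, so under some
    // locales a differently-cased name would not match and this guard would be skipped.
    // Called on keyspace so that a null keyspace still fails here instead of passing.
    boolean restrictedKeyspace = keyspace.equalsIgnoreCase(Auth.AUTH_KS) || keyspace.equalsIgnoreCase(Tracing.TRACE_KS);

    // the only schema change allowed on AUTH_KS and TRACE_KS is a keyspace-level ALTER.
    if (restrictedKeyspace && !(resource.isKeyspaceLevel() && perm.equals(Permission.ALTER)))
        throw new UnauthorizedException(String.format("Cannot %s %s", perm, resource));
}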
/**
 * Lists the stored permissions matching the requested permission set.
 * The caller check runs before any query: a non-superuser may only list their own
 * permissions, so a non-superuser passing a null {@code of} ("everyone") is rejected.
 *
 * @param performer user requesting the listing.
 * @param permissions permissions to include in the result.
 * @param resource resource passed to buildListQuery to scope the listing.
 * @param of name of the user whose permissions are listed; null is reported as "everyone".
 * @return details for every stored permission that is contained in {@code permissions}.
 * @throws RequestValidationException declared by this method (includes the UnauthorizedException thrown here).
 * @throws RequestExecutionException declared by this method.
 */
public Set<PermissionDetails> list(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String of)
throws RequestValidationException, RequestExecutionException
{
    if (!(performer.isSuper() || performer.getName().equals(of)))
        throw new UnauthorizedException(String.format("You are not authorized to view %s's permissions",
                                                      of == null ? "everyone" : of));

    Set<PermissionDetails> matches = new HashSet<PermissionDetails>();

    // NOTE(review): buildListQuery is not visible here; confirm it escapes or binds
    // `of` and the resource name rather than concatenating them into the query text.
    for (UntypedResultSet.Row row : process(buildListQuery(resource, of)))
    {
        if (!row.has(PERMISSIONS))
            continue;

        for (String stored : row.getSet(PERMISSIONS, UTF8Type.instance))
        {
            // valueOf throws IllegalArgumentException for a stored name that is not a Permission constant.
            Permission permission = Permission.valueOf(stored);
            if (!permissions.contains(permission))
                continue;

            matches.add(new PermissionDetails(row.getString(USERNAME),
                                              DataResource.fromName(row.getString(RESOURCE)),
                                              permission));
        }
    }

    return matches;
}
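/**
 * Parses a data resource name into a DataResource instance.
 * The name is split on '/': one segment is the root, two segments a keyspace,
 * three segments a table.
 *
 * @param name Name of the data resource.
 * @return DataResource instance matching the name.
 * @throws IllegalArgumentException if the name is null or empty, does not start with
 *         ROOT_NAME, or has more than three segments.
 */
public static DataResource fromName(String name)
{
    String[] parts = StringUtils.split(name, '/');

    // Reject a null or empty split result before reading parts[0]; without this a null or
    // empty name surfaces as NullPointerException / ArrayIndexOutOfBoundsException instead
    // of the IllegalArgumentException callers get for every other malformed name.
    // NOTE(review): if this is Apache Commons Lang's StringUtils.split, adjacent separators
    // are collapsed, so a name with an empty segment is not rejected here - confirm whether
    // that is intended for names read back from stored permissions.
    if (parts == null || parts.length == 0 || parts.length > 3 || !parts[0].equals(ROOT_NAME))
        throw new IllegalArgumentException(String.format("%s is not a valid data resource name", name));

    if (parts.length == 1)
        return root();

    if (parts.length == 2)
        return keyspace(parts[1]);

    return table(parts[1], parts[2]);
}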
/**
 * Creates an IResource instance from its external name.
 * The implementation class is chosen by testing the name against the root-level name of
 * each known IResource implementation, in the order role, data, function, JMX; the first
 * prefix match wins and parsing is delegated to that class.
 * The prefix test only selects the parser; validation of the full name is left to the
 * selected fromName.
 *
 * @param name external name of the resource.
 * @return an IResource instance created from the name
 * @throws IllegalArgumentException if the name matches no known resource type.
 */
public static IResource fromName(String name)
{
    if (name.startsWith(RoleResource.root().getName()))
        return RoleResource.fromName(name);

    if (name.startsWith(DataResource.root().getName()))
        return DataResource.fromName(name);

    if (name.startsWith(FunctionResource.root().getName()))
        return FunctionResource.fromName(name);

    if (name.startsWith(JMXResource.root().getName()))
        return JMXResource.fromName(name);

    throw new IllegalArgumentException(String.format("Name %s is not valid for any resource type", name));
}
/**
 * Returns the resource one level up in the hierarchy: the root for a keyspace,
 * the owning keyspace for a table.
 *
 * @return Parent of the resource.
 * @throws IllegalStateException if this resource is at any other level (the root has no parent).
 */
public IResource getParent()
{
    switch (level)
    {
        case KEYSPACE:
            return root();
        case TABLE:
            return keyspace(keyspace);
        default:
            throw new IllegalStateException("Root-level resource can't have a parent");
    }
}
// NOTE(review): these statements look like fragments lifted from separate branches of
// generated parser code (see the state._fsp-- bookkeeping) rather than one straight-line
// sequence - confirm against the grammar. Each assignment sets res to a data resource at
// a different level.

// Root-level data resource.
res = DataResource.root();
state._fsp--;
// Keyspace-level data resource for ks.
res = DataResource.keyspace(ks);
state._fsp--;
// Column-family-level data resource built from cf's keyspace and column family name.
res = DataResource.columnFamily(cf.getKeyspace(), cf.getColumnFamily());
/**
 * Grants the creating user's role every applicable permission on the new keyspace,
 * first on its data resource and then on its function resource. Both grants are issued
 * with AuthenticatedUser.SYSTEM_USER as the performer.
 *
 * @param state query state; the role is derived from the name of its client state's user.
 * @throws RuntimeException wrapping any RequestExecutionException raised by a grant.
 */
protected void grantPermissionsToCreator(QueryState state)
{
    try
    {
        String creatorName = state.getClientState().getUser().getName();
        RoleResource creatorRole = RoleResource.role(creatorName);

        DataResource dataScope = DataResource.keyspace(keyspace());
        DatabaseDescriptor.getAuthorizer().grant(AuthenticatedUser.SYSTEM_USER,
                                                 dataScope.applicablePermissions(),
                                                 dataScope,
                                                 creatorRole);

        FunctionResource functionScope = FunctionResource.keyspace(keyspace());
        DatabaseDescriptor.getAuthorizer().grant(AuthenticatedUser.SYSTEM_USER,
                                                 functionScope.applicablePermissions(),
                                                 functionScope,
                                                 creatorRole);
    }
    catch (RequestExecutionException e)
    {
        // The cause is kept so the failed grant remains diagnosable.
        throw new RuntimeException(e);
    }
}
}
/**
 * Checks the given permission on a keyspace by delegating to hasAccess with the
 * keyspace-level DataResource built from the keyspace name.
 *
 * @param keyspace name of the keyspace being accessed.
 * @param perm permission required on the keyspace.
 * @throws UnauthorizedException declared by this method; raised by hasAccess.
 * @throws InvalidRequestException declared by this method; raised by hasAccess.
 */
public void hasKeyspaceAccess(String keyspace, Permission perm) throws UnauthorizedException, InvalidRequestException
{
    DataResource keyspaceResource = DataResource.keyspace(keyspace);
    hasAccess(keyspace, perm, keyspaceResource);
}