/**
 * Computes the permissions {@code user} holds on {@code resource}.
 *
 * <p>A superuser short-circuits the lookup and receives every permission the resource
 * reports as applicable. For any other user the result is the union of whatever
 * {@code addPermissionsForRole} contributes for each role in {@code user.getRoles()}.
 *
 * <p>The lookup fails closed: when it raises a {@code RequestExecutionException} the
 * partially built set is discarded and an unchecked exception is thrown instead, so a
 * failed lookup is never reported as a successful answer.
 *
 * @param user     the authenticated principal being checked
 * @param resource the resource access is requested on
 * @return the granted permissions; empty when no role contributes any
 * @throws RuntimeException wrapping the {@code RequestExecutionException} of a failed lookup
 * @throws AssertionError   wrapping a {@code RequestValidationException}, which the code
 *                          treats as impossible here
 */
public Set<Permission> authorize(AuthenticatedUser user, IResource resource) {
    if (user.isSuper()) {
        return resource.applicablePermissions();
    }

    Set<Permission> granted = EnumSet.noneOf(Permission.class);
    try {
        for (RoleResource grantedRole : user.getRoles()) {
            addPermissionsForRole(granted, resource, grantedRole);
        }
        return granted;
    } catch (RequestValidationException e) {
        // not supposed to happen
        throw new AssertionError(e);
    } catch (RequestExecutionException e) {
        // The warning names only the user and resource; the cause travels with the
        // rethrown exception rather than with the log line.
        logger.warn("CassandraAuthorizer failed to authorize {} for {}", user, resource);
        throw new RuntimeException(e);
    }
}
/**
 * Computes the permissions {@code user} holds on {@code resource}.
 *
 * <p>A superuser short-circuits the lookup and receives every permission the resource
 * reports as applicable. For any other user the result is the union of whatever
 * {@code addPermissionsForRole} contributes for each role in {@code user.getRoles()}.
 *
 * <p>The lookup fails closed: when it raises a {@code RequestExecutionException} the
 * partially built set is discarded and an unchecked exception is thrown instead, so a
 * failed lookup is never reported as a successful answer.
 *
 * @param user     the authenticated principal being checked
 * @param resource the resource access is requested on
 * @return the granted permissions; empty when no role contributes any
 * @throws RuntimeException wrapping the {@code RequestExecutionException} of a failed lookup
 * @throws AssertionError   wrapping a {@code RequestValidationException}, which the code
 *                          treats as impossible here
 */
public Set<Permission> authorize(AuthenticatedUser user, IResource resource) {
    if (user.isSuper()) {
        return resource.applicablePermissions();
    }

    Set<Permission> granted = EnumSet.noneOf(Permission.class);
    try {
        for (RoleResource grantedRole : user.getRoles()) {
            addPermissionsForRole(granted, resource, grantedRole);
        }
        return granted;
    } catch (RequestValidationException e) {
        // not supposed to happen
        throw new AssertionError(e);
    } catch (RequestExecutionException e) {
        // The warning names only the user and resource; the cause travels with the
        // rethrown exception rather than with the log line.
        logger.warn("CassandraAuthorizer failed to authorize {} for {}", user, resource);
        throw new RuntimeException(e);
    }
}
/**
 * Computes the permissions {@code user} holds on {@code resource}.
 *
 * <p>A superuser short-circuits the lookup and receives every permission the resource
 * reports as applicable. For any other user the result is the union of whatever
 * {@code addPermissionsForRole} contributes for each role in {@code user.getRoles()}.
 *
 * <p>The lookup fails closed: when it raises a {@code RequestExecutionException} the
 * partially built set is discarded and an unchecked exception is thrown instead, so a
 * failed lookup is never reported as a successful answer.
 *
 * @param user     the authenticated principal being checked
 * @param resource the resource access is requested on
 * @return the granted permissions; empty when no role contributes any
 * @throws RuntimeException wrapping the {@code RequestExecutionException} of a failed lookup
 * @throws AssertionError   wrapping a {@code RequestValidationException}, which the code
 *                          treats as impossible here
 */
public Set<Permission> authorize(AuthenticatedUser user, IResource resource) {
    if (user.isSuper()) {
        return resource.applicablePermissions();
    }

    Set<Permission> granted = EnumSet.noneOf(Permission.class);
    try {
        for (RoleResource grantedRole : user.getRoles()) {
            addPermissionsForRole(granted, resource, grantedRole);
        }
        return granted;
    } catch (RequestValidationException e) {
        // not supposed to happen
        throw new AssertionError(e);
    } catch (RequestExecutionException e) {
        // The warning names only the user and resource; the cause travels with the
        // rethrown exception rather than with the log line.
        logger.warn("CassandraAuthorizer failed to authorize {} for {}", user, resource);
        throw new RuntimeException(e);
    }
}
/**
 * Lists permission grants on {@code resource}, filtered by {@code permissions}, for
 * {@code grantee} or, when {@code grantee} is {@code null}, without a grantee filter.
 *
 * <p>Visibility is restricted: the caller must be a superuser, the system user, or hold
 * {@code grantee} among its own roles. Every other caller is rejected before any grant is
 * read, which also covers the unfiltered ({@code null} grantee) listing.
 *
 * @param performer   the user asking for the listing
 * @param permissions the permissions to report on
 * @param resource    the resource whose grants are listed
 * @param grantee     the role to list grants for, or {@code null} for everyone
 * @return the matching permission details, merged over every role resolved for the grantee
 * @throws UnauthorizedException if {@code performer} may not view the grantee's permissions
 * @throws RequestValidationException as declared by the interface
 * @throws RequestExecutionException  as declared by the interface
 */
public Set<PermissionDetails> list(AuthenticatedUser performer,
                                   Set<Permission> permissions,
                                   IResource resource,
                                   RoleResource grantee)
        throws RequestValidationException, RequestExecutionException {
    boolean privileged = performer.isSuper() || performer.isSystem();
    // NOTE(review): for an unprivileged caller this membership test also runs with a null
    // grantee; it relies on the role set answering contains(null) with false. Confirm.
    if (!privileged && !performer.getRoles().contains(grantee)) {
        String subject = grantee == null ? "everyone" : grantee.getRoleName();
        throw new UnauthorizedException(
                String.format("You are not authorized to view %s's permissions", subject));
    }

    if (grantee == null) {
        return listPermissionsForRole(permissions, resource, grantee);
    }

    // Presumably the boolean asks the role manager for inherited roles too; confirm
    // against IRoleManager#getRoles.
    Set<RoleResource> resolvedRoles = DatabaseDescriptor.getRoleManager().getRoles(grantee, true);
    Set<PermissionDetails> collected = new HashSet<>();
    for (RoleResource resolved : resolvedRoles) {
        collected.addAll(listPermissionsForRole(permissions, resource, resolved));
    }
    return collected;
}
/**
 * Lists permission grants on {@code resource}, filtered by {@code permissions}, for
 * {@code grantee} or, when {@code grantee} is {@code null}, without a grantee filter.
 *
 * <p>Visibility is restricted: the caller must be a superuser, the system user, or hold
 * {@code grantee} among its own roles. Every other caller is rejected before any grant is
 * read, which also covers the unfiltered ({@code null} grantee) listing.
 *
 * @param performer   the user asking for the listing
 * @param permissions the permissions to report on
 * @param resource    the resource whose grants are listed
 * @param grantee     the role to list grants for, or {@code null} for everyone
 * @return the matching permission details, merged over every role resolved for the grantee
 * @throws UnauthorizedException if {@code performer} may not view the grantee's permissions
 * @throws RequestValidationException as declared by the interface
 * @throws RequestExecutionException  as declared by the interface
 */
public Set<PermissionDetails> list(AuthenticatedUser performer,
                                   Set<Permission> permissions,
                                   IResource resource,
                                   RoleResource grantee)
        throws RequestValidationException, RequestExecutionException {
    boolean privileged = performer.isSuper() || performer.isSystem();
    // NOTE(review): for an unprivileged caller this membership test also runs with a null
    // grantee; it relies on the role set answering contains(null) with false. Confirm.
    if (!privileged && !performer.getRoles().contains(grantee)) {
        String subject = grantee == null ? "everyone" : grantee.getRoleName();
        throw new UnauthorizedException(
                String.format("You are not authorized to view %s's permissions", subject));
    }

    if (grantee == null) {
        return listPermissionsForRole(permissions, resource, grantee);
    }

    // Presumably the boolean asks the role manager for inherited roles too; confirm
    // against IRoleManager#getRoles.
    Set<RoleResource> resolvedRoles = DatabaseDescriptor.getRoleManager().getRoles(grantee, true);
    Set<PermissionDetails> collected = new HashSet<>();
    for (RoleResource resolved : resolvedRoles) {
        collected.addAll(listPermissionsForRole(permissions, resource, resolved));
    }
    return collected;
}
/**
 * Lists permission grants on {@code resource}, filtered by {@code permissions}, for
 * {@code grantee} or, when {@code grantee} is {@code null}, without a grantee filter.
 *
 * <p>Visibility is restricted: the caller must be a superuser, the system user, or hold
 * {@code grantee} among its own roles. Every other caller is rejected before any grant is
 * read, which also covers the unfiltered ({@code null} grantee) listing.
 *
 * @param performer   the user asking for the listing
 * @param permissions the permissions to report on
 * @param resource    the resource whose grants are listed
 * @param grantee     the role to list grants for, or {@code null} for everyone
 * @return the matching permission details, merged over every role resolved for the grantee
 * @throws UnauthorizedException if {@code performer} may not view the grantee's permissions
 * @throws RequestValidationException as declared by the interface
 * @throws RequestExecutionException  as declared by the interface
 */
public Set<PermissionDetails> list(AuthenticatedUser performer,
                                   Set<Permission> permissions,
                                   IResource resource,
                                   RoleResource grantee)
        throws RequestValidationException, RequestExecutionException {
    boolean privileged = performer.isSuper() || performer.isSystem();
    // NOTE(review): for an unprivileged caller this membership test also runs with a null
    // grantee; it relies on the role set answering contains(null) with false. Confirm.
    if (!privileged && !performer.getRoles().contains(grantee)) {
        String subject = grantee == null ? "everyone" : grantee.getRoleName();
        throw new UnauthorizedException(
                String.format("You are not authorized to view %s's permissions", subject));
    }

    if (grantee == null) {
        return listPermissionsForRole(permissions, resource, grantee);
    }

    // Presumably the boolean asks the role manager for inherited roles too; confirm
    // against IRoleManager#getRoles.
    Set<RoleResource> resolvedRoles = DatabaseDescriptor.getRoleManager().getRoles(grantee, true);
    Set<PermissionDetails> collected = new HashSet<>();
    for (RoleResource resolved : resolvedRoles) {
        collected.addAll(listPermissionsForRole(permissions, resource, resolved));
    }
    return collected;
}
/**
 * Decides whether the user attached to {@code state} may apply this statement's options
 * ({@code opts}) to the target {@code role}.
 *
 * <p>The checks run in this order, and the order is part of the contract:
 * <ol>
 *   <li>If the superuser option is set and the target is among the caller's own roles,
 *       the request is rejected. This runs before the superuser early return, so it
 *       binds superusers as well.</li>
 *   <li>If the superuser option is set and the caller is not a superuser, the request is
 *       rejected.</li>
 *   <li>A superuser is allowed everything else.</li>
 *   <li>A caller whose name equals the target role's name may change only options listed
 *       by {@code IRoleManager#alterableOptions}.</li>
 *   <li>Any other caller needs {@code ALTER} permission on the target role.</li>
 * </ol>
 *
 * @param state the client state carrying the authenticated user
 * @throws UnauthorizedException if any of the checks above rejects the request
 */
public void checkAccess(ClientState state) throws UnauthorizedException {
    AuthenticatedUser caller = state.getUser();
    boolean callerIsSuper = caller.isSuper();

    if (opts.getSuperuser().isPresent() && caller.getRoles().contains(role)) {
        throw new UnauthorizedException("You aren't allowed to alter your own superuser " +
                                        "status or that of a role granted to you");
    }

    if (opts.getSuperuser().isPresent() && !callerIsSuper) {
        throw new UnauthorizedException("Only superusers are allowed to alter superuser status");
    }

    // superusers can do whatever else they like
    if (callerIsSuper) {
        return;
    }

    // altering a different role: the caller must hold ALTER permission on it
    if (!caller.getName().equals(role.getRoleName())) {
        super.checkPermission(state, Permission.ALTER, role);
        return;
    }

    // a role may only modify the subset of its own attributes as determined by
    // IRoleManager#alterableOptions
    for (Option requested : opts.getOptions().keySet()) {
        boolean selfAlterable = DatabaseDescriptor.getRoleManager().alterableOptions().contains(requested);
        if (!selfAlterable) {
            throw new UnauthorizedException(String.format("You aren't allowed to alter %s", requested));
        }
    }
}
/**
 * Decides whether the user attached to {@code state} may apply this statement's options
 * ({@code opts}) to the target {@code role}.
 *
 * <p>The checks run in this order, and the order is part of the contract:
 * <ol>
 *   <li>If the superuser option is set and the target is among the caller's own roles,
 *       the request is rejected. This runs before the superuser early return, so it
 *       binds superusers as well.</li>
 *   <li>If the superuser option is set and the caller is not a superuser, the request is
 *       rejected.</li>
 *   <li>A superuser is allowed everything else.</li>
 *   <li>A caller whose name equals the target role's name may change only options listed
 *       by {@code IRoleManager#alterableOptions}.</li>
 *   <li>Any other caller needs {@code ALTER} permission on the target role.</li>
 * </ol>
 *
 * @param state the client state carrying the authenticated user
 * @throws UnauthorizedException if any of the checks above rejects the request
 */
public void checkAccess(ClientState state) throws UnauthorizedException {
    AuthenticatedUser caller = state.getUser();
    boolean callerIsSuper = caller.isSuper();

    if (opts.getSuperuser().isPresent() && caller.getRoles().contains(role)) {
        throw new UnauthorizedException("You aren't allowed to alter your own superuser " +
                                        "status or that of a role granted to you");
    }

    if (opts.getSuperuser().isPresent() && !callerIsSuper) {
        throw new UnauthorizedException("Only superusers are allowed to alter superuser status");
    }

    // superusers can do whatever else they like
    if (callerIsSuper) {
        return;
    }

    // altering a different role: the caller must hold ALTER permission on it
    if (!caller.getName().equals(role.getRoleName())) {
        super.checkPermission(state, Permission.ALTER, role);
        return;
    }

    // a role may only modify the subset of its own attributes as determined by
    // IRoleManager#alterableOptions
    for (Option requested : opts.getOptions().keySet()) {
        boolean selfAlterable = DatabaseDescriptor.getRoleManager().alterableOptions().contains(requested);
        if (!selfAlterable) {
            throw new UnauthorizedException(String.format("You aren't allowed to alter %s", requested));
        }
    }
}
/**
 * Decides whether the user attached to {@code state} may apply this statement's options
 * ({@code opts}) to the target {@code role}.
 *
 * <p>The checks run in this order, and the order is part of the contract:
 * <ol>
 *   <li>If the superuser option is set and the target is among the caller's own roles,
 *       the request is rejected. This runs before the superuser early return, so it
 *       binds superusers as well.</li>
 *   <li>If the superuser option is set and the caller is not a superuser, the request is
 *       rejected.</li>
 *   <li>A superuser is allowed everything else.</li>
 *   <li>A caller whose name equals the target role's name may change only options listed
 *       by {@code IRoleManager#alterableOptions}.</li>
 *   <li>Any other caller needs {@code ALTER} permission on the target role.</li>
 * </ol>
 *
 * @param state the client state carrying the authenticated user
 * @throws UnauthorizedException if any of the checks above rejects the request
 */
public void checkAccess(ClientState state) throws UnauthorizedException {
    AuthenticatedUser caller = state.getUser();
    boolean callerIsSuper = caller.isSuper();

    if (opts.getSuperuser().isPresent() && caller.getRoles().contains(role)) {
        throw new UnauthorizedException("You aren't allowed to alter your own superuser " +
                                        "status or that of a role granted to you");
    }

    if (opts.getSuperuser().isPresent() && !callerIsSuper) {
        throw new UnauthorizedException("Only superusers are allowed to alter superuser status");
    }

    // superusers can do whatever else they like
    if (callerIsSuper) {
        return;
    }

    // altering a different role: the caller must hold ALTER permission on it
    if (!caller.getName().equals(role.getRoleName())) {
        super.checkPermission(state, Permission.ALTER, role);
        return;
    }

    // a role may only modify the subset of its own attributes as determined by
    // IRoleManager#alterableOptions
    for (Option requested : opts.getOptions().keySet()) {
        boolean selfAlterable = DatabaseDescriptor.getRoleManager().alterableOptions().contains(requested);
        if (!selfAlterable) {
            throw new UnauthorizedException(String.format("You aren't allowed to alter %s", requested));
        }
    }
}