/**
 * Rejects schema-changing operations against protected keyspaces.
 *
 * <p>Only {@code ALTER}, {@code DROP} and {@code CREATE} are examined; every other permission
 * passes through. The keyspace named by {@code Keyspace.SYSTEM_KS} is refused outright
 * (matched case-insensitively). For {@code Auth.AUTH_KS} and {@code Tracing.TRACE_KS} the only
 * operation let through is a keyspace-level {@code ALTER}.
 *
 * <p>A normal return means only that this guard raised no objection. Presumably the caller
 * still performs the regular permission check; confirm against the call site.
 *
 * @param keyspace name of the keyspace the check is applied to
 * @param resource the data resource being acted on
 * @param perm the permission being requested
 * @throws UnauthorizedException if the operation would modify a protected keyspace
 */
private void preventSystemKSSchemaModification(String keyspace, DataResource resource, Permission perm) throws UnauthorizedException {
    // Anything that is not a schema change is outside this guard's remit.
    boolean schemaChange = perm.equals(Permission.ALTER)
                           || perm.equals(Permission.DROP)
                           || perm.equals(Permission.CREATE);
    if (!schemaChange) {
        return;
    }

    // The system keyspace is never user-modifiable.
    if (Keyspace.SYSTEM_KS.equalsIgnoreCase(keyspace)) {
        throw new UnauthorizedException(keyspace + " keyspace is not user-modifiable.");
    }

    // AUTH_KS and TRACE_KS may be altered at keyspace level, and nothing more.
    Set<String> alterOnlyKeyspaces = Sets.newHashSet(Auth.AUTH_KS, Tracing.TRACE_KS);

    // NOTE(review): toLowerCase() follows the JVM default locale, so this authorization
    // comparison depends on host settings; an explicit Locale.ROOT would remove that dependency.
    String normalizedKeyspace = keyspace.toLowerCase();
    if (!alterOnlyKeyspaces.contains(normalizedKeyspace)) {
        return;
    }

    boolean keyspaceLevelAlter = resource.isKeyspaceLevel() && perm.equals(Permission.ALTER);
    if (keyspaceLevelAlter) {
        return;
    }

    throw new UnauthorizedException(String.format("Cannot %s %s", perm, resource));
}
/**
 * Blocks DDL against system keyspaces, with two narrow exceptions.
 *
 * <p>Permissions other than {@code ALTER}, {@code DROP} and {@code CREATE} are ignored. Any
 * keyspace for which {@code SchemaConstants.isLocalSystemKeyspace} answers true is refused
 * outright. For keyspaces accepted by {@code SchemaConstants.isReplicatedSystemKeyspace}, only
 * a keyspace-level {@code ALTER} or a {@code DROP} of a resource listed in
 * {@code DROPPABLE_SYSTEM_AUTH_TABLES} is let through.
 *
 * <p>A normal return means only that this guard raised no objection. Presumably the caller
 * still checks that the user holds the permission; confirm against the call site.
 *
 * @param keyspace name of the keyspace the check is applied to
 * @param resource the data resource being acted on
 * @param perm the permission being requested
 * @throws UnauthorizedException if the operation would modify a protected system keyspace
 */
private void preventSystemKSSchemaModification(String keyspace, DataResource resource, Permission perm) throws UnauthorizedException {
    // Non-DDL permissions are not this guard's concern.
    boolean ddl = perm == Permission.ALTER || perm == Permission.DROP || perm == Permission.CREATE;
    if (!ddl) {
        return;
    }

    // Local system keyspaces accept no DDL at all.
    if (SchemaConstants.isLocalSystemKeyspace(keyspace)) {
        throw new UnauthorizedException(keyspace + " keyspace is not user-modifiable.");
    }

    // Ordinary (non-system) keyspaces fall through to the normal checks.
    if (!SchemaConstants.isReplicatedSystemKeyspace(keyspace)) {
        return;
    }

    // Exception 1: altering replication params of a replicated system keyspace.
    boolean keyspaceLevelAlter = perm == Permission.ALTER && resource.isKeyspaceLevel();
    // Exception 2: dropping one of the legacy tables named in DROPPABLE_SYSTEM_AUTH_TABLES.
    boolean legacyTableDrop = perm == Permission.DROP && DROPPABLE_SYSTEM_AUTH_TABLES.contains(resource);
    if (keyspaceLevelAlter || legacyTableDrop) {
        return;
    }

    // Every other change to a replicated system keyspace is denied.
    throw new UnauthorizedException(String.format("Cannot %s %s", perm, resource));
}
/**
 * Denies schema changes to system keyspaces unless they match a short allow-list.
 *
 * <p>The check applies to {@code ALTER}, {@code DROP} and {@code CREATE} only. Keyspaces
 * reported by {@code SchemaConstants.isLocalSystemKeyspace} cannot be modified. Keyspaces
 * reported by {@code SchemaConstants.isReplicatedSystemKeyspace} accept a keyspace-level
 * {@code ALTER}, or a {@code DROP} whose resource is contained in
 * {@code DROPPABLE_SYSTEM_AUTH_TABLES}; everything else is rejected.
 *
 * <p>Passing this method is not an authorization grant in itself. Presumably the caller still
 * verifies the user's privileges; confirm against the call site.
 *
 * @param keyspace name of the keyspace the check is applied to
 * @param resource the data resource being acted on
 * @param perm the permission being requested
 * @throws UnauthorizedException if the requested DDL targets a protected system keyspace
 */
private void preventSystemKSSchemaModification(String keyspace, DataResource resource, Permission perm) throws UnauthorizedException {
    // Only DDL permissions are of interest here.
    if (!(perm == Permission.ALTER || perm == Permission.DROP || perm == Permission.CREATE)) {
        return;
    }

    // No DDL whatsoever on local system keyspaces.
    if (SchemaConstants.isLocalSystemKeyspace(keyspace)) {
        throw new UnauthorizedException(keyspace + " keyspace is not user-modifiable.");
    }

    if (!SchemaConstants.isReplicatedSystemKeyspace(keyspace)) {
        return;
    }

    if (perm == Permission.ALTER) {
        // Replication params of a replicated system keyspace may be altered.
        if (resource.isKeyspaceLevel()) {
            return;
        }
    } else if (perm == Permission.DROP) {
        // Legacy tables named in DROPPABLE_SYSTEM_AUTH_TABLES may be dropped.
        if (DROPPABLE_SYSTEM_AUTH_TABLES.contains(resource)) {
            return;
        }
    }

    // Any other change to a replicated system keyspace is refused.
    throw new UnauthorizedException(String.format("Cannot %s %s", perm, resource));
}
/**
 * Guards system keyspaces against DDL statements.
 *
 * <p>Only {@code ALTER}, {@code DROP} and {@code CREATE} are checked. A keyspace matched by
 * {@code SchemaConstants.isLocalSystemKeyspace} is always refused. A keyspace matched by
 * {@code SchemaConstants.isReplicatedSystemKeyspace} is refused unless the request is a
 * keyspace-level {@code ALTER} or a {@code DROP} of a resource found in
 * {@code DROPPABLE_SYSTEM_AUTH_TABLES}.
 *
 * <p>This method only vetoes. Presumably the caller still checks that the user holds the
 * permission after a normal return; confirm against the call site.
 *
 * @param keyspace name of the keyspace the check is applied to
 * @param resource the data resource being acted on
 * @param perm the permission being requested
 * @throws UnauthorizedException if the DDL would touch a protected system keyspace
 */
private void preventSystemKSSchemaModification(String keyspace, DataResource resource, Permission perm) throws UnauthorizedException {
    boolean ddlStatement = perm == Permission.ALTER || perm == Permission.DROP || perm == Permission.CREATE;
    if (ddlStatement) {
        // Local system keyspaces: all modification is forbidden.
        if (SchemaConstants.isLocalSystemKeyspace(keyspace)) {
            throw new UnauthorizedException(keyspace + " keyspace is not user-modifiable.");
        }

        if (SchemaConstants.isReplicatedSystemKeyspace(keyspace)) {
            // ALTER is permitted at keyspace level only (replication params).
            // DROP is permitted only for the legacy tables in DROPPABLE_SYSTEM_AUTH_TABLES.
            // CREATE is never permitted.
            boolean permitted = (perm == Permission.ALTER)
                                ? resource.isKeyspaceLevel()
                                : (perm == Permission.DROP && DROPPABLE_SYSTEM_AUTH_TABLES.contains(resource));
            if (!permitted) {
                throw new UnauthorizedException(String.format("Cannot %s %s", perm, resource));
            }
        }
    }
}