
Update IAuthenticator to match the new IAuthorizer;

patch by Aleksey Yeschenko, reviewed by Jonathan Ellis for CASSANDRA-5003
1 parent fbf9f55 commit bddfa9e120bdafc204bde97bb51de1f86bf9695b @iamaleksey iamaleksey committed Dec 8, 2012
Showing with 1,079 additions and 163 deletions.
  1. +1 −0 CHANGES.txt
  2. +14 −0 NEWS.txt
  3. +2 −0 doc/native_protocol.spec
  4. +3 −2 examples/simple_authentication/conf/passwd.properties
  5. +8 −16 examples/simple_authentication/src/org/apache/cassandra/auth/SimpleAuthenticator.java
  6. +34 −8 pylib/cqlshlib/cql3handling.py
  7. +40 −10 src/java/org/apache/cassandra/auth/AllowAllAuthenticator.java
  8. +9 −9 src/java/org/apache/cassandra/auth/AllowAllAuthorizer.java
  9. +131 −0 src/java/org/apache/cassandra/auth/Auth.java
  10. +28 −10 src/java/org/apache/cassandra/auth/AuthenticatedUser.java
  11. +87 −9 src/java/org/apache/cassandra/auth/IAuthenticator.java
  12. +9 −9 src/java/org/apache/cassandra/auth/IAuthorizer.java
  13. +4 −4 src/java/org/apache/cassandra/auth/IResource.java
  14. +92 −0 src/java/org/apache/cassandra/auth/LegacyAuthenticator.java
  15. +9 −6 src/java/org/apache/cassandra/auth/LegacyAuthorizer.java
  16. +6 −0 src/java/org/apache/cassandra/config/CFMetaData.java
  17. +3 −1 src/java/org/apache/cassandra/config/DatabaseDescriptor.java
  18. +7 −0 src/java/org/apache/cassandra/config/KSMetaData.java
  19. +3 −2 src/java/org/apache/cassandra/config/Schema.java
  20. +77 −11 src/java/org/apache/cassandra/cql3/Cql.g
  21. +21 −0 src/java/org/apache/cassandra/cql3/QueryProcessor.java
  22. +62 −0 src/java/org/apache/cassandra/cql3/UserOptions.java
  23. +86 −0 src/java/org/apache/cassandra/cql3/statements/AlterUserStatement.java
  24. +57 −0 src/java/org/apache/cassandra/cql3/statements/AuthenticationStatement.java
  25. +4 −6 src/java/org/apache/cassandra/cql3/statements/AuthorizationStatement.java
  26. +64 −0 src/java/org/apache/cassandra/cql3/statements/CreateUserStatement.java
  27. +62 −0 src/java/org/apache/cassandra/cql3/statements/DropUserStatement.java
  28. +3 −4 src/java/org/apache/cassandra/cql3/statements/GrantStatement.java
  29. +19 −6 src/java/org/apache/cassandra/cql3/statements/ListPermissionsStatement.java
  30. +48 −0 src/java/org/apache/cassandra/cql3/statements/ListUsersStatement.java
  31. +5 −2 src/java/org/apache/cassandra/cql3/statements/PermissionAlteringStatement.java
  32. +3 −4 src/java/org/apache/cassandra/cql3/statements/RevokeStatement.java
  33. +26 −0 src/java/org/apache/cassandra/exceptions/AuthenticationException.java
  34. +2 −0 src/java/org/apache/cassandra/exceptions/ExceptionCode.java
  35. +3 −5 src/java/org/apache/cassandra/service/CassandraDaemon.java
  36. +27 −33 src/java/org/apache/cassandra/service/ClientState.java
  37. +8 −1 src/java/org/apache/cassandra/thrift/CassandraServer.java
  38. +5 −0 src/java/org/apache/cassandra/thrift/ThriftConversion.java
  39. +1 −2 src/java/org/apache/cassandra/transport/messages/CredentialsMessage.java
  40. +3 −0 src/java/org/apache/cassandra/transport/messages/ErrorMessage.java
  41. +3 −3 src/java/org/apache/cassandra/transport/messages/StartupMessage.java
@@ -6,6 +6,7 @@
* Fix preparing updates with collections (CASSANDRA-5017)
* Don't generate UUID based on other node address (CASSANDRA-5002)
* Fix message when trying to alter a clustering key type (CASSANDRA-5012)
+ * Update IAuthenticator to match the new IAuthorizer (CASSANDRA-5003)
Merged from 1.1
* Improve schema propagation performance (CASSANDRA-5025)
* Fix for IndexHelper.IndexFor throws OOB Exception (CASSANDRA-5030)
@@ -14,6 +14,15 @@ by version X, but the inverse is not necessarily the case.)
Upgrading
---------
+ - IAuthenticator interface has been updated to support dynamic
+ user creation, modification and removal. Users, even when stored
+ externally, now have to be explicitly created using
+ CREATE USER query first. AllowAllAuthenticator and SimpleAuthenticator
+ have been updated for the new interface, but you'll have to update
+ your old IAuthenticator implementations for 1.2. To ease this process,
+ a new abstract LegacyAuthenticator class has been added - subclass it
+ in your old IAuthenticator implementaion and everything should just work
+ (this only affects users who implemented custom authenticators).
- IAuthority interface has been deprecated in favor of IAuthorizer.
AllowAllAuthority and SimpleAuthority have been renamed to
AllowAllAuthorizer and SimpleAuthorizer, respectively. In order to
@@ -107,6 +116,11 @@ Features
GRANT, REVOKE, LIST PERMISSIONS. A native implementation storing
the permissions in Cassandra is being worked on and we expect to
include it in 1.2.1 or 1.2.2.
+ - IAuthenticator interface has been updated to support dynamic user
+ creation, modification and removal via new CQL3 statements:
+ CREATE USER, ALTER USER, DROP USER, LIST USERS. A native implementation
+ that stores users in Cassandra itself is being worked on and is expected to
+ become part of 1.2.1 or 1.2.2.
1.1.5
@@ -550,6 +550,8 @@ Table of Contents
0x000A Protocol error: some client message triggered a protocol
violation (for instance a QUERY message is sent before a STARTUP
one has been sent)
+ 0x0100 Bad credentials: CREDENTIALS request failed because Cassandra
+ did not accept the provided credentials.
0x1000 Unavailable exception. The rest of the ERROR message body will be
<cl><required><alive>
@@ -17,7 +17,8 @@
# This is a sample password file for SimpleAuthenticator. The format of
# this file is username=password. If -Dpasswd.mode=MD5 then the password
# is represented as an md5 digest, otherwise it is cleartext (keep this
-# in mind when setting file mode and ownership).
+# in mind when setting file mode and ownership). 'cassandra' is the default
+# superuser and can be removed later.
+cassandra=cassandra
jsmith=havebadpass
-Elvis\ Presley=graceland4evar
dilbert=nomoovertime
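Review bot: The added `cassandra=cassandra` line ships a superuser whose password is its own name, and the new comment only says the account "can be removed later", which reads as optional. The header already notes that passwords are cleartext unless passwd.mode=MD5, so anyone copying this sample into a deployment inherits a known superuser login. I would make the comment state the required step, for example `# 'cassandra' is the default superuser: change this password or remove the entry once another superuser exists.`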
@@ -29,31 +29,29 @@
import java.util.Map;
import java.util.Properties;
+import org.apache.cassandra.exceptions.AuthenticationException;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.io.util.FileUtils;
-import org.apache.cassandra.thrift.AuthenticationException;
import org.apache.cassandra.utils.FBUtilities;
import org.apache.cassandra.utils.Hex;
-public class SimpleAuthenticator implements IAuthenticator
+public class SimpleAuthenticator extends LegacyAuthenticator
{
public final static String PASSWD_FILENAME_PROPERTY = "passwd.properties";
public final static String PMODE_PROPERTY = "passwd.mode";
- public static final String USERNAME_KEY = "username";
- public static final String PASSWORD_KEY = "password";
public enum PasswordMode
{
PLAIN, MD5,
- };
+ }
public AuthenticatedUser defaultUser()
{
// users must log in
return null;
}
- public AuthenticatedUser authenticate(Map<? extends CharSequence,? extends CharSequence> credentials) throws AuthenticationException
+ public AuthenticatedUser authenticate(Map<String, String> credentials) throws AuthenticationException
{
String pmode_plain = System.getProperty(PMODE_PROPERTY);
PasswordMode mode = PasswordMode.PLAIN;
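Review bot: `defaultUser()` and the re-typed `authenticate(Map<String, String> credentials)` carry no `@Override`, so nothing in this hunk shows whether either is still part of the contract now that the class extends LegacyAuthenticator. AllowAllAuthenticator in this same commit drops `defaultUser()` in favour of `requireAuthentication()`, so it is worth confirming that the `return null` ("users must log in") path is still what the server consults. If LegacyAuthenticator does declare both methods, adding `@Override` to each lets the compiler keep the signatures in step with the base class. The body of `authenticate` continues outside this hunk.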
@@ -78,19 +76,13 @@ public AuthenticatedUser authenticate(Map<? extends CharSequence,? extends CharS
String pfilename = System.getProperty(PASSWD_FILENAME_PROPERTY);
- String username = null;
- CharSequence user = credentials.get(USERNAME_KEY);
- if (user == null)
+ String username = credentials.get(USERNAME_KEY);
+ if (username == null)
throw new AuthenticationException("Authentication request was missing the required key '" + USERNAME_KEY + "'");
- else
- username = user.toString();
- String password = null;
- CharSequence pass = credentials.get(PASSWORD_KEY);
- if (pass == null)
+ String password = credentials.get(PASSWORD_KEY);
+ if (password == null)
throw new AuthenticationException("Authentication request was missing the required key '" + PASSWORD_KEY + "'");
- else
- password = pass.toString();
boolean authenticated = false;
@@ -257,6 +257,7 @@ def dequote_any(cls, t):
| <selectStatement>
| <dataChangeStatement>
| <schemaChangeStatement>
+ | <authenticationStatement>
| <authorizationStatement>
;
@@ -277,10 +278,16 @@ def dequote_any(cls, t):
| <alterKeyspaceStatement>
;
-<authorizationStatement> ::= | <grantStatement>
- | <revokeStatement>
- | <listPermissionsStatement>
- ;
+<authenticationStatement> ::= <createUserStatement>
+ | <alterUserStatement>
+ | <dropUserStatement>
+ | <listUsersStatement>
+ ;
+
+<authorizationStatement> ::= <grantStatement>
+ | <revokeStatement>
+ | <listPermissionsStatement>
+ ;
# timestamp is included here, since it's also a keyword
<simpleStorageType> ::= typename=( <identifier> | <stringLiteral> | <K_TIMESTAMP> ) ;
@@ -1240,6 +1247,27 @@ def alter_table_col_completer(ctxt, cass):
'''
syntax_rules += r'''
+<username> ::= user=( <identifier> | <stringLiteral> )
+ ;
+
+<createUserStatement> ::= "CREATE" "USER" <username>
+ ( "WITH" "PASSWORD" <stringLiteral> )?
+ ( "SUPERUSER" | "NOSUPERUSER" )?
+ ;
+
+<alterUserStatement> ::= "ALTER" "USER" <username>
+ ( "WITH" "PASSWORD" <stringLiteral> )?
+ ( "SUPERUSER" | "NOSUPERUSER" )?
+ ;
+
+<dropUserStatement> ::= "DROP" "USER" <username>
+ ;
+
+<listUsersStatement> ::= "LIST" "USERS"
+ ;
+'''
+
+syntax_rules += r'''
<grantStatement> ::= "GRANT" <permissionExpr> "ON" <resource> "TO" <username>
;
@@ -1269,14 +1297,12 @@ def alter_table_col_completer(ctxt, cass):
| ( "KEYSPACE" <nonSystemKeyspaceName> )
| ( "TABLE"? <columnFamilyName> )
;
-
-<username> ::= user=( <identifier> | <stringLiteral> )
- ;
'''
+
@completer_for('username', 'user')
def username_user_completer(ctxt, cass):
- # TODO: implement user autocompletion
+ # TODO: implement user autocompletion for grant/revoke/list/drop user/alter user
# with I could see a way to do this usefully, but I don't. I don't know
# how any Authorities other than AllowAllAuthorizer work :/
return [Hint('<username>')]
@@ -17,31 +17,61 @@
*/
package org.apache.cassandra.auth;
+import java.util.Collections;
import java.util.Map;
+import java.util.Set;
+import org.apache.cassandra.exceptions.AuthenticationException;
import org.apache.cassandra.exceptions.ConfigurationException;
-import org.apache.cassandra.thrift.AuthenticationException;
+import org.apache.cassandra.exceptions.InvalidRequestException;
public class AllowAllAuthenticator implements IAuthenticator
{
- private final static AuthenticatedUser DEFAULT_USER = new AuthenticatedUser("nobody");
+ public boolean requireAuthentication()
+ {
+ return false;
+ }
+
+ public Set<Option> supportedOptions()
+ {
+ return Collections.emptySet();
+ }
- public AuthenticatedUser defaultUser()
+ public Set<Option> alterableOptions()
{
- return DEFAULT_USER;
+ return Collections.emptySet();
}
- public AuthenticatedUser authenticate(Map<? extends CharSequence,? extends CharSequence> credentials) throws AuthenticationException
+ public AuthenticatedUser authenticate(Map<String, String> credentials) throws AuthenticationException
{
+ return AuthenticatedUser.ANONYMOUS_USER;
+ }
- CharSequence username = credentials.get(IAuthenticator.USERNAME_KEY);
- if (username == null)
- return DEFAULT_USER;
- return new AuthenticatedUser((String)username);
+ public void create(String username, Map<Option, Object> options) throws InvalidRequestException
+ {
+ throw new InvalidRequestException("CREATE USER operation is not supported by AllowAllAuthenticator");
+ }
+
+ public void alter(String username, Map<Option, Object> options) throws InvalidRequestException
+ {
+ throw new InvalidRequestException("ALTER USER operation is not supported by AllowAllAuthenticator");
+ }
+
+ public void drop(String username) throws InvalidRequestException
+ {
+ throw new InvalidRequestException("DROP USER operation is not supported by AllowAllAuthenticator");
+ }
+
+ public Set<IResource> protectedResources()
+ {
+ return Collections.emptySet();
}
public void validateConfiguration() throws ConfigurationException
{
- // pass
+ }
+
+ public void setup()
+ {
}
}
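Review bot: `authenticate` now returns `AuthenticatedUser.ANONYMOUS_USER` for every call, where the removed lines returned a user named after the supplied `username` key, and nothing in the class documents that change. An operator pairing this authenticator with an authorizer that grants permissions per user name would presumably see every client as anonymous, so I would add a class Javadoc such as `/** Performs no authentication: supplied credentials are ignored and every client is ANONYMOUS_USER. */`. The now-empty `validateConfiguration()` and `setup()` bodies lost the old `// pass` marker; a short `// nothing to validate` and `// nothing to set up` comment would keep them from looking unfinished.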
@@ -29,14 +29,6 @@
return Permission.ALL;
}
- public void validateConfiguration()
- {
- }
-
- public void setup()
- {
- }
-
public void grant(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String to)
throws InvalidRequestException
{
@@ -57,7 +49,7 @@ public void revokeAll(IResource droppedResource)
{
}
- public Set<PermissionDetails> listPermissions(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String of)
+ public Set<PermissionDetails> list(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String of)
throws InvalidRequestException
{
throw new InvalidRequestException("LIST PERMISSIONS operation is not supported by AllowAllAuthorizer");
@@ -67,4 +59,12 @@ public void revokeAll(IResource droppedResource)
{
return Collections.emptySet();
}
+
+ public void validateConfiguration()
+ {
+ }
+
+ public void setup()
+ {
+ }
}