org.apache.cassandra.auth

Class CassandraAuthorizer

java.lang.Object

org.apache.cassandra.auth.CassandraAuthorizer

All Implemented Interfaces:

IAuthorizer

public class CassandraAuthorizer
extends java.lang.Object
implements IAuthorizer

CassandraAuthorizer is an IAuthorizer implementation that keeps user permissions internally in C* using the system_auth.role_permissions table.

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	USER_PERMISSIONS
static java.lang.String	USERNAME

Constructor Summary

Constructors

Constructor and Description
CassandraAuthorizer()

Method Summary

Modifier and Type	Method and Description
java.util.Set<Permission>	authorize(AuthenticatedUser user, IResource resource) Returns a set of permissions of a user on a resource.
void	grant(AuthenticatedUser performer, java.util.Set<Permission> permissions, IResource resource, RoleResource grantee) Grants a set of permissions on a resource to a role.
java.util.Set<PermissionDetails>	list(AuthenticatedUser performer, java.util.Set<Permission> permissions, IResource resource, RoleResource grantee) Returns a list of permissions on a resource granted to a role.
java.util.Set<DataResource>	protectedResources() Set of resources that should be made inaccessible to users and only accessible internally.
void	revoke(AuthenticatedUser performer, java.util.Set<Permission> permissions, IResource resource, RoleResource revokee) Revokes a set of permissions on a resource from a user.
void	revokeAllFrom(RoleResource revokee) Called before deleting a role with DROP ROLE statement (or the alias provided for compatibility, DROP USER) so that a new role with the same name wouldn't inherit permissions of the deleted one in the future.
void	revokeAllOn(IResource droppedResource) This method is called after a resource is removed (i.e.
void	setup() Setup is called once upon system startup to initialize the IAuthorizer.
void	validateConfiguration() Validates configuration of IAuthorizer implementation (if configurable).

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

USERNAME

public static final java.lang.String USERNAME

See Also:

Constant Field Values

USER_PERMISSIONS

public static final java.lang.String USER_PERMISSIONS

See Also:

Constant Field Values

Constructor Detail

CassandraAuthorizer

public CassandraAuthorizer()

Method Detail

authorize

public java.util.Set<Permission> authorize(AuthenticatedUser user,
                                           IResource resource)

Description copied from interface: IAuthorizer

Returns a set of permissions of a user on a resource. Since Roles were introduced in version 2.2, Cassandra does not distinguish in any meaningful way between users and roles. A role may or may not have login privileges and roles may be granted to other roles. In fact, Cassandra does not really have the concept of a user, except to link a client session to role. AuthenticatedUser can be thought of as a manifestation of a role, linked to a specific client connection.

Specified by:

authorize in interface IAuthorizer

Parameters:

user - Authenticated user requesting authorization.

resource - Resource for which the authorization is being requested. @see DataResource.

Returns:

Set of permissions of the user on the resource. Should never return null. Use Permission.NONE instead.

grant

public void grant(AuthenticatedUser performer,
                  java.util.Set<Permission> permissions,
                  IResource resource,
                  RoleResource grantee)
           throws RequestValidationException,
                  RequestExecutionException

Description copied from interface: IAuthorizer

Grants a set of permissions on a resource to a role. The opposite of revoke(). This method is optional and may be called internally, so implementations which do not support it should be sure to throw UnsupportedOperationException.

Specified by:

grant in interface IAuthorizer

Parameters:

performer - User who grants the permissions.

permissions - Set of permissions to grant.

resource - Resource on which to grant the permissions.

grantee - Role to which the permissions are to be granted.

Throws:

RequestValidationException

RequestExecutionException

revoke

public void revoke(AuthenticatedUser performer,
                   java.util.Set<Permission> permissions,
                   IResource resource,
                   RoleResource revokee)
            throws RequestValidationException,
                   RequestExecutionException

Description copied from interface: IAuthorizer

Revokes a set of permissions on a resource from a user. The opposite of grant(). This method is optional and may be called internally, so implementations which do not support it should be sure to throw UnsupportedOperationException.

Specified by:

revoke in interface IAuthorizer

Parameters:

performer - User who revokes the permissions.

permissions - Set of permissions to revoke.

resource - Resource on which to revoke the permissions.

revokee - Role from which to the permissions are to be revoked.

Throws:

RequestValidationException

RequestExecutionException

revokeAllFrom

public void revokeAllFrom(RoleResource revokee)

Description copied from interface: IAuthorizer

Called before deleting a role with DROP ROLE statement (or the alias provided for compatibility, DROP USER) so that a new role with the same name wouldn't inherit permissions of the deleted one in the future. This removes all permissions granted to the Role in question. This method is optional and may be called internally, so implementations which do not support it should be sure to throw UnsupportedOperationException.

Specified by:

revokeAllFrom in interface IAuthorizer

Parameters:

revokee - The role to revoke all permissions from.

revokeAllOn

public void revokeAllOn(IResource droppedResource)

Description copied from interface: IAuthorizer

This method is called after a resource is removed (i.e. keyspace, table or role is dropped) and revokes all permissions granted on the IResource in question. This method is optional and may be called internally, so implementations which do not support it should be sure to throw UnsupportedOperationException.

Specified by:

revokeAllOn in interface IAuthorizer

Parameters:

droppedResource - The resource to revoke all permissions on.

list

public java.util.Set<PermissionDetails> list(AuthenticatedUser performer,
                                             java.util.Set<Permission> permissions,
                                             IResource resource,
                                             RoleResource grantee)
                                      throws RequestValidationException,
                                             RequestExecutionException

Description copied from interface: IAuthorizer

Returns a list of permissions on a resource granted to a role. This method is optional and may be called internally, so implementations which do not support it should be sure to throw UnsupportedOperationException.

Specified by:

list in interface IAuthorizer

Parameters:

performer - User who wants to see the permissions.

permissions - Set of Permission values the user is interested in. The result should only include the matching ones.

resource - The resource on which permissions are requested. Can be null, in which case permissions on all resources should be returned.

grantee - The role whose permissions are requested. Can be null, in which case permissions of every role should be returned.

Returns:

All of the matching permission that the requesting user is authorized to know about.

Throws:

RequestValidationException

RequestExecutionException

protectedResources

public java.util.Set<DataResource> protectedResources()

Description copied from interface: IAuthorizer

Set of resources that should be made inaccessible to users and only accessible internally.

Specified by:

protectedResources in interface IAuthorizer

Returns:

Keyspaces, column families that will be unmodifiable by users; other resources.

validateConfiguration

public void validateConfiguration()
                           throws ConfigurationException

Description copied from interface: IAuthorizer

Validates configuration of IAuthorizer implementation (if configurable).

Specified by:

validateConfiguration in interface IAuthorizer

Throws:

ConfigurationException - when there is a configuration error.

setup

public void setup()

Description copied from interface: IAuthorizer

Setup is called once upon system startup to initialize the IAuthorizer. For example, use this method to create any required keyspaces/column families.

Specified by:

setup in interface IAuthorizer