/**
 * Builds the resource handle for one individual role.
 *
 * @param name name of the role
 * @return a new RoleResource instance representing the role
 */
public static RoleResource role(String name) {
    // This factory only wraps the name: it performs no lookup, so holding the returned handle
    // says nothing about whether a role of that name exists.
    final RoleResource resource = new RoleResource(name);
    return resource;
}
/**
 * Reports the login flag recorded for a role.
 *
 * @param role resource identifying the role to look up
 * @return the {@code canLogin} field of whatever {@code getRole} returns for the role's name
 */
public boolean canLogin(RoleResource role) {
    final String roleName = role.getRoleName();
    // NOTE(review): what getRole returns for an unknown name is not visible here; presumably a
    // placeholder whose canLogin is false — confirm before relying on this as a login gate.
    return getRole(roleName).canLogin;
}
/**
 * Creates a user identity for the given name.
 *
 * @param name the user's name; the same string names the role resource stored alongside it
 */
public AuthenticatedUser(String name) {
    // The role handle is derived purely from the name. Nothing in this constructor checks
    // credentials or role existence, so instances must only be built once authentication has
    // already succeeded (or for identities the system itself defines).
    this.role = RoleResource.role(name);
    this.name = name;
}
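/**
 * Parses a role resource name into a RoleResource instance.
 *
 * @param name name of the role resource: either the root name alone, or the root name followed
 *             by {@code /} and a role name
 * @return the root resource when {@code name} is the root name alone, otherwise the role-level
 *         resource named by everything after the first {@code /}
 * @throws IllegalArgumentException if {@code name} yields no segments or its first segment is
 *                                  not exactly the role root name
 */
public static RoleResource fromName(String name) {
    // Limit of 2: only the first '/' separates the root from the role name, so the remainder is
    // taken as the role name verbatim, including any further '/'.
    String[] parts = StringUtils.split(name, "/", 2);

    // Input that produces no segments is rejected with the same IllegalArgumentException as any
    // other invalid name, rather than failing on parts[0] with an index or null error.
    // NOTE(review): assumes commons-lang semantics (null in -> null out, "" or "/" -> empty array) — confirm.
    // The first segment must equal the root name exactly; a name that merely begins with the
    // root name is not accepted as a role resource.
    if (parts == null || parts.length == 0 || !parts[0].equals(ROOT_NAME)) {
        throw new IllegalArgumentException(String.format("%s is not a valid role resource name", name));
    }

    return parts.length == 1 ? root() : role(parts[1]);
}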
/**
 * Collects the roles associated with a grantee.
 *
 * @param grantee          role whose memberships are requested
 * @param includeInherited forwarded unchanged to {@code collectRoles}; presumably selects
 *                         transitively granted roles as well — confirm against collectRoles
 * @return a new mutable set: empty when the lookup yields {@code NULL_ROLE}, otherwise the
 *         grantee's own role plus whatever {@code collectRoles} adds
 */
public Set<RoleResource> getRoles(RoleResource grantee, boolean includeInherited)
        throws RequestValidationException, RequestExecutionException {
    Set<RoleResource> granted = new HashSet<>();
    Role found = getRole(grantee.getRoleName());

    // An unknown grantee produces an empty result rather than an error.
    if (found.equals(NULL_ROLE)) {
        return granted;
    }

    // The grantee itself is always part of its own role set; callers that test membership with
    // contains() therefore treat "is this role" and "was granted this role" alike.
    granted.add(RoleResource.role(found.name));
    collectRoles(found, granted, includeInherited);
    return granted;
}
/**
 * Creates an IResource instance from its external name.
 * The implementation class is chosen by testing the name against the root-level resource name
 * of each known IResource implementation, in the order role, data, function, JMX.
 *
 * @param name external resource name
 * @return an IResource instance created from the name
 * @throws IllegalArgumentException if the name starts with none of the known root names
 */
public static IResource fromName(String name) {
    // startsWith only selects which parser runs; it does not by itself prove the name is
    // well-formed. NOTE(review): confirm every per-type fromName rejects names that merely
    // begin with its root name, since this method does no further checking.
    if (name.startsWith(RoleResource.root().getName())) {
        return RoleResource.fromName(name);
    }
    if (name.startsWith(DataResource.root().getName())) {
        return DataResource.fromName(name);
    }
    if (name.startsWith(FunctionResource.root().getName())) {
        return FunctionResource.fromName(name);
    }
    if (name.startsWith(JMXResource.root().getName())) {
        return JMXResource.fromName(name);
    }
    throw new IllegalArgumentException(String.format("Name %s is not valid for any resource type", name));
}
/**
 * Lists roles, limiting the result to what the requesting user is allowed to see.
 * <p>
 * A user holding DESCRIBE on the root roles resource may list every role, or the roles of any
 * grantee. Any other user may list only its own roles, or the roles of a grantee that appears in
 * the role manager's full (inherited included) role set for that user.
 *
 * @param state client state supplying the user the request runs as
 * @return result message built from the selected set of roles
 * @throws UnauthorizedException if the user lacks root-level DESCRIBE and {@code grantee} is not
 *                               among the user's own roles
 */
public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException {
    // If the executing user has DESCRIBE permission on the root roles resource, let them list any and all roles
    boolean canDescribeAllRoles = DatabaseDescriptor.getAuthorizer()
                                                    .authorize(state.getUser(), RoleResource.root())
                                                    .contains(Permission.DESCRIBE);
    if (canDescribeAllRoles) {
        return grantee == null
               ? resultMessage(DatabaseDescriptor.getRoleManager().getAllRoles())
               : resultMessage(DatabaseDescriptor.getRoleManager().getRoles(grantee, recursive));
    }

    RoleResource caller = RoleResource.role(state.getUser().getName());
    if (grantee == null) {
        return resultMessage(DatabaseDescriptor.getRoleManager().getRoles(caller, recursive));
    }

    // The visibility check always uses the caller's full role set (second argument true),
    // independent of the statement's own 'recursive' flag, which only shapes the listing.
    boolean granteeVisibleToCaller = DatabaseDescriptor.getRoleManager().getRoles(caller, true).contains(grantee);
    if (!granteeVisibleToCaller) {
        // Thrown for any grantee outside the caller's role set; nothing in this branch
        // distinguishes an unknown role from one the caller simply may not inspect.
        throw new UnauthorizedException(String.format("You are not authorized to view roles granted to %s ", grantee.getRoleName()));
    }
    return resultMessage(DatabaseDescriptor.getRoleManager().getRoles(grantee, recursive));
}
/**
 * Grant all applicable permissions on the newly created role to the user performing the request.
 * See also: SchemaAlteringStatement#grantPermissionsToCreator and the overridden implementations
 * of it in subclasses CreateKeyspaceStatement & CreateTableStatement.
 *
 * @param state client state identifying the user who issued the request
 */
private void grantPermissionsToCreator(ClientState state) {
    // The creator of a Role automatically gets ALTER/DROP/AUTHORIZE permissions on it if:
    // * the user is not anonymous
    // * the configured IAuthorizer supports granting of permissions (not all do, AllowAllAuthorizer doesn't and
    //   custom external implementations may not)
    if (state.getUser().isAnonymous()) {
        return;
    }

    try {
        // The grant is issued as SYSTEM_USER rather than as the requesting user.
        // NOTE(review): this method does no permission check of its own; presumably the caller
        // has already authorized the role creation — confirm.
        DatabaseDescriptor.getAuthorizer().grant(AuthenticatedUser.SYSTEM_USER,
                                                 role.applicablePermissions(),
                                                 role,
                                                 RoleResource.role(state.getUser().getName()));
    } catch (UnsupportedOperationException ignored) {
        // not a problem, grant is an optional method on IAuthorizer
        // (only this exception type is swallowed; any other failure from grant propagates)
    }
}
} // closes the enclosing type, whose opening is outside this excerpt
/**
 * Returns the parent of this resource.
 *
 * @return the root-level resource, when this resource is at the ROLE level
 * @throws IllegalStateException if this resource is not at the ROLE level, i.e. it is the
 *                               root-level resource and so has no parent
 */
public IResource getParent() {
    if (level != Level.ROLE) {
        throw new IllegalStateException("Root-level resource can't have a parent");
    }
    return root();
}
/**
 * Creates an IResource instance from its external name.
 * The implementation class is chosen by testing the name against the root-level resource name
 * of each known IResource implementation, in the order role, data, function, JMX.
 *
 * @param name external resource name
 * @return an IResource instance created from the name
 * @throws IllegalArgumentException if the name starts with none of the known root names
 */
public static IResource fromName(String name) {
    // startsWith only selects which parser runs; it does not by itself prove the name is
    // well-formed. NOTE(review): confirm every per-type fromName rejects names that merely
    // begin with its root name, since this method does no further checking.
    if (name.startsWith(RoleResource.root().getName())) {
        return RoleResource.fromName(name);
    }
    if (name.startsWith(DataResource.root().getName())) {
        return DataResource.fromName(name);
    }
    if (name.startsWith(FunctionResource.root().getName())) {
        return FunctionResource.fromName(name);
    }
    if (name.startsWith(JMXResource.root().getName())) {
        return JMXResource.fromName(name);
    }
    throw new IllegalArgumentException(String.format("Name %s is not valid for any resource type", name));
}
/**
 * Lists roles, limiting the result to what the requesting user is allowed to see.
 * <p>
 * A user holding DESCRIBE on the root roles resource may list every role, or the roles of any
 * grantee. Any other user may list only its own roles, or the roles of a grantee that appears in
 * the role manager's full (inherited included) role set for that user.
 *
 * @param state client state supplying the user the request runs as
 * @return result message built from the selected set of roles
 * @throws UnauthorizedException if the user lacks root-level DESCRIBE and {@code grantee} is not
 *                               among the user's own roles
 */
public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException {
    // If the executing user has DESCRIBE permission on the root roles resource, let them list any and all roles
    boolean canDescribeAllRoles = DatabaseDescriptor.getAuthorizer()
                                                    .authorize(state.getUser(), RoleResource.root())
                                                    .contains(Permission.DESCRIBE);
    if (canDescribeAllRoles) {
        return grantee == null
               ? resultMessage(DatabaseDescriptor.getRoleManager().getAllRoles())
               : resultMessage(DatabaseDescriptor.getRoleManager().getRoles(grantee, recursive));
    }

    RoleResource caller = RoleResource.role(state.getUser().getName());
    if (grantee == null) {
        return resultMessage(DatabaseDescriptor.getRoleManager().getRoles(caller, recursive));
    }

    // The visibility check always uses the caller's full role set (second argument true),
    // independent of the statement's own 'recursive' flag, which only shapes the listing.
    boolean granteeVisibleToCaller = DatabaseDescriptor.getRoleManager().getRoles(caller, true).contains(grantee);
    if (!granteeVisibleToCaller) {
        // Thrown for any grantee outside the caller's role set; nothing in this branch
        // distinguishes an unknown role from one the caller simply may not inspect.
        throw new UnauthorizedException(String.format("You are not authorized to view roles granted to %s ", grantee.getRoleName()));
    }
    return resultMessage(DatabaseDescriptor.getRoleManager().getRoles(grantee, recursive));
}
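/**
 * Parses a role resource name into a RoleResource instance.
 *
 * @param name name of the role resource: either the root name alone, or the root name followed
 *             by {@code /} and a role name
 * @return the root resource when {@code name} is the root name alone, otherwise the role-level
 *         resource named by everything after the first {@code /}
 * @throws IllegalArgumentException if {@code name} yields no segments or its first segment is
 *                                  not exactly the role root name
 */
public static RoleResource fromName(String name) {
    // Limit of 2: only the first '/' separates the root from the role name, so the remainder is
    // taken as the role name verbatim, including any further '/'.
    String[] parts = StringUtils.split(name, "/", 2);

    // Input that produces no segments is rejected with the same IllegalArgumentException as any
    // other invalid name, rather than failing on parts[0] with an index or null error.
    // NOTE(review): assumes commons-lang semantics (null in -> null out, "" or "/" -> empty array) — confirm.
    // The first segment must equal the root name exactly; a name that merely begins with the
    // root name is not accepted as a role resource.
    if (parts == null || parts.length == 0 || !parts[0].equals(ROOT_NAME)) {
        throw new IllegalArgumentException(String.format("%s is not a valid role resource name", name));
    }

    return parts.length == 1 ? root() : role(parts[1]);
}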
/**
 * Collects the roles associated with a grantee.
 *
 * @param grantee          role whose memberships are requested
 * @param includeInherited forwarded unchanged to {@code collectRoles}; presumably selects
 *                         transitively granted roles as well — confirm against collectRoles
 * @return a new mutable set: empty when the lookup yields {@code NULL_ROLE}, otherwise the
 *         grantee's own role plus whatever {@code collectRoles} adds
 */
public Set<RoleResource> getRoles(RoleResource grantee, boolean includeInherited)
        throws RequestValidationException, RequestExecutionException {
    Set<RoleResource> granted = new HashSet<>();
    Role found = getRole(grantee.getRoleName());

    // An unknown grantee produces an empty result rather than an error.
    if (found.equals(NULL_ROLE)) {
        return granted;
    }

    // The grantee itself is always part of its own role set; callers that test membership with
    // contains() therefore treat "is this role" and "was granted this role" alike.
    granted.add(RoleResource.role(found.name));
    collectRoles(found, granted, includeInherited);
    return granted;
}
/**
 * Grant all applicable permissions on the newly created role to the user performing the request.
 * See also: SchemaAlteringStatement#grantPermissionsToCreator and the overridden implementations
 * of it in subclasses CreateKeyspaceStatement & CreateTableStatement.
 *
 * @param state client state identifying the user who issued the request
 */
private void grantPermissionsToCreator(ClientState state) {
    // The creator of a Role automatically gets ALTER/DROP/AUTHORIZE permissions on it if:
    // * the user is not anonymous
    // * the configured IAuthorizer supports granting of permissions (not all do, AllowAllAuthorizer doesn't and
    //   custom external implementations may not)
    if (state.getUser().isAnonymous()) {
        return;
    }

    try {
        // The grant is issued as SYSTEM_USER rather than as the requesting user.
        // NOTE(review): this method does no permission check of its own; presumably the caller
        // has already authorized the role creation — confirm.
        DatabaseDescriptor.getAuthorizer().grant(AuthenticatedUser.SYSTEM_USER,
                                                 role.applicablePermissions(),
                                                 role,
                                                 RoleResource.role(state.getUser().getName()));
    } catch (UnsupportedOperationException ignored) {
        // not a problem, grant is an optional method on IAuthorizer
        // (only this exception type is swallowed; any other failure from grant propagates)
    }
}
} // closes the enclosing type, whose opening is outside this excerpt
/**
 * Returns the parent of this resource.
 *
 * @return the root-level resource, when this resource is at the ROLE level
 * @throws IllegalStateException if this resource is not at the ROLE level, i.e. it is the
 *                               root-level resource and so has no parent
 */
public IResource getParent() {
    if (level != Level.ROLE) {
        throw new IllegalStateException("Root-level resource can't have a parent");
    }
    return root();
}
/**
 * Reports whether a role with the given resource's name is known.
 *
 * @param role resource identifying the role to look up
 * @return {@code true} unless {@code getRole} returns the {@code NULL_ROLE} instance
 */
public boolean isExistingRole(RoleResource role) {
    final String roleName = role.getRoleName();
    // Identity comparison: this relies on getRole handing back the NULL_ROLE object itself for
    // a missing role. NOTE(review): getRoles on this page compares with equals() instead —
    // confirm the two checks cannot disagree.
    return !(getRole(roleName) == NULL_ROLE);
}
/**
 * Creates a user identity for the given name.
 *
 * @param name the user's name; the same string names the role resource stored alongside it
 */
public AuthenticatedUser(String name) {
    // The role handle is derived purely from the name. Nothing in this constructor checks
    // credentials or role existence, so instances must only be built once authentication has
    // already succeeded (or for identities the system itself defines).
    this.role = RoleResource.role(name);
    this.name = name;
}
/**
 * Creates an IResource instance from its external name.
 * The implementation class is chosen by testing the name against the root-level resource name
 * of each known IResource implementation, in the order role, data, function, JMX.
 *
 * @param name external resource name
 * @return an IResource instance created from the name
 * @throws IllegalArgumentException if the name starts with none of the known root names
 */
public static IResource fromName(String name) {
    // startsWith only selects which parser runs; it does not by itself prove the name is
    // well-formed. NOTE(review): confirm every per-type fromName rejects names that merely
    // begin with its root name, since this method does no further checking.
    if (name.startsWith(RoleResource.root().getName())) {
        return RoleResource.fromName(name);
    }
    if (name.startsWith(DataResource.root().getName())) {
        return DataResource.fromName(name);
    }
    if (name.startsWith(FunctionResource.root().getName())) {
        return FunctionResource.fromName(name);
    }
    if (name.startsWith(JMXResource.root().getName())) {
        return JMXResource.fromName(name);
    }
    throw new IllegalArgumentException(String.format("Name %s is not valid for any resource type", name));
}
/**
 * Lists roles, limiting the result to what the requesting user is allowed to see.
 * <p>
 * A user holding DESCRIBE on the root roles resource may list every role, or the roles of any
 * grantee. Any other user may list only its own roles, or the roles of a grantee that appears in
 * the role manager's full (inherited included) role set for that user.
 *
 * @param state client state supplying the user the request runs as
 * @return result message built from the selected set of roles
 * @throws UnauthorizedException if the user lacks root-level DESCRIBE and {@code grantee} is not
 *                               among the user's own roles
 */
public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException {
    // If the executing user has DESCRIBE permission on the root roles resource, let them list any and all roles
    boolean canDescribeAllRoles = DatabaseDescriptor.getAuthorizer()
                                                    .authorize(state.getUser(), RoleResource.root())
                                                    .contains(Permission.DESCRIBE);
    if (canDescribeAllRoles) {
        return grantee == null
               ? resultMessage(DatabaseDescriptor.getRoleManager().getAllRoles())
               : resultMessage(DatabaseDescriptor.getRoleManager().getRoles(grantee, recursive));
    }

    RoleResource caller = RoleResource.role(state.getUser().getName());
    if (grantee == null) {
        return resultMessage(DatabaseDescriptor.getRoleManager().getRoles(caller, recursive));
    }

    // The visibility check always uses the caller's full role set (second argument true),
    // independent of the statement's own 'recursive' flag, which only shapes the listing.
    boolean granteeVisibleToCaller = DatabaseDescriptor.getRoleManager().getRoles(caller, true).contains(grantee);
    if (!granteeVisibleToCaller) {
        // Thrown for any grantee outside the caller's role set; nothing in this branch
        // distinguishes an unknown role from one the caller simply may not inspect.
        throw new UnauthorizedException(String.format("You are not authorized to view roles granted to %s ", grantee.getRoleName()));
    }
    return resultMessage(DatabaseDescriptor.getRoleManager().getRoles(grantee, recursive));
}
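/**
 * Parses a role resource name into a RoleResource instance.
 *
 * @param name name of the role resource: either the root name alone, or the root name followed
 *             by {@code /} and a role name
 * @return the root resource when {@code name} is the root name alone, otherwise the role-level
 *         resource named by everything after the first {@code /}
 * @throws IllegalArgumentException if {@code name} yields no segments or its first segment is
 *                                  not exactly the role root name
 */
public static RoleResource fromName(String name) {
    // Limit of 2: only the first '/' separates the root from the role name, so the remainder is
    // taken as the role name verbatim, including any further '/'.
    String[] parts = StringUtils.split(name, "/", 2);

    // Input that produces no segments is rejected with the same IllegalArgumentException as any
    // other invalid name, rather than failing on parts[0] with an index or null error.
    // NOTE(review): assumes commons-lang semantics (null in -> null out, "" or "/" -> empty array) — confirm.
    // The first segment must equal the root name exactly; a name that merely begins with the
    // root name is not accepted as a role resource.
    if (parts == null || parts.length == 0 || !parts[0].equals(ROOT_NAME)) {
        throw new IllegalArgumentException(String.format("%s is not a valid role resource name", name));
    }

    return parts.length == 1 ? root() : role(parts[1]);
}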