Uploaded image for project: 'Cassandra'
  1. Cassandra
  2. CASSANDRA-14088

Forward slash in role name breaks CassandraAuthorizer

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Low
    • Resolution: Fixed
    • Fix Version/s: 3.0.16, 3.11.2, 4.0, 4.0-alpha1
    • Component/s: Feature/Authorization
    • Labels:
      None
    • Environment:

      Git commit: 4c80eeece37d79f434078224a0504400ae10a20d (HEAD of trunk).

    • Severity:
      Low

      Description

      The standard system authorizer (org.apache.cassandra.auth.CassandraAuthorizer) stores the permissions granted to each user for a given resource in system_auth.role_permissions.

      A resource like the my_keyspace.items table is stored as "data/my_keyspace/items" (note the / delimiter).

      Similarly, role resources (like the joe role) are stored as "roles/joe".

      The problem is that roles can be created with / in their names, which confuses the authorizer when the table is queried.

      For example,

      $ bin/cqlsh -u cassandra -p cassandra
      Connected to Test Cluster at 127.0.0.1:9042.
      [cqlsh 5.0.1 | Cassandra 4.0-SNAPSHOT | CQL spec 3.4.5 | Native protocol v4]
      Use HELP for help.
      cassandra@cqlsh> CREATE ROLE emperor;
      cassandra@cqlsh> CREATE ROLE "ki/ng";
      cassandra@cqlsh> GRANT ALTER ON ROLE "ki/ng" TO emperor;
      cassandra@cqlsh> LIST ROLES;
      
       role      | super | login | options
      -----------+-------+-------+---------
       cassandra |  True |  True |        {}
         emperor | False | False |        {}
           ki/ng | False | False |        {}
      
      (3 rows)
      cassandra@cqlsh> SELECT * FROM system_auth.role_permissions;
      
       role      | resource      | permissions
      -----------+---------------+--------------------------------
         emperor |   roles/ki/ng |                      {'ALTER'}
       cassandra | roles/emperor | {'ALTER', 'AUTHORIZE', 'DROP'}
       cassandra |   roles/ki/ng | {'ALTER', 'AUTHORIZE', 'DROP'}
      
      (3 rows)
      cassandra@cqlsh> LIST ALL PERMISSIONS OF emperor;
      ServerError: java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name
      

      Here's the backtrace from the server process:

      ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,811 QueryMessage.java:129 - Unexpected error during query
      java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name
              at org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) ~[main/:na]
              at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) ~[main/:na]
              at org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) ~[main/:na]
              at org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) ~[main/:na]
              at org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) ~[main/:na]
              at org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) ~[main/:na]
              at org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) ~[main/:na]
              at org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) ~[main/:na]
              at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) ~[main/:na]
              at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) ~[main/:na]
              at org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) ~[main/:na]
              at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) [main/:na]
              at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na]
              at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.1.14.Final.jar:4.1.14.Final]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-all-4.1.14.Final.jar:4.1.14.Final]
              at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) [netty-all-4.1.14.Final.jar:4.1.14.Final]
              at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) [netty-all-4.1.14.Final.jar:4.1.14.Final]
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_151]
              at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na]
              at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) [main/:na]
              at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151]
      ERROR [Native-Transport-Requests-1] 2017-12-01 11:07:52,812 ErrorMessage.java:389 - Unexpected exception during request
      java.lang.IllegalArgumentException: roles/ki/ng is not a valid role resource name
              at org.apache.cassandra.auth.RoleResource.fromName(RoleResource.java:101) ~[main/:na]
              at org.apache.cassandra.auth.Resources.fromName(Resources.java:56) ~[main/:na]
              at org.apache.cassandra.auth.CassandraAuthorizer.listPermissionsForRole(CassandraAuthorizer.java:283) ~[main/:na]
              at org.apache.cassandra.auth.CassandraAuthorizer.list(CassandraAuthorizer.java:263) ~[main/:na]
              at org.apache.cassandra.cql3.statements.ListPermissionsStatement.list(ListPermissionsStatement.java:108) ~[main/:na]
              at org.apache.cassandra.cql3.statements.ListPermissionsStatement.execute(ListPermissionsStatement.java:96) ~[main/:na]
              at org.apache.cassandra.cql3.statements.AuthorizationStatement.execute(AuthorizationStatement.java:48) ~[main/:na]
              at org.apache.cassandra.cql3.QueryProcessor.processStatement(QueryProcessor.java:207) ~[main/:na]
              at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:238) ~[main/:na]
              at org.apache.cassandra.cql3.QueryProcessor.process(QueryProcessor.java:223) ~[main/:na]
              at org.apache.cassandra.transport.messages.QueryMessage.execute(QueryMessage.java:116) ~[main/:na]
              at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:517) [main/:na]
              at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na]
              at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.1.14.Final.jar:4.1.14.Final]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-all-4.1.14.Final.jar:4.1.14.Final]
              at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) [netty-all-4.1.14.Final.jar:4.1.14.Final]
              at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) [netty-all-4.1.14.Final.jar:4.1.14.Final]
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_151]
              at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na]
              at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:109) [main/:na]
              at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151]
      

        Attachments

          Activity

            People

            • Assignee:
              KurtG Kurt Greaves
              Reporter:
              jhaberku Jesse Haber-Kucharsky
              Authors:
              Kurt Greaves
              Reviewers:
              Jeremiah Jordan
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: