auth: Remove unused "performer" argument
This argument was previously used for access-control checks, but those checks have all moved to the CQL layer.
@@ -60,17 +60,16 @@ public:
|
||||
return make_ready_future<permission_set>(permissions::ALL);
|
||||
}
|
||||
|
||||
virtual future<> grant(const authenticated_user&, permission_set, resource, sstring) override {
|
||||
virtual future<> grant(permission_set, resource, sstring) override {
|
||||
throw exceptions::invalid_request_exception("GRANT operation is not supported by AllowAllAuthorizer");
|
||||
}
|
||||
|
||||
virtual future<> revoke(const authenticated_user&, permission_set, resource, sstring) override {
|
||||
virtual future<> revoke(permission_set, resource, sstring) override {
|
||||
throw exceptions::invalid_request_exception("REVOKE operation is not supported by AllowAllAuthorizer");
|
||||
}
|
||||
|
||||
virtual future<std::vector<permission_details>> list(
|
||||
service&,
|
||||
const authenticated_user& performer,
|
||||
permission_set,
|
||||
std::optional<resource>,
|
||||
std::optional<sstring>) const override {
|
||||
|
||||
@@ -57,8 +57,6 @@ namespace auth {
|
||||
|
||||
class service;
|
||||
|
||||
class authenticated_user;
|
||||
|
||||
struct permission_details {
|
||||
sstring user;
|
||||
::auth::resource resource;
|
||||
@@ -95,12 +93,12 @@ public:
|
||||
///
|
||||
/// Grant a set of permissions to a user for a particular \ref resource.
|
||||
///
|
||||
virtual future<> grant(const authenticated_user& performer, permission_set, resource, sstring to) = 0;
|
||||
virtual future<> grant(permission_set, resource, sstring to) = 0;
|
||||
|
||||
///
|
||||
/// Revoke a set of permissions from a user for a particular \ref resource.
|
||||
///
|
||||
virtual future<> revoke(const authenticated_user& performer, permission_set, resource, sstring from) = 0;
|
||||
virtual future<> revoke(permission_set, resource, sstring from) = 0;
|
||||
|
||||
///
|
||||
/// Query for granted permissions.
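Review bot: The `///` blocks above `grant` and `revoke` still read as if the authorizer decides whether the operation is permitted, yet after this change these entry points receive no caller identity at all, so no implementation can enforce anything about who is granting or revoking. Extend each block with the contract the commit message states, e.g. `/// Performs no access-control check of its own; the caller must already have been authorized at the CQL layer.` The same sentence belongs on the `role_manager` interface methods `create`, `drop`, `alter`, `grant` and `revoke` in the later hunk of role_manager.hh, whose `// Must throw ...` comments are otherwise the only documentation of their contract.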
|
||||
@@ -112,12 +110,7 @@ public:
|
||||
/// If `user` is empty, query for permissions of all users. Otherwise, query for permissions specific to that user.
|
||||
///
|
||||
virtual future<std::vector<permission_details>>
|
||||
list(
|
||||
service&,
|
||||
const authenticated_user& performer,
|
||||
permission_set matching,
|
||||
std::optional<resource> resource,
|
||||
std::optional<sstring> user) const = 0;
|
||||
list(service&, permission_set matching, std::optional<resource> resource, std::optional<sstring> user) const = 0;
|
||||
|
||||
///
|
||||
/// Revoke all permissions granted to a particular user.
|
||||
|
||||
@@ -167,12 +167,7 @@ future<auth::permission_set> auth::default_authorizer::authorize(
|
||||
});
|
||||
}
|
||||
|
||||
future<> auth::default_authorizer::modify(
|
||||
const authenticated_user& performer,
|
||||
permission_set set,
|
||||
resource resource,
|
||||
sstring user,
|
||||
sstring op) {
|
||||
future<> auth::default_authorizer::modify(permission_set set, resource resource, sstring user, sstring op) {
|
||||
// TODO: why does this not check super user?
|
||||
auto query = sprint(
|
||||
"UPDATE %s.%s SET %s = %s %s ? WHERE %s = ? AND %s = ?",
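Review bot: The `// TODO: why does this not check super user?` comment kept above the query is now misleading: with the performer removed, `modify` has no caller identity and cannot check superuser status or anything else about the requester. Replace it with a statement of the actual contract so the next reader does not try to "fix" it here, e.g. `// No privilege check happens here: the caller's right to GRANT/REVOKE is enforced at the CQL statement layer; this only applies the change.` The body of `modify` continues past the end of this hunk.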
|
||||
@@ -191,25 +186,16 @@ future<> auth::default_authorizer::modify(
|
||||
}
|
||||
|
||||
|
||||
future<> auth::default_authorizer::grant(
|
||||
const authenticated_user& performer,
|
||||
permission_set set,
|
||||
resource resource,
|
||||
sstring to) {
|
||||
return modify(performer, std::move(set), std::move(resource), std::move(to), "+");
|
||||
future<> auth::default_authorizer::grant(permission_set set, resource resource, sstring to) {
|
||||
return modify(std::move(set), std::move(resource), std::move(to), "+");
|
||||
}
|
||||
|
||||
future<> auth::default_authorizer::revoke(
|
||||
const authenticated_user& performer,
|
||||
permission_set set,
|
||||
resource resource,
|
||||
sstring from) {
|
||||
return modify(performer, std::move(set), std::move(resource), std::move(from), "-");
|
||||
future<> auth::default_authorizer::revoke(permission_set set, resource resource, sstring from) {
|
||||
return modify(std::move(set), std::move(resource), std::move(from), "-");
|
||||
}
|
||||
|
||||
future<std::vector<auth::permission_details>> auth::default_authorizer::list(
|
||||
service& ser,
|
||||
const authenticated_user&,
|
||||
permission_set set,
|
||||
std::optional<resource> resource,
|
||||
std::optional<sstring> role) const {
|
||||
|
||||
@@ -71,17 +71,12 @@ public:
|
||||
|
||||
virtual future<permission_set> authorize(service&, sstring, resource) const override;
|
||||
|
||||
virtual future<> grant(const authenticated_user&, permission_set, resource, sstring) override;
|
||||
virtual future<> grant(permission_set, resource, sstring) override;
|
||||
|
||||
virtual future<> revoke(const authenticated_user&, permission_set, resource, sstring) override;
|
||||
virtual future<> revoke(permission_set, resource, sstring) override;
|
||||
|
||||
virtual future<std::vector<permission_details>>
|
||||
list(
|
||||
service&,
|
||||
const authenticated_user&,
|
||||
permission_set,
|
||||
std::optional<resource>,
|
||||
std::optional<sstring>) const override;
|
||||
list(service&, permission_set, std::optional<resource>, std::optional<sstring>) const override;
|
||||
|
||||
virtual future<> revoke_all(sstring) override;
|
||||
|
||||
@@ -90,7 +85,7 @@ public:
|
||||
virtual const resource_set& protected_resources() override;
|
||||
|
||||
private:
|
||||
future<> modify(const authenticated_user& performer, permission_set, resource, sstring, sstring);
|
||||
future<> modify(permission_set, resource, sstring, sstring);
|
||||
|
||||
///
|
||||
/// Permissions granted directly to a role, rather than those inherited.
|
||||
|
||||
@@ -37,8 +37,6 @@
|
||||
|
||||
namespace auth {
|
||||
|
||||
class authenticated_user;
|
||||
|
||||
struct role_config final {
|
||||
bool is_superuser{false};
|
||||
bool can_login{false};
|
||||
@@ -141,31 +139,27 @@ public:
|
||||
virtual future<> stop() = 0;
|
||||
|
||||
// Must throw `role_already_exists` for a role that has previously been created.
|
||||
virtual future<>
|
||||
create(const authenticated_user& performer, stdx::string_view role_name, const role_config&) = 0;
|
||||
virtual future<> create(stdx::string_view role_name, const role_config&) = 0;
|
||||
|
||||
// Must throw `nonexistant_role` if the role does not exist.
|
||||
virtual future<> drop(const authenticated_user& performer, stdx::string_view role_name) = 0;
|
||||
virtual future<> drop(stdx::string_view role_name) = 0;
|
||||
|
||||
// Must throw `nonexistant_role` if the role does not exist.
|
||||
virtual future<>
|
||||
alter(const authenticated_user& performer, stdx::string_view role_name, const role_config_update&) = 0;
|
||||
virtual future<> alter(stdx::string_view role_name, const role_config_update&) = 0;
|
||||
|
||||
// Grant `role_name` to `grantee_name`.
|
||||
//
|
||||
// Must throw `nonexistant_role` if either the role or the grantee do not exist.
|
||||
//
|
||||
// Must throw `role_already_included` if granting the role would be redundant, or create a cycle.
|
||||
virtual future<>
|
||||
grant(const authenticated_user& performer, stdx::string_view grantee_name, stdx::string_view role_name) = 0;
|
||||
virtual future<> grant(stdx::string_view grantee_name, stdx::string_view role_name) = 0;
|
||||
|
||||
// Revoke `role_name` from `revokee_name`.
|
||||
//
|
||||
// Must throw `nonexistant_role` if either the role or the revokee do not exist.
|
||||
//
|
||||
// Must throw `revoke_ungranted_role` if the role was not granted.
|
||||
virtual future<>
|
||||
revoke(const authenticated_user& performer, stdx::string_view revokee_name, stdx::string_view role_name) = 0;
|
||||
virtual future<> revoke(stdx::string_view revokee_name, stdx::string_view role_name) = 0;
|
||||
|
||||
// Must throw `nonexistant_role` if the role does not exist.
|
||||
virtual future<std::unordered_set<sstring>> query_granted(stdx::string_view grantee, recursive_role_query) const = 0;
|
||||
|
||||
@@ -322,14 +322,10 @@ static void validate_authentication_options_are_supported(
|
||||
|
||||
future<> create_role(
|
||||
service& ser,
|
||||
const authenticated_user& performer,
|
||||
stdx::string_view name,
|
||||
const role_config& config,
|
||||
const authentication_options& options) {
|
||||
return ser.underlying_role_manager().create(
|
||||
performer,
|
||||
name,
|
||||
config).then([&ser, &performer, name, &options] {
|
||||
return ser.underlying_role_manager().create(name, config).then([&ser, name, &options] {
|
||||
if (!auth::any_authentication_options(options)) {
|
||||
return make_ready_future<>();
|
||||
}
|
||||
@@ -339,9 +335,9 @@ future<> create_role(
|
||||
options,
|
||||
ser.underlying_authenticator().supported_options()).then([&ser, name, &options] {
|
||||
return ser.underlying_authenticator().create(sstring(name), options);
|
||||
}).handle_exception([&ser, &performer, &name](std::exception_ptr ep) {
|
||||
}).handle_exception([&ser, &name](std::exception_ptr ep) {
|
||||
// Roll-back.
|
||||
return ser.underlying_role_manager().drop(performer, name).then([ep = std::move(ep)] {
|
||||
return ser.underlying_role_manager().drop(name).then([ep = std::move(ep)] {
|
||||
std::rethrow_exception(ep);
|
||||
});
|
||||
});
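Review bot: The rewritten rollback capture `[&ser, &name]` takes a reference to `name`, but the only `name` in scope is the by-value `stdx::string_view` copy held by the enclosing continuation closure (captured as `[&ser, name, &options]` earlier in `create_role`, which starts outside this hunk). If the rollback continuation runs after that enclosing closure has been destroyed — the normal case for a continuation chained on an asynchronous future, as far as I can tell from Seastar's continuation lifetime — the reference dangles and `drop(name)` reads a stale view. A `string_view` is cheap to copy, so the capture should be by value: `}).handle_exception([&ser, name](std::exception_ptr ep) {`. The old line had the same problem; since the commit rewrites it anyway, this is the place to fix it.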
|
||||
@@ -350,11 +346,10 @@ future<> create_role(
|
||||
|
||||
future<> alter_role(
|
||||
service& ser,
|
||||
const authenticated_user& performer,
|
||||
stdx::string_view name,
|
||||
const role_config_update& config_update,
|
||||
const authentication_options& options) {
|
||||
return ser.underlying_role_manager().alter(performer, name, config_update).then([&ser, name, &options] {
|
||||
return ser.underlying_role_manager().alter(name, config_update).then([&ser, name, &options] {
|
||||
if (!any_authentication_options(options)) {
|
||||
return make_ready_future<>();
|
||||
}
|
||||
@@ -368,12 +363,12 @@ future<> alter_role(
|
||||
});
|
||||
}
|
||||
|
||||
future<> drop_role(service& ser, const authenticated_user& performer, stdx::string_view name) {
|
||||
return do_with(sstring(name), [&ser, &performer](const auto& name) {
|
||||
future<> drop_role(service& ser, stdx::string_view name) {
|
||||
return do_with(sstring(name), [&ser](const auto& name) {
|
||||
return ser.underlying_authorizer().revoke_all(name).then([&ser, &name] {
|
||||
return ser.underlying_authenticator().drop(name);
|
||||
}).then([&ser, &performer, &name] {
|
||||
return ser.underlying_role_manager().drop(performer, name);
|
||||
}).then([&ser, &name] {
|
||||
return ser.underlying_role_manager().drop(name);
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
@@ -29,7 +29,6 @@
|
||||
|
||||
#include "auth/authenticator.hh"
|
||||
#include "auth/authorizer.hh"
|
||||
#include "auth/authenticated_user.hh"
|
||||
#include "auth/permission.hh"
|
||||
#include "auth/permissions_cache.hh"
|
||||
#include "auth/role_manager.hh"
|
||||
@@ -190,7 +189,6 @@ bool is_enforcing(const service&);
|
||||
///
|
||||
future<> create_role(
|
||||
service&,
|
||||
const authenticated_user& performer,
|
||||
stdx::string_view name,
|
||||
const role_config&,
|
||||
const authentication_options&);
|
||||
@@ -204,7 +202,6 @@ future<> create_role(
|
||||
///
|
||||
future<> alter_role(
|
||||
service&,
|
||||
const authenticated_user& performer,
|
||||
stdx::string_view name,
|
||||
const role_config_update&,
|
||||
const authentication_options&);
|
||||
@@ -214,7 +211,7 @@ future<> alter_role(
|
||||
///
|
||||
/// \returns an exceptional future with \ref nonexistant_role if the named role does not exist.
|
||||
///
|
||||
future<> drop_role(service&, const authenticated_user& performer, stdx::string_view name);
|
||||
future<> drop_role(service&, stdx::string_view name);
|
||||
|
||||
///
|
||||
/// Check if `grantee` has been granted the named role.
|
||||
|
||||
@@ -240,7 +240,7 @@ future<> standard_role_manager::stop() {
|
||||
}
|
||||
|
||||
future<>
|
||||
standard_role_manager::create(const authenticated_user& performer, stdx::string_view role_name, const role_config& c) {
|
||||
standard_role_manager::create(stdx::string_view role_name, const role_config& c) {
|
||||
static const sstring query = sprint(
|
||||
"INSERT INTO %s (%s, is_superuser, can_login) VALUES (?, ?, ?)",
|
||||
meta::roles_table::qualified_name(),
|
||||
@@ -260,7 +260,7 @@ standard_role_manager::create(const authenticated_user& performer, stdx::string_
|
||||
}
|
||||
|
||||
future<>
|
||||
standard_role_manager::alter(const authenticated_user&, stdx::string_view role_name, const role_config_update& u) {
|
||||
standard_role_manager::alter(stdx::string_view role_name, const role_config_update& u) {
|
||||
static const auto build_column_assignments = [](const role_config_update& u) -> sstring {
|
||||
std::vector<sstring> assignments;
|
||||
|
||||
@@ -291,7 +291,7 @@ standard_role_manager::alter(const authenticated_user&, stdx::string_view role_n
|
||||
});
|
||||
}
|
||||
|
||||
future<> standard_role_manager::drop(const authenticated_user&, stdx::string_view role_name) {
|
||||
future<> standard_role_manager::drop(stdx::string_view role_name) {
|
||||
return this->exists(role_name).then([this, role_name](bool role_exists) {
|
||||
if (!role_exists) {
|
||||
throw nonexistant_role(role_name);
|
||||
@@ -400,10 +400,7 @@ standard_role_manager::modify_membership(
|
||||
}
|
||||
|
||||
future<>
|
||||
standard_role_manager::grant(
|
||||
const authenticated_user&,
|
||||
stdx::string_view grantee_name,
|
||||
stdx::string_view role_name) {
|
||||
standard_role_manager::grant(stdx::string_view grantee_name, stdx::string_view role_name) {
|
||||
const auto check_redundant = [this, role_name, grantee_name] {
|
||||
return this->query_granted(
|
||||
grantee_name,
|
||||
@@ -434,10 +431,7 @@ standard_role_manager::grant(
|
||||
}
|
||||
|
||||
future<>
|
||||
standard_role_manager::revoke(
|
||||
const authenticated_user&,
|
||||
stdx::string_view revokee_name,
|
||||
stdx::string_view role_name) {
|
||||
standard_role_manager::revoke(stdx::string_view revokee_name, stdx::string_view role_name) {
|
||||
return this->exists(role_name).then([this, revokee_name, role_name](bool role_exists) {
|
||||
if (!role_exists) {
|
||||
throw nonexistant_role(sstring(role_name));
|
||||
|
||||
@@ -64,19 +64,15 @@ public:
|
||||
|
||||
virtual future<> stop() override;
|
||||
|
||||
virtual future<>
|
||||
create(const authenticated_user& performer, stdx::string_view role_name, const role_config&) override;
|
||||
virtual future<> create(stdx::string_view role_name, const role_config&) override;
|
||||
|
||||
virtual future<> drop(const authenticated_user& performer, stdx::string_view role_name) override;
|
||||
virtual future<> drop(stdx::string_view role_name) override;
|
||||
|
||||
virtual future<>
|
||||
alter(const authenticated_user& performer, stdx::string_view role_name, const role_config_update&) override;
|
||||
virtual future<> alter(stdx::string_view role_name, const role_config_update&) override;
|
||||
|
||||
virtual future<>
|
||||
grant(const authenticated_user& performer, stdx::string_view grantee_name, stdx::string_view role_name) override;
|
||||
virtual future<> grant(stdx::string_view grantee_name, stdx::string_view role_name) override;
|
||||
|
||||
virtual future<>
|
||||
revoke(const authenticated_user& performer, stdx::string_view revokee_name, stdx::string_view role_name) override;
|
||||
virtual future<> revoke(stdx::string_view revokee_name, stdx::string_view role_name) override;
|
||||
|
||||
virtual future<std::unordered_set<sstring>>
|
||||
query_granted(stdx::string_view grantee_name, recursive_role_query) const override;
|
||||
|
||||
@@ -218,22 +218,21 @@ public:
|
||||
});
|
||||
}
|
||||
|
||||
virtual future<> grant(const authenticated_user& user, permission_set ps, resource r, sstring s) override {
|
||||
return _authorizer->grant(user, std::move(ps), std::move(r), std::move(s));
|
||||
virtual future<> grant(permission_set ps, resource r, sstring s) override {
|
||||
return _authorizer->grant(std::move(ps), std::move(r), std::move(s));
|
||||
}
|
||||
|
||||
virtual future<> revoke(const authenticated_user& user, permission_set ps, resource r, sstring s) override {
|
||||
return _authorizer->revoke(user, std::move(ps), std::move(r), std::move(s));
|
||||
virtual future<> revoke(permission_set ps, resource r, sstring s) override {
|
||||
return _authorizer->revoke(std::move(ps), std::move(r), std::move(s));
|
||||
}
|
||||
|
||||
virtual future<std::vector<permission_details>>
|
||||
list(
|
||||
service& ser,
|
||||
const authenticated_user& user,
|
||||
permission_set ps,
|
||||
std::optional<resource> r,
|
||||
std::optional<sstring> s) const override {
|
||||
return _authorizer->list(ser, user, std::move(ps), std::move(r), std::move(s));
|
||||
return _authorizer->list(ser, std::move(ps), std::move(r), std::move(s));
|
||||
}
|
||||
|
||||
virtual future<> revoke_all(sstring s) override {
|
||||
|
||||
@@ -44,12 +44,9 @@
|
||||
|
||||
future<::shared_ptr<cql_transport::messages::result_message>>
|
||||
cql3::statements::grant_statement::execute(distributed<service::storage_proxy>& proxy, service::query_state& state, const query_options& options) {
|
||||
auto& client_state = state.get_client_state();
|
||||
auto& auth_service = *client_state.get_auth_service();
|
||||
auto& auth_service = *state.get_client_state().get_auth_service();
|
||||
|
||||
return make_ready_future<>().then([this, &auth_service, user = client_state.user()] {
|
||||
return auth_service.underlying_authorizer().grant(*user, _permissions, _resource, _username).finally([user] {});
|
||||
}).then([] {
|
||||
return auth_service.underlying_authorizer().grant(_permissions, _resource, _username).then([] {
|
||||
return make_ready_future<::shared_ptr<cql_transport::messages::result_message>>();
|
||||
});
|
||||
}
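Review bot: `execute` now calls the authorizer's `grant` with no reference to the requesting client, so nothing in this function establishes that the client is allowed to GRANT; that decision has to be made before `execute` runs — presumably in the statement's `check_access`, which this commit does not touch. Make the dependency visible with a comment above the call, e.g. `// Caller authorization is enforced before execute() runs (check_access); the authorizer applies the grant unconditionally.` The same note applies to `revoke_statement::execute` and `list_permissions_statement::execute` in the later hunks, which lose their user capture in the same way.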
|
||||
|
||||
@@ -155,18 +155,7 @@ cql3::statements::list_permissions_statement::execute(
|
||||
resources,
|
||||
[&state, this](opt_resource r) {
|
||||
auto& auth_service = *state.get_client_state().get_auth_service();
|
||||
return make_ready_future<>().then([
|
||||
this,
|
||||
r = std::move(r),
|
||||
&auth_service,
|
||||
user = state.get_client_state().user()] {
|
||||
return auth_service.underlying_authorizer().list(
|
||||
auth_service,
|
||||
*user,
|
||||
_permissions,
|
||||
std::move(r),
|
||||
_username).finally([user] {});
|
||||
});
|
||||
return auth_service.underlying_authorizer().list(auth_service, _permissions, std::move(r), _username);
|
||||
},
|
||||
std::vector<auth::permission_details>(),
|
||||
[](std::vector<auth::permission_details> details, std::vector<auth::permission_details> pd) {
|
||||
|
||||
@@ -44,12 +44,9 @@
|
||||
|
||||
future<::shared_ptr<cql_transport::messages::result_message>>
|
||||
cql3::statements::revoke_statement::execute(distributed<service::storage_proxy>& proxy, service::query_state& state, const query_options& options) {
|
||||
auto& client_state = state.get_client_state();
|
||||
auto& auth_service = *client_state.get_auth_service();
|
||||
auto& auth_service = *state.get_client_state().get_auth_service();
|
||||
|
||||
return make_ready_future<>().then([this, &auth_service, user = client_state.user()] {
|
||||
return auth_service.underlying_authorizer().revoke(*user, _permissions, _resource, _username).finally([user] {});
|
||||
}).then([] {
|
||||
return auth_service.underlying_authorizer().revoke(_permissions, _resource, _username).then([] {
|
||||
return make_ready_future<::shared_ptr<cql_transport::messages::result_message>>();
|
||||
});
|
||||
}
|
||||
|
||||
@@ -111,10 +111,9 @@ create_role_statement::execute(distributed<service::storage_proxy>&,
|
||||
std::move(config),
|
||||
extract_authentication_options(_options),
|
||||
[this, &state](const auth::role_config& config, const auth::authentication_options& authen_options) {
|
||||
auto& cs = state.get_client_state();
|
||||
auto& as = *cs.get_auth_service();
|
||||
auto& as = *state.get_client_state().get_auth_service();
|
||||
|
||||
return auth::create_role(as, *cs.user(), _role, config, authen_options).then([] {
|
||||
return auth::create_role(as, _role, config, authen_options).then([] {
|
||||
return void_result_message();
|
||||
}).handle_exception_type([this](const auth::role_already_exists& e) {
|
||||
if (!_if_not_exists) {
|
||||
@@ -186,10 +185,9 @@ alter_role_statement::execute(distributed<service::storage_proxy>&, service::que
|
||||
std::move(update),
|
||||
extract_authentication_options(_options),
|
||||
[this, &state](const auth::role_config_update& update, const auth::authentication_options& authen_options) {
|
||||
auto& cs = state.get_client_state();
|
||||
auto& as = *cs.get_auth_service();
|
||||
auto& as = *state.get_client_state().get_auth_service();
|
||||
|
||||
return auth::alter_role(as, *cs.user(), _role, update, authen_options).then([] {
|
||||
return auth::alter_role(as, _role, update, authen_options).then([] {
|
||||
return void_result_message();
|
||||
}).handle_exception_type([](const auth::roles_argument_exception& e) {
|
||||
return make_exception_future<result_message_ptr>(exceptions::invalid_request_exception(e.what()));
|
||||
@@ -238,10 +236,9 @@ future<result_message_ptr>
|
||||
drop_role_statement::execute(distributed<service::storage_proxy>&, service::query_state& state, const query_options&) {
|
||||
unimplemented::warn(unimplemented::cause::ROLES);
|
||||
|
||||
auto& cs = state.get_client_state();
|
||||
auto& as = *cs.get_auth_service();
|
||||
auto& as = *state.get_client_state().get_auth_service();
|
||||
|
||||
return auth::drop_role(as, *cs.user(), _role).then([] {
|
||||
return auth::drop_role(as, _role).then([] {
|
||||
return void_result_message();
|
||||
}).handle_exception_type([this](const auth::nonexistant_role& e) {
|
||||
if (!_if_exists) {
|
||||
@@ -378,10 +375,9 @@ future<result_message_ptr>
|
||||
grant_role_statement::execute(distributed<service::storage_proxy>&, service::query_state& state, const query_options&) {
|
||||
unimplemented::warn(unimplemented::cause::ROLES);
|
||||
|
||||
auto& cs = state.get_client_state();
|
||||
auto& as = *cs.get_auth_service();
|
||||
auto& as = *state.get_client_state().get_auth_service();
|
||||
|
||||
return as.underlying_role_manager().grant(*cs.user(), _grantee, _role).then([] {
|
||||
return as.underlying_role_manager().grant(_grantee, _role).then([] {
|
||||
return void_result_message();
|
||||
}).handle_exception_type([](const auth::roles_argument_exception& e) {
|
||||
throw exceptions::invalid_request_exception(e.what());
|
||||
@@ -405,10 +401,9 @@ revoke_role_statement::execute(
|
||||
const query_options&) {
|
||||
unimplemented::warn(unimplemented::cause::ROLES);
|
||||
|
||||
auto& cs = state.get_client_state();
|
||||
auto& rm = cs.get_auth_service()->underlying_role_manager();
|
||||
auto& rm = state.get_client_state().get_auth_service()->underlying_role_manager();
|
||||
|
||||
return rm.revoke(*cs.user(), _revokee, _role).then([] {
|
||||
return rm.revoke(_revokee, _role).then([] {
|
||||
return void_result_message();
|
||||
}).handle_exception_type([](const auth::roles_argument_exception& e) {
|
||||
throw exceptions::invalid_request_exception(e.what());
|
||||
|
||||
@@ -371,7 +371,6 @@ public:
|
||||
|
||||
auth::create_role(
|
||||
auth_service->local(),
|
||||
auth::authenticated_user(),
|
||||
testing_superuser,
|
||||
config,
|
||||
auth::authentication_options()).get0();
|
||||
|
||||
@@ -23,7 +23,6 @@
|
||||
|
||||
#include <seastar/tests/test-utils.hh>
|
||||
|
||||
#include "auth/authenticated_user.hh"
|
||||
#include "service/migration_manager.hh"
|
||||
#include "tests/cql_test_env.hh"
|
||||
|
||||
@@ -51,7 +50,7 @@ SEASTAR_TEST_CASE(create_role) {
|
||||
auth::role_config c;
|
||||
c.is_superuser = true;
|
||||
|
||||
m->create(anon, "admin", c).get();
|
||||
m->create("admin", c).get();
|
||||
BOOST_REQUIRE_EQUAL(m->exists("admin").get0(), true);
|
||||
BOOST_REQUIRE_EQUAL(m->can_login("admin").get0(), false);
|
||||
BOOST_REQUIRE_EQUAL(m->is_superuser("admin").get0(), true);
|
||||
@@ -64,7 +63,7 @@ SEASTAR_TEST_CASE(create_role) {
|
||||
// Creating a role that already exists is an error.
|
||||
//
|
||||
|
||||
BOOST_REQUIRE_THROW(m->create(anon, "admin", c).get0(), auth::role_already_exists);
|
||||
BOOST_REQUIRE_THROW(m->create("admin", c).get0(), auth::role_already_exists);
|
||||
});
|
||||
}
|
||||
|
||||
@@ -79,28 +78,28 @@ SEASTAR_TEST_CASE(drop_role) {
|
||||
// Create a role, then drop it, then verify it's gone.
|
||||
//
|
||||
|
||||
m->create(anon, "lord", auth::role_config()).get();
|
||||
m->drop(anon, "lord").get();
|
||||
m->create("lord", auth::role_config()).get();
|
||||
m->drop("lord").get();
|
||||
BOOST_REQUIRE_EQUAL(m->exists("lord").get0(), false);
|
||||
|
||||
//
|
||||
// Dropping a role revokes it from other roles and revokes other roles from it.
|
||||
//
|
||||
|
||||
m->create(anon, "peasant", auth::role_config()).get0();
|
||||
m->create(anon, "lord", auth::role_config()).get0();
|
||||
m->create(anon, "king", auth::role_config()).get0();
|
||||
m->create("peasant", auth::role_config()).get0();
|
||||
m->create("lord", auth::role_config()).get0();
|
||||
m->create("king", auth::role_config()).get0();
|
||||
|
||||
auth::role_config tim_config;
|
||||
tim_config.is_superuser = false;
|
||||
tim_config.can_login = true;
|
||||
m->create(anon, "tim", tim_config).get0();
|
||||
m->create("tim", tim_config).get0();
|
||||
|
||||
m->grant(anon, "lord", "peasant").get0();
|
||||
m->grant(anon, "king", "lord").get0();
|
||||
m->grant(anon, "tim", "lord").get0();
|
||||
m->grant("lord", "peasant").get0();
|
||||
m->grant("king", "lord").get0();
|
||||
m->grant("tim", "lord").get0();
|
||||
|
||||
m->drop(anon, "lord").get0();
|
||||
m->drop("lord").get0();
|
||||
|
||||
BOOST_REQUIRE_EQUAL(
|
||||
m->query_granted("tim", auth::recursive_role_query::yes).get0(),
|
||||
@@ -114,7 +113,7 @@ SEASTAR_TEST_CASE(drop_role) {
|
||||
// Dropping a role that does not exist is an error.
|
||||
//
|
||||
|
||||
BOOST_REQUIRE_THROW(m->drop(anon, "emperor").get0(), auth::nonexistant_role);
|
||||
BOOST_REQUIRE_THROW(m->drop("emperor").get0(), auth::nonexistant_role);
|
||||
});
|
||||
}
|
||||
|
||||
@@ -128,17 +127,17 @@ SEASTAR_TEST_CASE(grant_role) {
|
||||
auth::role_config jsnow_config;
|
||||
jsnow_config.is_superuser = false;
|
||||
jsnow_config.can_login = true;
|
||||
m->create(anon, "jsnow", jsnow_config).get0();
|
||||
m->create("jsnow", jsnow_config).get0();
|
||||
|
||||
m->create(anon, "lord", auth::role_config()).get0();
|
||||
m->create(anon, "king", auth::role_config()).get0();
|
||||
m->create("lord", auth::role_config()).get0();
|
||||
m->create("king", auth::role_config()).get0();
|
||||
|
||||
//
|
||||
// All kings have the rights of lords, and 'jsnow' is a king.
|
||||
//
|
||||
|
||||
m->grant(anon, "king", "lord").get0();
|
||||
m->grant(anon, "jsnow", "king").get0();
|
||||
m->grant("king", "lord").get0();
|
||||
m->grant("jsnow", "king").get0();
|
||||
|
||||
BOOST_REQUIRE_EQUAL(
|
||||
m->query_granted("king", auth::recursive_role_query::yes).get0(),
|
||||
@@ -153,10 +152,10 @@ SEASTAR_TEST_CASE(grant_role) {
|
||||
(std::unordered_set<sstring>{"jsnow", "king", "lord"}));
|
||||
|
||||
// A non-existing role cannot be granted.
|
||||
BOOST_REQUIRE_THROW(m->grant(anon, "jsnow", "doctor").get0(), auth::nonexistant_role);
|
||||
BOOST_REQUIRE_THROW(m->grant("jsnow", "doctor").get0(), auth::nonexistant_role);
|
||||
|
||||
// A role cannot be granted to a non-existing role.
|
||||
BOOST_REQUIRE_THROW(m->grant(anon, "hpotter", "lord").get0(), auth::nonexistant_role);
|
||||
BOOST_REQUIRE_THROW(m->grant("hpotter", "lord").get0(), auth::nonexistant_role);
|
||||
});
|
||||
}
|
||||
|
||||
@@ -170,32 +169,32 @@ SEASTAR_TEST_CASE(revoke_role) {
|
||||
auth::role_config rrat_config;
|
||||
rrat_config.is_superuser = false;
|
||||
rrat_config.can_login = true;
|
||||
m->create(anon, "rrat", rrat_config).get0();
|
||||
m->create("rrat", rrat_config).get0();
|
||||
|
||||
m->create(anon, "chef", auth::role_config()).get0();
|
||||
m->create(anon, "sous_chef", auth::role_config()).get0();
|
||||
m->create("chef", auth::role_config()).get0();
|
||||
m->create("sous_chef", auth::role_config()).get0();
|
||||
|
||||
m->grant(anon, "chef", "sous_chef").get0();
|
||||
m->grant(anon, "rrat", "chef").get0();
|
||||
m->grant("chef", "sous_chef").get0();
|
||||
m->grant("rrat", "chef").get0();
|
||||
|
||||
m->revoke(anon, "chef", "sous_chef").get0();
|
||||
m->revoke("chef", "sous_chef").get0();
|
||||
BOOST_REQUIRE_EQUAL(
|
||||
m->query_granted("rrat", auth::recursive_role_query::yes).get0(),
|
||||
(std::unordered_set<sstring>{"chef", "rrat"}));
|
||||
|
||||
m->revoke(anon, "rrat", "chef").get0();
|
||||
m->revoke("rrat", "chef").get0();
|
||||
BOOST_REQUIRE_EQUAL(
|
||||
m->query_granted("rrat", auth::recursive_role_query::yes).get0(),
|
||||
std::unordered_set<sstring>{"rrat"});
|
||||
|
||||
// A non-existing role cannot be revoked.
|
||||
BOOST_REQUIRE_THROW(m->revoke(anon, "rrat", "taster").get0(), auth::nonexistant_role);
|
||||
BOOST_REQUIRE_THROW(m->revoke("rrat", "taster").get0(), auth::nonexistant_role);
|
||||
|
||||
// A role cannot be revoked from a non-existing role.
|
||||
BOOST_REQUIRE_THROW(m->revoke(anon, "ccasper", "chef").get0(), auth::nonexistant_role);
|
||||
BOOST_REQUIRE_THROW(m->revoke("ccasper", "chef").get0(), auth::nonexistant_role);
|
||||
|
||||
// Revoking a role not granted is an error.
|
||||
BOOST_REQUIRE_THROW(m->revoke(anon, "rrat", "sous_chef").get0(), auth::revoke_ungranted_role);
|
||||
BOOST_REQUIRE_THROW(m->revoke("rrat", "sous_chef").get0(), auth::revoke_ungranted_role);
|
||||
});
|
||||
}
|
||||
|
||||
@@ -209,17 +208,17 @@ SEASTAR_TEST_CASE(alter_role) {
|
||||
auth::role_config tsmith_config;
|
||||
tsmith_config.is_superuser = true;
|
||||
tsmith_config.can_login = true;
|
||||
m->create(anon, "tsmith", tsmith_config).get0();
|
||||
m->create("tsmith", tsmith_config).get0();
|
||||
|
||||
auth::role_config_update u;
|
||||
u.can_login = false;
|
||||
|
||||
m->alter(anon, "tsmith", u).get0();
|
||||
m->alter("tsmith", u).get0();
|
||||
|
||||
BOOST_REQUIRE_EQUAL(m->is_superuser("tsmith").get0(), true);
|
||||
BOOST_REQUIRE_EQUAL(m->can_login("tsmith").get0(), false);
|
||||
|
||||
// Altering a non-existing role is an error.
|
||||
BOOST_REQUIRE_THROW(m->alter(anon, "hjones", u).get0(), auth::nonexistant_role);
|
||||
BOOST_REQUIRE_THROW(m->alter("hjones", u).get0(), auth::nonexistant_role);
|
||||
});
|
||||
}
|
||||
|
||||