// 'of' can be null - in that case everyone's permissions have been requested. Otherwise only // single user's. // If the user requesting 'LIST PERMISSIONS' is not a superuser OR his username doesn't match // 'of', we // throw UnauthorizedException. So only a superuser can view everybody's permissions. Regular // users are only // allowed to see their own permissions. public Set<PermissionDetails> list( AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String of) throws RequestValidationException, RequestExecutionException { if (!performer.isSuper() && !performer.getName().equals(of)) throw new UnauthorizedException( String.format( "You are not authorized to view %s's permissions", of == null ? "everyone" : of)); Set<PermissionDetails> details = new HashSet<PermissionDetails>(); for (UntypedResultSet.Row row : process(buildListQuery(resource, of))) { if (row.has(PERMISSIONS)) { for (String p : row.getSet(PERMISSIONS, UTF8Type.instance)) { Permission permission = Permission.valueOf(p); if (permissions.contains(permission)) details.add( new PermissionDetails( row.getString(USERNAME), DataResource.fromName(row.getString(RESOURCE)), permission)); } } } return details; }
/**
 * Translates a new-style {@code authorize(user, resource)} call into the legacy list-of-path-elements
 * form, then widens the legacy answer to the new permission set.
 *
 * <p>The legacy path is always {@code ROOT, KEYSPACES}, followed by the keyspace when the resource
 * is below root level and by the column family when the resource names one. On the way back a legacy
 * {@code READ} additionally grants {@code SELECT}, and a legacy {@code WRITE} additionally grants
 * {@code CREATE}, {@code ALTER}, {@code DROP} and {@code MODIFY}.
 *
 * @param user the user being authorized
 * @param resource the resource being accessed; must be a {@link DataResource}
 * @return the permissions the legacy authorizer granted, widened as described above (the set
 *     returned by the legacy call is mutated in place)
 * @throws IllegalArgumentException if {@code resource} is not a {@link DataResource}
 */
@Override
public Set<Permission> authorize(AuthenticatedUser user, IResource resource) {
  if (!(resource instanceof DataResource)) {
    String message =
        String.format("%s resource is not supported by LegacyAuthorizer", resource.getName());
    throw new IllegalArgumentException(message);
  }
  DataResource dataResource = (DataResource) resource;

  // Build the legacy hierarchical path, top-down, as far as the resource reaches.
  List<Object> legacyPath = new ArrayList<Object>();
  legacyPath.add(Resources.ROOT);
  legacyPath.add(Resources.KEYSPACES);
  if (!dataResource.isRootLevel()) {
    legacyPath.add(dataResource.getKeyspace());
  }
  if (dataResource.isColumnFamilyLevel()) {
    legacyPath.add(dataResource.getColumnFamily());
  }

  Set<Permission> granted = authorize(user, legacyPath);

  // Map the two legacy permissions onto their new-style equivalents.
  if (granted.contains(Permission.READ)) {
    granted.add(Permission.SELECT);
  }
  if (granted.contains(Permission.WRITE)) {
    granted.addAll(
        EnumSet.of(Permission.CREATE, Permission.ALTER, Permission.DROP, Permission.MODIFY));
  }
  return granted;
}
/**
 * Returns the resources this authorizer relies on and therefore wants protected from ordinary
 * modification: the permissions column family in the auth keyspace.
 *
 * @return an immutable set holding the permissions table resource
 */
public Set<DataResource> protectedResources() {
  DataResource permissionsTable = DataResource.columnFamily(Auth.AUTH_KS, PERMISSIONS_CF);
  return ImmutableSet.of(permissionsTable);
}