From b2a9f7a0d43c25fc325168e2cf41fc05a9b31a18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andre=CC=81s=20de=20la=20Pen=CC=83a?= Date: Tue, 31 Jan 2023 15:44:32 +0000 Subject: [PATCH 1/2] Update auth tests for UNMASK permission --- auth_test.py | 88 ++++++++++++++++++++++----------------- cqlsh_tests/test_cqlsh.py | 15 ++++++- 2 files changed, 64 insertions(+), 39 deletions(-) diff --git a/auth_test.py b/auth_test.py index 3d1aa10c0c..2caad32673 100644 --- a/auth_test.py +++ b/auth_test.py @@ -34,6 +34,31 @@ def role_creator_permissions(self, creator, role): permissions = ('ALTER', 'DROP', 'DESCRIBE') return [(creator, role, perm) for perm in permissions] + def cluster_version_has_unmask_permission(self): + return self.cluster.version() >= LooseVersion('4.2') + + def data_resource_creator_permissions(self, creator, resource): + """ + Assemble a list of all permissions needed to create data on a given resource + @param creator User who needs permissions + @param resource The resource to grant permissions on + @return A list of permissions for creator on resource + """ + permissions = [] + for perm in 'SELECT', 'MODIFY', 'ALTER', 'DROP', 'AUTHORIZE': + permissions.append((creator, resource, perm)) + + if self.cluster_version_has_unmask_permission(): + permissions.append((creator, resource, 'UNMASK')) + + if resource.startswith("' % keyspace, perm)) + return permissions + class TestAuth(AbstractTestAuth): @@ -947,9 +972,9 @@ def test_list_permissions(self): # CASSANDRA-7216 automatically grants permissions on a role to its creator if self.cluster.cassandra_version() >= '2.2.0': - all_permissions.extend(data_resource_creator_permissions('cassandra', '')) - all_permissions.extend(data_resource_creator_permissions('cassandra', '')) - all_permissions.extend(data_resource_creator_permissions('cassandra', '
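Review bot: The docstring of data_resource_creator_permissions still describes only the five base permissions, while the new body appends UNMASK whenever cluster_version_has_unmask_permission() is true; the `@return` line should say so, e.g. `@return A list of permissions for creator on resource (plus the data-masking permission on 4.2+ clusters)`. The new cluster_version_has_unmask_permission has no docstring and compares `self.cluster.version()` through LooseVersion, whereas the other version gates touched by this commit compare `self.cluster.cassandra_version()` against plain strings such as `'2.2.0'`; the two accessors may not agree on every build, so either use one form throughout or document why this check differs. No hunk touches the import block of auth_test.py, so confirm LooseVersion is already imported there. The keyspace branch at the end of the moved helper is unreadable in this copy of the patch and was not reviewed.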
')) + all_permissions.extend(self.data_resource_creator_permissions('cassandra', '')) + all_permissions.extend(self.data_resource_creator_permissions('cassandra', '
')) + all_permissions.extend(self.data_resource_creator_permissions('cassandra', '
')) all_permissions.extend(self.role_creator_permissions('cassandra', '')) all_permissions.extend(self.role_creator_permissions('cassandra', '')) @@ -962,7 +987,7 @@ def test_list_permissions(self): expected_permissions = [('cathy', '
', 'MODIFY'), ('bob', '
', 'DROP')] if self.cluster.cassandra_version() >= '2.2.0': - expected_permissions.extend(data_resource_creator_permissions('cassandra', '
')) + expected_permissions.extend(self.data_resource_creator_permissions('cassandra', '
')) self.assertPermissionsListed(expected_permissions, cassandra, "LIST ALL PERMISSIONS ON ks.cf NORECURSIVE") expected_permissions = [('cathy', '
', 'SELECT')] @@ -1136,25 +1161,6 @@ def assertPermissionsListed(self, expected, session, query): assert sorted(expected) == sorted(perms) -def data_resource_creator_permissions(creator, resource): - """ - Assemble a list of all permissions needed to create data on a given resource - @param creator User who needs permissions - @param resource The resource to grant permissions on - @return A list of permissions for creator on resource - """ - permissions = [] - for perm in 'SELECT', 'MODIFY', 'ALTER', 'DROP', 'AUTHORIZE': - permissions.append((creator, resource, perm)) - if resource.startswith("' % keyspace, perm)) - return permissions - - @since('2.2') class TestAuthRoles(AbstractTestAuth): @@ -1385,8 +1391,8 @@ def test_creator_of_db_resource_granted_all_permissions(self): mike_permissions = [('mike', '', 'CREATE'), ('mike', '', 'CREATE')] mike_permissions.extend(self.role_creator_permissions('mike', '')) - mike_permissions.extend(data_resource_creator_permissions('mike', '')) - mike_permissions.extend(data_resource_creator_permissions('mike', '
')) + mike_permissions.extend(self.data_resource_creator_permissions('mike', '')) + mike_permissions.extend(self.data_resource_creator_permissions('mike', '
')) mike_permissions.extend(function_resource_creator_permissions('mike', '')) mike_permissions.extend(function_resource_creator_permissions('mike', '')) @@ -1671,23 +1677,29 @@ def test_filter_granted_permissions_by_resource_type(self): # GRANT ALL ON KEYSPACE grants Permission.ALL_DATA self.superuser.execute("GRANT ALL ON KEYSPACE ks TO mike") - self.assert_permissions_listed([("mike", "", "CREATE"), - ("mike", "", "ALTER"), - ("mike", "", "DROP"), - ("mike", "", "SELECT"), - ("mike", "", "MODIFY"), - ("mike", "", "AUTHORIZE")], + permissions = [("mike", "", "CREATE"), + ("mike", "", "ALTER"), + ("mike", "", "DROP"), + ("mike", "", "SELECT"), + ("mike", "", "MODIFY"), + ("mike", "", "AUTHORIZE")] + if self.cluster_version_has_unmask_permission(): + permissions.append(("mike", "", "UNMASK")) + self.assert_permissions_listed(permissions, self.superuser, "LIST ALL PERMISSIONS OF mike") self.superuser.execute("REVOKE ALL ON KEYSPACE ks FROM mike") # GRANT ALL ON TABLE does not include CREATE (because the table must already be created before the GRANT) self.superuser.execute("GRANT ALL ON ks.cf TO MIKE") - self.assert_permissions_listed([("mike", "
", "ALTER"), - ("mike", "
", "DROP"), - ("mike", "
", "SELECT"), - ("mike", "
", "MODIFY"), - ("mike", "
", "AUTHORIZE")], + permissions = [("mike", "
", "ALTER"), + ("mike", "
", "DROP"), + ("mike", "
", "SELECT"), + ("mike", "
", "MODIFY"), + ("mike", "
", "AUTHORIZE")] + if self.cluster_version_has_unmask_permission(): + permissions.append(("mike", "
", "UNMASK")) + self.assert_permissions_listed(permissions, self.superuser, "LIST ALL PERMISSIONS OF mike") self.superuser.execute("REVOKE ALL ON ks.cf FROM mike") @@ -1788,8 +1800,8 @@ def test_list_permissions(self): ("role1", "
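Review bot: After `self.superuser.execute("REVOKE ALL ON KEYSPACE ks FROM mike")` the hunk goes straight to the next GRANT without asserting what mike still holds, so a regression in which REVOKE ALL removes the five pre-4.2 permissions but leaves UNMASK in place would pass unnoticed; the same applies after the `REVOKE ALL ON ks.cf FROM mike` line that closes the hunk. If mike holds no other grants at that point (the start of test_filter_granted_permissions_by_resource_type is outside the hunk), `self.assert_permissions_listed([], self.superuser, "LIST ALL PERMISSIONS OF mike")` after each revoke would pin that the new permission is revoked together with the others. This matters more for UNMASK than for the older permissions, since it is the one that widens what a role can read.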
", "SELECT"), ("role2", "
", "ALTER"), ("role2", "", "ALTER")] - expected_permissions.extend(data_resource_creator_permissions('cassandra', '')) - expected_permissions.extend(data_resource_creator_permissions('cassandra', '
')) + expected_permissions.extend(self.data_resource_creator_permissions('cassandra', '')) + expected_permissions.extend(self.data_resource_creator_permissions('cassandra', '
')) expected_permissions.extend(self.role_creator_permissions('cassandra', '')) expected_permissions.extend(self.role_creator_permissions('cassandra', '')) expected_permissions.extend(self.role_creator_permissions('cassandra', '')) diff --git a/cqlsh_tests/test_cqlsh.py b/cqlsh_tests/test_cqlsh.py index 4f4d1b7577..06e0311cde 100644 --- a/cqlsh_tests/test_cqlsh.py +++ b/cqlsh_tests/test_cqlsh.py @@ -783,7 +783,20 @@ def test_list_queries(self): (2 rows) """) - if self.cluster.version() >= LooseVersion('2.2'): + if self.cluster.version() >= LooseVersion('4.2'): + self.verify_output("LIST ALL PERMISSIONS OF user1", node1, """ + role | username | resource | permission +-------+----------+---------------+------------ + user1 | user1 |
| ALTER + user1 | user1 |
| DROP + user1 | user1 |
| SELECT + user1 | user1 |
| MODIFY + user1 | user1 |
| AUTHORIZE + user1 | user1 |
| UNMASK + +(6 rows) +""") + elif self.cluster.version() >= LooseVersion('2.2'): self.verify_output("LIST ALL PERMISSIONS OF user1", node1, """ role | username | resource | permission -------+----------+---------------+------------ From af9669e7d4977ebe8b186ee3f1f1b58991aa8bfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andre=CC=81s=20de=20la=20Pen=CC=83a?= Date: Tue, 7 Feb 2023 14:30:51 +0000 Subject: [PATCH 2/2] Update auth tests for SELECT_MASKED permission --- auth_test.py | 11 +++++++---- cqlsh_tests/test_cqlsh.py | 19 ++++++++++--------- 2 files changed, 17 insertions(+), 13 deletions(-) diff --git a/auth_test.py b/auth_test.py index 2caad32673..f18f38e23a 100644 --- a/auth_test.py +++ b/auth_test.py @@ -34,7 +34,7 @@ def role_creator_permissions(self, creator, role): permissions = ('ALTER', 'DROP', 'DESCRIBE') return [(creator, role, perm) for perm in permissions] - def cluster_version_has_unmask_permission(self): + def cluster_version_has_masking_permissions(self): return self.cluster.version() >= LooseVersion('4.2') def data_resource_creator_permissions(self, creator, resource): @@ -48,8 +48,9 @@ def data_resource_creator_permissions(self, creator, resource): for perm in 'SELECT', 'MODIFY', 'ALTER', 'DROP', 'AUTHORIZE': permissions.append((creator, resource, perm)) - if self.cluster_version_has_unmask_permission(): + if self.cluster_version_has_masking_permissions(): permissions.append((creator, resource, 'UNMASK')) + permissions.append((creator, resource, 'SELECT_MASKED')) if resource.startswith("", "SELECT"), ("mike", "", "MODIFY"), ("mike", "", "AUTHORIZE")] - if self.cluster_version_has_unmask_permission(): + if self.cluster_version_has_masking_permissions(): permissions.append(("mike", "", "UNMASK")) + permissions.append(("mike", "", "SELECT_MASKED")) self.assert_permissions_listed(permissions, self.superuser, "LIST ALL PERMISSIONS OF mike") @@ -1697,8 +1699,9 @@ def test_filter_granted_permissions_by_resource_type(self): ("mike", "
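Review bot: The new 4.2 branch repeats the whole 2.2 expected table just to add one UNMASK row, and the second commit on this page already has to rewrite the block again for a wider permission column; building the expected rows as a list, appending version-gated rows, and rendering the table once would leave a single copy to maintain. The expected text also fixes the row order of LIST ALL PERMISSIONS, which is presumably the server's natural ordering rather than a documented contract — verify_output is outside the hunk, so I cannot tell whether it tolerates reordering. test_list_queries starts before this hunk.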
", "SELECT"), ("mike", "
", "MODIFY"), ("mike", "
", "AUTHORIZE")] - if self.cluster_version_has_unmask_permission(): + if self.cluster_version_has_masking_permissions(): permissions.append(("mike", "
", "UNMASK")) + permissions.append(("mike", "
", "SELECT_MASKED")) self.assert_permissions_listed(permissions, self.superuser, "LIST ALL PERMISSIONS OF mike") diff --git a/cqlsh_tests/test_cqlsh.py b/cqlsh_tests/test_cqlsh.py index 06e0311cde..25f49cc22b 100644 --- a/cqlsh_tests/test_cqlsh.py +++ b/cqlsh_tests/test_cqlsh.py @@ -786,15 +786,16 @@ def test_list_queries(self): if self.cluster.version() >= LooseVersion('4.2'): self.verify_output("LIST ALL PERMISSIONS OF user1", node1, """ role | username | resource | permission --------+----------+---------------+------------ - user1 | user1 |
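Review bot: The UNMASK/SELECT_MASKED pair is now appended by hand in three places — data_resource_creator_permissions, the keyspace list earlier in test_filter_granted_permissions_by_resource_type, and this table list — each behind the same cluster_version_has_masking_permissions() check, so the next masking-related permission needs the same three edits again. A small helper on the base class, `def masking_permissions(self, role, resource): return [(role, resource, p) for p in ('UNMASK', 'SELECT_MASKED')] if self.cluster_version_has_masking_permissions() else []`, would let each site become one `permissions.extend(self.masking_permissions('mike', <resource string from the preceding lines>))` call. The enclosing test method starts before this hunk.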
| ALTER - user1 | user1 |
| DROP - user1 | user1 |
| SELECT - user1 | user1 |
| MODIFY - user1 | user1 |
| AUTHORIZE - user1 | user1 |
| UNMASK - -(6 rows) +-------+----------+---------------+--------------- + user1 | user1 |
| ALTER + user1 | user1 |
| DROP + user1 | user1 |
| SELECT + user1 | user1 |
| MODIFY + user1 | user1 |
| AUTHORIZE + user1 | user1 |
| UNMASK + user1 | user1 |
| SELECT_MASKED + +(7 rows) """) elif self.cluster.version() >= LooseVersion('2.2'): self.verify_output("LIST ALL PERMISSIONS OF user1", node1, """