Update auth tests for UNMASK and SELECT_MASKED permissions

patch by Andrés de la Peña; reviewed by Benjamin Lerer and Berenguer Blasi for CASSANDRA-17940

auth_test.py

@@ -34,6 +34,32 @@ def role_creator_permissions(self, creator, role):
             permissions = ('ALTER', 'DROP', 'DESCRIBE')
         return [(creator, role, perm) for perm in permissions]
 
+    def cluster_version_has_masking_permissions(self):
+        return self.cluster.version() >= LooseVersion('5.0')
+
+    def data_resource_creator_permissions(self, creator, resource):
+        """
+        Assemble a list of all permissions needed to create data on a given resource
+        @param creator User who needs permissions
+        @param resource The resource to grant permissions on
+        @return A list of permissions for creator on resource
+        """
+        permissions = []
+        for perm in 'SELECT', 'MODIFY', 'ALTER', 'DROP', 'AUTHORIZE':
+            permissions.append((creator, resource, perm))
+
+        if self.cluster_version_has_masking_permissions():
+            permissions.append((creator, resource, 'UNMASK'))
+            permissions.append((creator, resource, 'SELECT_MASKED'))
+
+        if resource.startswith("<keyspace "):
+            permissions.append((creator, resource, 'CREATE'))
+            keyspace = resource[10:-1]
+            # also grant the creator of a ks perms on functions in that ks
+            for perm in 'CREATE', 'ALTER', 'DROP', 'AUTHORIZE', 'EXECUTE':
+                permissions.append((creator, '<all functions in %s>' % keyspace, perm))
+        return permissions
+
 
 class TestAuth(AbstractTestAuth):
 
@@ -947,9 +973,9 @@ def test_list_permissions(self):
 
         # CASSANDRA-7216 automatically grants permissions on a role to its creator
         if self.cluster.cassandra_version() >= '2.2.0':
-            all_permissions.extend(data_resource_creator_permissions('cassandra', '<keyspace ks>'))
-            all_permissions.extend(data_resource_creator_permissions('cassandra', '<table ks.cf>'))
-            all_permissions.extend(data_resource_creator_permissions('cassandra', '<table ks.cf2>'))
+            all_permissions.extend(self.data_resource_creator_permissions('cassandra', '<keyspace ks>'))
+            all_permissions.extend(self.data_resource_creator_permissions('cassandra', '<table ks.cf>'))
+            all_permissions.extend(self.data_resource_creator_permissions('cassandra', '<table ks.cf2>'))
             all_permissions.extend(self.role_creator_permissions('cassandra', '<role bob>'))
             all_permissions.extend(self.role_creator_permissions('cassandra', '<role cathy>'))
 
@@ -962,7 +988,7 @@ def test_list_permissions(self):
 
         expected_permissions = [('cathy', '<table ks.cf>', 'MODIFY'), ('bob', '<table ks.cf>', 'DROP')]
         if self.cluster.cassandra_version() >= '2.2.0':
-            expected_permissions.extend(data_resource_creator_permissions('cassandra', '<table ks.cf>'))
+            expected_permissions.extend(self.data_resource_creator_permissions('cassandra', '<table ks.cf>'))
         self.assertPermissionsListed(expected_permissions, cassandra, "LIST ALL PERMISSIONS ON ks.cf NORECURSIVE")
 
         expected_permissions = [('cathy', '<table ks.cf2>', 'SELECT')]
@@ -1136,25 +1162,6 @@ def assertPermissionsListed(self, expected, session, query):
         assert sorted(expected) == sorted(perms)
 
 
-def data_resource_creator_permissions(creator, resource):
-    """
-    Assemble a list of all permissions needed to create data on a given resource
-    @param creator User who needs permissions
-    @param resource The resource to grant permissions on
-    @return A list of permissions for creator on resource
-    """
-    permissions = []
-    for perm in 'SELECT', 'MODIFY', 'ALTER', 'DROP', 'AUTHORIZE':
-        permissions.append((creator, resource, perm))
-    if resource.startswith("<keyspace "):
-        permissions.append((creator, resource, 'CREATE'))
-        keyspace = resource[10:-1]
-        # also grant the creator of a ks perms on functions in that ks
-        for perm in 'CREATE', 'ALTER', 'DROP', 'AUTHORIZE', 'EXECUTE':
-            permissions.append((creator, '<all functions in %s>' % keyspace, perm))
-    return permissions
-
-
 @since('2.2')
 class TestAuthRoles(AbstractTestAuth):
 
@@ -1385,8 +1392,8 @@ def test_creator_of_db_resource_granted_all_permissions(self):
         mike_permissions = [('mike', '<all roles>', 'CREATE'),
                             ('mike', '<all keyspaces>', 'CREATE')]
         mike_permissions.extend(self.role_creator_permissions('mike', '<role role1>'))
-        mike_permissions.extend(data_resource_creator_permissions('mike', '<keyspace ks>'))
-        mike_permissions.extend(data_resource_creator_permissions('mike', '<table ks.cf>'))
+        mike_permissions.extend(self.data_resource_creator_permissions('mike', '<keyspace ks>'))
+        mike_permissions.extend(self.data_resource_creator_permissions('mike', '<table ks.cf>'))
         mike_permissions.extend(function_resource_creator_permissions('mike', '<function ks.state_function_1(int, int)>'))
         mike_permissions.extend(function_resource_creator_permissions('mike', '<function ks.simple_aggregate_1(int)>'))
 
@@ -1671,23 +1678,31 @@ def test_filter_granted_permissions_by_resource_type(self):
 
         # GRANT ALL ON KEYSPACE grants Permission.ALL_DATA
         self.superuser.execute("GRANT ALL ON KEYSPACE ks TO mike")
-        self.assert_permissions_listed([("mike", "<keyspace ks>", "CREATE"),
-                                        ("mike", "<keyspace ks>", "ALTER"),
-                                        ("mike", "<keyspace ks>", "DROP"),
-                                        ("mike", "<keyspace ks>", "SELECT"),
-                                        ("mike", "<keyspace ks>", "MODIFY"),
-                                        ("mike", "<keyspace ks>", "AUTHORIZE")],
+        permissions = [("mike", "<keyspace ks>", "CREATE"),
+                       ("mike", "<keyspace ks>", "ALTER"),
+                       ("mike", "<keyspace ks>", "DROP"),
+                       ("mike", "<keyspace ks>", "SELECT"),
+                       ("mike", "<keyspace ks>", "MODIFY"),
+                       ("mike", "<keyspace ks>", "AUTHORIZE")]
+        if self.cluster_version_has_masking_permissions():
+            permissions.append(("mike", "<keyspace ks>", "UNMASK"))
+            permissions.append(("mike", "<keyspace ks>", "SELECT_MASKED"))
+        self.assert_permissions_listed(permissions,
                                        self.superuser,
                                        "LIST ALL PERMISSIONS OF mike")
         self.superuser.execute("REVOKE ALL ON KEYSPACE ks FROM mike")
 
         # GRANT ALL ON TABLE does not include CREATE (because the table must already be created before the GRANT)
         self.superuser.execute("GRANT ALL ON ks.cf TO MIKE")
-        self.assert_permissions_listed([("mike", "<table ks.cf>", "ALTER"),
-                                        ("mike", "<table ks.cf>", "DROP"),
-                                        ("mike", "<table ks.cf>", "SELECT"),
-                                        ("mike", "<table ks.cf>", "MODIFY"),
-                                        ("mike", "<table ks.cf>", "AUTHORIZE")],
+        permissions = [("mike", "<table ks.cf>", "ALTER"),
+                       ("mike", "<table ks.cf>", "DROP"),
+                       ("mike", "<table ks.cf>", "SELECT"),
+                       ("mike", "<table ks.cf>", "MODIFY"),
+                       ("mike", "<table ks.cf>", "AUTHORIZE")]
+        if self.cluster_version_has_masking_permissions():
+            permissions.append(("mike", "<table ks.cf>", "UNMASK"))
+            permissions.append(("mike", "<table ks.cf>", "SELECT_MASKED"))
+        self.assert_permissions_listed(permissions,
                                        self.superuser,
                                        "LIST ALL PERMISSIONS OF mike")
         self.superuser.execute("REVOKE ALL ON ks.cf FROM mike")
@@ -1788,8 +1803,8 @@ def test_list_permissions(self):
                                 ("role1", "<table ks.cf>", "SELECT"),
                                 ("role2", "<table ks.cf>", "ALTER"),
                                 ("role2", "<role role1>", "ALTER")]
-        expected_permissions.extend(data_resource_creator_permissions('cassandra', '<keyspace ks>'))
-        expected_permissions.extend(data_resource_creator_permissions('cassandra', '<table ks.cf>'))
+        expected_permissions.extend(self.data_resource_creator_permissions('cassandra', '<keyspace ks>'))
+        expected_permissions.extend(self.data_resource_creator_permissions('cassandra', '<table ks.cf>'))
         expected_permissions.extend(self.role_creator_permissions('cassandra', '<role mike>'))
         expected_permissions.extend(self.role_creator_permissions('cassandra', '<role role1>'))
         expected_permissions.extend(self.role_creator_permissions('cassandra', '<role role2>'))

cqlsh_tests/test_cqlsh.py

@@ -783,7 +783,21 @@ def test_list_queries(self):
 (2 rows)
 """)
 
-        if self.cluster.version() >= LooseVersion('2.2'):
+        if self.cluster.version() >= LooseVersion('5.0'):
+            self.verify_output("LIST ALL PERMISSIONS OF user1", node1, """
+ role  | username | resource      | permission
+-------+----------+---------------+---------------
+ user1 |    user1 | <table ks.t1> |         ALTER
+ user1 |    user1 | <table ks.t1> |          DROP
+ user1 |    user1 | <table ks.t1> |        SELECT
+ user1 |    user1 | <table ks.t1> |        MODIFY
+ user1 |    user1 | <table ks.t1> |     AUTHORIZE
+ user1 |    user1 | <table ks.t1> |        UNMASK
+ user1 |    user1 | <table ks.t1> | SELECT_MASKED
+
+(7 rows)
+""")
+        elif self.cluster.version() >= LooseVersion('2.2'):
             self.verify_output("LIST ALL PERMISSIONS OF user1", node1, """
  role  | username | resource      | permission
 -------+----------+---------------+------------