Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CASSANDRA-17940: CEP-20: Dynamic Data Masking #213

Open
wants to merge 1 commit into
base: trunk
Choose a base branch
from
Open

CASSANDRA-17940: CEP-20: Dynamic Data Masking #213

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
91 changes: 53 additions & 38 deletions auth_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,32 @@ def role_creator_permissions(self, creator, role):
permissions = ('ALTER', 'DROP', 'DESCRIBE')
return [(creator, role, perm) for perm in permissions]

def cluster_version_has_masking_permissions(self):
return self.cluster.version() >= LooseVersion('5.0')

def data_resource_creator_permissions(self, creator, resource):
"""
Assemble a list of all permissions needed to create data on a given resource
@param creator User who needs permissions
@param resource The resource to grant permissions on
@return A list of permissions for creator on resource
"""
permissions = []
for perm in 'SELECT', 'MODIFY', 'ALTER', 'DROP', 'AUTHORIZE':
permissions.append((creator, resource, perm))

if self.cluster_version_has_masking_permissions():
permissions.append((creator, resource, 'UNMASK'))
permissions.append((creator, resource, 'SELECT_MASKED'))

if resource.startswith("<keyspace "):
permissions.append((creator, resource, 'CREATE'))
keyspace = resource[10:-1]
# also grant the creator of a ks perms on functions in that ks
for perm in 'CREATE', 'ALTER', 'DROP', 'AUTHORIZE', 'EXECUTE':
permissions.append((creator, '<all functions in %s>' % keyspace, perm))
return permissions


class TestAuth(AbstractTestAuth):

Expand Down Expand Up @@ -947,9 +973,9 @@ def test_list_permissions(self):

# CASSANDRA-7216 automatically grants permissions on a role to its creator
if self.cluster.cassandra_version() >= '2.2.0':
all_permissions.extend(data_resource_creator_permissions('cassandra', '<keyspace ks>'))
all_permissions.extend(data_resource_creator_permissions('cassandra', '<table ks.cf>'))
all_permissions.extend(data_resource_creator_permissions('cassandra', '<table ks.cf2>'))
all_permissions.extend(self.data_resource_creator_permissions('cassandra', '<keyspace ks>'))
all_permissions.extend(self.data_resource_creator_permissions('cassandra', '<table ks.cf>'))
all_permissions.extend(self.data_resource_creator_permissions('cassandra', '<table ks.cf2>'))
all_permissions.extend(self.role_creator_permissions('cassandra', '<role bob>'))
all_permissions.extend(self.role_creator_permissions('cassandra', '<role cathy>'))

Expand All @@ -962,7 +988,7 @@ def test_list_permissions(self):

expected_permissions = [('cathy', '<table ks.cf>', 'MODIFY'), ('bob', '<table ks.cf>', 'DROP')]
if self.cluster.cassandra_version() >= '2.2.0':
expected_permissions.extend(data_resource_creator_permissions('cassandra', '<table ks.cf>'))
expected_permissions.extend(self.data_resource_creator_permissions('cassandra', '<table ks.cf>'))
self.assertPermissionsListed(expected_permissions, cassandra, "LIST ALL PERMISSIONS ON ks.cf NORECURSIVE")

expected_permissions = [('cathy', '<table ks.cf2>', 'SELECT')]
Expand Down Expand Up @@ -1136,25 +1162,6 @@ def assertPermissionsListed(self, expected, session, query):
assert sorted(expected) == sorted(perms)


def data_resource_creator_permissions(creator, resource):
"""
Assemble a list of all permissions needed to create data on a given resource
@param creator User who needs permissions
@param resource The resource to grant permissions on
@return A list of permissions for creator on resource
"""
permissions = []
for perm in 'SELECT', 'MODIFY', 'ALTER', 'DROP', 'AUTHORIZE':
permissions.append((creator, resource, perm))
if resource.startswith("<keyspace "):
permissions.append((creator, resource, 'CREATE'))
keyspace = resource[10:-1]
# also grant the creator of a ks perms on functions in that ks
for perm in 'CREATE', 'ALTER', 'DROP', 'AUTHORIZE', 'EXECUTE':
permissions.append((creator, '<all functions in %s>' % keyspace, perm))
return permissions


@since('2.2')
class TestAuthRoles(AbstractTestAuth):

Expand Down Expand Up @@ -1385,8 +1392,8 @@ def test_creator_of_db_resource_granted_all_permissions(self):
mike_permissions = [('mike', '<all roles>', 'CREATE'),
('mike', '<all keyspaces>', 'CREATE')]
mike_permissions.extend(self.role_creator_permissions('mike', '<role role1>'))
mike_permissions.extend(data_resource_creator_permissions('mike', '<keyspace ks>'))
mike_permissions.extend(data_resource_creator_permissions('mike', '<table ks.cf>'))
mike_permissions.extend(self.data_resource_creator_permissions('mike', '<keyspace ks>'))
mike_permissions.extend(self.data_resource_creator_permissions('mike', '<table ks.cf>'))
mike_permissions.extend(function_resource_creator_permissions('mike', '<function ks.state_function_1(int, int)>'))
mike_permissions.extend(function_resource_creator_permissions('mike', '<function ks.simple_aggregate_1(int)>'))

Expand Down Expand Up @@ -1671,23 +1678,31 @@ def test_filter_granted_permissions_by_resource_type(self):

# GRANT ALL ON KEYSPACE grants Permission.ALL_DATA
self.superuser.execute("GRANT ALL ON KEYSPACE ks TO mike")
self.assert_permissions_listed([("mike", "<keyspace ks>", "CREATE"),
("mike", "<keyspace ks>", "ALTER"),
("mike", "<keyspace ks>", "DROP"),
("mike", "<keyspace ks>", "SELECT"),
("mike", "<keyspace ks>", "MODIFY"),
("mike", "<keyspace ks>", "AUTHORIZE")],
permissions = [("mike", "<keyspace ks>", "CREATE"),
("mike", "<keyspace ks>", "ALTER"),
("mike", "<keyspace ks>", "DROP"),
("mike", "<keyspace ks>", "SELECT"),
("mike", "<keyspace ks>", "MODIFY"),
("mike", "<keyspace ks>", "AUTHORIZE")]
if self.cluster_version_has_masking_permissions():
permissions.append(("mike", "<keyspace ks>", "UNMASK"))
permissions.append(("mike", "<keyspace ks>", "SELECT_MASKED"))
self.assert_permissions_listed(permissions,
self.superuser,
"LIST ALL PERMISSIONS OF mike")
self.superuser.execute("REVOKE ALL ON KEYSPACE ks FROM mike")

# GRANT ALL ON TABLE does not include CREATE (because the table must already be created before the GRANT)
self.superuser.execute("GRANT ALL ON ks.cf TO MIKE")
self.assert_permissions_listed([("mike", "<table ks.cf>", "ALTER"),
("mike", "<table ks.cf>", "DROP"),
("mike", "<table ks.cf>", "SELECT"),
("mike", "<table ks.cf>", "MODIFY"),
("mike", "<table ks.cf>", "AUTHORIZE")],
permissions = [("mike", "<table ks.cf>", "ALTER"),
("mike", "<table ks.cf>", "DROP"),
("mike", "<table ks.cf>", "SELECT"),
("mike", "<table ks.cf>", "MODIFY"),
("mike", "<table ks.cf>", "AUTHORIZE")]
if self.cluster_version_has_masking_permissions():
permissions.append(("mike", "<table ks.cf>", "UNMASK"))
permissions.append(("mike", "<table ks.cf>", "SELECT_MASKED"))
self.assert_permissions_listed(permissions,
self.superuser,
"LIST ALL PERMISSIONS OF mike")
self.superuser.execute("REVOKE ALL ON ks.cf FROM mike")
Expand Down Expand Up @@ -1788,8 +1803,8 @@ def test_list_permissions(self):
("role1", "<table ks.cf>", "SELECT"),
("role2", "<table ks.cf>", "ALTER"),
("role2", "<role role1>", "ALTER")]
expected_permissions.extend(data_resource_creator_permissions('cassandra', '<keyspace ks>'))
expected_permissions.extend(data_resource_creator_permissions('cassandra', '<table ks.cf>'))
expected_permissions.extend(self.data_resource_creator_permissions('cassandra', '<keyspace ks>'))
expected_permissions.extend(self.data_resource_creator_permissions('cassandra', '<table ks.cf>'))
expected_permissions.extend(self.role_creator_permissions('cassandra', '<role mike>'))
expected_permissions.extend(self.role_creator_permissions('cassandra', '<role role1>'))
expected_permissions.extend(self.role_creator_permissions('cassandra', '<role role2>'))
Expand Down
16 changes: 15 additions & 1 deletion cqlsh_tests/test_cqlsh.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -783,7 +783,21 @@ def test_list_queries(self):
(2 rows)
""")

if self.cluster.version() >= LooseVersion('2.2'):
if self.cluster.version() >= LooseVersion('5.0'):
self.verify_output("LIST ALL PERMISSIONS OF user1", node1, """
role | username | resource | permission
-------+----------+---------------+---------------
user1 | user1 | <table ks.t1> | ALTER
user1 | user1 | <table ks.t1> | DROP
user1 | user1 | <table ks.t1> | SELECT
user1 | user1 | <table ks.t1> | MODIFY
user1 | user1 | <table ks.t1> | AUTHORIZE
user1 | user1 | <table ks.t1> | UNMASK
user1 | user1 | <table ks.t1> | SELECT_MASKED

(7 rows)
""")
elif self.cluster.version() >= LooseVersion('2.2'):
self.verify_output("LIST ALL PERMISSIONS OF user1", node1, """
role | username | resource | permission
-------+----------+---------------+------------
Expand Down