From ea30627b2ee5f67cf2ca2afff4a0c0b492683baf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andre=CC=81s=20de=20la=20Pen=CC=83a?= Date: Tue, 31 Jan 2023 15:44:32 +0000 Subject: [PATCH] Update auth tests for UNMASK and SELECT_MASKED permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit patch by Andrés de la Peña; reviewed by Benjamin Lerer and Berenguer Blasi for CASSANDRA-17940 --- auth_test.py | 91 +++++++++++++++++++++++---------------- cqlsh_tests/test_cqlsh.py | 16 ++++++- 2 files changed, 68 insertions(+), 39 deletions(-) diff --git a/auth_test.py b/auth_test.py index 3d1aa10c0c..ea1ad31aef 100644 --- a/auth_test.py +++ b/auth_test.py @@ -34,6 +34,32 @@ def role_creator_permissions(self, creator, role): permissions = ('ALTER', 'DROP', 'DESCRIBE') return [(creator, role, perm) for perm in permissions] + def cluster_version_has_masking_permissions(self): + return self.cluster.version() >= LooseVersion('5.0') + + def data_resource_creator_permissions(self, creator, resource): + """ + Assemble a list of all permissions needed to create data on a given resource + @param creator User who needs permissions + @param resource The resource to grant permissions on + @return A list of permissions for creator on resource + """ + permissions = [] + for perm in 'SELECT', 'MODIFY', 'ALTER', 'DROP', 'AUTHORIZE': + permissions.append((creator, resource, perm)) + + if self.cluster_version_has_masking_permissions(): + permissions.append((creator, resource, 'UNMASK')) + permissions.append((creator, resource, 'SELECT_MASKED')) + + if resource.startswith("' % keyspace, perm)) + return permissions + class TestAuth(AbstractTestAuth): 
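Review bot: The new `cluster_version_has_masking_permissions` gates on `self.cluster.version() >= LooseVersion('5.0')`, while the callers in the test_list_permissions hunks below gate on `self.cluster.cassandra_version() >= '2.2.0'`; unless both accessors are guaranteed to agree, use one of them for both checks so the 2.2 and 5.0 gates cannot disagree on the same cluster, and note that the hunk adds no import for `LooseVersion`, so it must already be in scope in auth_test.py. The docstring carried over from the module-level function still says "permissions needed to create data on a given resource", but every caller treats the list as the permissions automatically granted to the creator, and it does not mention the version-dependent entries; I would add `On 5.0+ clusters the list also contains UNMASK and SELECT_MASKED, which the creator receives implicitly.` The masking entries are appended only for `resource` itself; the keyspace branch starting at `if resource.startswith(` is not legible in this view of the hunk, so if it appends further tuples, confirm that they need no masking entries. The enclosing class starts before this hunk.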
@@ -947,9 +973,9 @@ def test_list_permissions(self): # CASSANDRA-7216 automatically grants permissions on a role to its creator if self.cluster.cassandra_version() >= '2.2.0': - all_permissions.extend(data_resource_creator_permissions('cassandra', '')) - all_permissions.extend(data_resource_creator_permissions('cassandra', '')) - all_permissions.extend(data_resource_creator_permissions('cassandra', '
')) + all_permissions.extend(self.data_resource_creator_permissions('cassandra', '')) + all_permissions.extend(self.data_resource_creator_permissions('cassandra', '
')) + all_permissions.extend(self.data_resource_creator_permissions('cassandra', '
')) all_permissions.extend(self.role_creator_permissions('cassandra', '')) all_permissions.extend(self.role_creator_permissions('cassandra', '')) @@ -962,7 +988,7 @@ def test_list_permissions(self): expected_permissions = [('cathy', '
', 'MODIFY'), ('bob', '
', 'DROP')] if self.cluster.cassandra_version() >= '2.2.0': - expected_permissions.extend(data_resource_creator_permissions('cassandra', '
')) + expected_permissions.extend(self.data_resource_creator_permissions('cassandra', '
')) self.assertPermissionsListed(expected_permissions, cassandra, "LIST ALL PERMISSIONS ON ks.cf NORECURSIVE") expected_permissions = [('cathy', '
', 'SELECT')] @@ -1136,25 +1162,6 @@ def assertPermissionsListed(self, expected, session, query): assert sorted(expected) == sorted(perms) -def data_resource_creator_permissions(creator, resource): - """ - Assemble a list of all permissions needed to create data on a given resource - @param creator User who needs permissions - @param resource The resource to grant permissions on - @return A list of permissions for creator on resource - """ - permissions = [] - for perm in 'SELECT', 'MODIFY', 'ALTER', 'DROP', 'AUTHORIZE': - permissions.append((creator, resource, perm)) - if resource.startswith("' % keyspace, perm)) - return permissions - - @since('2.2') class TestAuthRoles(AbstractTestAuth): @@ -1385,8 +1392,8 @@ def test_creator_of_db_resource_granted_all_permissions(self): mike_permissions = [('mike', '', 'CREATE'), ('mike', '', 'CREATE')] mike_permissions.extend(self.role_creator_permissions('mike', '')) - mike_permissions.extend(data_resource_creator_permissions('mike', '')) - mike_permissions.extend(data_resource_creator_permissions('mike', '
')) + mike_permissions.extend(self.data_resource_creator_permissions('mike', '')) + mike_permissions.extend(self.data_resource_creator_permissions('mike', '
')) mike_permissions.extend(function_resource_creator_permissions('mike', '')) mike_permissions.extend(function_resource_creator_permissions('mike', '')) @@ -1671,23 +1678,31 @@ def test_filter_granted_permissions_by_resource_type(self): # GRANT ALL ON KEYSPACE grants Permission.ALL_DATA self.superuser.execute("GRANT ALL ON KEYSPACE ks TO mike") - self.assert_permissions_listed([("mike", "", "CREATE"), - ("mike", "", "ALTER"), - ("mike", "", "DROP"), - ("mike", "", "SELECT"), - ("mike", "", "MODIFY"), - ("mike", "", "AUTHORIZE")], + permissions = [("mike", "", "CREATE"), + ("mike", "", "ALTER"), + ("mike", "", "DROP"), + ("mike", "", "SELECT"), + ("mike", "", "MODIFY"), + ("mike", "", "AUTHORIZE")] + if self.cluster_version_has_masking_permissions(): + permissions.append(("mike", "", "UNMASK")) + permissions.append(("mike", "", "SELECT_MASKED")) + self.assert_permissions_listed(permissions, self.superuser, "LIST ALL PERMISSIONS OF mike") self.superuser.execute("REVOKE ALL ON KEYSPACE ks FROM mike") # GRANT ALL ON TABLE does not include CREATE (because the table must already be created before the GRANT) self.superuser.execute("GRANT ALL ON ks.cf TO MIKE") - self.assert_permissions_listed([("mike", "
", "ALTER"), - ("mike", "
", "DROP"), - ("mike", "
", "SELECT"), - ("mike", "
", "MODIFY"), - ("mike", "
", "AUTHORIZE")], + permissions = [("mike", "
", "ALTER"), + ("mike", "
", "DROP"), + ("mike", "
", "SELECT"), + ("mike", "
", "MODIFY"), + ("mike", "
", "AUTHORIZE")] + if self.cluster_version_has_masking_permissions(): + permissions.append(("mike", "
", "UNMASK")) + permissions.append(("mike", "
", "SELECT_MASKED")) + self.assert_permissions_listed(permissions, self.superuser, "LIST ALL PERMISSIONS OF mike") self.superuser.execute("REVOKE ALL ON ks.cf FROM mike") @@ -1788,8 +1803,8 @@ def test_list_permissions(self): ("role1", "
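Review bot: The block `if self.cluster_version_has_masking_permissions():` followed by the two `permissions.append(("mike", …, "UNMASK"))` / `"SELECT_MASKED"` lines appears twice in this hunk and a third time inside data_resource_creator_permissions; a helper on AbstractTestAuth such as `def masking_permissions(self, role, resource): return [(role, resource, p) for p in ('UNMASK', 'SELECT_MASKED')] if self.cluster_version_has_masking_permissions() else []`, used as `permissions.extend(self.masking_permissions("mike", resource))`, would keep the three copies from drifting when another masking permission is added. The existing comment `# GRANT ALL ON KEYSPACE grants Permission.ALL_DATA` should also state what the expectation now pins, e.g. `# on 5.0+ ALL_DATA additionally covers UNMASK and SELECT_MASKED`, since the widened set of permissions handed out by GRANT ALL is the behaviour change this test documents. test_filter_granted_permissions_by_resource_type starts before this hunk and continues after it.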
", "SELECT"), ("role2", "
", "ALTER"), ("role2", "", "ALTER")] - expected_permissions.extend(data_resource_creator_permissions('cassandra', '')) - expected_permissions.extend(data_resource_creator_permissions('cassandra', '
')) + expected_permissions.extend(self.data_resource_creator_permissions('cassandra', '')) + expected_permissions.extend(self.data_resource_creator_permissions('cassandra', '
')) expected_permissions.extend(self.role_creator_permissions('cassandra', '')) expected_permissions.extend(self.role_creator_permissions('cassandra', '')) expected_permissions.extend(self.role_creator_permissions('cassandra', '')) diff --git a/cqlsh_tests/test_cqlsh.py b/cqlsh_tests/test_cqlsh.py index 1f5c37674d..dd59ee0807 100644 --- a/cqlsh_tests/test_cqlsh.py +++ b/cqlsh_tests/test_cqlsh.py @@ -783,7 +783,21 @@ def test_list_queries(self): (2 rows) """) - if self.cluster.version() >= LooseVersion('2.2'): + if self.cluster.version() >= LooseVersion('5.0'): + self.verify_output("LIST ALL PERMISSIONS OF user1", node1, """ + role | username | resource | permission +-------+----------+---------------+--------------- + user1 | user1 |
| ALTER + user1 | user1 |
| DROP + user1 | user1 |
| SELECT + user1 | user1 |
| MODIFY + user1 | user1 |
| AUTHORIZE + user1 | user1 |
| UNMASK + user1 | user1 |
| SELECT_MASKED + +(7 rows) +""") + elif self.cluster.version() >= LooseVersion('2.2'): self.verify_output("LIST ALL PERMISSIONS OF user1", node1, """ role | username | resource | permission -------+----------+---------------+------------