Class CassandraRoleManager

  • All Implemented Interfaces:
    IRoleManager

    public class CassandraRoleManager
    extends java.lang.Object
    implements IRoleManager
    Responsible for the creation, maintenance and deletion of roles for the purposes of authentication and authorization. Role data is stored internally, using the roles and role_members tables in the system_auth keyspace. Additionally, if org.apache.cassandra.auth.PasswordAuthenticator is used, encrypted passwords are also stored in the system_auth.roles table.

    This coupling between the IAuthenticator and IRoleManager implementations exists because setting a role's password via CQL is done with a CREATE ROLE or ALTER ROLE statement, the processing of which is handled by IRoleManager. As IAuthenticator is concerned only with credentials checking and has no means to modify passwords, PasswordAuthenticator depends on CassandraRoleManager for those functions.

    Alternative IAuthenticator implementations may be used in conjunction with CassandraRoleManager, but WITH PASSWORD = 'password' will not be supported in CREATE/ALTER ROLE statements. Such a configuration could be implemented using a custom IRoleManager that extends CassandraRoleManager and which includes Option.PASSWORD in the Set<Option> returned from supportedOptions/alterableOptions. Any additional processing of the password itself (such as storing it in an alternative location) would be added in overridden createRole and alterRole implementations.
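
    A sketch of the custom IRoleManager described above, added here as an illustration and not taken from the Cassandra code base. The class name PasswordAwareRoleManager, the MIN_LENGTH value and the length check standing in for "additional processing" are assumptions; storing the password elsewhere would go at the same point.

```java
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

import org.apache.cassandra.auth.*;
import org.apache.cassandra.exceptions.InvalidRequestException;

// Hypothetical subclass: keeps WITH PASSWORD usable in CREATE/ALTER ROLE
// even when the configured IAuthenticator is not PasswordAuthenticator.
public class PasswordAwareRoleManager extends CassandraRoleManager
{
    private static final int MIN_LENGTH = 12; // assumed policy value

    @Override
    public Set<Option> supportedOptions() { return withPassword(super.supportedOptions()); }

    // Lets a non-superuser change their own password via ALTER ROLE.
    @Override
    public Set<Option> alterableOptions() { return withPassword(super.alterableOptions()); }

    @Override
    public void createRole(AuthenticatedUser performer, RoleResource role, RoleOptions options)
    {
        checkPassword(options);                      // additional processing first
        super.createRole(performer, role, options);  // then the normal write to system_auth.roles
    }

    @Override
    public void alterRole(AuthenticatedUser performer, RoleResource role, RoleOptions options)
    {
        checkPassword(options);
        super.alterRole(performer, role, options);
    }

    // Returns the parent's options plus PASSWORD; never null, per the interface contract.
    private static Set<Option> withPassword(Set<Option> base)
    {
        Set<Option> opts = EnumSet.of(Option.PASSWORD);
        opts.addAll(base);
        return Collections.unmodifiableSet(opts);
    }

    // Rejects the statement before anything is persisted. The password is
    // only inspected here; it is never logged or copied.
    private static void checkPassword(RoleOptions options)
    {
        String pw = options.getPassword().orElse(null);
        if (pw != null && pw.length() < MIN_LENGTH)
            throw new InvalidRequestException("Password must be at least " + MIN_LENGTH + " characters");
    }
}
```

    The class would be selected with the role_manager setting in cassandra.yaml, using its fully qualified name.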
    • Field Detail

      • GENSALT_LOG2_ROUNDS_PROPERTY

        public static final java.lang.String GENSALT_LOG2_ROUNDS_PROPERTY
        See Also:
        Constant Field Values
    • Constructor Detail

      • CassandraRoleManager

        public CassandraRoleManager()
    • Method Detail

      • setup

        public void setup()
        Description copied from interface: IRoleManager
        Hook to perform implementation specific initialization, called once upon system startup. For example, use this method to create any required keyspaces/column families.
        Specified by:
        setup in interface IRoleManager
      • supportedOptions

        public java.util.Set<IRoleManager.Option> supportedOptions()
        Description copied from interface: IRoleManager
        Set of options supported by CREATE ROLE and ALTER ROLE queries. Should never return null - always return an empty set instead.
        Specified by:
        supportedOptions in interface IRoleManager
      • alterableOptions

        public java.util.Set<IRoleManager.Option> alterableOptions()
        Description copied from interface: IRoleManager
        Subset of supportedOptions that users are allowed to alter when performing ALTER ROLE [themselves]. Should never return null - always return an empty set instead.
        Specified by:
        alterableOptions in interface IRoleManager
      • alterRole

        public void alterRole(AuthenticatedUser performer,
                              RoleResource role,
                              RoleOptions options)
        Description copied from interface: IRoleManager
        Called during execution of ALTER ROLE statement. options are always guaranteed to be a subset of supportedOptions(). Furthermore, if the actor performing the query is not a superuser and is altering themself, then options are guaranteed to be a subset of alterableOptions(). Keep the body of the method blank if your implementation doesn't support modification of any options.
        Specified by:
        alterRole in interface IRoleManager
        Parameters:
        performer - User issuing the alter role statement.
        role - Role that will be altered.
        options - Options to alter.
      • getRoleDetails

        public java.util.Set<Role> getRoleDetails(RoleResource grantee)
        Description copied from interface: IRoleManager
        Used to retrieve detailed role info on the full set of roles granted to a grantee. This method was not part of the V1 IRoleManager API, so a default impl is supplied which uses the V1 methods to retrieve the detailed role info for the grantee. This is essentially what clients of this interface would have to do themselves. Implementations can provide optimized versions of this method where the details can be retrieved more efficiently.
        Specified by:
        getRoleDetails in interface IRoleManager
        Parameters:
        grantee - identifies the role whose granted roles are retrieved
        Returns:
        A set of Role objects detailing the roles granted to the grantee, either directly or through inheritance.
      • isSuper

        public boolean isSuper(RoleResource role)
        Description copied from interface: IRoleManager
        Return true if there exists a Role with the given name that also has superuser status. Superuser status may be inherited from another granted role, so this method should return true if either the named Role, or any other Role it is transitively granted has superuser status.
        Specified by:
        isSuper in interface IRoleManager
        Parameters:
        role - Role whose superuser status to verify
        Returns:
        true if the role exists and has superuser status, either directly or transitively, otherwise false.
      • canLogin

        public boolean canLogin(RoleResource role)
        Description copied from interface: IRoleManager
        Return true if there exists a Role with the given name which has login privileges. Such privileges are not inherited from other granted Roles and so must be directly granted to the named Role with the LOGIN option of CREATE ROLE or ALTER ROLE.
        Specified by:
        canLogin in interface IRoleManager
        Parameters:
        role - Role whose login privileges to verify
        Returns:
        true if the role exists and is permitted to login, otherwise false
      • getCustomOptions

        public java.util.Map<java.lang.String,java.lang.String> getCustomOptions(RoleResource role)
        Description copied from interface: IRoleManager
        Where an implementation supports OPTIONS in CREATE and ALTER operations this method should return the Map<String, String> representing the custom options associated with the role, as supplied to CREATE or ALTER. It should never return null; if the implementation does not support OPTIONS or if none were supplied then it should return an empty map.
        Specified by:
        getCustomOptions in interface IRoleManager
        Parameters:
        role - Role whose custom options are required
        Returns:
        Key/Value pairs representing the custom options for the Role
      • isExistingRole

        public boolean isExistingRole(RoleResource role)
        Description copied from interface: IRoleManager
        Return true if a Role with the given name exists in the system.
        Specified by:
        isExistingRole in interface IRoleManager
        Parameters:
        role - Role whose existence to verify
        Returns:
        true if the name identifies an extant Role in the system, otherwise false
      • protectedResources

        public java.util.Set<? extends IResource> protectedResources()
        Description copied from interface: IRoleManager
        Set of resources that should be made inaccessible to users and only accessible internally.
        Specified by:
        protectedResources in interface IRoleManager
        Returns:
        Keyspaces and column families that will be unmodifiable by users; other resources.
      • scheduleSetupTask

        protected void scheduleSetupTask(java.util.concurrent.Callable<java.lang.Void> setupTask)
      • consistencyForRole

        protected static ConsistencyLevel consistencyForRole(java.lang.String role)