/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.cassandra.service;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.cassandra.auth.Action;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.Permission;
import org.apache.cassandra.auth.Resources;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.thrift.AuthenticationException;
import org.apache.cassandra.thrift.InvalidRequestException;
/**
* A container for per-client, thread-local state that Avro/Thrift threads must hold.
* TODO: Kill thrift exceptions
*/
public class ClientState
{
private static Logger logger = LoggerFactory.getLogger(ClientState.class);
// Current user for the session
private AuthenticatedUser user;
private String keyspace;
// Only for internal usage
private String qualifiedKeyspace;
private String prefix;
// Reusable array for authorization
private final List<Object> resource = new ArrayList<Object>();
/**
* Construct a new, empty ClientState: can be reused after logout() or reset().
*/
public ClientState()
{
reset();
}
public String getKeyspace()
{
return keyspace;
}
public void setKeyspace(String ks)
{
keyspace = ks;
setQualifiedKeyspace();
}
public String getSchedulingValue()
{
switch(DatabaseDescriptor.getRequestSchedulerId())
{
case keyspace: return keyspace;
}
return "default";
}
/**
* Attempts to login this client with the given credentials map.
*/
public void login(Map<? extends CharSequence,? extends CharSequence> credentials) throws AuthenticationException
{
AuthenticatedUser user = DatabaseDescriptor.getAuthenticator().authenticate(credentials);
if (logger.isDebugEnabled())
logger.debug("logged in: {}", user);
this.user = user;
setQualifiedKeyspace();
}
public void logout()
{
if (logger.isDebugEnabled())
logger.debug("logged out: {}", user);
reset();
}
private void resourceClear()
{
resource.clear();
resource.add(Resources.ROOT);
resource.add(Resources.KEYSPACES);
}
public void reset()
{
user = DatabaseDescriptor.getAuthenticator().defaultUser();
keyspace = null;
qualifiedKeyspace = null;
prefix = null;
resourceClear();
}
/**
* Confirms that the client thread has the given Permission for the Keyspace list.
*/
public void hasKeyspaceListAccess(Permission perm, Action action) throws InvalidRequestException
{
validateLogin();
resourceClear();
Set<Permission> perms = DatabaseDescriptor.getAuthority().authorize(user, resource, action);
hasAccess(user, perms, perm, resource);
}
/**
* Confirms that the client thread has the given Permission for the ColumnFamily list of
* the current keyspace.
*/
public void hasColumnFamilyListAccess(Permission perm, Action action) throws InvalidRequestException
{
validateLogin();
validateKeyspace();
resourceClear();
resource.add(keyspace);
Set<Permission> perms = DatabaseDescriptor.getAuthority().authorize(user, resource, action);
hasAccess(user, perms, perm, resource);
}
/**
* Confirms that the client thread has the given Permission in the context of the given
* ColumnFamily and the current keyspace.
*/
public void hasColumnFamilyAccess(String columnFamily, Permission perm, Action action) throws InvalidRequestException
{
validateLogin();
validateKeyspace();
resourceClear();
resource.add(keyspace);
resource.add(columnFamily);
Set<Permission> perms = DatabaseDescriptor.getAuthority().authorize(user, resource, action);
hasAccess(user, perms, perm, resource);
}
/**
* Returns the keyspace to be used for further Cassandra's operations
* If the current user has a keyspace qualified by his or her domain name, returns it. O.w. returns the original keyspace
*
* @return <String> the resolved keyspace name
*/
public String getResolvedKeyspace() {
return qualifiedKeyspace == null ? keyspace : qualifiedKeyspace;
}
/**
* Returns the keyspace's name to be used by internal Cassandra's operations
* The given keyspace's name is modified appropriately by prefixing it with the user's domain name to the keyspace
*
* @param keyspaceTobeResolved the original keyspace's name given by the client application
* @return <String> the resolved keyspace name
*/
public String resolveKeyspace(String keyspaceTobeResolved) {
return (prefix == null || keyspaceTobeResolved.startsWith(prefix)) ? keyspaceTobeResolved : (prefix + keyspaceTobeResolved);
}
/**
* Remove the domain name from the keyspace name if there is one
*
* @param keyspaceWithDomainName keyspace name with domain name attach
* @return the resolved keyspace name
*/
public String getDomainNameLessKeyspace(String keyspaceWithDomainName) {
return (prefix == null || !keyspaceWithDomainName.startsWith(prefix)) ? keyspaceWithDomainName :
keyspaceWithDomainName.substring(prefix.length());
}
private void validateLogin() throws InvalidRequestException
{
if (user == null)
throw new InvalidRequestException("You have not logged in");
}
private void validateKeyspace() throws InvalidRequestException
{
if (keyspace == null)
throw new InvalidRequestException("You have not set a keyspace for this session");
}
private static void hasAccess(AuthenticatedUser user, Set<Permission> perms, Permission perm, List<Object> resource) throws InvalidRequestException
{
if (perms.contains(perm))
return;
throw new InvalidRequestException(String.format("%s does not have permission %s for %s",
user,
perm,
Resources.toString(resource)));
}
private void setQualifiedKeyspace() {
if (user != null && user.domainName != null) {
if (prefix == null) {
prefix = user.domainName + "_";
prefix = prefix.replace(".", "_"); //TODO are there any other characters?
}
if (keyspace != null) {
qualifiedKeyspace = prefix + keyspace;
}
}
}
}