org.apache.cassandra.auth.AuthenticatedUser Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of cassandra-all Show documentation
Show all versions of cassandra-all Show documentation
The Apache Cassandra Project develops a highly scalable second-generation distributed database, bringing together Dynamo's fully distributed design and Bigtable's ColumnFamily-based data model.
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.cassandra.auth;
import java.util.Set;
import com.google.common.base.Objects;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.dht.Datacenters;
/**
* Returned from IAuthenticator#authenticate(), represents an authenticated user everywhere internally.
*
* Holds the name of the user and the roles that have been granted to the user. The roles will be cached
* for roles_validity_in_ms.
*/
public class AuthenticatedUser
{
public static final String SYSTEM_USERNAME = "system";
public static final AuthenticatedUser SYSTEM_USER = new AuthenticatedUser(SYSTEM_USERNAME);
public static final String ANONYMOUS_USERNAME = "anonymous";
public static final AuthenticatedUser ANONYMOUS_USER = new AuthenticatedUser(ANONYMOUS_USERNAME);
// User-level permissions cache.
private static final PermissionsCache permissionsCache = new PermissionsCache(DatabaseDescriptor.getAuthorizer());
private static final NetworkAuthCache networkAuthCache = new NetworkAuthCache(DatabaseDescriptor.getNetworkAuthorizer());
private final String name;
// primary Role of the logged in user
private final RoleResource role;
public AuthenticatedUser(String name)
{
this.name = name;
this.role = RoleResource.role(name);
}
public String getName()
{
return name;
}
public RoleResource getPrimaryRole()
{
return role;
}
/**
* Checks the user's superuser status.
* Only a superuser is allowed to perform CREATE USER and DROP USER queries.
* Im most cased, though not necessarily, a superuser will have Permission.ALL on every resource
* (depends on IAuthorizer implementation).
*/
public boolean isSuper()
{
return !isAnonymous() && Roles.hasSuperuserStatus(role);
}
/**
* If IAuthenticator doesn't require authentication, this method may return true.
*/
public boolean isAnonymous()
{
return this == ANONYMOUS_USER;
}
/**
* Some internal operations are performed on behalf of Cassandra itself, in those cases
* the system user should be used where an identity is required
* see CreateRoleStatement#execute() and overrides of AlterSchemaStatement#createdResources()
*/
public boolean isSystem()
{
return this == SYSTEM_USER;
}
/**
* Get the roles that have been granted to the user via the IRoleManager
*
* @return a set of identifiers for the roles that have been granted to the user
*/
public Set getRoles()
{
return Roles.getRoles(role);
}
/**
* Get the detailed info on roles granted to the user via IRoleManager
*
* @return a set of Role objects detailing the roles granted to the user
*/
public Set getRoleDetails()
{
return Roles.getRoleDetails(role);
}
public Set getPermissions(IResource resource)
{
return permissionsCache.getPermissions(this, resource);
}
/**
* Check whether this user has login privileges.
* LOGIN is not inherited from granted roles, so must be directly granted to the primary role for this user
*
* @return true if the user is permitted to login, false otherwise.
*/
public boolean canLogin()
{
return Roles.canLogin(getPrimaryRole());
}
/**
* Verify that there is not DC level restriction on this user accessing this node.
* Further extends the login privilege check by verifying that the primary role for this user is permitted
* to perform operations in the local (to this node) datacenter. Like LOGIN, this is not inherited from
* granted roles.
* @return true if the user is permitted to access nodes in this node's datacenter, false otherwise
*/
public boolean hasLocalAccess()
{
return networkAuthCache.get(this.getPrimaryRole()).canAccess(Datacenters.thisDatacenter());
}
@Override
public String toString()
{
return String.format("#", name);
}
@Override
public boolean equals(Object o)
{
if (this == o)
return true;
if (!(o instanceof AuthenticatedUser))
return false;
AuthenticatedUser u = (AuthenticatedUser) o;
return Objects.equal(name, u.name);
}
@Override
public int hashCode()
{
return Objects.hashCode(name);
}
}
© 2015 - 2024 Weber Informatics LLC | Privacy Policy