org.apache.cassandra.auth
Interface IAuthorizer

All Known Implementing Classes:
AllowAllAuthorizer, LegacyAuthorizer

public interface IAuthorizer

Primary Cassandra authorization interface.


Method Summary
 java.util.Set<Permission> authorize(AuthenticatedUser user, IResource resource)
          The primary IAuthorizer method.
 void grant(AuthenticatedUser performer, java.util.Set<Permission> permissions, IResource resource, java.lang.String to)
          Grants a set of permissions on a resource to a user.
 java.util.Set<PermissionDetails> list(AuthenticatedUser performer, java.util.Set<Permission> permissions, IResource resource, java.lang.String of)
          Returns a list of permissions on a resource of a user.
 java.util.Set<? extends IResource> protectedResources()
          Set of resources that should be made inaccessible to users and only accessible internally.
 void revoke(AuthenticatedUser performer, java.util.Set<Permission> permissions, IResource resource, java.lang.String from)
          Revokes a set of permissions on a resource from a user.
 void revokeAll(IResource droppedResource)
          This method is called after a resource is removed (i.e. keyspace or a table is dropped).
 void revokeAll(java.lang.String droppedUser)
          This method is called before deleting a user with DROP USER query so that a new user with the same name wouldn't inherit permissions of the deleted user in the future.
 void setup()
          Setup is called once upon system startup to initialize the IAuthorizer.
 void validateConfiguration()
          Validates configuration of IAuthorizer implementation (if configurable).
 

Method Detail

authorize

java.util.Set<Permission> authorize(AuthenticatedUser user,
                                    IResource resource)
The primary IAuthorizer method. Returns a set of permissions of a user on a resource.

Parameters:
user - Authenticated user requesting authorization.
resource - Resource for which the authorization is being requested. See DataResource.
Returns:
Set of permissions of the user on the resource. Should never return null. Use Permission.NONE instead.

grant

void grant(AuthenticatedUser performer,
           java.util.Set<Permission> permissions,
           IResource resource,
           java.lang.String to)
           throws UnauthorizedException,
                  InvalidRequestException
Grants a set of permissions on a resource to a user. The opposite of revoke().

Parameters:
performer - User who grants the permissions.
permissions - Set of permissions to grant.
to - Grantee of the permissions.
resource - Resource on which to grant the permissions.
Throws:
UnauthorizedException - if the granting user isn't allowed to grant (and revoke) the permissions on the resource.
InvalidRequestException - upon parameter misconfiguration or internal error.

revoke

void revoke(AuthenticatedUser performer,
            java.util.Set<Permission> permissions,
            IResource resource,
            java.lang.String from)
            throws UnauthorizedException,
                   InvalidRequestException
Revokes a set of permissions on a resource from a user. The opposite of grant().

Parameters:
performer - User who revokes the permissions.
permissions - Set of permissions to revoke.
from - Revokee of the permissions.
resource - Resource on which to revoke the permissions.
Throws:
UnauthorizedException - if the revoking user isn't allowed to revoke the permissions on the resource.
InvalidRequestException - upon parameter misconfiguration or internal error.

list

java.util.Set<PermissionDetails> list(AuthenticatedUser performer,
                                      java.util.Set<Permission> permissions,
                                      IResource resource,
                                      java.lang.String of)
                                      throws UnauthorizedException,
                                             InvalidRequestException
Returns a list of permissions on a resource of a user.

Parameters:
performer - User who wants to see the permissions.
permissions - Set of Permission values the user is interested in. The result should only include the matching ones.
resource - The resource on which permissions are requested. Can be null, in which case permissions on all resources should be returned.
of - The user whose permissions are requested. Can be null, in which case permissions of every user should be returned.
Returns:
All of the matching permissions that the requesting user is authorized to know about.
Throws:
UnauthorizedException - if the user isn't allowed to view the requested permissions.
InvalidRequestException - upon parameter misconfiguration or internal error.

revokeAll

void revokeAll(java.lang.String droppedUser)
This method is called before deleting a user with DROP USER query so that a new user with the same name wouldn't inherit permissions of the deleted user in the future.

Parameters:
droppedUser - The user to revoke all permissions from.

revokeAll

void revokeAll(IResource droppedResource)
This method is called after a resource is removed (i.e. keyspace or a table is dropped).

Parameters:
droppedResource - The resource to revoke all permissions on.
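
An added example, not part of the Cassandra source or this Javadoc: a simplified in-memory model of the contract described above, showing authorize returning an empty set rather than null and why both revokeAll hooks matter when grants are stored by name. Res, Perm, AuthorizerContractDemo and the sample resource name are stand-ins constructed here, not Cassandra classes; the record syntax assumes Java 16 or later.

```java
import java.util.*;

// Stand-in model of the contract: users are plain strings, Res and Perm replace
// Cassandra's IResource and Permission. Not the real classes.
public class AuthorizerContractDemo {
    enum Perm { SELECT, MODIFY }
    record Res(String name) {}

    // user name -> resource -> granted permissions
    private final Map<String, Map<Res, Set<Perm>>> grants = new HashMap<>();

    // Deny by default: an empty set (the Permission.NONE analogue), never null.
    Set<Perm> authorize(String user, Res resource) {
        Set<Perm> p = grants.getOrDefault(user, Map.of()).get(resource);
        return p == null ? EnumSet.noneOf(Perm.class) : EnumSet.copyOf(p);
    }

    void grant(Set<Perm> perms, Res resource, String to) {
        grants.computeIfAbsent(to, u -> new HashMap<>())
              .computeIfAbsent(resource, r -> EnumSet.noneOf(Perm.class))
              .addAll(perms);
    }

    // Hook run before DROP USER: forget every grant stored under this name.
    void revokeAll(String droppedUser) { grants.remove(droppedUser); }

    // Hook run after a keyspace or table is dropped: forget every grant on it.
    void revokeAll(Res droppedResource) {
        grants.values().forEach(m -> m.remove(droppedResource));
    }

    public static void main(String[] args) {
        AuthorizerContractDemo auth = new AuthorizerContractDemo();
        Res orders = new Res("data/ks1/orders");   // constructed sample resource
        auth.grant(EnumSet.of(Perm.SELECT, Perm.MODIFY), orders, "alice");
        System.out.println("alice: " + auth.authorize("alice", orders));
        System.out.println("bob (no grants): " + auth.authorize("bob", orders));
        // Grants are keyed by name, so dropping and re-creating "alice" without
        // the hook leaves the old grants in place for the new account.
        System.out.println("re-created alice, hook skipped: " + auth.authorize("alice", orders));
        auth.revokeAll("alice");
        System.out.println("re-created alice, hook run: " + auth.authorize("alice", orders));
        // Same for resources: a table re-created under a dropped name starts clean.
        auth.grant(EnumSet.of(Perm.SELECT), orders, "bob");
        auth.revokeAll(orders);
        System.out.println("bob after table drop: " + auth.authorize("bob", orders));
    }
}
```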

protectedResources

java.util.Set<? extends IResource> protectedResources()
Set of resources that should be made inaccessible to users and only accessible internally.

Returns:
Keyspaces, column families that will be unreadable and unmodifiable by users; other resources.

validateConfiguration

void validateConfiguration()
                           throws ConfigurationException
Validates configuration of IAuthorizer implementation (if configurable).

Throws:
ConfigurationException - when there is a configuration error.

setup

void setup()
Setup is called once upon system startup to initialize the IAuthorizer. For example, use this method to create any required keyspaces/column families.



Copyright © 2013 The Apache Software Foundation