Interface IRoleManager

    • Nested Class Summary

      Nested Classes 
      Modifier and Type Interface Description
      static class  IRoleManager.Option
      Supported options for CREATE ROLE/ALTER ROLE (and CREATE USER/ALTER USER, which are aliases provided for backwards compatibility).
    • Method Summary

      Modifier and Type Method Description
      default void addIdentity​(java.lang.String identity, java.lang.String role)
      Adds a row (identity, role) to the identity_to_role table
      java.util.Set<IRoleManager.Option> alterableOptions()
      Subset of supportedOptions that users are allowed to alter when performing ALTER ROLE [themselves].
      void alterRole​(AuthenticatedUser performer, RoleResource role, RoleOptions options)
      Called during execution of ALTER ROLE statement.
      default java.util.Map<java.lang.String,​java.lang.String> authorizedIdentities()
      Returns all the authorized identities from the identity_to_role table
      boolean canLogin​(RoleResource role)
      Return true if there exists a Role with the given name which has login privileges.
      void createRole​(AuthenticatedUser performer, RoleResource role, RoleOptions options)
      Called during execution of a CREATE ROLE statement.
      default void dropIdentity​(java.lang.String identity)
      Called on the execution of DROP IDENTITY statement for removing a given identity from the identity_to_role table.
      void dropRole​(AuthenticatedUser performer, RoleResource role)
      Called during execution of DROP ROLE statement. As well as removing any main record of the role from the system, this implies that we want to revoke this role from all other roles that it has been granted to.
      java.util.Set<RoleResource> getAllRoles()
      Called during the execution of an unqualified LIST ROLES query.
      java.util.Map<java.lang.String,​java.lang.String> getCustomOptions​(RoleResource role)
      Where an implementation supports OPTIONS in CREATE and ALTER operations this method should return the Map<String, String> representing the custom options associated with the role, as supplied to CREATE or ALTER.
      default java.util.Set<Role> getRoleDetails​(RoleResource grantee)
      Used to retrieve detailed role info on the full set of roles granted to a grantee.
      java.util.Set<RoleResource> getRoles​(RoleResource grantee, boolean includeInherited)
      Called during execution of a LIST ROLES query.
      void grantRole​(AuthenticatedUser performer, RoleResource role, RoleResource grantee)
      Called during execution of GRANT ROLE query.
      default boolean isExistingIdentity​(java.lang.String identity)
      Returns whether an identity exists in the identity_to_role table
      boolean isExistingRole​(RoleResource role)
      Return true if a Role with the given name exists in the system.
      boolean isSuper​(RoleResource role)
      Return true if there exists a Role with the given name that also has superuser status.
      java.util.Set<? extends IResource> protectedResources()
      Set of resources that should be made inaccessible to users and only accessible internally.
      void revokeRole​(AuthenticatedUser performer, RoleResource role, RoleResource revokee)
      Called during the execution of a REVOKE ROLE query.
      default java.lang.String roleForIdentity​(java.lang.String identity)
      Each valid identity is associated with a role in the identity_to_role table; this method returns the role of a given identity
      void setup()
      Hook to perform implementation specific initialization, called once upon system startup.
      java.util.Set<IRoleManager.Option> supportedOptions()
      Set of options supported by CREATE ROLE and ALTER ROLE queries.
      void validateConfiguration()
      Hook to perform validation of an implementation's configuration (if supported).
    • Method Detail

      • supportedOptions

        java.util.Set<IRoleManager.Option> supportedOptions()
        Set of options supported by CREATE ROLE and ALTER ROLE queries. Should never return null - always return an empty set instead.
      • alterableOptions

        java.util.Set<IRoleManager.Option> alterableOptions()
        Subset of supportedOptions that users are allowed to alter when performing ALTER ROLE [themselves]. Should never return null - always return an empty set instead.
      • alterRole

        void alterRole​(AuthenticatedUser performer,
                       RoleResource role,
                       RoleOptions options)
                throws RequestValidationException,
                       RequestExecutionException
        Called during execution of ALTER ROLE statement. options are always guaranteed to be a subset of supportedOptions(). Furthermore, if the actor performing the query is not a superuser and is altering themself, then options are guaranteed to be a subset of alterableOptions(). Keep the body of the method blank if your implementation doesn't support modification of any options.
        Parameters:
        performer - User issuing the alter role statement.
        role - Role that will be altered.
        options - Options to alter.
        Throws:
        RequestValidationException
        RequestExecutionException
      • getRoleDetails

        default java.util.Set<Role> getRoleDetails​(RoleResource grantee)
        Used to retrieve detailed role info on the full set of roles granted to a grantee. This method was not part of the V1 IRoleManager API, so a default impl is supplied which uses the V1 methods to retrieve the detailed role info for the grantee. This is essentially what clients of this interface would have to do themselves. Implementations can provide optimized versions of this method where the details can be retrieved more efficiently.
        Parameters:
        grantee - identifies the role whose granted roles are retrieved
        Returns:
        A set of Role objects detailing the roles granted to the grantee, either directly or through inheritance.
      • isSuper

        boolean isSuper​(RoleResource role)
        Return true if there exists a Role with the given name that also has superuser status. Superuser status may be inherited from another granted role, so this method should return true if either the named Role, or any other Role it is transitively granted has superuser status.
        Parameters:
        role - Role whose superuser status to verify
        Returns:
        true if the role exists and has superuser status, either directly or transitively, otherwise false.
      • canLogin

        boolean canLogin​(RoleResource role)
        Return true if there exists a Role with the given name which has login privileges. Such privileges are not inherited from other granted Roles and so must be directly granted to the named Role with the LOGIN option of CREATE ROLE or ALTER ROLE.
        Parameters:
        role - Role whose login privileges to verify
        Returns:
        true if the role exists and is permitted to login, otherwise false
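
The contrast between isSuper (inherited through grants) and canLogin (never inherited) matters when auditing effective privileges. The sketch below is an added example, not Cassandra code: RoleGraphSketch and RoleRecord are hypothetical names, roles are plain strings, and the grant data is constructed.

```java
import java.util.*;

// Illustrative in-memory model of the documented semantics (Java 16+ for records).
// RoleGraphSketch and RoleRecord are hypothetical, not Cassandra classes.
public class RoleGraphSketch {
    record RoleRecord(boolean superuser, boolean login, Set<String> memberOf) {}

    private final Map<String, RoleRecord> roles = new HashMap<>();

    void create(String name, boolean superuser, boolean login, String... memberOf) {
        roles.put(name, new RoleRecord(superuser, login, Set.of(memberOf)));
    }

    // Superuser status is inherited: true if the named role, or any role it is
    // transitively granted, is a superuser. Unknown roles yield false.
    boolean isSuper(String name) {
        Deque<String> pending = new ArrayDeque<>();
        Set<String> seen = new HashSet<>();
        pending.push(name);
        while (!pending.isEmpty()) {
            String current = pending.pop();
            RoleRecord rec = roles.get(current);
            if (rec == null || !seen.add(current)) continue; // missing or already visited
            if (rec.superuser()) return true;
            pending.addAll(rec.memberOf());
        }
        return false;
    }

    // LOGIN is not inherited: only the named role's own flag counts.
    boolean canLogin(String name) {
        RoleRecord rec = roles.get(name);
        return rec != null && rec.login();
    }

    public static void main(String[] args) {
        RoleGraphSketch m = new RoleGraphSketch();
        m.create("dba", true, false);            // superuser, no LOGIN
        m.create("ops", false, true, "dba");     // LOGIN, granted dba
        m.create("alice", false, true, "ops");   // LOGIN, granted ops (two hops from dba)
        m.create("batch", false, false, "ops");  // no LOGIN of its own, granted ops
        for (String r : new String[] {"alice", "batch", "ghost"}) {
            System.out.println(r + " super=" + m.isSuper(r) + " login=" + m.canLogin(r));
        }
    }
}
```

Here alice is an effective superuser through ops and dba, while batch inherits superuser status but still cannot log in because LOGIN on ops does not carry over.
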
      • getCustomOptions

        java.util.Map<java.lang.String,​java.lang.String> getCustomOptions​(RoleResource role)
        Where an implementation supports OPTIONS in CREATE and ALTER operations this method should return the Map<String, String> representing the custom options associated with the role, as supplied to CREATE or ALTER. It should never return null; if the implementation does not support OPTIONS or if none were supplied then it should return an empty map.
        Parameters:
        role - Role whose custom options are required
        Returns:
        Key/Value pairs representing the custom options for the Role
      • isExistingRole

        boolean isExistingRole​(RoleResource role)
        Return true if a Role with the given name exists in the system.
        Parameters:
        role - Role whose existence to verify
        Returns:
        true if the name identifies an extant Role in the system, otherwise false
      • protectedResources

        java.util.Set<? extends IResource> protectedResources()
        Set of resources that should be made inaccessible to users and only accessible internally.
        Returns:
        Keyspaces and column families that will be unmodifiable by users; other resources.
      • setup

        void setup()
        Hook to perform implementation specific initialization, called once upon system startup. For example, use this method to create any required keyspaces/column families.
      • roleForIdentity

        default java.lang.String roleForIdentity​(java.lang.String identity)
        Each valid identity is associated with a role in the identity_to_role table; this method returns the role of a given identity
        Parameters:
        identity - identity whose role is to be retrieved
        Returns:
        role of the given identity
      • authorizedIdentities

        default java.util.Map<java.lang.String,​java.lang.String> authorizedIdentities()
        Returns all the authorized identities from the identity_to_role table
        Returns:
        Map of identity -> roles
      • addIdentity

        default void addIdentity​(java.lang.String identity,
                                 java.lang.String role)
        Adds a row (identity, role) to the identity_to_role table
        Parameters:
        identity - identity to be added
        role - role that is associated with the identity
      • isExistingIdentity

        default boolean isExistingIdentity​(java.lang.String identity)
        Returns whether an identity exists in the identity_to_role table
        Parameters:
        identity - identity whose existence to verify
        Returns:
      • dropIdentity

        default void dropIdentity​(java.lang.String identity)
        Called on the execution of DROP IDENTITY statement for removing a given identity from the identity_to_role table. This implies we want to revoke the access for the given identity.
        Parameters:
        identity - identity that has to be removed from the table