From 7776508d222e8206417f8ca053a2e7859fc8602f Mon Sep 17 00:00:00 2001 From: Valery Baranov Date: Mon, 1 Dec 2025 18:37:59 +0300 Subject: [PATCH 1/2] Add test for check permissions after authorize --- .../cassandra/auth/GrantAndRevokeTest.java | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/test/unit/org/apache/cassandra/auth/GrantAndRevokeTest.java b/test/unit/org/apache/cassandra/auth/GrantAndRevokeTest.java index 7b8a4cfb7777..9b4b744532b7 100644 --- a/test/unit/org/apache/cassandra/auth/GrantAndRevokeTest.java +++ b/test/unit/org/apache/cassandra/auth/GrantAndRevokeTest.java @@ -577,6 +577,42 @@ public void testGrantOnVirtualKeyspaces() throws Throwable executeNet(ProtocolVersion.CURRENT, format("REVOKE SELECT PERMISSION ON KEYSPACE system_views FROM %s", user)); } + @Test + public void testCheckPermissionsAfterAuthorize() throws Throwable + { + useSuperUser(); + + executeNet("CREATE KEYSPACE check_permissions WITH replication = {'class': 'SimpleStrategy', 'replication_factor': '1'}"); + executeNet("CREATE TABLE check_permissions.t1 (k int PRIMARY KEY)"); + executeNet("INSERT INTO check_permissions.t1 (k) VALUES (1)"); + + executeNet(String.format("CREATE ROLE %s WITH LOGIN = TRUE AND password='%s'", user, pass)); + + final String idm_user = "idm_user"; + executeNet(String.format("CREATE ROLE %s WITH LOGIN = TRUE AND password='%s'", idm_user, idm_user)); + executeNet("GRANT AUTHORIZE ON check_permissions.t1 TO " + idm_user); + + useUser(user, pass); + assertUnauthorizedQuery("User user has no SELECT permission on or any of its parents", + "SELECT * FROM check_permissions.t1"); + + useUser(idm_user, idm_user); + assertUnauthorizedQuery("User idm_user has no SELECT permission on
or any of its parents", + "SELECT * FROM check_permissions.t1"); + assertUnauthorizedQuery("User idm_user has no SELECT permission on
or any of its parents", + "GRANT SELECT ON check_permissions.t1 TO " + user); + + useSuperUser(); + executeNet("GRANT SELECT ON check_permissions.t1 TO " + idm_user); + + useUser(idm_user, idm_user); + executeNet("SELECT * FROM check_permissions.t1"); + executeNet("GRANT SELECT ON check_permissions.t1 TO " + user); + + useUser(user, pass); + executeNet("SELECT * FROM check_permissions.t1"); + } + private void maybeReadSystemTables(boolean superuser) throws Throwable { if (superuser) From 23f1e7563060d867b7ee30ddad6de9ee45fe2038 Mon Sep 17 00:00:00 2001 From: Valery Baranov Date: Tue, 2 Dec 2025 02:48:38 +0300 Subject: [PATCH 2/2] Rename idm user, add check permissions for user --- .../cassandra/auth/GrantAndRevokeTest.java | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/test/unit/org/apache/cassandra/auth/GrantAndRevokeTest.java b/test/unit/org/apache/cassandra/auth/GrantAndRevokeTest.java index 9b4b744532b7..44abc7080588 100644 --- a/test/unit/org/apache/cassandra/auth/GrantAndRevokeTest.java +++ b/test/unit/org/apache/cassandra/auth/GrantAndRevokeTest.java @@ -588,24 +588,28 @@ public void testCheckPermissionsAfterAuthorize() throws Throwable executeNet(String.format("CREATE ROLE %s WITH LOGIN = TRUE AND password='%s'", user, pass)); - final String idm_user = "idm_user"; - executeNet(String.format("CREATE ROLE %s WITH LOGIN = TRUE AND password='%s'", idm_user, idm_user)); - executeNet("GRANT AUTHORIZE ON check_permissions.t1 TO " + idm_user); + final String simple_user = "simple_user"; + executeNet(String.format("CREATE ROLE %s WITH LOGIN = TRUE AND password='%s'", simple_user, simple_user)); + executeNet("GRANT AUTHORIZE ON check_permissions.t1 TO " + simple_user); useUser(user, pass); assertUnauthorizedQuery("User user has no SELECT permission on
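Review bot: The expected-message strings in testCheckPermissionsAfterAuthorize hard-code the role names (`"User user has no SELECT permission on …"`, `"User idm_user has no SELECT permission on …"`) while the roles are created from the `user` field and the `idm_user` local, so if either value changes the assertion silently stops matching the failure it is meant to pin. Building the message the same way the CREATE ROLE lines do keeps them in step, e.g. `assertUnauthorizedQuery(String.format("User %s has no SELECT permission on … or any of its parents", user), "SELECT * FROM check_permissions.t1");` — the resource part of the message is not visible in this rendering, so take it from the actual error text. The `check_permissions` keyspace and both roles are created and never dropped; unless the harness resets schema and roles between tests (not visible here), a later test that creates a role with the same name would fail on its CREATE, so a trailing `DROP ROLE`/`DROP KEYSPACE` (or an `@After` hook) would be safer.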
or any of its parents", "SELECT * FROM check_permissions.t1"); - useUser(idm_user, idm_user); - assertUnauthorizedQuery("User idm_user has no SELECT permission on
or any of its parents", + useUser(simple_user, simple_user); + assertUnauthorizedQuery("User simple_user has no SELECT permission on
or any of its parents", "SELECT * FROM check_permissions.t1"); - assertUnauthorizedQuery("User idm_user has no SELECT permission on
or any of its parents", + assertUnauthorizedQuery("User simple_user has no SELECT permission on
or any of its parents", "GRANT SELECT ON check_permissions.t1 TO " + user); + useUser(user, pass); + assertUnauthorizedQuery("User user has no SELECT permission on
or any of its parents", + "SELECT * FROM check_permissions.t1"); + useSuperUser(); - executeNet("GRANT SELECT ON check_permissions.t1 TO " + idm_user); + executeNet("GRANT SELECT ON check_permissions.t1 TO " + simple_user); - useUser(idm_user, idm_user); + useUser(simple_user, simple_user); executeNet("SELECT * FROM check_permissions.t1"); executeNet("GRANT SELECT ON check_permissions.t1 TO " + user);
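Review bot: The new `useUser(user, pass)` re-check after the rejected GRANT confirms the failed grant leaked nothing, but the hunk still only shows that simple_user cannot grant SELECT before holding it; nothing shows that SELECT plus AUTHORIZE does not let simple_user grant a permission it lacks, which is the per-permission half of the rule. Adding one negative check after the superuser grant pins that: `useUser(simple_user, simple_user); assertUnauthorizedQuery("User simple_user has no MODIFY permission on … or any of its parents", "GRANT MODIFY ON check_permissions.t1 TO " + user);` — the resource part of the message is not visible in this rendering, so copy it from the SELECT assertions. The enclosing method testCheckPermissionsAfterAuthorize begins before this hunk and its closing brace is after it.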