From 7ef861b553f38d85f4ff541d1e092add144d564f Mon Sep 17 00:00:00 2001
From: Didi Kohen
Date: Mon, 15 Oct 2018 18:06:03 +0300
Subject: [PATCH] Allow usage of non-superusers for cassandra connection (#5493)
---
 plugins/database/cassandra/connection_producer.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/plugins/database/cassandra/connection_producer.go b/plugins/database/cassandra/connection_producer.go
index 700f963fe2..4bbfbf953b 100644
--- a/plugins/database/cassandra/connection_producer.go
+++ b/plugins/database/cassandra/connection_producer.go
@@ -16,6 +16,7 @@ import (
  "github.com/hashicorp/vault/helper/parseutil"
  "github.com/hashicorp/vault/helper/tlsutil"
  "github.com/hashicorp/vault/plugins/helper/database/connutil"
+ "github.com/hashicorp/vault/plugins/helper/database/dbutil"
  )
 
  // cassandraConnectionProducer implements ConnectionProducer and provides an
@@ -239,7 +240,15 @@ func (c *cassandraConnectionProducer) createSession() (*gocql.Session, error) {
 
  // Verify the info
  err = session.Query(`LIST ALL`).Exec()
- if err != nil {
+ if err != nil && len(c.Username) != 0 && strings.Contains(err.Error(), "not authorized") {
+ rowNum := session.Query(dbutil.QueryHelper(`LIST CREATE ON ALL ROLES OF '{{username}}';`, map[string]string{
+ "username": c.Username,
+ })).Iter().NumRows()
+
+ if rowNum < 1 {
+ return nil, errwrap.Wrapf("error validating connection info: No role create permissions found, previous error: {{err}}", err)
+ }
+ } else if err != nil {
  return nil, errwrap.Wrapf("error validating connection info: {{err}}", err)
  }
 
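Review bot: The fallback permission check in the second hunk discards the query's own error: `session.Query(...).Iter().NumRows()` never calls `Close()` on the iterator, so a `LIST CREATE ON ALL ROLES` that fails (a timeout, or a second authorization error) would look the same as zero rows and be reported as missing role-create permissions with the earlier `LIST ALL` error attached. Keeping the iterator, reading `NumRows()` and then returning any error from `Close()` separates the two cases. In the same call `c.Username` is substituted into a single-quoted CQL literal, and `dbutil.QueryHelper` appears to do plain text replacement, so a configured username containing `'` would break or alter the statement; doubling single quotes before substitution avoids that. Matching on the message text "not authorized" is also brittle across server versions, and checking the code on `gocql.RequestError` would be sturdier if the vendored driver exposes it. `createSession` begins and ends outside this hunk.

```go
	if err != nil && len(c.Username) != 0 && strings.Contains(err.Error(), "not authorized") {
		iter := session.Query(dbutil.QueryHelper(`LIST CREATE ON ALL ROLES OF '{{username}}';`, map[string]string{
			// CQL escapes a single quote inside a string literal by doubling it.
			"username": strings.Replace(c.Username, "'", "''", -1),
		})).Iter()
		rowNum := iter.NumRows()
		if closeErr := iter.Close(); closeErr != nil {
			return nil, errwrap.Wrapf("error validating connection info: {{err}}", closeErr)
		}
		// … unchanged: rowNum < 1 check and the else-if branch …
```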