cassandra-commits mailing list archives

From "Eric Evans (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CASSANDRA-1237) Store AccessLevels externally to IAuthenticator
Date Thu, 29 Jul 2010 19:45:17 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12893794#action_12893794 ]

Eric Evans commented on CASSANDRA-1237:
---------------------------------------

{quote}
> If authorization should be pluggable (I've argued that it should be)
I'd be interested in seeing the reasons for making permissions pluggable, if you know where I can find the thread.
{quote}

Directory services like LDAP and Active Directory seem like prominent examples of existing
systems that people might want to integrate with for authorization (as well as authentication).
And, I'm sure there are plenty of people with existing databases, web services, etc. that would
appreciate the opportunity to integrate instead of duplicating that information.

> Store AccessLevels externally to IAuthenticator
> -----------------------------------------------
>
>                 Key: CASSANDRA-1237
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-1237
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Core
>            Reporter: Stu Hood
>            Assignee: Stu Hood
>             Fix For: 0.7 beta 1
>
>         Attachments: 0001-Consolidate-KSMetaData-mutations-into-copy-methods.patch, 0002-Thrift-and-Avro-interface-changes.patch, 0003-Add-user-and-group-access-maps-to-Keyspace-metadata.patch, 0004-Remove-AccessLevel-return-value-from-login-and-retur.patch, 0005-Move-per-thread-state-into-a-ClientState-object-1-pe.patch, 0006-Apply-access.properties-to-keyspaces-during-an-upgra.patch, sample-usage.patch, simple-jaas-authenticator.patch
>
>
> Currently, the concept of authentication (proving the identity of a user) is mixed up with permissions (determining whether a user is able to create/read/write databases). Rather than determining the permissions that a user has, the IAuthenticator should only be capable of authenticating a user, and permissions (specifically, an AccessLevel) should be stored consistently by Cassandra.
> The primary goal of this ticket is to separate AccessLevels from IAuthenticators, and to persist a map of User->AccessLevel along with:
> * EDIT: Separating the addition of 'global scope' permissions into a separate ticket
> * each keyspace, where the AccessLevel continues to have its current meaning
> ----
> In separate tickets, we would like to improve the AccessLevel structure so that it can store role/permission bits independently, rather than being level based.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

