cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jonathan Ellis (JIRA)" <>
Subject [jira] [Commented] (CASSANDRA-4874) Possible authorizaton handling impovements
Date Wed, 31 Oct 2012 19:06:11 GMT


Jonathan Ellis commented on CASSANDRA-4874:

bq. Should be P.DELETE in Thrift and CQL3? 


bq. If so, then what do you think about requiring both P.UPDATE and P.DELETE for inserts/updates
with TTL set?

Yes, we should.  (This is why I'm not 100% sure it makes sense to distinguish between UPDATE
and DELETE at all, but "require both for ttl" is probably the best compromise.)
> Possible authorizaton handling impovements
> ------------------------------------------
>                 Key: CASSANDRA-4874
>                 URL:
>             Project: Cassandra
>          Issue Type: Improvement
>    Affects Versions: 1.1.6, 1.2.0 beta 1
>            Reporter: Aleksey Yeschenko
>            Assignee: Aleksey Yeschenko
>              Labels: security
> I'll create another issue with my suggestions about fixing/improving IAuthority interfaces.
This one lists possible improvements that aren't related to grant/revoke methods.
> Inconsistencies:
> - CREATE COLUMNFAMILY: P.CREATE on the KS in CQL2 vs. P.CREATE on the CF in CQL3 and
> - BATCH: P.UPDATE or P.DELETE on CF in CQL2 vs. P.UPDATE in CQL3 and Thrift (despite
remove* in Thrift asking for P.DELETE)
> - DELETE: P.DELETE in CQL2 and Thrift vs. P.UPDATE in CQL3
> - DROP INDEX: no checks in CQL2 vs. P.ALTER on the CF in CQL3
> Other issues/suggestions
> - CQL2 DROP INDEX should require authorization
> - current permission checks are inconsistent since they are performed separately by CQL2
query processor, Thrift CassandraServer and CQL3 statement classes.
> We should move it to one place. SomeClassWithABetterName.authorize(Operation, KS, CF,
User), where operation would be a enum
> - we don't respect the hierarchy when checking for permissions, or, to be more specific,
we are doing it wrong. take  CQL3 INSERT as an example:
> we require P.UPDATE on the CF or FULL_ACCESS on either KS or CF. However, having P.UPDATE
on the KS won't allow you to perform the statement, only FULL_ACCESS will do.
> I doubt this was intentional, and if it was, I say it's wrong. P.UPDATE on the KS should
allow you to do updates on KS's cfs.
> Examples in
point to it being a bug, since REVOKE UPDATE ON ks FROM omega is there.
> - currently we lack a way to set permission on cassandra/keyspaces resource. I think
we should be able to do it. See the following point on why.
> - currently to create a keyspace you must have a P.CREATE permission on that keyspace
THAT DOESN'T EVEN EXIST YET. So only a superuser can create a keyspace,
> or a superuser must first grant you a permission to create it. Which doesn't look right
to me. P.CREATE on cassandra/keyspaces should allow you to create new
> keyspaces without an explicit permission for each of them.
> - same goes for CREATE TABLE. you need P.CREATE on that not-yet-existing CF of FULL_ACCESS
on the whole KS. P.CREATE on the KS won't do. this is wrong.
> - since permissions don't map directly to statements, we should describe clearly in the
documentation what permissions are required by what cql statement/thrift method.
> Full list of current permission requirements:

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message