cassandra-commits mailing list archives

From "Sam Tunnicliffe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-7653) Add role based access control to Cassandra
Date Tue, 06 Jan 2015 17:15:35 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-7653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14266424#comment-14266424 ]

Sam Tunnicliffe commented on CASSANDRA-7653:
--------------------------------------------

I've been thinking about constructInitialSaslToken too and it is truly unpleasant. It's there
to support Thrift clients which could be sending arbitrary k/v pairs to a custom IAuthenticator
via the login() call. So we have to support that somehow without changing the thrift interface.
constructInitialSaslToken is one way to do it, but it sucks so my current plan is to replace
it with a legacyAuthenticate() method which impls can decide whether to support or not (if
they support Thrift and/or native protocol v1 authentication).

On the second point, I think it's doable to support custom options using json syntax. Something
like:

{code}
CREATE ROLE foo WITH PASSWORD 'bar' AND OPTIONS {'a' : 'aaa', 'b' : 1} NOSUPERUSER LOGIN;
{code}


> Add role based access control to Cassandra
> ------------------------------------------
>
>                 Key: CASSANDRA-7653
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7653
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Mike Adamson
>            Assignee: Sam Tunnicliffe
>             Fix For: 3.0
>
>         Attachments: 7653.patch, CQLSmokeTest.java, cql_smoke_test.py
>
>
> The current authentication model supports granting permissions to individual users. While
> this is OK for small or medium organizations wanting to implement authorization, it does not
> work well in large organizations because of the overhead of having to maintain the permissions
> for each user.
> Introducing roles into the authentication model would allow sets of permissions to be
> controlled in one place as a role and then the role granted to users. Roles should also be
> able to be granted to other roles to allow hierarchical sets of permissions to be built up.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
