cassandra-commits mailing list archives

From "Sam Tunnicliffe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-7653) Add role based access control to Cassandra
Date Mon, 12 Jan 2015 11:58:35 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-7653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14273521#comment-14273521 ]

Sam Tunnicliffe commented on CASSANDRA-7653:
--------------------------------------------

{quote}
PermissionsCacheMBean
	nobody’s using this functionality (the previous mbean wasn’t registered), so we can drop it until someone actually requests it
{quote}

Done in CASSANDRA-8194

{quote}
AuthResponse
	in execute(), `authenticator` variable should be renamed to `negotiator`

ServerConnection
	saslAuthenticator field and getAuthenticator() method should be renamed for consistency (to saslNegotiator/getSaslNegotiator())

ClientState
	preventSystemKSSchemaModification() should move allowAlter/allowDrop to the class level statics ALTERABLE_KEYSPACES/DROPPABLE_TABLES vs. allocating them every time

DataResource:
	should rename isColumnFamilyLevel() to isTableLevel(), while we are breaking the API anyway (and getColumnFamily() to getTable()). Not something touched by the patch, but can sneak it in here.

IAuthorizer
	grant()/revoke() should rename to/from arguments to grantee/revokee in consistency with IRoleManager naming
	grant()/revoke() should have an AuthenticatedUser performer arg, like IAuthorizer does (or both should drop it)

CassandraAuthorizer
	revokeAll() should use a logged batch for updating permissions+index tables

Cql.g
	now would be a good time to correct the initial design mistake and make role names/user names strings, instead of identifiers
{quote}
Done

{quote}
ListPermissionsStatement
	resultset structure is part of the public API. Can’t just rename ‘username’ to ‘role’. Should keep (but deprecate) username, and add ‘role’, as another column, with duplicate value
{quote}

I don't quite agree with this one. I think it's probably acceptable for us to change metadata
like this in a major release, particularly as the semantics and structure of the resultset
is unchanged. If any changes are required on the client side, they will be trivial.

{quote}
Oh, one more thing.
Please include a NEWS.txt entry for the API change.
{quote}

Also done. Hopefully that ties up most of the loose ends.

> Add role based access control to Cassandra
> ------------------------------------------
>
>                 Key: CASSANDRA-7653
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7653
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Mike Adamson
>            Assignee: Sam Tunnicliffe
>             Fix For: 3.0
>
>         Attachments: 7653.patch, CQLSmokeTest.java, cql_smoke_test.py
>
>
> The current authentication model supports granting permissions to individual users. While this is OK for small or medium organizations wanting to implement authorization, it does not work well in large organizations because of the overhead of having to maintain the permissions for each user.
> Introducing roles into the authentication model would allow sets of permissions to be controlled in one place as a role and then the role granted to users. Roles should also be able to be granted to other roles to allow hierarchical sets of permissions to be built up.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
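
The issue description above asks for roles that can be granted to other roles so that permissions are maintained in one place. The following is an added example, not part of the original message and not Cassandra's IRoleManager/IAuthorizer code: a toy in-memory model of transitive role resolution that rejects circular grants. The class, method, role and resource names are assumptions made for illustration.

```python
# Added illustration: a toy in-memory model, not Cassandra's own implementation.
class RoleModel:
    def __init__(self):
        self.granted = {}   # role -> set of roles granted directly to it
        self.perms = {}     # role -> set of (permission, resource) pairs

    def roles_of(self, role):
        """Return role plus every role it inherits, directly or transitively."""
        seen, stack = set(), [role]
        while stack:
            current = stack.pop()
            if current not in seen:
                seen.add(current)
                stack.extend(self.granted.get(current, ()))
        return seen

    def grant_role(self, role, grantee):
        # Reject a grant that would make a role inherit from itself.
        if grantee in self.roles_of(role):
            raise ValueError(f"granting {role} to {grantee} creates a cycle")
        self.granted.setdefault(grantee, set()).add(role)

    def grant(self, permission, resource, grantee):
        self.perms.setdefault(grantee, set()).add((permission, resource))

    def revoke(self, permission, resource, revokee):
        self.perms.get(revokee, set()).discard((permission, resource))

    def is_authorized(self, role, permission, resource):
        # Assumed resource paths: a grant on a parent covers its children
        # (data > data/ks > data/ks/table).
        parts = resource.split("/")
        chain = {"/".join(parts[:i]) for i in range(1, len(parts) + 1)}
        return any((permission, r) in self.perms.get(held, ())
                   for held in self.roles_of(role) for r in chain)


def demo():
    m = RoleModel()
    m.grant("SELECT", "data/sales", "reporting")   # constructed sample names
    m.grant_role("reporting", "analyst")           # role granted to a role
    m.grant_role("analyst", "alice")               # role granted to a user
    before = m.is_authorized("alice", "SELECT", "data/sales/orders")
    m.revoke("SELECT", "data/sales", "reporting")  # one change, all members affected
    after = m.is_authorized("alice", "SELECT", "data/sales/orders")
    return before, after


if __name__ == "__main__":
    print(demo())
```

Revoking the permission from the single `reporting` role removes it from every role that inherits it, which is the maintenance property the issue asks for.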
