cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sam Tunnicliffe (JIRA)" <>
Subject [jira] [Commented] (CASSANDRA-7653) Add role based access control to Cassandra
Date Mon, 12 Jan 2015 11:58:35 GMT


Sam Tunnicliffe commented on CASSANDRA-7653:

	nobody’s using this functionality (the previous mbean wasn’t registered), so we can drop
it until someone actually requests it

Done in CASSANDRA-8194

	in execute(), `authenticator` variable should be renamed to `negotiator`

	saslAutneticator field and getAuthenticator() method should be renamed for consistency (to

	preventSystemKSSchemaModification() should move allowAlter/allowDrop to the class level statics
ALTERABLE_KEYSPACES/DROPPABLE_TABLES vs. allocating them every time

	should rename isColumnFamilyLevel() to isTableLevel(), while we are breaking the API anyway
(and getColumnFamily() to getTable()). Not something touched by the patch, but can sneak it
in here.

	grant()/revoke() should rename to/from arguments to grantee/revokee in consistency with IRoleManager
	grant()/revoke() should have an AuthenticatedUser performer arg, like IAuthorizer does (or
both should drop it)

	revokeAll() should use a logged batch for updating permissions+index tables

	now would be a good time to correct the initial design mistake and make role names/user names
strings, instead of identifiers

	resultset structure is part of the public API. Can’t just rename ‘username’ to ‘role’.
Should keep (but deprecate) username, and add ‘role’, as another column, with duplicate

I don't quite agree with this one. I think it's probably acceptable for us to change metadata
like this in a major release, particularly as the semantics and structure of the resultset
is unchanged. If any changes are required on the client side, they will be trivial.

Oh, one more thing.
Please include a NEWS.txt entry for the API change.

Also done. Hopefully that ties up most of the loose ends.

> Add role based access control to Cassandra
> ------------------------------------------
>                 Key: CASSANDRA-7653
>                 URL:
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Mike Adamson
>            Assignee: Sam Tunnicliffe
>             Fix For: 3.0
>         Attachments: 7653.patch,,
> The current authentication model supports granting permissions to individual users. While
this is OK for small or medium organizations wanting to implement authorization, it does not
work well in large organizations because of the overhead of having to maintain the permissions
for each user.
> Introducing roles into the authentication model would allow sets of permissions to be
controlled in one place as a role and then the role granted to users. Roles should also be
able to be granted to other roles to allow hierarchical sets of permissions to be built up.

This message was sent by Atlassian JIRA

View raw message