Date: Tue, 6 Jan 2015 17:15:35 +0000 (UTC)
From: "Sam Tunnicliffe (JIRA)"
To: commits@cassandra.apache.org
Subject: [jira] [Commented] (CASSANDRA-7653) Add role based access control to Cassandra

    [ https://issues.apache.org/jira/browse/CASSANDRA-7653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14266424#comment-14266424 ]

Sam Tunnicliffe commented on CASSANDRA-7653:
--------------------------------------------

I've been thinking about constructInitialSaslToken too and it is truly unpleasant. It's there to support Thrift clients which could be sending arbitrary k/v pairs to a custom IAuthenticator via the login() call. So we have to support that somehow without changing the thrift interface.
constructInitialSaslToken is one way to do it, but it sucks so my current plan is to replace it with a legacyAuthenticate() method which impls can decide whether to support or not (if they support Thrift and/or native protocol v1 authentication).

On the second point, I think it's doable to support custom options using json syntax. Something like:
{code}
CREATE ROLE foo WITH PASSWORD 'bar' AND OPTIONS {'a' : 'aaa', 'b' : 1} NOSUPERUSER LOGIN;
{code}

> Add role based access control to Cassandra
> ------------------------------------------
>
>                 Key: CASSANDRA-7653
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7653
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Mike Adamson
>            Assignee: Sam Tunnicliffe
>             Fix For: 3.0
>
>         Attachments: 7653.patch, CQLSmokeTest.java, cql_smoke_test.py
>
>
> The current authentication model supports granting permissions to individual users. While this is OK for small or medium organizations wanting to implement authorization, it does not work well in large organizations because of the overhead of having to maintain the permissions for each user.
> Introducing roles into the authentication model would allow sets of permissions to be controlled in one place as a role and then the role granted to users. Roles should also be able to be granted to other roles to allow hierarchical sets of permissions to be built up.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
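
The role hierarchy the issue description asks for (roles granted to other roles), modelled in memory as an added example; it is not code from the attached patch or from Cassandra, and the class, role names and permission strings are hypothetical. It shows that a role's effective permissions are the union over every transitively granted role, and that a grant which would close a cycle has to be refused.

```python
# Added illustration: a minimal in-memory model of hierarchical roles.
# RoleGraph, the role names and the permission strings are hypothetical.

class RoleGraph:
    def __init__(self):
        self.members = {}   # role -> set of roles granted to it
        self.perms = {}     # role -> set of permissions granted directly

    def create_role(self, name):
        if name in self.members:
            raise ValueError(f"role {name!r} already exists")
        self.members[name] = set()
        self.perms[name] = set()

    def grant_permission(self, perm, role):
        self.perms[role].add(perm)

    def roles_of(self, role):
        """Return the role plus every role reachable through grants."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.members[r])
        return seen

    def grant_role(self, role, grantee):
        """Grant `role` to `grantee`; refuse grants that would form a cycle."""
        if grantee in self.roles_of(role):
            raise ValueError(f"granting {role!r} to {grantee!r} creates a cycle")
        self.members[grantee].add(role)

    def revoke_role(self, role, grantee):
        self.members[grantee].discard(role)

    def effective_permissions(self, role):
        """Union of permissions over the role and everything it inherits."""
        return set().union(*(self.perms[r] for r in self.roles_of(role)))


def demo():
    g = RoleGraph()
    for name in ("reader", "analyst", "alice"):
        g.create_role(name)
    g.grant_permission("SELECT ON ks.events", "reader")
    g.grant_permission("MODIFY ON ks.reports", "analyst")
    g.grant_role("reader", "analyst")   # analyst inherits reader
    g.grant_role("analyst", "alice")    # alice inherits analyst, hence reader
    return g
```

Revoking `analyst` from `alice` removes both inherited permissions in one step, which is the single point of control the description is after.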