cassandra-commits mailing list archives

From "Sam Tunnicliffe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-7557) User permissions for UDFs
Date Tue, 14 Apr 2015 15:23:13 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-7557?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14494249#comment-14494249 ]

Sam Tunnicliffe commented on CASSANDRA-7557:
--------------------------------------------

Thanks, none of the things you mention were covered so:

bq. Granting both root/ks-level permissions and individual function permissions, ensuring
that revoking one does not affect revoking the other

added {{function_resource_hierarchy_permissions_test}}

bq. Similar to drop_function_and_keyspace_cleans_up_udf_permissions_test, test that dropping
a keyspace drops function-level permissions for functions in that keyspace

added {{drop_keyspace_cleans_up_function_level_permissions_test}}

bq. Ensure granting permissions on a builtin function (e.g. system.now) errors nicely. Same
for REVOKE on builtins and granting EXECUTE on non-function objects.

added {{disallow_grant_execute_on_non_function_resources_test}} and {{disallow_grant_revoke_on_builtin_functions_test}}
(plus a minor change in {{PermissionsManagementStatement}} for the latter)

bq. Double granting/revoking is well-behaved (I'm not sure if it's supposed to error or succeed)

as grant and revoke are idempotent, the current behaviour (for all resources, not just functions)
is to silently succeed when both attempting to grant an existing permission or revoke a non-existent
one.  I've added {{grant_revoke_are_idempotent_test}} to verify (right now it's only concerned
with function resources, but I'll generalise it when I refactor auth_test & auth_roles_test).

bq. Also, in the inheritance_of_udf_permissions_test, shouldn't the GRANT EXECUTE statement
be executed by the function_user role instead of cassandra?

Actually, the intent was to verify that the EXECUTE permission of function_user was inherited
when that role was granted, so that final DCL statement should be granting function_user to
mike. Fixed now, thanks.

I also noticed I'd left a todo in the test for granting/revoking/dropping with overloaded
functions, so I've added {{udf_with_overloads_permissions_test}}.

> User permissions for UDFs
> -------------------------
>
>                 Key: CASSANDRA-7557
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7557
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Core
>            Reporter: Tyler Hobbs
>            Assignee: Sam Tunnicliffe
>              Labels: client-impacting, cql, udf
>             Fix For: 3.0
>
>
> We probably want some new permissions for user defined functions.  Most RDBMSes split
> function permissions roughly into {{EXECUTE}} and {{CREATE}}/{{ALTER}}/{{DROP}} permissions.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
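
A simplified model of the behaviours the tests named in the message above check (hierarchical grants, idempotent grant/revoke, role inheritance, keyspace-drop cleanup, rejection of builtins and non-function resources), added here as an illustration; it is not Cassandra's code and not part of the original message. The class, the resource-name strings and the role-membership map are assumptions made for the example.

```python
# Simplified model (an assumption, not Cassandra's code) of EXECUTE grants.
BUILTIN_KEYSPACE = "system"  # builtins such as system.now live here

class FunctionPermissions:
    def __init__(self):
        self.grants = set()   # (role, resource) pairs holding EXECUTE
        self.members = {}     # role -> roles that have been granted to it

    @staticmethod
    def _ancestors(resource):
        # "functions/ks/f(int)" -> itself, "functions/ks", "functions"
        parts = resource.split("/")
        return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]

    def _check(self, resource):
        parts = resource.split("/")
        if parts[0] != "functions":
            raise ValueError("EXECUTE applies only to function resources")
        if len(parts) == 3 and parts[1] == BUILTIN_KEYSPACE:
            raise ValueError("cannot GRANT/REVOKE on builtin functions")

    def grant(self, role, resource):
        self._check(resource)
        self.grants.add((role, resource))      # no error if already granted

    def revoke(self, role, resource):
        self._check(resource)
        self.grants.discard((role, resource))  # no error if never granted

    def grant_role(self, role, to):
        self.members.setdefault(to, set()).add(role)

    def _roles(self, role):
        seen, stack = set(), [role]            # role plus all it inherits
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.members.get(r, ()))
        return seen

    def can_execute(self, role, resource):
        return any((r, a) in self.grants for r in self._roles(role)
                   for a in self._ancestors(resource))

    def drop_keyspace(self, ks):
        prefix = f"functions/{ks}"
        self.grants = {(r, res) for r, res in self.grants
                       if res != prefix and not res.startswith(prefix + "/")}
```

Overloads are distinct resources in this model because the argument types are part of the resource name, so a grant on `plus_one(int)` says nothing about `plus_one(text)`.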
