cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sam Tunnicliffe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-11305) Customization of the auto granting process
Date Wed, 25 May 2016 11:58:12 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-11305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15299940#comment-15299940
] 

Sam Tunnicliffe commented on CASSANDRA-11305:
---------------------------------------------

bq. Instead of modifying the default CQL behaviour and its semantic (like I suggested before)
maybe this can be implemented throught cassandra.yaml?
maybe, but the Hive config lets you specify exactly which privileges to automatically grant.
I think this is fine for Hive as it only applies to Databases and Tables, which share the
same set of applicable privileges. This isn't the case in C* though with roles, functions,
aggregations and jmx resources (although the latter are not created in the same way as other
database objects). So if we were to adopt the Hive approach, you'd be specifying the superset
of privileges from which the applicable subset could be automatically granted and TBH, this
feels a bit messy to me. 

It might be more feasible to have a single toggle in the yaml to completely turn off auto
granting on a system-wide basis. I did wonder whether a keyspace level property could work,
but not all resources are keyspace-scoped (roles for instance). I'm not advocating for that
system-wide solution btw, just saying that it seems potentially more straightforward in implementation
and conceptual terms.

I don't see a huge demand for this feature either, so I would imagine it falling fairly low
on the list of priorities I'm afraid, but if you want to submit a patch for it, please do.

> Customization of the auto granting process
> ------------------------------------------
>
>                 Key: CASSANDRA-11305
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11305
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: CQL
>         Environment: Apache Cassandra 3.3, cqlsh 5.0.1, CQL spec 3.4.0
>            Reporter: Alexandre Linte
>            Priority: Minor
>             Fix For: 3.3
>
>
> Hello,
> By default, Cassandra implements an auto granting process which is applied when a USER
| ROLE does a CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTION, CREATE AGGREGATE or CREATE ROLE
statement. The creator is automatically granted all applicable permissions on the new resource.
> For example, the ROLE "toto_user" is created and has CREATE permission on its personal
KEYSPACE "toto_keyspace". Today when toto_user create a TABLE, he is automatically granted
the following rights:
> * ALTER
> * DROP
> * SELECT
> * MODIFY
> * AUTHORIZE
> Moreover if you want to REVOKE a permission for "toto_user" on a table, this table must
exist.
> The idea of the issue is to improve the auto granting process. I thought about a modification
of the REVOKE and GRANT SQL commands. You can find below the syntax part:
> {noformat}
> <grant-permission-stmt> ::= GRANT ( ALL ( PERMISSIONS )? | <permission> (
PERMISSION )? ) ON <resource> TO <identifier>
> <permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESRIBE
| EXECUTE
> <resource> ::= ALL KEYSPACES
>               | KEYSPACE <identifier>
>               | ( TABLE )? <tablename>
>               | ALL ROLES
>               | ROLE <identifier>
>               | ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
>               | FUNCTION <functionname>
> <automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
> {noformat}
> {noformat}
> <revoke-permission-stmt> ::= REVOKE ( ALL ( PERMISSIONS )? | <permission>
( PERMISSION )? ) ON <resource> FROM <identifier>
> <permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESRIBE
| EXECUTE
> <resource> ::= ALL KEYSPACES
>               | KEYSPACE <identifier>
>               | ( TABLE )? <tablename>
>               | ALL ROLES
>               | ROLE <identifier>
>               | ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
>               | FUNCTION <functionname>
> <automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
> {noformat}
> And now multiple the samples part:
> {noformat}
> GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user;
> => default functioning, when toto_user creates a table he will be automatically granted
all permissions.
> GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
> => grant all permissions to the resource (table) created by toto_user on the keyspace
toto_keyspace.
> GRANT SELECT ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
> => grant select permission to the resource (table) created by toto_user on the keyspace
toto_keyspace.
> REVOKE ALL PERMISSIONS ON KEYSPACE toto_keyspace FROM toto_user;
> => default functioning, toto_user will not be able to do something on the keyspace
toto_keyspace.
> REVOKE AUTHORIZE PERMISSION ON KEYSPACE toto_keyspace FROM toto_user WHEN CREATE TABLE;
> => revoke authorize permission to the resource (table) created by toto_user on the
keyspace toto_keyspace.
> REVOKE DROP PERMISSION ALL KEYSPACES FROM toto_user WHEN CREATE ROLE;
> => revoke drop permission to the resource (role) created by toto_user on the keyspace
toto_keyspace.
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message