cassandra-commits mailing list archives

From "Aleksey Yeschenko (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CASSANDRA-11305) Customization of the auto granting process
Date Mon, 27 Jun 2016 15:14:52 GMT

     [ https://issues.apache.org/jira/browse/CASSANDRA-11305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aleksey Yeschenko updated CASSANDRA-11305:
------------------------------------------
    Fix Version/s:     (was: 3.3)
                   3.x

> Customization of the auto granting process
> ------------------------------------------
>
>                 Key: CASSANDRA-11305
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11305
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: CQL
>         Environment: Apache Cassandra 3.3, cqlsh 5.0.1, CQL spec 3.4.0
>            Reporter: Alexandre Linte
>            Priority: Minor
>             Fix For: 3.x
>
>
> Hello,
> By default, Cassandra implements an auto granting process which is applied when a USER | ROLE does a CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTION, CREATE AGGREGATE or CREATE ROLE statement. The creator is automatically granted all applicable permissions on the new resource.
> For example, the ROLE "toto_user" is created and has CREATE permission on its personal KEYSPACE "toto_keyspace". Today, when toto_user creates a TABLE, he is automatically granted the following rights:
> * ALTER
> * DROP
> * SELECT
> * MODIFY
> * AUTHORIZE
> Moreover, if you want to REVOKE a permission for "toto_user" on a table, this table must exist.
> The idea of the issue is to improve the auto granting process. I thought about a modification of the REVOKE and GRANT SQL commands. You can find below the syntax part:
> {noformat}
> <grant-permission-stmt> ::= GRANT ( ALL ( PERMISSIONS )? | <permission> ( PERMISSION )? ) ON <resource> TO <identifier> ( <automatic-granting> )?
> <permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE
> <resource> ::= ALL KEYSPACES
>               | KEYSPACE <identifier>
>               | ( TABLE )? <tablename>
>               | ALL ROLES
>               | ROLE <identifier>
>               | ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
>               | FUNCTION <functionname>
> <automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
> {noformat}
> {noformat}
> <revoke-permission-stmt> ::= REVOKE ( ALL ( PERMISSIONS )? | <permission> ( PERMISSION )? ) ON <resource> FROM <identifier> ( <automatic-granting> )?
> <permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE
> <resource> ::= ALL KEYSPACES
>               | KEYSPACE <identifier>
>               | ( TABLE )? <tablename>
>               | ALL ROLES
>               | ROLE <identifier>
>               | ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
>               | FUNCTION <functionname>
> <automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
> {noformat}
> And now the samples part:
> {noformat}
> GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user;
> => default functioning: when toto_user creates a table he will be automatically granted all permissions.
> GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
> => grant all permissions on the resource (table) created by toto_user in the keyspace toto_keyspace.
> GRANT SELECT ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
> => grant select permission on the resource (table) created by toto_user in the keyspace toto_keyspace.
> REVOKE ALL PERMISSIONS ON KEYSPACE toto_keyspace FROM toto_user;
> => default functioning: toto_user will not be able to do anything on the keyspace toto_keyspace.
> REVOKE AUTHORIZE PERMISSION ON KEYSPACE toto_keyspace FROM toto_user WHEN CREATE TABLE;
> => revoke authorize permission on the resource (table) created by toto_user in the keyspace toto_keyspace.
> REVOKE DROP PERMISSION ON ALL KEYSPACES FROM toto_user WHEN CREATE ROLE;
> => revoke drop permission on the resource (role) created by toto_user in the keyspace toto_keyspace.
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
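The default auto-grant path the report describes, walked through as CQL a superuser would run against a Cassandra 3.x node with `PasswordAuthenticator` and `CassandraAuthorizer` enabled in cassandra.yaml. This is an added example and is not part of the JIRA issue or of Cassandra itself; the role `toto_user` and keyspace `toto_keyspace` come from the report, while the table name `events`, the password and the replication settings are assumed for illustration. The proposed `WHEN CREATE` clause is deliberately left out, because no released Cassandra version parses it; the block shows only what works today, including the after-the-fact REVOKE that the issue wants to make unnecessary.

```sql
-- Added example (not from the issue): exercise Cassandra 3.x's default
-- auto-grant on CREATE TABLE. Assumes authenticator: PasswordAuthenticator and
-- authorizer: CassandraAuthorizer in cassandra.yaml. Run the superuser parts
-- as cassandra (or another superuser); names other than toto_user and
-- toto_keyspace are assumed.

-- Superuser: keyspace, role, and the single explicit privilege.
CREATE KEYSPACE IF NOT EXISTS toto_keyspace
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};

CREATE ROLE IF NOT EXISTS toto_user WITH PASSWORD = 'change-me' AND LOGIN = true;

-- The only thing the superuser hands out by hand: CREATE on the keyspace,
-- which is what allows toto_user to CREATE TABLE inside it.
GRANT CREATE ON KEYSPACE toto_keyspace TO toto_user;

-- Baseline before any table exists: the role holds CREATE on the keyspace
-- and nothing else.
LIST ALL PERMISSIONS OF toto_user;

-- A REVOKE on a table that does not exist yet fails, which is the limitation
-- the report calls out (the resource must exist before permissions on it can
-- be revoked):
-- REVOKE AUTHORIZE ON toto_keyspace.events FROM toto_user;

-- As toto_user (for example: cqlsh -u toto_user -p change-me):
CREATE TABLE toto_keyspace.events (id uuid PRIMARY KEY, payload text);

-- Back as the superuser: the creator now holds ALTER, DROP, SELECT, MODIFY
-- and AUTHORIZE on the new table without any GRANT having been issued.
-- AUTHORIZE is the one to watch: it lets toto_user grant other roles access
-- to the table.
LIST ALL PERMISSIONS ON toto_keyspace.events OF toto_user;

-- Today the only way to trim that set is after the fact, one table at a time.
REVOKE AUTHORIZE ON toto_keyspace.events FROM toto_user;
REVOKE DROP ON toto_keyspace.events FROM toto_user;

-- Confirm the remaining set is ALTER, SELECT, MODIFY.
LIST ALL PERMISSIONS ON toto_keyspace.events OF toto_user;
```

Two practical points follow from the block. First, the auto-grant only happens when `CassandraAuthorizer` is the configured authorizer; with `AllowAllAuthorizer` there are no permissions to grant or revoke at all. Second, because the REVOKE can only run once the table exists, there is a window between the creator's CREATE TABLE and the administrator's REVOKE during which the creator already holds AUTHORIZE and can hand the table to other roles; that window is the gap the `WHEN CREATE` proposal above is trying to close.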
