cassandra-commits mailing list archives

From "Sam Tunnicliffe (JIRA)" <>
Subject [jira] [Commented] (CASSANDRA-13985) Support restricting reads and writes to specific datacenters on a per user basis
Date Wed, 08 Nov 2017 15:14:00 GMT


Sam Tunnicliffe commented on CASSANDRA-13985:

Postgres has something vaguely similar in its {{pg_hba.conf}}, which lets you restrict whether
clients can connect based on various criteria such as user, host, IP range, etc. To block
a user/role entirely you would just remove all of its entries in the config file. It's not
directly analogous as Postgres also supports multiple authn methods and obviously isn't distributed
so the restrictions apply to the single db server, but it is separating the access to the
service itself from the specifics of auth(n|z).

> Support restricting reads and writes to specific datacenters on a per user basis
> --------------------------------------------------------------------------------
>                 Key: CASSANDRA-13985
>                 URL:
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Blake Eggleston
>            Assignee: Blake Eggleston
>            Priority: Minor
> There are a few use cases where it makes sense to restrict the operations a given user
> can perform in specific data centers. The obvious use case is the production/analytics datacenter
> configuration. You don’t want the production user to be reading or writing to the analytics
> datacenter, and you don’t want the analytics user to be reading from the production datacenter.
> Although we expect users to get this right on that application level, we should also
> be able to enforce this at the database level. The first approach that comes to mind would
> be to support an optional DC parameter when granting select and modify permissions to roles.
> Something like {{GRANT SELECT ON some_keyspace TO that_user IN DC dc1}}, statements that omit
> the dc would implicitly be granting permission to all dcs. However, I’m not married to this

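An added illustration of the pg_hba.conf comparison made in the comment above (not part of the original message, and not PostgreSQL or Cassandra code): a simplified evaluator for "host" records showing that the first matching record decides and that a client with no matching record is refused. The role names, networks and function names are assumptions made for the example.

```python
import ipaddress

# Constructed pg_hba.conf-style rules (simplified subset: "host" records only,
# fields TYPE DATABASE USER ADDRESS METHOD). Roles and networks are hypothetical.
SAMPLE_HBA = """
# TYPE  DATABASE  USER        ADDRESS        METHOD
host    all       prod_app    10.1.0.0/16    scram-sha-256
host    all       analytics   10.2.0.0/16    scram-sha-256
host    all       analytics   10.1.0.0/16    reject
host    all       all         10.9.0.5/32    md5
"""

def parse_rules(text):
    """Return (database, user, network, method) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5 or fields[0] != "host":
            raise ValueError(f"unsupported record: {raw!r}")
        _, database, user, address, method = fields
        rules.append((database, user, ipaddress.ip_network(address), method))
    return rules

def decide(rules, database, user, client_ip):
    """First matching record wins; no matching record means the connection is refused."""
    addr = ipaddress.ip_address(client_ip)
    for db, role, network, method in rules:
        if db not in ("all", database):
            continue
        if role not in ("all", user):
            continue
        if addr in network:
            # "reject" refuses outright; any other value is the authn method to run next.
            return method
    return "reject"   # implicit default: no entry, no access

def without_role(rules, role):
    """Model of removing every record that names the given role."""
    return [r for r in rules if r[1] != role]
```

Removing a role's own records only blocks it where no wildcard ("all") record still matches the client, which the last sample rule is there to show.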