cassandra-user mailing list archives

From Ted Zlatanov <...@lifelogs.com>
Subject Cassandra access control (was: bandwidth limiting Cassandra's replication and access control)
Date Thu, 12 Nov 2009 15:46:19 GMT
On Wed, 11 Nov 2009 14:59:04 -0800 "Coe, Robin" <robin.coe@bluecoat.com> wrote: 

CR> Java's policy manager controls access to environment variables and
CR> code execution.  All a JAAS service provides is a hook to pass a
CR> user's principal to the security manager.  So, the only
CR> authorization you can provide at that level is code executed by the
CR> Principal.  This doesn't include access via the Thrift API, since
CR> that code is owned by the user who started the Cassandra service.

This is my understanding from the JAAS docs and tutorials: with the JNDI
JAAS module, you can pass a user name and a password as properties
instead of relying on the current user.  Then you can grant access to
various resources, not just the default set (file/process resources).
This is what I was hoping to use.  The Kerberos and Unix JAAS modules
are definitely not useful because they rely on the current user, yes.

If JAAS is not going to work, I'll just do an LDAP backend directly.  It
would cover over 95% of the setups out there and it's not too hard to
implement with JNDI calls.  I hope it's not necessary to go that route.
WDYT?

Ted
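
The direct LDAP backend mentioned in the message above, as an added example that is not part of the original message or of Cassandra's code: authentication by JNDI simple bind, with the two checks such a backend needs (rejecting empty passwords and escaping the user name in the bind DN). The class name, the `uid=` attribute, the host and the base DN are assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

public class LdapBindAuthenticator {
    private final String providerUrl; // assumed, e.g. ldaps://ldap.example.com:636
    private final String userBaseDn;  // assumed, e.g. ou=people,dc=example,dc=com

    public LdapBindAuthenticator(String providerUrl, String userBaseDn) {
        this.providerUrl = providerUrl;
        this.userBaseDn = userBaseDn;
    }

    // Rdn.escapeValue neutralises DN metacharacters (',', '=', '+', ...) in the user name.
    static String bindDn(String user, String baseDn) {
        return "uid=" + Rdn.escapeValue(user) + "," + baseDn;
    }

    public boolean authenticate(String user, char[] password) throws NamingException {
        // An empty password turns a simple bind into an unauthenticated bind
        // (RFC 4513, section 5.1.2) that many servers accept, so refuse it up front.
        if (user == null || user.isEmpty() || password == null || password.length == 0) {
            return false;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl); // ldaps:// keeps the password off the wire in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn(user, userBaseDn));
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            DirContext ctx = new InitialDirContext(env); // the bind happens here
            ctx.close();
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong credentials; other NamingExceptions propagate
        }
    }

    public static void main(String[] args) throws NamingException {
        String base = "ou=people,dc=example,dc=com"; // constructed sample values
        LdapBindAuthenticator auth = new LdapBindAuthenticator("ldaps://ldap.example.com:636", base);
        System.out.println(bindDn("ted,ou=admins", base));         // escaped, stays one RDN
        System.out.println(auth.authenticate("ted", new char[0])); // rejected without a network call
    }
}
```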

