Return-Path: Delivered-To: apmail-incubator-cassandra-user-archive@minotaur.apache.org Received: (qmail 84790 invoked from network); 12 Nov 2009 16:21:23 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 12 Nov 2009 16:21:23 -0000 Received: (qmail 6508 invoked by uid 500); 12 Nov 2009 16:21:22 -0000 Delivered-To: apmail-incubator-cassandra-user-archive@incubator.apache.org Received: (qmail 6494 invoked by uid 500); 12 Nov 2009 16:21:22 -0000 Mailing-List: contact cassandra-user-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: cassandra-user@incubator.apache.org Delivered-To: mailing list cassandra-user@incubator.apache.org Received: (qmail 6485 invoked by uid 99); 12 Nov 2009 16:21:22 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 12 Nov 2009 16:21:22 +0000 X-ASF-Spam-Status: No, hits=2.6 required=10.0 tests=RCVD_NUMERIC_HELO,SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of gcdcu-cassandra-user@m.gmane.org designates 80.91.229.12 as permitted sender) Received: from [80.91.229.12] (HELO lo.gmane.org) (80.91.229.12) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 12 Nov 2009 16:21:13 +0000 Received: from list by lo.gmane.org with local (Exim 4.50) id 1N8cPe-0006VK-R0 for cassandra-user@incubator.apache.org; Thu, 12 Nov 2009 17:20:46 +0100 Received: from 38.98.147.130 ([38.98.147.130]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Thu, 12 Nov 2009 17:20:46 +0100 Received: from tzz by 38.98.147.130 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Thu, 12 Nov 2009 17:20:46 +0100 X-Injected-Via-Gmane: http://gmane.org/ To: cassandra-user@incubator.apache.org From: Ted Zlatanov Subject: Re: Cassandra access control Date: Thu, 12 Nov 2009 10:20:14 -0600 Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos Lines: 53 Message-ID: <87639fr9z5.fsf@lifelogs.com> References: <87eio6p7pb.fsf@lifelogs.com> <87hbt1nnur.fsf@lifelogs.com> <764B352CF55C514F816B4B14BD2450D803DBB97B@bcs-mail04.internal.cacheflow.com> <9c50e66d0911111429n1f23c01ct7a0d3afef3d0a6f6@mail.gmail.com> <13FB79D2-F083-46D0-BD2A-02F915144322@joestump.net> <20091112001409.GC12953@alumni.caltech.edu> <878webssu6.fsf_-_@lifelogs.com> <87iqdfrba9.fsf@lifelogs.com> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: 38.98.147.130 X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6;d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT= D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx" User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1.50 (gnu/linux) Cancel-Lock: sha1:4ryENM0oIPxZpMeWDURY2tY1WOQ= Sender: news X-Virus-Checked: Checked by ClamAV on apache.org On Thu, 12 Nov 2009 10:06:02 -0600 Jonathan Ellis wrote: JE> 2009/11/12 Ted Zlatanov : JE> The default should definitely be, "don't break people who don't need JE> the new feature more than necessary." �So the default should be JE> "accept any client to any keyspace." >> >> Hmm, I thought we were going to limit access to a single keyspace upon >> login. �You want to keep allowing multiple keyspaces? �That would leave >> the existing API intact (only adding a login function) but requires an >> extra authorization check every time a keyspace is given. �Do we expire >> authorizations after a certain time? JE> If this is going to 0.5 we should keep the existing API intact since JE> we are very late in the 0.5 cycle (so, it's up to you if you need this JE> in 0.5). But ultimately we want to drop the keyspace args in which JE> case the no-auth-configured behavior is that you still send an auth JE> method call but the auth accepts whatever it is given. I see. So I'm adding a login() in 0.5 but keeping the Keyspace parameters everywhere. If the user has authenticated via login(), the Keyspace logged in will be checked against the specified Keyspace (and exceptions thrown if they don't match). Otherwise, no check is done. This keeps the current API and behavior intact but adds the desired functionality. The exception will point the user to the problem immediately. For versions after 0.5, the current API calls with the Keyspace parameter will be removed in favor of versions without it. login() will be required to specify the Keyspace regardless of whether authentication is done or not. The only expected security exception here comes from login(). Once you're authorized, the grant doesn't expire. If you're OK with all this I'll put together a full proposal in the Jira ticket and start working on a patch to: - add the login() method - add an authentication+authorization interface called in the right places in 0.5 - implement that interface: provide a XML backend and a LDAP backend (no JAAS). Also, a AllowAll backend will be provided. - add the configuration file stanza to point to the authentication+authorization module to be used. Make AllowAll the default auth backend there. - document all the changes Thanks Ted