From: Jonathan Ellis
Date: Thu, 12 Nov 2009 10:50:41 -0600
Subject: Re: Cassandra access control
To: cassandra-user@incubator.apache.org

frameworks that do that should be shot.

On Thu, Nov 12, 2009 at 10:48 AM, Thorsten von Eicken wrote:
> +1
> It's not a lot of complexity and it doesn't throw sticks into frameworks
> that may model a conventional table as a keyspace.
>   Thorsten
>
> Jonathan Mischo wrote:
>>
>> Conditional +1 here:
>>
>> +1
>> IF the Keyspace parameter is optional in 0.6 forward, but not completely
>> eliminated
>> AND IF login() has an optional param for keyspace
>> AND IF the backend stores a list of keyspaces you're authorized to access
>> once you're authenticated if you don't specify a single keyspace you're
>> authenticating to (this should be very simple and lightweight)
>>
>> Does that all make sense?  The second note above is probably not strictly
>> necessary for 0.5, but it streamlines the third note, since in 90+% of
>> cases, you'll be working with a single keyspace and can save overhead by
>> just authenticating to that single keyspace.
>>
>> On Nov 12, 2009, at 10:20 AM, Ted Zlatanov wrote:
>>
>>> On Thu, 12 Nov 2009 10:06:02 -0600 Jonathan Ellis wrote:
>>>
>>> JE> 2009/11/12 Ted Zlatanov :
>>> JE> The default should definitely be, "don't break people who don't need
>>> JE> the new feature more than necessary."  So the default should be
>>> JE> "accept any client to any keyspace."
>>>>>
>>>>> Hmm, I thought we were going to limit access to a single keyspace upon
>>>>> login.  You want to keep allowing multiple keyspaces?  That would leave
>>>>> the existing API intact (only adding a login function) but requires an
>>>>> extra authorization check every time a keyspace is given.  Do we expire
>>>>> authorizations after a certain time?
>>>
>>> JE> If this is going to 0.5 we should keep the existing API intact since
>>> JE> we are very late in the 0.5 cycle (so, it's up to you if you need this
>>> JE> in 0.5).  But ultimately we want to drop the keyspace args in which
>>> JE> case the no-auth-configured behavior is that you still send an auth
>>> JE> method call but the auth accepts whatever it is given.
>>>
>>> I see.
>>>
>>> So I'm adding a login() in 0.5 but keeping the Keyspace parameters
>>> everywhere.  If the user has authenticated via login(), the Keyspace
>>> logged in will be checked against the specified Keyspace (and exceptions
>>> thrown if they don't match).  Otherwise, no check is done.  This keeps
>>> the current API and behavior intact but adds the desired functionality.
>>> The exception will point the user to the problem immediately.
>>>
>>> For versions after 0.5, the current API calls with the Keyspace
>>> parameter will be removed in favor of versions without it.  login() will
>>> be required to specify the Keyspace regardless of whether authentication
>>> is done or not.  The only expected security exception here comes from
>>> login().  Once you're authorized, the grant doesn't expire.
>>>
>>> If you're OK with all this I'll put together a full proposal in the Jira
>>> ticket and start working on a patch to:
>>>
>>> - add the login() method
>>>
>>> - add an authentication+authorization interface called in the right
>>>   places in 0.5
>>>
>>> - implement that interface: provide an XML backend and an LDAP backend (no
>>>   JAAS).  Also, an AllowAll backend will be provided.
>>>
>>> - add the configuration file stanza to point to the
>>>   authentication+authorization module to be used.  Make AllowAll the
>>>   default auth backend there.
>>>
>>> - document all the changes
>>>
>>> Thanks
>>> Ted
>>>
>>
>
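
The 0.5 behaviour proposed in the quoted text (an optional login(), a keyspace check only after login, AllowAll as the default backend), sketched as an added example. It is not code from the Cassandra project or from anyone in the thread, and every name in it (Authenticator, AllowAll, StaticList, Session, checkKeyspace) is hypothetical.

```java
import java.util.Map;
public class KeyspaceLoginSketch {
    /** Hypothetical auth interface; a backend throws SecurityException to refuse. */
    interface Authenticator {
        void login(String keyspace, Map<String, String> credentials);
    }
    /** Default backend from the proposal: accept any client to any keyspace. */
    static class AllowAll implements Authenticator {
        public void login(String keyspace, Map<String, String> credentials) { }
    }
    /** Constructed stand-in for the XML/LDAP backends (username match only, no password). */
    static class StaticList implements Authenticator {
        private final Map<String, String> userByKeyspace;
        StaticList(Map<String, String> userByKeyspace) { this.userByKeyspace = userByKeyspace; }
        public void login(String keyspace, Map<String, String> credentials) {
            String allowed = userByKeyspace.get(keyspace);
            if (allowed == null || !allowed.equals(credentials.get("username")))
                throw new SecurityException("login refused for keyspace " + keyspace);
        }
    }
    /** Per-connection state: the keyspace bound by login(), or null if never called. */
    static class Session {
        private final Authenticator auth;
        private String loggedInKeyspace;
        Session(Authenticator auth) { this.auth = auth; }

        void login(String keyspace, Map<String, String> credentials) {
            auth.login(keyspace, credentials); // throws before any state changes
            loggedInKeyspace = keyspace;       // the grant does not expire
        }

        /** Run at the top of every API call that still takes a Keyspace argument. */
        void checkKeyspace(String requested) {
            if (loggedInKeyspace == null) return; // no login(): existing behaviour kept
            if (!loggedInKeyspace.equals(requested))
                throw new SecurityException("logged in to " + loggedInKeyspace + ", not " + requested);
        }
    }

    public static void main(String[] args) {
        Session legacy = new Session(new AllowAll());
        legacy.checkKeyspace("Keyspace1");   // passes: this client never logged in
        Session s = new Session(new StaticList(Map.of("Keyspace1", "ted"))); // constructed data
        s.login("Keyspace1", Map.of("username", "ted"));
        s.checkKeyspace("Keyspace1");        // passes: matches the login
        try { s.checkKeyspace("Keyspace2"); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Under these 0.5 semantics a client that never calls login() is never checked, so a restrictive backend constrains only the clients that choose to authenticate; the post-0.5 plan in the thread, where login() is always required, closes that gap.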