cassandra-user mailing list archives

From Laxmikant Upadhyay <laxmikant....@gmail.com>
Subject Re: What is the safest way to enable authorization?
Date Thu, 09 May 2019 07:33:00 GMT
One trick could be:

Before enabling authorization
1. Give user1 superuser permission temporarily by logging in with
cassandra user
        ALTER ROLE user1 with SUPERUSER=true;
2. Enable authorization and grant permission to user1 for specific operation

        GRANT SELECT ON ALL KEYSPACES TO user1;

4. Now remove superuser permission from user1
        ALTER ROLE user1 with SUPERUSER=false;

On Thu, May 9, 2019 at 12:34 PM Laxmikant Upadhyay <laxmikant.hcl@gmail.com>
wrote:

> I think you will get the below exception while executing GRANT with
> AllowAllAuthorizer
> ServerError: java.lang.UnsupportedOperationException: GRANT operation is
> not supported by AllowAllAuthorizer
>
>
>
> On Thu, May 9, 2019 at 12:07 PM Devaki, Srinivas <me@eightnoteight.space>
> wrote:
>
>> Hi,
>>
>> before changing the configuration from `AllowAllAuthorizer` to
>> `CassandraAuthorizer`, you need to grant enough permissions to the user
>> that allow all the accessed tables by that user. I think that should fix
>> the problem.
>>
>> Thanks
>>
>> On Thu, May 9, 2019 at 12:02 PM Laxmikant Upadhyay <
>> laxmikant.hcl@gmail.com> wrote:
>>
>>> Let's say I have a 3 node cluster on 3.11.4 on which authentication is
>>> enabled but authorization is disabled. It has one non-super login user
>>> 'user1' and default super user 'cassandra'
>>> In cassandra.yaml
>>> authenticator: PasswordAuthenticator
>>> authorizer: AllowAllAuthorizer
>>>
>>> So to enable authorization we change the cassandra.yaml of a node
>>> 'node1' from
>>> authorizer: AllowAllAuthorizer
>>> TO
>>> authorizer: CassandraAuthorizer
>>>
>>> Your client application's db operations on node1 start failing as soon
>>> as cassandra restarts on that node, with the below error, until you run the GRANT
>>> operation for user1 after connecting with the cassandra user:
>>> UnauthorizedException: User user1 has no SELECT permission on <table
>>> testtable>
>>>
>>> Is there a way to avoid this error at all in the above situation?
>>>
>>> --
>>>
>>> regards,
>>> Laxmikant Upadhyay
>>>
>>>
>
> --
>
> regards,
> Laxmikant Upadhyay
>
>

-- 

regards,
Laxmikant Upadhyay
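
The sequence from the reply above, written out as a cqlsh runbook with a verification query after each change. This is an added example, not part of the original message; the role names user1 and cassandra come from the thread, and the keyspace name app_ks in the commented alternative is hypothetical.

```cql
-- Phase 1: every node still runs `authorizer: AllowAllAuthorizer`.
-- Connect as the default superuser 'cassandra'.
LIST ROLES;                                 -- user1 should show super = False
ALTER ROLE user1 WITH SUPERUSER = true;     -- temporary: superusers pass every permission check
LIST ROLES;                                 -- confirm user1 now shows super = True

-- Phase 2: on node1, change cassandra.yaml to
--     authorizer: CassandraAuthorizer
-- and restart node1. user1 keeps working there because it is a superuser.
-- Connect to node1 as 'cassandra'; a node still on AllowAllAuthorizer
-- rejects GRANT with the UnsupportedOperationException quoted in the thread.
GRANT SELECT ON ALL KEYSPACES TO user1;
-- Narrower alternative (app_ks is a hypothetical keyspace name):
-- GRANT SELECT ON KEYSPACE app_ks TO user1;
LIST ALL PERMISSIONS OF user1;              -- the grant must be listed before going on

-- Phase 3: only after the grant is confirmed, drop the temporary privilege.
ALTER ROLE user1 WITH SUPERUSER = false;
LIST ROLES;                                 -- user1 back to super = False
```

Until the last statement runs, user1 can do anything on the cluster, so keep the window short and check LIST ROLES at the end to confirm the privilege was removed.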
