To: cassandra-user@incubator.apache.org
From: Ted Zlatanov
Subject: Re: Cassandra access control
Date: Wed, 02 Dec 2009 08:52:41 -0600

On Tue, 01 Dec 2009 16:58:50 -0600 Eric Evans wrote:

EE> On Tue, 2009-12-01 at 15:38 -0600, Ted Zlatanov wrote:
>> I disagree, why would you want to forbid switching the keyspace? That's
>> turning off a currently working feature. Also, connections are not
>> free, especially across WAN links.

EE> Because it makes a mess out of an API that already confuses people. And
EE> again, I posit that this is a corner case, something that very few
EE> people will actually want to do. We should be optimizing for the common
EE> case.

On Tue, 1 Dec 2009 17:13:24 -0600 Jonathan Ellis wrote:

JE> It's a currently working feature that (a) only exists in the first
JE> place because it was less bad than postponing 0.4 until we could add
JE> something like this auth feature, and (b) is of entirely theoretical
JE> benefit in the sense that nobody who wants to keep it actually has an
JE> app using it, to the best of my knowledge.

JE> Let's correct our error, and only add functionality that we know is
JE> really needed -- and even then, only if the benefit outweighs the
JE> complexity price -- rather than waving our hands and saying "maybe
JE> someone will need it, someday." That way leads to clutter and bloat.

OK. So what should the API be? Just one method, as Robin suggested?

    void login( Map credentials, String keyspace ) throws AuthenticationException, AuthorizationException

In this model the backend would still have login() and
setKeyspace()/getKeyspace() separately to distinguish between
authentication and authorization but the frontend API would merge them.

This means the keyspace parameter will be removed from all the current
Thrift API calls and applications will need to remember what keyspace
they requested. It will definitely not make 0.5.

Let me know if this is OK and I'll prepare a new patch.

Thanks
Ted
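
The model described in the message above, as an added Java sketch that is not part of the original post or of the Cassandra code base: the backend keeps authentication and authorization as separate steps, the frontend login() runs both, and later calls use the keyspace bound to the connection. The class name, the backendLogin() and get() helpers, the sample users and grants, and the Map<String, String> credentials type are all assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Added illustration: class name, users, passwords and keyspaces are constructed.
public class LoginSketch {
    static class AuthenticationException extends Exception {}
    static class AuthorizationException extends Exception {}

    // Stand-ins for a real credential store and a real per-keyspace grant table.
    static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret", "bob", "hunter2");
    static final Map<String, Set<String>> GRANTS =
        Map.of("alice", Set.of("Keyspace1"), "bob", Set.<String>of());

    private String user;      // set only by successful authentication
    private String keyspace;  // set only by successful authorization

    // Backend step 1, authentication: are these credentials valid?
    void backendLogin(Map<String, String> credentials) throws AuthenticationException {
        String u = credentials.get("username"), p = credentials.get("password");
        if (u == null || p == null || !p.equals(PASSWORDS.get(u))) throw new AuthenticationException();
        user = u;
    }

    // Backend step 2, authorization: may the authenticated user use this keyspace?
    void setKeyspace(String ks) throws AuthorizationException {
        if (user == null || !GRANTS.getOrDefault(user, Set.<String>of()).contains(ks))
            throw new AuthorizationException();
        keyspace = ks;
    }

    // Frontend call as proposed in the message: both steps in one request.
    public void login(Map<String, String> credentials, String ks)
            throws AuthenticationException, AuthorizationException {
        user = null; keyspace = null;  // any failure below leaves the connection unbound
        backendLogin(credentials);
        try { setKeyspace(ks); } catch (AuthorizationException e) { user = null; throw e; }
    }

    // Data calls take no keyspace argument; they use the one bound at login.
    public String get(String key) {
        if (keyspace == null) throw new IllegalStateException("login required");
        return keyspace + "/" + key;  // stand-in for a real read
    }

    public static void main(String[] args) throws Exception {
        LoginSketch conn = new LoginSketch();
        try { conn.login(Map.of("username", "alice", "password", "wrong"), "Keyspace1"); }
        catch (AuthenticationException e) { System.out.println("rejected: bad credentials"); }
        try { conn.login(Map.of("username", "bob", "password", "hunter2"), "Keyspace1"); }
        catch (AuthorizationException e) { System.out.println("rejected: no grant on keyspace"); }
        conn.login(Map.of("username", "alice", "password", "s3cret"), "Keyspace1");
        System.out.println(conn.get("row1"));
    }
}
```

Resetting the connection state at the start of login() means a failed re-login cannot leave the previous user's keyspace bound to the connection.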