You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@cassandra.apache.org by Jonathan Koppenhofer <jo...@koppedomain.com> on 2021/06/08 18:58:20 UTC

Turn off automatic granting

Hi,

In a highly managed environment "automatics granting" (
https://cassandra.apache.org/doc/latest/cql/security.html#automatic-granting)
may not always be desirable. Is there any way to turn this off? Or what
have people done to work around cases where they don't want this.

Some use cases:
- We may have a user that can create schema, but don't want that user to
allow authorization to that resource
- the user already has keyspace permissions, and we don't want it
duplicated at the table level if they create a table.

Thanks

Re: Turn off automatic granting

Posted by Jonathan Koppenhofer <jo...@koppedomain.com>.

Looks like this is already logged at CASSANDRA-11305
<https://issues.apache.org/jira/browse/CASSANDRA-11305>. I will comment
there. I'd be interested if others have feedback.

On Wed, Jun 9, 2021 at 9:32 AM Jonathan Koppenhofer <jo...@koppedomain.com>
wrote:

> Thanks!
>
> I'll put in a Jira to make this configurable. Maybe submit a patch if I
> can find time.
>
> On Tue, Jun 8, 2021, 6:49 PM Erick Ramirez <er...@datastax.com>
> wrote:
>
>> There's definitely a case for separation of duties. For example, admin
>> roles who have DDL permissions should not have DML access. To achieve this,
>> you'll need to manage the permissions at a granular level and revoke
>> permissions from the role. Cheers!
>>
>>>

Re: Turn off automatic granting

Posted by Jonathan Koppenhofer <jo...@koppedomain.com>.

Thanks!

I'll put in a Jira to make this configurable. Maybe submit a patch if I can
find time.

On Tue, Jun 8, 2021, 6:49 PM Erick Ramirez <er...@datastax.com>
wrote:

> There's definitely a case for separation of duties. For example, admin
> roles who have DDL permissions should not have DML access. To achieve this,
> you'll need to manage the permissions at a granular level and revoke
> permissions from the role. Cheers!
>
>>

Re: Turn off automatic granting

Posted by Erick Ramirez <er...@datastax.com>.

There's definitely a case for separation of duties. For example, admin
roles who have DDL permissions should not have DML access. To achieve this,
you'll need to manage the permissions at a granular level and revoke
permissions from the role. Cheers!

>