Posted to commits@cassandra.apache.org by "Shailaja Koppu (Jira)" <ji...@apache.org> on 2022/11/04 17:45:00 UTC
[jira] [Created] (CASSANDRA-18018) List permissions output for superuser after grant command is not correct
Shailaja Koppu created CASSANDRA-18018:
------------------------------------------
Summary: List permissions output for superuser after grant command is not correct
Key: CASSANDRA-18018
URL: https://issues.apache.org/jira/browse/CASSANDRA-18018
Project: Cassandra
Issue Type: Bug
Components: Feature/Authorization
Reporter: Shailaja Koppu
Running local Cassandra with below config:
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
role_manager: CassandraRoleManager
network_authorizer: CassandraNetworkAuthorizer
Created a super user and then ran *Grant select* command on a keyspace.
shaadmin1@cqlsh> CREATE USER 'shaadmin1c1' WITH PASSWORD 'shaadmin1c1' SUPERUSER;
shaadmin1@cqlsh:system_auth> grant select on testk1.t1 to shaadmin1c1;
shaadmin1@cqlsh:system_auth> alter role shaadmin1c1 with access to all datacenters;
After this, the list permissions command shows only the select permission for that role on the resource.
shaadmin1c1@cqlsh> list all permissions of shaadmin1c1;
role | username | resource | permission
-------------+-------------+-------------------+------------
shaadmin1c1 | shaadmin1c1 | <table testk1.t1> | SELECT
Row in role_permissions table:
role | resource | permissions
-------------+-------------------+--------------------------------------------------------------
shaadmin1c1 | data/testk1/t1 | {'SELECT'}
But an insert command by that role on the resource is successful because the role is a super user.
shaadmin1c1@cqlsh> insert into testk1.t1 (c1, c2) values ('a', 1);
shaadmin1c1@cqlsh> select * from testk1.t1 ;
c1 | c2
----+----
a | 1
(1 rows)
The problem is that the output of the list permissions command, which indicates only the select permission on the resource, is misleading. I think the list command needs to be fixed to show all permissions a super user has on the resource. Also, the grant command for a super user can be either a no-op or throw an error, because the role already has the requested permissions.
The documentation is also misleading:
"True automatically grants AUTHORIZE, CREATE and DROP permission on ALL ROLES.
Superusers can only manage roles by default. To manage other resources, *you must grant the permission set to that resource.* For example, to allow access management for all keyspaces: GRANT ALL PERMISSIONS ON ALL KEYSPACES TO role_name."
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
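An added audit sketch, not part of the original report and not Cassandra's own code: it walks constructed rows shaped like system_auth.roles and system_auth.role_permissions and flags grants whose listed permissions understate what a superuser role can actually do. The roles other than shaadmin1c1, the table-level permission set, and the treatment of superuser status as inherited through granted roles are assumptions of this example.

```python
# Added example: audit sketch over constructed rows shaped like
# system_auth.roles and system_auth.role_permissions.
# ASSUMPTION: permissions applicable to a table resource.
TABLE_PERMISSIONS = frozenset({"ALTER", "DROP", "SELECT", "MODIFY", "AUTHORIZE"})

# Constructed sample data. shaadmin1c1 and data/testk1/t1 come from the report;
# ops_admin, reporting and app_ro are hypothetical roles.
ROLES = {
    "shaadmin1c1": {"is_superuser": True, "member_of": set()},
    "ops_admin": {"is_superuser": True, "member_of": set()},
    "reporting": {"is_superuser": False, "member_of": {"ops_admin"}},
    "app_ro": {"is_superuser": False, "member_of": set()},
}
ROLE_PERMISSIONS = [
    ("shaadmin1c1", "data/testk1/t1", {"SELECT"}),
    ("reporting", "data/testk1/t1", {"SELECT"}),
    ("app_ro", "data/testk1/t1", {"SELECT"}),
]


def has_superuser_status(role, roles, seen=None):
    """True if the role, or any role granted to it transitively, is a superuser."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return False  # unknown role or membership cycle
    seen.add(role)
    if roles[role]["is_superuser"]:
        return True
    return any(has_superuser_status(parent, roles, seen)
               for parent in roles[role]["member_of"])


def misleading_grants(roles, role_permissions, applicable=TABLE_PERMISSIONS):
    """Return (role, resource, listed, hidden) for each stored grant that
    understates effective access because the role has superuser status."""
    findings = []
    for role, resource, listed in role_permissions:
        if has_superuser_status(role, roles):
            hidden = applicable - set(listed)
            if hidden:
                findings.append((role, resource, sorted(listed), sorted(hidden)))
    return findings


if __name__ == "__main__":
    for role, resource, listed, hidden in misleading_grants(ROLES, ROLE_PERMISSIONS):
        print(f"{role} on {resource}: listed {listed}, also effective {hidden}")
```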