Posted to user@cassandra.apache.org by Aaron Ploetz <aa...@gmail.com> on 2022/06/23 18:50:05 UTC

Guardrails in Cassandra 4.1 Alpha

So I'm trying to test out the guardrails in 4.1-alpha.  I've set
allow_filtering_enabled: false, but it doesn't seem to care (I can still
use it).

> SELECT release_version FROM system.local;
 release_version
---------------------
 4.1-alpha1-SNAPSHOT

(1 rows)

> SELECT * FROM system_views.settings WHERE name='allow_filtering_enabled';
 name                    | value
-------------------------+-------
 allow_filtering_enabled | false

(1 rows)

> SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW
FILTERING;
 id   | genre              | title
------+--------------------+-----------------
 1396 | Crime|Drama|Sci-Fi | Sneakers (1992)

(1 rows)

Is there like some main "guardrails enabled" setting that I missed?

Thanks,

Aaron

Re: Guardrails in Cassandra 4.1 Alpha

Posted by Laxmikant Upadhyay <la...@gmail.com>.
This feature should have been introduced long ago and ideally to 3.x.
Many times we spent a lot of time investigating the issue for a slow cluster
because some developer ran some ad hoc bad query which caused the issue.

On Thu, Jun 23, 2022 at 8:56 PM Durity, Sean R <SE...@homedepot.com>
wrote:

> I’m not afraid to admit that I LOVE this feature. Exactly what a data
> engine should be able to do – stop bad behavior.
>
>
>
> Sean R. Durity
>
>
>
> *From:* Aaron Ploetz <aa...@gmail.com>
> *Sent:* Thursday, June 23, 2022 3:22 PM
> *To:* user@cassandra.apache.org
> *Subject:* [EXTERNAL] Re: Guardrails in Cassandra 4.1 Alpha
>
>
>
> Ahh...yes, my default "aaron" user is indeed a SUPERUSER.
>
>
>
> Ok, so I created a new, non-superuser and tried again...
>
>
>
> > SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW
> FILTERING;
> InvalidRequest: Error from server: code=2200 [Invalid query]
> message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING
> is not allowed"
>
>
>
> Thank you for the quick response, Andres!
>
>
>
> On Thu, Jun 23, 2022 at 2:14 PM Andrés de la Peña <ad...@apache.org>
> wrote:
>
> Hi Aaron,
>
>
>
> Guardrails are not applied to superusers. The default user is a superuser,
> so to see guardrails in action you need to create and use a user that is
> not a superuser.
>
>
>
> You can do that by setting, for example, these properties on
> cassandra.yaml:
>
>
>
> authenticator: PasswordAuthenticator
>
> authorizer: CassandraAuthorizer
>
>
>
> Then you can login with cqlsh using the default superuser and create a
> regular user with the adequate permissions. For example:
>
>
>
> bin/cqlsh -u cassandra -p cassandra
> > CREATE USER test WITH PASSWORD 'test';
> > GRANT SELECT ON ALL KEYSPACES TO test;
> bin/cqlsh -u test -p test
>
> > SELECT * FROM stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW
> FILTERING;
>
> InvalidRequest: Error from server: code=2200 [Invalid query]
> message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING
> is not allowed"
>
>
>
> Finally, that particular guardrail isn't applied to system tables, so it
> would still allow filtering on the system.local and system_views.settings
> tables, but not in stackoverflow.movies.
>
> I hope this helps.
>
>
>
> On Thu, 23 Jun 2022 at 19:51, Aaron Ploetz <aa...@gmail.com> wrote:
>
> So I'm trying to test out the guardrails in 4.1-alpha.  I've set
> allow_filtering_enabled: false, but it doesn't seem to care (I can still
> use it).
>
>
> > SELECT release_version FROM system.local;
>  release_version
> ---------------------
>  4.1-alpha1-SNAPSHOT
>
> (1 rows)
>
>
>
> > SELECT * FROM system_views.settings WHERE name='allow_filtering_enabled';
>  name                    | value
> -------------------------+-------
>  allow_filtering_enabled | false
>
> (1 rows)
>
> > SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW
> FILTERING;
>  id   | genre              | title
> ------+--------------------+-----------------
>  1396 | Crime|Drama|Sci-Fi | Sneakers (1992)
>
> (1 rows)
>
> Is there like some main "guardrails enabled" setting that I missed?
>
>
>
> Thanks,
>
>
> Aaron
>
>
>
>
>
>
>

-- 

regards,
Laxmikant Upadhyay

RE: Guardrails in Cassandra 4.1 Alpha

Posted by "Durity, Sean R" <SE...@homedepot.com>.
I'm not afraid to admit that I LOVE this feature. Exactly what a data engine should be able to do - stop bad behavior.

Sean R. Durity

From: Aaron Ploetz <aa...@gmail.com>
Sent: Thursday, June 23, 2022 3:22 PM
To: user@cassandra.apache.org
Subject: [EXTERNAL] Re: Guardrails in Cassandra 4.1 Alpha

Ahh...yes, my default "aaron" user is indeed a SUPERUSER.

Ok, so I created a new, non-superuser and tried again...

> SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW FILTERING;
InvalidRequest: Error from server: code=2200 [Invalid query] message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING is not allowed"

Thank you for the quick response, Andres!

On Thu, Jun 23, 2022 at 2:14 PM Andrés de la Peña <ad...@apache.org> wrote:
Hi Aaron,

Guardrails are not applied to superusers. The default user is a superuser, so to see guardrails in action you need to create and use a user that is not a superuser.

You can do that by setting, for example, these properties on cassandra.yaml:

authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

Then you can login with cqlsh using the default superuser and create a regular user with the adequate permissions. For example:

bin/cqlsh -u cassandra -p cassandra
> CREATE USER test WITH PASSWORD 'test';
> GRANT SELECT ON ALL KEYSPACES TO test;
bin/cqlsh -u test -p test
> SELECT * FROM stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW FILTERING;
InvalidRequest: Error from server: code=2200 [Invalid query] message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING is not allowed"

Finally, that particular guardrail isn't applied to system tables, so it would still allow filtering on the system.local and system_views.settings tables, but not in stackoverflow.movies.

I hope this helps.

On Thu, 23 Jun 2022 at 19:51, Aaron Ploetz <aa...@gmail.com> wrote:
So I'm trying to test out the guardrails in 4.1-alpha.  I've set allow_filtering_enabled: false, but it doesn't seem to care (I can still use it).

> SELECT release_version FROM system.local;
 release_version
---------------------
 4.1-alpha1-SNAPSHOT

(1 rows)

> SELECT * FROM system_views.settings WHERE name='allow_filtering_enabled';
 name                    | value
-------------------------+-------
 allow_filtering_enabled | false

(1 rows)

> SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW FILTERING;
 id   | genre              | title
------+--------------------+-----------------
 1396 | Crime|Drama|Sci-Fi | Sneakers (1992)

(1 rows)

Is there like some main "guardrails enabled" setting that I missed?

Thanks,

Aaron




Re: Guardrails in Cassandra 4.1 Alpha

Posted by Aaron Ploetz <aa...@gmail.com>.
Ahh...yes, my default "aaron" user is indeed a SUPERUSER.

Ok, so I created a new, non-superuser and tried again...

> SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW
FILTERING;
InvalidRequest: Error from server: code=2200 [Invalid query]
message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING
is not allowed"

Thank you for the quick response, Andres!

On Thu, Jun 23, 2022 at 2:14 PM Andrés de la Peña <ad...@apache.org>
wrote:

> Hi Aaron,
>
> Guardrails are not applied to superusers. The default user is a superuser,
> so to see guardrails in action you need to create and use a user that is
> not a superuser.
>
> You can do that by setting, for example, these properties on
> cassandra.yaml:
>
> authenticator: PasswordAuthenticator
> authorizer: CassandraAuthorizer
>
> Then you can login with cqlsh using the default superuser and create a
> regular user with the adequate permissions. For example:
>
> bin/cqlsh -u cassandra -p cassandra
> > CREATE USER test WITH PASSWORD 'test';
> > GRANT SELECT ON ALL KEYSPACES TO test;
> bin/cqlsh -u test -p test
> > SELECT * FROM stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW
> FILTERING;
> InvalidRequest: Error from server: code=2200 [Invalid query]
> message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING
> is not allowed"
>
> Finally, that particular guardrail isn't applied to system tables, so it
> would still allow filtering on the system.local and system_views.settings
> tables, but not in stackoverflow.movies.
>
> I hope this helps.
>
> On Thu, 23 Jun 2022 at 19:51, Aaron Ploetz <aa...@gmail.com> wrote:
>
>> So I'm trying to test out the guardrails in 4.1-alpha.  I've set
>> allow_filtering_enabled: false, but it doesn't seem to care (I can still
>> use it).
>>
>> > SELECT release_version FROM system.local;
>>  release_version
>> ---------------------
>>  4.1-alpha1-SNAPSHOT
>>
>> (1 rows)
>>
>> > SELECT * FROM system_views.settings WHERE
>> name='allow_filtering_enabled';
>>  name                    | value
>> -------------------------+-------
>>  allow_filtering_enabled | false
>>
>> (1 rows)
>>
>> > SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW
>> FILTERING;
>>  id   | genre              | title
>> ------+--------------------+-----------------
>>  1396 | Crime|Drama|Sci-Fi | Sneakers (1992)
>>
>> (1 rows)
>>
>> Is there like some main "guardrails enabled" setting that I missed?
>>
>> Thanks,
>>
>> Aaron
>>
>>

Re: Guardrails in Cassandra 4.1 Alpha

Posted by Andrés de la Peña <ad...@apache.org>.
Hi Aaron,

Guardrails are not applied to superusers. The default user is a superuser,
so to see guardrails in action you need to create and use a user that is
not a superuser.

You can do that by setting, for example, these properties on cassandra.yaml:

authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

Then you can login with cqlsh using the default superuser and create a
regular user with the adequate permissions. For example:

bin/cqlsh -u cassandra -p cassandra
> CREATE USER test WITH PASSWORD 'test';
> GRANT SELECT ON ALL KEYSPACES TO test;
bin/cqlsh -u test -p test
> SELECT * FROM stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW
FILTERING;
InvalidRequest: Error from server: code=2200 [Invalid query]
message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING
is not allowed"

Finally, that particular guardrail isn't applied to system tables, so it
would still allow filtering on the system.local and system_views.settings
tables, but not in stackoverflow.movies.

I hope this helps.

On Thu, 23 Jun 2022 at 19:51, Aaron Ploetz <aa...@gmail.com> wrote:

> So I'm trying to test out the guardrails in 4.1-alpha.  I've set
> allow_filtering_enabled: false, but it doesn't seem to care (I can still
> use it).
>
> > SELECT release_version FROM system.local;
>  release_version
> ---------------------
>  4.1-alpha1-SNAPSHOT
>
> (1 rows)
>
> > SELECT * FROM system_views.settings WHERE name='allow_filtering_enabled';
>  name                    | value
> -------------------------+-------
>  allow_filtering_enabled | false
>
> (1 rows)
>
> > SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW
> FILTERING;
>  id   | genre              | title
> ------+--------------------+-----------------
>  1396 | Crime|Drama|Sci-Fi | Sneakers (1992)
>
> (1 rows)
>
> Is there like some main "guardrails enabled" setting that I missed?
>
> Thanks,
>
> Aaron
>
>
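
Added example (not part of the original thread and not Cassandra's own code): since guardrails are not applied to superusers, a useful audit is to list every login-capable role that is effectively a superuser and therefore bypasses them. The rows below are constructed in the shape of `SELECT role, is_superuser, can_login, member_of FROM system_auth.roles;`; only the `cassandra` and `test` role names come from the thread, and the check assumes superuser status is inherited through granted roles.

```python
"""Flag login roles that Cassandra guardrails will not restrain."""

# Constructed sample rows (not real cluster output). "dba", "ops" and
# "etl_job" are hypothetical roles added to show inherited superuser status.
SAMPLE_ROLES = [
    {"role": "cassandra", "is_superuser": True, "can_login": True, "member_of": None},
    {"role": "test", "is_superuser": False, "can_login": True, "member_of": None},
    {"role": "dba", "is_superuser": True, "can_login": False, "member_of": None},
    {"role": "ops", "is_superuser": False, "can_login": False, "member_of": {"dba"}},
    {"role": "etl_job", "is_superuser": False, "can_login": True, "member_of": {"ops"}},
]


def effective_superuser(role, roles_by_name, _seen=None):
    """Return True if the role, or any role granted to it, is a superuser.

    Assumption: superuser status is inherited transitively via member_of.
    The _seen set guards against membership cycles in malformed input.
    """
    seen = set() if _seen is None else _seen
    if role in seen or role not in roles_by_name:
        return False
    seen.add(role)
    row = roles_by_name[role]
    if row["is_superuser"]:
        return True
    # member_of is NULL (None) for roles with no grants.
    parents = row["member_of"] or ()
    return any(effective_superuser(p, roles_by_name, seen) for p in parents)


def guardrail_exempt_logins(rows):
    """Names of roles that can log in and are exempt from guardrails."""
    by_name = {r["role"]: r for r in rows}
    return sorted(
        r["role"]
        for r in rows
        if r["can_login"] and effective_superuser(r["role"], by_name)
    )


if __name__ == "__main__":
    for name in guardrail_exempt_logins(SAMPLE_ROLES):
        print(f"guardrails bypassed for login role: {name}")
```

Application credentials should not appear in this list; a role such as `test` from the thread, with only `GRANT SELECT`, is the kind that guardrails actually constrain.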