Posted to user@cassandra.apache.org by Laxmikant Upadhyay <la...@gmail.com> on 2019/05/09 06:31:37 UTC

What is the safest way to enable authorization?

Let's say I have a 3 node cluster on 3.11.4  on which authentication is
enabled but authorization is disabled. It has one non-super login user
'user1' and default super user 'cassandra'
In cassandra.yaml
authenticator: PasswordAuthenticator
authorizer: AllowAllAuthorizer

So to enable authorization we change the cassandra.yaml of a node 'node1'
from
authorizer: AllowAllAuthorizer
TO
authorizer: CassandraAuthorizer

Your client application db operations on node1 start failing as soon as
Cassandra restarts on that node, with the below error, until you run a GRANT
operation for user1 after connecting with the cassandra user:
UnauthorizedException: User user1 has no SELECT permission on <table testtable>

Is there a way to avoid this error at all in the above situation?

-- 

regards,
Laxmikant Upadhyay

Re: What is the safest way to enable authorization?

Posted by Laxmikant Upadhyay <la...@gmail.com>.
One trick could be:

Before enabling authorization
1. Give user1 superuser permission temporarily by logging in with the
cassandra user
        ALTER ROLE user1 with SUPERUSER=true;
2. Enable authorization and grant permission to user1 for the specific operation
        GRANT SELECT ON ALL KEYSPACES TO user1;
3. Now remove superuser permission from user1
        ALTER ROLE user1 with SUPERUSER=false;

On Thu, May 9, 2019 at 12:34 PM Laxmikant Upadhyay <la...@gmail.com>
wrote:

> I think you will get the below exception while executing GRANT with
> AllowAllAuthorizer:
> ServerError: java.lang.UnsupportedOperationException: GRANT operation is not supported by AllowAllAuthorizer
>
>
>
> On Thu, May 9, 2019 at 12:07 PM Devaki, Srinivas <me...@eightnoteight.space>
> wrote:
>
>> Hi,
>>
>> before changing the configuration from `AllowAllAuthorizer` to
>> `CassandraAuthorizer`, you need to grant enough permissions to the user
>> that allow all the accessed tables by that user. I think that should fix
>> the problem.
>>
>> Thanks
>>
>> On Thu, May 9, 2019 at 12:02 PM Laxmikant Upadhyay <
>> laxmikant.hcl@gmail.com> wrote:
>>
>>> Let's say I have a 3 node cluster on 3.11.4  on which authentication is
>>> enabled but authorization is disabled. It has one non-super login user
>>> 'user1' and default super user 'cassandra'
>>> In cassandra.yaml
>>> authenticator: PasswordAuthenticator
>>> authorizer: AllowAllAuthorizer
>>>
>>> So to enable authorization we change the cassandra.yaml of a node
>>> 'node1' from
>>> authorizer: AllowAllAuthorizer
>>> TO
>>> authorizer: CassandraAuthorizer
>>>
>>> Your client application db operations on node1 start failing as soon
>>> as Cassandra restarts on that node, with the below error, until you run a
>>> GRANT operation for user1 after connecting with the cassandra user:
>>> UnauthorizedException: User user1 has no SELECT permission on <table testtable>
>>>
>>> Is there a way to avoid this error at all in the above situation?
>>>
>>> --
>>>
>>> regards,
>>> Laxmikant Upadhyay
>>>
>>>
>
> --
>
> regards,
> Laxmikant Upadhyay
>
>

-- 

regards,
Laxmikant Upadhyay
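
An added example, not part of the original thread: before the last step of the trick above (removing SUPERUSER from user1), the grants user1 holds can be compared with what the application needs, so the UnauthorizedException does not reappear. It assumes rows copied by hand from `LIST ALL PERMISSIONS OF user1;` in the resource format cqlsh prints, considers only grants made directly to the role (no role inheritance), and uses constructed keyspace and table names (ks1, ks2, audit, events).

```python
# Added example: pre-flight check of a role's grants before SUPERUSER is revoked.
# A grant on a keyspace, or on all keyspaces, also covers the tables below it.
import re

ALL_KS = "<all keyspaces>"

def parents(resource):
    """Yield the resource itself, then every ancestor a grant could sit on."""
    yield resource
    m = re.fullmatch(r"<table (\w+)\.(\w+)>", resource)
    if m:
        yield f"<keyspace {m.group(1)}>"
        yield ALL_KS
    elif re.fullmatch(r"<keyspace \w+>", resource):
        yield ALL_KS

def missing_grants(role, granted_rows, required):
    """Return the (resource, permission) pairs in `required` that no grant covers.

    granted_rows: (role, resource, permission) tuples copied from LIST output.
    required:     (resource, permission) pairs the application needs.
    """
    held = {(res, perm) for r, res, perm in granted_rows if r == role}
    return [
        (res, perm) for res, perm in required
        if not any((p, perm) in held for p in parents(res))
    ]

# Constructed sample data (not taken from the thread).
GRANTED = [
    ("user1", "<keyspace ks1>", "SELECT"),
    ("user1", "<table ks1.testtable>", "MODIFY"),
    ("other", "<all keyspaces>", "SELECT"),
]
REQUIRED = [
    ("<table ks1.testtable>", "SELECT"),  # covered by the keyspace-level grant
    ("<table ks1.testtable>", "MODIFY"),  # covered by the table-level grant
    ("<table ks1.audit>", "MODIFY"),      # not covered: SELECT only on ks1
    ("<table ks2.events>", "SELECT"),     # not covered: different keyspace
]

if __name__ == "__main__":
    for res, perm in missing_grants("user1", GRANTED, REQUIRED):
        print(f"user1 has no {perm} permission on {res}")
```

An empty result means every required pair is covered by a grant at table, keyspace or all-keyspaces level.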

Re: What is the safest way to enable authorization?

Posted by Laxmikant Upadhyay <la...@gmail.com>.
I think you will get the below exception while executing GRANT with
AllowAllAuthorizer:
ServerError: java.lang.UnsupportedOperationException: GRANT operation is not supported by AllowAllAuthorizer



On Thu, May 9, 2019 at 12:07 PM Devaki, Srinivas <me...@eightnoteight.space>
wrote:

> Hi,
>
> before changing the configuration from `AllowAllAuthorizer` to
> `CassandraAuthorizer`, you need to grant enough permissions to the user
> that allow all the accessed tables by that user. I think that should fix
> the problem.
>
> Thanks
>
> On Thu, May 9, 2019 at 12:02 PM Laxmikant Upadhyay <
> laxmikant.hcl@gmail.com> wrote:
>
>> Let's say I have a 3 node cluster on 3.11.4  on which authentication is
>> enabled but authorization is disabled. It has one non-super login user
>> 'user1' and default super user 'cassandra'
>> In cassandra.yaml
>> authenticator: PasswordAuthenticator
>> authorizer: AllowAllAuthorizer
>>
>> So to enable authorization we change the cassandra.yaml of a node 'node1'
>> from
>> authorizer: AllowAllAuthorizer
>> TO
>> authorizer: CassandraAuthorizer
>>
>> Your client application db operations on node1 start failing as soon
>> as Cassandra restarts on that node, with the below error, until you run a
>> GRANT operation for user1 after connecting with the cassandra user:
>> UnauthorizedException: User user1 has no SELECT permission on <table testtable>
>>
>> Is there a way to avoid this error at all in the above situation?
>>
>> --
>>
>> regards,
>> Laxmikant Upadhyay
>>
>>

-- 

regards,
Laxmikant Upadhyay

Re: What is the safest way to enable authorization?

Posted by "Devaki, Srinivas" <me...@eightnoteight.space>.
Hi,

before changing the configuration from `AllowAllAuthorizer` to
`CassandraAuthorizer`, you need to grant enough permissions to the user
that allow all the accessed tables by that user. I think that should fix
the problem.

Thanks

On Thu, May 9, 2019 at 12:02 PM Laxmikant Upadhyay <la...@gmail.com>
wrote:

> Let's say I have a 3 node cluster on 3.11.4  on which authentication is
> enabled but authorization is disabled. It has one non-super login user
> 'user1' and default super user 'cassandra'
> In cassandra.yaml
> authenticator: PasswordAuthenticator
> authorizer: AllowAllAuthorizer
>
> So to enable authorization we change the cassandra.yaml of a node 'node1'
> from
> authorizer: AllowAllAuthorizer
> TO
> authorizer: CassandraAuthorizer
>
> Your client application db operations on node1 start failing as soon
> as Cassandra restarts on that node, with the below error, until you run a
> GRANT operation for user1 after connecting with the cassandra user:
> UnauthorizedException: User user1 has no SELECT permission on <table testtable>
>
> Is there a way to avoid this error at all in the above situation?
>
> --
>
> regards,
> Laxmikant Upadhyay
>
>