You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by sa...@apache.org on 2019/06/07 14:28:49 UTC
[cassandra] branch trunk updated: Add note regarding DROP ROLE and
connected sessions
This is an automated email from the ASF dual-hosted git repository.
samt pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra.git
The following commit(s) were added to refs/heads/trunk by this push:
new 6b9575a Add note regarding DROP ROLE and connected sessions
6b9575a is described below
commit 6b9575af7e244efe98943e5e7f92b33e252218a3
Author: Sam Tunnicliffe <sa...@beobal.com>
AuthorDate: Wed May 15 11:43:03 2019 +0100
Add note regarding DROP ROLE and connected sessions
patch by Sam Tunnicliffe; reviewed by Michael Shuler
---
doc/source/cql/security.rst | 8 ++++++++
doc/source/operating/security.rst | 4 ++++
2 files changed, 12 insertions(+)
diff --git a/doc/source/cql/security.rst b/doc/source/cql/security.rst
index 4abeb2d..429a1ef 100644
--- a/doc/source/cql/security.rst
+++ b/doc/source/cql/security.rst
@@ -148,6 +148,14 @@ status may ``DROP`` another ``SUPERUSER`` role.
Attempting to drop a role which does not exist results in an invalid query condition unless the ``IF EXISTS`` option is
used. If the option is used and the role does not exist the statement is a no-op.
+.. note:: DROP ROLE intentionally does not terminate any open user sessions. Currently connected sessions will remain
+ connected and will retain the ability to perform any database actions which do not require :ref:`authorization<authorization>`.
+ However, if authorization is enabled, :ref:`permissions<cql-permissions>` of the dropped role are also revoked,
+ subject to the :ref:`caching options<auth-caching>` configured in :ref:`cassandra.yaml<cassandra-yaml>`.
+ Should a dropped role be subsequently recreated and have new :ref:`permissions<grant-permission-statement>` or
+ :ref:`roles<grant-role-statement>` granted to it, any client sessions still connected will acquire the newly granted
+ permissions and roles.
+
.. _grant-role-statement:
GRANT ROLE
diff --git a/doc/source/operating/security.rst b/doc/source/operating/security.rst
index e229c7f..c2d8b79 100644
--- a/doc/source/operating/security.rst
+++ b/doc/source/operating/security.rst
@@ -182,6 +182,8 @@ See also: :ref:`setting-credentials-for-internal-authentication`, :ref:`CREATE R
:ref:`ALTER ROLE <alter-role-statement>`, :ref:`ALTER KEYSPACE <alter-keyspace-statement>` and :ref:`GRANT PERMISSION
<grant-permission-statement>`,
+.. _authorization:
+
Authorization
^^^^^^^^^^^^^
@@ -233,6 +235,8 @@ The following assumes that authentication has already been enabled via the proce
See also: :ref:`GRANT PERMISSION <grant-permission-statement>`, `GRANT ALL <grant-all>` and :ref:`REVOKE PERMISSION
<revoke-permission-statement>`
+.. _auth-caching:
+
Caching
^^^^^^^
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org