You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Alexandre Linte (JIRA)" <ji...@apache.org> on 2016/03/04 15:04:40 UTC
[jira] [Created] (CASSANDRA-11305) Customization of the auto
granting process
Alexandre Linte created CASSANDRA-11305:
-------------------------------------------
Summary: Customization of the auto granting process
Key: CASSANDRA-11305
URL: https://issues.apache.org/jira/browse/CASSANDRA-11305
Project: Cassandra
Issue Type: New Feature
Components: CQL
Environment: Apache Cassandra 3.3, cqlsh 5.0.1, CQL spec 3.4.0
Reporter: Alexandre Linte
Priority: Minor
Fix For: 3.3
Hello,
By default, Cassandra implements an auto granting process which is applied when a USER | ROLE does a CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTION, CREATE AGGREGATE or CREATE ROLE statement. The creator is automatically granted all applicable permissions on the new resource.
For example, the ROLE "toto_user" is created and has CREATE permission on its personal KEYSPACE "toto_keyspace". Today when toto_user create a TABLE, he is automatically granted the following rights:
* ALTER
* DROP
* SELECT
* MODIFY
* AUTHORIZE
Moreover if you want to REVOKE a permission for "toto_user" on a table, this table must exist.
The idea of the issue is to improve the auto granting process. I thought about a modification of the REVOKE and GRANT SQL commands. You can find below the syntax part:
{noformat}
<grant-permission-stmt> ::= GRANT ( ALL ( PERMISSIONS )? | <permission> ( PERMISSION )? ) ON <resource> TO <identifier>
<permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESRIBE | EXECUTE
<resource> ::= ALL KEYSPACES
| KEYSPACE <identifier>
| ( TABLE )? <tablename>
| ALL ROLES
| ROLE <identifier>
| ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
| FUNCTION <functionname>
<automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
{noformat}
{noformat}
<revoke-permission-stmt> ::= REVOKE ( ALL ( PERMISSIONS )? | <permission> ( PERMISSION )? ) ON <resource> FROM <identifier>
<permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESRIBE | EXECUTE
<resource> ::= ALL KEYSPACES
| KEYSPACE <identifier>
| ( TABLE )? <tablename>
| ALL ROLES
| ROLE <identifier>
| ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
| FUNCTION <functionname>
<automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
{noformat}
And now multiple the samples part:
{noformat}
GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user;
=> default functioning, when toto_user creates a table he will be automatically granted all permissions.
GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
=> grant all permissions to the resource (table) created by toto_user on the keyspace toto_keyspace.
GRANT SELECT ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
=> grant select permission to the resource (table) created by toto_user on the keyspace toto_keyspace.
REVOKE ALL PERMISSIONS ON KEYSPACE toto_keyspace FROM toto_user;
=> default functioning, toto_user will not be able to do something on the keyspace toto_keyspace.
REVOKE AUTHORIZE PERMISSION ON KEYSPACE toto_keyspace FROM toto_user WHEN CREATE TABLE;
=> revoke authorize permission to the resource (table) created by toto_user on the keyspace toto_keyspace.
REVOKE DROP PERMISSION ALL KEYSPACES FROM toto_user WHEN CREATE ROLE;
=> revoke drop permission to the resource (role) created by toto_user on the keyspace toto_keyspace.
{noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)