Posted to commits@cassandra.apache.org by "Ted Zlatanov (JIRA)" <ji...@apache.org> on 2010/01/04 16:49:54 UTC

[jira] Commented: (CASSANDRA-547) authentication and authorization functions (stage 1)

    [ https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12796219#action_12796219 ] 

Ted Zlatanov commented on CASSANDRA-547:
----------------------------------------

External authentication like LDAP can authenticate a user name/password combination, but it doesn't tell us what's authorized.  So we need a way to authorize user/keyspace combinations.  If not in storage-conf.xml, we'll need to essentially duplicate the Keyspaces section like this:

Keyspaces:
AllowUser A

Keyspace X:
AllowUser B
DisallowUser A

This means user A has access to everything but X and user B can only access X (DisallowUser trumps AllowUser).

This scheme should not be backend-specific.  Every IAuthenticationBackend should use this same authorization scheme (user-implemented ones can choose not to in order to accommodate more complex infrastructure, but the simple stuff Cassandra includes should use it).  This will simplify the implementation of authentication backends and make them easier to configure.

If we agree on the authorization grants format, I will start work on the simple password backend and implement authorizations as described, plus a simple password storage mechanism.

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-thrift.patch, libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against authentication+authorization backends whether those calls should succeed or fail.
> Create file-based and LDAP backends to implement authentication and authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.
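
The grant scheme proposed in the comment above (a top-level AllowUser, per-keyspace AllowUser and DisallowUser, with DisallowUser winning), worked through as an added example that is not part of the original message or of the attached patches. The class name KeyspaceGrants, its methods and the line-based parsing of the stanza are assumptions made for illustration; the comment only sketches the layout.

```java
import java.util.*;

public class KeyspaceGrants {  // hypothetical name, not a Cassandra class
    private final Set<String> globalAllow = new HashSet<>();        // "Keyspaces:" stanza
    private final Map<String, Set<String>> allow = new HashMap<>(); // keyspace -> users
    private final Map<String, Set<String>> deny = new HashMap<>();  // keyspace -> users

    /** Parses the stanza layout sketched in the comment (assumed line-based syntax). */
    static KeyspaceGrants parse(String text) {
        KeyspaceGrants g = new KeyspaceGrants();
        String scope = null; // null = no stanza seen, "" = global, otherwise a keyspace name
        for (String raw : text.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty()) continue;
            if (line.equals("Keyspaces:")) { scope = ""; continue; }
            if (line.startsWith("Keyspace ") && line.endsWith(":")) {
                scope = line.substring(9, line.length() - 1).trim();
                continue;
            }
            String[] parts = line.split("\\s+");
            if (scope == null || parts.length != 2)
                throw new IllegalArgumentException("bad grant line: " + line);
            if (parts[0].equals("AllowUser")) {
                if (scope.isEmpty()) g.globalAllow.add(parts[1]);
                else g.allow.computeIfAbsent(scope, k -> new HashSet<>()).add(parts[1]);
            } else if (parts[0].equals("DisallowUser") && !scope.isEmpty()) {
                g.deny.computeIfAbsent(scope, k -> new HashSet<>()).add(parts[1]);
            } else {
                // Unknown directives, and a global DisallowUser (not defined in the
                // comment), are rejected rather than silently ignored.
                throw new IllegalArgumentException("bad grant line: " + line);
            }
        }
        return g;
    }

    /** DisallowUser trumps AllowUser; a user with no matching grant is refused. */
    boolean isAuthorized(String user, String keyspace) {
        if (deny.getOrDefault(keyspace, Collections.emptySet()).contains(user)) return false;
        return globalAllow.contains(user)
            || allow.getOrDefault(keyspace, Collections.emptySet()).contains(user);
    }

    public static void main(String[] args) {
        // The grants from the comment, plus keyspace Y and user C as constructed probes.
        String conf = "Keyspaces:\nAllowUser A\n\nKeyspace X:\nAllowUser B\nDisallowUser A\n";
        KeyspaceGrants g = parse(conf);
        for (String[] q : new String[][] {{"A","X"},{"A","Y"},{"B","X"},{"B","Y"},{"C","X"}})
            System.out.println(q[0] + " on " + q[1] + ": " + g.isAuthorized(q[0], q[1]));
    }
}
```

The deny check runs first, so a per-keyspace DisallowUser cannot be overridden by a broader AllowUser, and malformed lines fail closed instead of widening access.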
