You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Brandon Williams (Jira)" <ji...@apache.org> on 2021/09/02 12:38:00 UTC
[jira] [Updated] (CASSANDRA-16910) DROP permission behavior does
not match documentation
[ https://issues.apache.org/jira/browse/CASSANDRA-16910?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brandon Williams updated CASSANDRA-16910:
-----------------------------------------
Bug Category: Parent values: Documentation(13562)
Complexity: Normal
Component/s: Legacy/Documentation and Website
Discovered By: User Report
Severity: Low
Status: Open (was: Triage Needed)
> DROP permission behavior does not match documentation
> -----------------------------------------------------
>
> Key: CASSANDRA-16910
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16910
> Project: Cassandra
> Issue Type: Bug
> Components: Legacy/Documentation and Website
> Reporter: James Brown
> Priority: Normal
>
> There seems to be a mismatch between the documentation and reality with respect to the DROP permission.
> Specifically, the matrix in [the documentation|https://cassandra.apache.org/doc/4.0/cassandra/cql/cql_singlefile.html#permissions] says that you can only {{DROP KEYSPACE}} if you have the {{DROP}} permission on {{ALL KEYSPACES}}; however, in testing, it appears that you can drop a keyspace if you merely have the {{DROP}} permission on that keyspace itself.
> I believe this is a documentation error; for example, having {{ALTER}} permission on a keyspace is documented to let a role alter the keyspace itself in addition to altering tables within it. I don't particularly like this behavior and would prefer to have a way to grant roles the ability to alter/drop/create all objects within a keyspace without altering the keyspace itself.
> Demo on a stock cassandra.yaml with the only changes being setting {{authenticator}} to {{PasswordAuthenticator}} and {{authorizer}} to {{CassandraAuthorizer}}:
> {code}
> $ ./bin/cqlsh -u cassandra -p cassandra
> Connected to Bug Report Cluster at 127.0.0.1:9042
> [cqlsh 6.0.0 | Cassandra 4.0.0 | CQL spec 3.4.5 | Native protocol v5]
> Use HELP for help.
> cassandra@cqlsh> CREATE KEYSPACE demo_keyspace WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};
> cassandra@cqlsh> CREATE ROLE nonsuper WITH PASSWORD='nonsuper' AND LOGIN=true;
> cassandra@cqlsh> GRANT DROP on KEYSPACE demo_keyspace TO nonsuper;
> cassandra@cqlsh>
> $ ./bin/cqlsh -u nonsuper -p nonsuper
> Connected to Bug Report Cluster at 127.0.0.1:9042
> [cqlsh 6.0.0 | Cassandra 4.0.0 | CQL spec 3.4.5 | Native protocol v5]
> Use HELP for help.
> nonsuper@cqlsh> DROP KEYSPACE demo_keyspace;
> nonsuper@cqlsh> CREATE KEYSPACE foo WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};
> Unauthorized: Error from server: code=2100 [Unauthorized] message="User nonsuper has no CREATE permission on <all keyspaces> or any of its parents"
> nonsuper@cqlsh> DROP KEYSPACE foo;
> Unauthorized: Error from server: code=2100 [Unauthorized] message="User nonsuper has no DROP permission on <keyspace foo> or any of its parents"
> nonsuper@cqlsh>
> {code}
> Given the documented state that {{DROP KEYSPACE}} requires the {{DROP}} permission on {{ALL KEYSPACES}}, I would expect the cal to {{DROP KEYSPACE demo_keyspace}} to fail with a 2100 error.
> Two things that seem like action item to me:
> * The documentation should be updated to indicate that having the {{DROP}} permission on a keyspace allows you to {{DROP KEYSPACE}} and {{DROP TABLE in <keyspace>}}
> * It sure would be swell if one could do something like {{GRANT DROP ON ALL TABLES IN KEYSPACE <ks> TO <role>}} in order to avoid this whole issue (the way we can already grant on {{ALL FUNCTIONS IN KEYSPACE <ks>}})...
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org