You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Alexandre Linte (JIRA)" <ji...@apache.org> on 2016/05/19 08:57:12 UTC
[jira] [Commented] (CASSANDRA-11305) Customization of the auto
granting process
[ https://issues.apache.org/jira/browse/CASSANDRA-11305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15290731#comment-15290731 ]
Alexandre Linte commented on CASSANDRA-11305:
---------------------------------------------
Nothing new about this JIRA?
> Customization of the auto granting process
> ------------------------------------------
>
> Key: CASSANDRA-11305
> URL: https://issues.apache.org/jira/browse/CASSANDRA-11305
> Project: Cassandra
> Issue Type: New Feature
> Components: CQL
> Environment: Apache Cassandra 3.3, cqlsh 5.0.1, CQL spec 3.4.0
> Reporter: Alexandre Linte
> Priority: Minor
> Fix For: 3.3
>
>
> Hello,
> By default, Cassandra implements an auto granting process which is applied when a USER | ROLE does a CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTION, CREATE AGGREGATE or CREATE ROLE statement. The creator is automatically granted all applicable permissions on the new resource.
> For example, the ROLE "toto_user" is created and has CREATE permission on its personal KEYSPACE "toto_keyspace". Today when toto_user create a TABLE, he is automatically granted the following rights:
> * ALTER
> * DROP
> * SELECT
> * MODIFY
> * AUTHORIZE
> Moreover if you want to REVOKE a permission for "toto_user" on a table, this table must exist.
> The idea of the issue is to improve the auto granting process. I thought about a modification of the REVOKE and GRANT SQL commands. You can find below the syntax part:
> {noformat}
> <grant-permission-stmt> ::= GRANT ( ALL ( PERMISSIONS )? | <permission> ( PERMISSION )? ) ON <resource> TO <identifier>
> <permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESRIBE | EXECUTE
> <resource> ::= ALL KEYSPACES
> | KEYSPACE <identifier>
> | ( TABLE )? <tablename>
> | ALL ROLES
> | ROLE <identifier>
> | ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
> | FUNCTION <functionname>
> <automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
> {noformat}
> {noformat}
> <revoke-permission-stmt> ::= REVOKE ( ALL ( PERMISSIONS )? | <permission> ( PERMISSION )? ) ON <resource> FROM <identifier>
> <permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESRIBE | EXECUTE
> <resource> ::= ALL KEYSPACES
> | KEYSPACE <identifier>
> | ( TABLE )? <tablename>
> | ALL ROLES
> | ROLE <identifier>
> | ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
> | FUNCTION <functionname>
> <automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
> {noformat}
> And now multiple the samples part:
> {noformat}
> GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user;
> => default functioning, when toto_user creates a table he will be automatically granted all permissions.
> GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
> => grant all permissions to the resource (table) created by toto_user on the keyspace toto_keyspace.
> GRANT SELECT ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
> => grant select permission to the resource (table) created by toto_user on the keyspace toto_keyspace.
> REVOKE ALL PERMISSIONS ON KEYSPACE toto_keyspace FROM toto_user;
> => default functioning, toto_user will not be able to do something on the keyspace toto_keyspace.
> REVOKE AUTHORIZE PERMISSION ON KEYSPACE toto_keyspace FROM toto_user WHEN CREATE TABLE;
> => revoke authorize permission to the resource (table) created by toto_user on the keyspace toto_keyspace.
> REVOKE DROP PERMISSION ALL KEYSPACES FROM toto_user WHEN CREATE ROLE;
> => revoke drop permission to the resource (role) created by toto_user on the keyspace toto_keyspace.
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)