Posted to commits@cassandra.apache.org by "Mikhail Stepura (JIRA)" <ji...@apache.org> on 2013/10/29 18:58:28 UTC
[jira] [Commented] (CASSANDRA-6266) Keyspace definition is leaked to users without SELECT permissions
[ https://issues.apache.org/jira/browse/CASSANDRA-6266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13808238#comment-13808238 ]
Mikhail Stepura commented on CASSANDRA-6266:
--------------------------------------------
@bensykes what is the output of {{LIST ALL PERMISSIONS OF bob;}} ?
> Keyspace definition is leaked to users without SELECT permissions
> -----------------------------------------------------------------
>
> Key: CASSANDRA-6266
> URL: https://issues.apache.org/jira/browse/CASSANDRA-6266
> Project: Cassandra
> Issue Type: Bug
> Environment: cqlsh 4.0.1 | Cassandra 2.0.1 | CQL spec 3.1.1 | Thrift protocol 19.37.0
> java version "1.6.0_43"
> Python 2.7.3
> Reporter: Ben Sykes
>
> From CQLSH, a user without permissions on keyspaces can see a list of all keyspaces and get the keyspace definition.
> {code}
> $ ./cqlsh -u bob -p restricted
> Connected to Test Cluster at localhost:9160.
> [cqlsh 4.0.1 | Cassandra 2.0.1 | CQL spec 3.1.1 | Thrift protocol 19.37.0]
> Use HELP for help.
> cqlsh> DESC KEYSPACES;
> stress system schema1 customer_a test system_auth system_traces
> cqlsh> DESC KEYSPACE test;
> CREATE KEYSPACE test WITH replication = {
> 'class': 'SimpleStrategy',
> 'replication_factor': '1'
> };
> USE test;
> CREATE TABLE data (
> assetid int,
> year int,
> field text,
> time bigint,
> value double,
> PRIMARY KEY ((assetid, year, field), time)
> ) WITH
> bloom_filter_fp_chance=0.010000 AND
> caching='KEYS_ONLY' AND
> comment='' AND
> dclocal_read_repair_chance=0.000000 AND
> gc_grace_seconds=864000 AND
> index_interval=128 AND
> read_repair_chance=0.100000 AND
> replicate_on_write='true' AND
> populate_io_cache_on_flush='false' AND
> default_time_to_live=0 AND
> speculative_retry='NONE' AND
> memtable_flush_period_in_ms=0 AND
> compaction={'class': 'SizeTieredCompactionStrategy'} AND
> compression={'sstable_compression': 'LZ4Compressor'};
> cqlsh> USE test;
> cqlsh:test> SELECT * FROM data LIMIT 10;
> Bad Request: User bob has no SELECT permission on <table test.data> or any of its parents
> cqlsh:test>
> {code}
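An added example, not part of the original message or of Cassandra's code: a Python check that cross-references the two outputs discussed in this thread, the keyspaces a session can list and the grants shown by `LIST ALL PERMISSIONS`, and reports keyspaces that are visible without a SELECT grant. The permissions listing is constructed, and its column layout, the `<keyspace ...>` / `<all keyspaces>` resource spellings and the `schema1.events` table name are assumptions; only the `DESC KEYSPACES` line and the `<table test.data>` form come from the report.

```python
import re

# Keyspace line copied from the DESC KEYSPACES output in the report.
DESC_KEYSPACES = "stress system schema1 customer_a test system_auth system_traces"

# Constructed sample: the report does not show bob's grants. Layout is assumed.
LIST_PERMISSIONS = """
 username | resource               | permission
----------+------------------------+------------
      bob | <keyspace customer_a>  |     SELECT
      bob | <table schema1.events> |     MODIFY
"""

# Resource strings: <all keyspaces>, <keyspace ks>, <table ks.tbl>
RESOURCE = re.compile(r"<(all keyspaces|keyspace (\w+)|table (\w+)\.\w+)>")


def keyspaces_with(permission, listing):
    """Return the keyspaces ('*' for all) where the listing grants `permission`
    on the keyspace itself or on any table inside it."""
    found = set()
    for line in listing.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 3 or cells[2] != permission:
            continue  # header, separator, blank line, or another permission
        m = RESOURCE.fullmatch(cells[1])
        if m:
            found.add("*" if m.group(1) == "all keyspaces"
                      else (m.group(2) or m.group(3)))
    return found


def visible_without_select(desc_keyspaces, listing, ignore=()):
    """Keyspaces the session can list although the user holds no SELECT grant
    on them. `ignore` names keyspaces the auditor expects to be visible."""
    granted = keyspaces_with("SELECT", listing)
    if "*" in granted:
        return []
    return sorted(ks for ks in desc_keyspaces.split()
                  if ks not in granted and ks not in ignore)


if __name__ == "__main__":
    system = ("system", "system_auth", "system_traces")
    print(visible_without_select(DESC_KEYSPACES, LIST_PERMISSIONS, system))
```
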