You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@cassandra.apache.org by "Mikhail Stepura (JIRA)" <ji...@apache.org> on 2013/10/29 18:58:28 UTC

[jira] [Commented] (CASSANDRA-6266) Keyspace definition is leaked to users without SELECT permissions

    [ https://issues.apache.org/jira/browse/CASSANDRA-6266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13808238#comment-13808238 ] 

Mikhail Stepura commented on CASSANDRA-6266:
--------------------------------------------

@bensykes what is the output of {{LIST ALL PERMISSIONS OF bob;}} ?




> Keyspace definition is leaked to users without SELECT permissions
> -----------------------------------------------------------------
>
>                 Key: CASSANDRA-6266
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-6266
>             Project: Cassandra
>          Issue Type: Bug
>         Environment: cqlsh 4.0.1 | Cassandra 2.0.1 | CQL spec 3.1.1 | Thrift protocol 19.37.0
> java version "1.6.0_43"
> Python 2.7.3
>            Reporter: Ben Sykes
>
> From CQLSH, a user without permissions on keyspaces can see a list of all keyspaces and get the keyspace definition.
> {code}
> $ ./cqlsh -u bob -p restricted
> Connected to Test Cluster at localhost:9160.
> [cqlsh 4.0.1 | Cassandra 2.0.1 | CQL spec 3.1.1 | Thrift protocol 19.37.0]
> Use HELP for help.
> cqlsh> DESC KEYSPACES;
> stress  system  schema1  customer_a  test  system_auth  system_traces
> cqlsh> DESC KEYSPACE test;
> CREATE KEYSPACE test WITH replication = {
>   'class': 'SimpleStrategy',
>   'replication_factor': '1'
> };
> USE test;
> CREATE TABLE data (
>   assetid int,
>   year int,
>   field text,
>   time bigint,
>   value double,
>   PRIMARY KEY ((assetid, year, field), time)
> ) WITH
>   bloom_filter_fp_chance=0.010000 AND
>   caching='KEYS_ONLY' AND
>   comment='' AND
>   dclocal_read_repair_chance=0.000000 AND
>   gc_grace_seconds=864000 AND
>   index_interval=128 AND
>   read_repair_chance=0.100000 AND
>   replicate_on_write='true' AND
>   populate_io_cache_on_flush='false' AND
>   default_time_to_live=0 AND
>   speculative_retry='NONE' AND
>   memtable_flush_period_in_ms=0 AND
>   compaction={'class': 'SizeTieredCompactionStrategy'} AND
>   compression={'sstable_compression': 'LZ4Compressor'};
> cqlsh> USE test;
> cqlsh:test> SELECT * FROM data LIMIT 10;
> Bad Request: User bob has no SELECT permission on <table test.data> or any of its parents
> cqlsh:test>
> {code}



--
This message was sent by Atlassian JIRA
(v6.1#6144)