Re: Guardrails in Cassandra 4.1 Alpha
This feature should have been introduced long ago and ideally to 3.x .. Many times we spent a lot of time investigating the issue for slow cluster becoz some developer ran some adhoc bad query which caused the issue . On Thu, Jun 23, 2022 at 8:56 PM Durity, Sean R wrote: > I’m not afraid to admit that I LOVE this feature. Exactly what a data > engine should be able to do – stop bad behavior. > > > > Sean R. Durity > > > > *From:* Aaron Ploetz > *Sent:* Thursday, June 23, 2022 3:22 PM > *To:* user@cassandra.apache.org > *Subject:* [EXTERNAL] Re: Guardrails in Cassandra 4.1 Alpha > > > > Ahh...yes, my default "aaron" user is indeed a SUPERUSER. > > > > Ok, so I created a new, non-superuser and tried again... > > > > > SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW > FILTERING; > InvalidRequest: Error from server: code=2200 [Invalid query] > message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING > is not allowed" > > > > Thank you for the quick response, Andres! > > > > On Thu, Jun 23, 2022 at 2:14 PM Andrés de la Peña > wrote: > > Hi Aaron, > > > > Guardrails are not applied to superusers. The default user is a superuser, > so to see guardrails in action you need to create and use a user that is > not a superuser. > > > > You can do that by setting, for example, these properties on > cassandra.yaml: > > > > authenticator: PasswordAuthenticator > > authorizer: CassandraAuthorizer > > > > Then you can login with cqlsh using the default superuser and create a > regular user with the adequate permissions. For example: > > > > bin/cqlsh -u cassandra -p cassandra > > CREATE USER test WITH PASSWORD 'test'; > > GRANT SELECT ON ALL KEYSPACES TO test; > bin/cqlsh -u test -p test > > > SELECT * FROM stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW > FILTERING; > > InvalidRequest: Error from server: code=2200 [Invalid query] > message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING > is not allowed" > > > > Finally, that particular guardrail isn't applied to system tables, so it > would still allow filtering on the system.local and system_views.settings > tables, but not in stackoverflow.movies. > > I hope this helps. > > > > On Thu, 23 Jun 2022 at 19:51, Aaron Ploetz wrote: > > So I'm trying to test out the guardrails in 4.1-alpha. I've set > allow_filtering_enabled: false, but it doesn't seem to care (I can still > use it). > > > > SELECT release_version FROM system.local; > release_version > - > 4.1-alpha1-SNAPSHOT > > (1 rows) > > > > > SELECT * FROM system_views.settings WHERE name='allow_filtering_enabled'; > name| value > -+--- > allow_filtering_enabled | false > > (1 rows) > > > SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW > FILTERING; > id | genre | title > --++- > 1396 | Crime|Drama|Sci-Fi | Sneakers (1992) > > (1 rows) > > Is there like some main "guardrails enabled" setting that I missed? > > > > Thanks, > > > Aaron > > > > > > INTERNAL USE > > -- regards, Laxmikant Upadhyay
RE: Guardrails in Cassandra 4.1 Alpha
I'm not afraid to admit that I LOVE this feature. Exactly what a data engine should be able to do - stop bad behavior. Sean R. Durity From: Aaron Ploetz Sent: Thursday, June 23, 2022 3:22 PM To: user@cassandra.apache.org Subject: [EXTERNAL] Re: Guardrails in Cassandra 4.1 Alpha Ahh...yes, my default "aaron" user is indeed a SUPERUSER. Ok, so I created a new, non-superuser and tried again... > SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW > FILTERING; InvalidRequest: Error from server: code=2200 [Invalid query] message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING is not allowed" Thank you for the quick response, Andres! On Thu, Jun 23, 2022 at 2:14 PM Andrés de la Peña mailto:adelap...@apache.org>> wrote: Hi Aaron, Guardrails are not applied to superusers. The default user is a superuser, so to see guardrails in action you need to create and use a user that is not a superuser. You can do that by setting, for example, these properties on cassandra.yaml: authenticator: PasswordAuthenticator authorizer: CassandraAuthorizer Then you can login with cqlsh using the default superuser and create a regular user with the adequate permissions. For example: bin/cqlsh -u cassandra -p cassandra > CREATE USER test WITH PASSWORD 'test'; > GRANT SELECT ON ALL KEYSPACES TO test; bin/cqlsh -u test -p test > SELECT * FROM stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW > FILTERING; InvalidRequest: Error from server: code=2200 [Invalid query] message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING is not allowed" Finally, that particular guardrail isn't applied to system tables, so it would still allow filtering on the system.local and system_views.settings tables, but not in stackoverflow.movies. I hope this helps. On Thu, 23 Jun 2022 at 19:51, Aaron Ploetz mailto:aaronplo...@gmail.com>> wrote: So I'm trying to test out the guardrails in 4.1-alpha. I've set allow_filtering_enabled: false, but it doesn't seem to care (I can still use it). > SELECT release_version FROM system.local; release_version - 4.1-alpha1-SNAPSHOT (1 rows) > SELECT * FROM system_views.settings WHERE name='allow_filtering_enabled'; name| value -+--- allow_filtering_enabled | false (1 rows) > SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW > FILTERING; id | genre | title --++- 1396 | Crime|Drama|Sci-Fi | Sneakers (1992) (1 rows) Is there like some main "guardrails enabled" setting that I missed? Thanks, Aaron INTERNAL USE
Re: Guardrails in Cassandra 4.1 Alpha
Ahh...yes, my default "aaron" user is indeed a SUPERUSER. Ok, so I created a new, non-superuser and tried again... > SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW FILTERING; InvalidRequest: Error from server: code=2200 [Invalid query] message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING is not allowed" Thank you for the quick response, Andres! On Thu, Jun 23, 2022 at 2:14 PM Andrés de la Peña wrote: > Hi Aaron, > > Guardrails are not applied to superusers. The default user is a superuser, > so to see guardrails in action you need to create and use a user that is > not a superuser. > > You can do that by setting, for example, these properties on > cassandra.yaml: > > authenticator: PasswordAuthenticator > authorizer: CassandraAuthorizer > > Then you can login with cqlsh using the default superuser and create a > regular user with the adequate permissions. For example: > > bin/cqlsh -u cassandra -p cassandra > > CREATE USER test WITH PASSWORD 'test'; > > GRANT SELECT ON ALL KEYSPACES TO test; > bin/cqlsh -u test -p test > > SELECT * FROM stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW > FILTERING; > InvalidRequest: Error from server: code=2200 [Invalid query] > message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING > is not allowed" > > Finally, that particular guardrail isn't applied to system tables, so it > would still allow filtering on the system.local and system_views.settings > tables, but not in stackoverflow.movies. > > I hope this helps. > > On Thu, 23 Jun 2022 at 19:51, Aaron Ploetz wrote: > >> So I'm trying to test out the guardrails in 4.1-alpha. I've set >> allow_filtering_enabled: false, but it doesn't seem to care (I can still >> use it). >> >> > SELECT release_version FROM system.local; >> release_version >> - >> 4.1-alpha1-SNAPSHOT >> >> (1 rows) >> >> > SELECT * FROM system_views.settings WHERE >> name='allow_filtering_enabled'; >> name| value >> -+--- >> allow_filtering_enabled | false >> >> (1 rows) >> >> > SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW >> FILTERING; >> id | genre | title >> --++- >> 1396 | Crime|Drama|Sci-Fi | Sneakers (1992) >> >> (1 rows) >> >> Is there like some main "guardrails enabled" setting that I missed? >> >> Thanks, >> >> Aaron >> >>
Re: Guardrails in Cassandra 4.1 Alpha
Hi Aaron, Guardrails are not applied to superusers. The default user is a superuser, so to see guardrails in action you need to create and use a user that is not a superuser. You can do that by setting, for example, these properties on cassandra.yaml: authenticator: PasswordAuthenticator authorizer: CassandraAuthorizer Then you can login with cqlsh using the default superuser and create a regular user with the adequate permissions. For example: bin/cqlsh -u cassandra -p cassandra > CREATE USER test WITH PASSWORD 'test'; > GRANT SELECT ON ALL KEYSPACES TO test; bin/cqlsh -u test -p test > SELECT * FROM stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW FILTERING; InvalidRequest: Error from server: code=2200 [Invalid query] message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING is not allowed" Finally, that particular guardrail isn't applied to system tables, so it would still allow filtering on the system.local and system_views.settings tables, but not in stackoverflow.movies. I hope this helps. On Thu, 23 Jun 2022 at 19:51, Aaron Ploetz wrote: > So I'm trying to test out the guardrails in 4.1-alpha. I've set > allow_filtering_enabled: false, but it doesn't seem to care (I can still > use it). > > > SELECT release_version FROM system.local; > release_version > - > 4.1-alpha1-SNAPSHOT > > (1 rows) > > > SELECT * FROM system_views.settings WHERE name='allow_filtering_enabled'; > name| value > -+--- > allow_filtering_enabled | false > > (1 rows) > > > SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW > FILTERING; > id | genre | title > --++- > 1396 | Crime|Drama|Sci-Fi | Sneakers (1992) > > (1 rows) > > Is there like some main "guardrails enabled" setting that I missed? > > Thanks, > > Aaron > >