[ 
https://issues.apache.org/jira/browse/CASSANDRA-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12796219#action_12796219
 ] 

Ted Zlatanov commented on CASSANDRA-547:
----------------------------------------

External authentication like LDAP can authenticate a user name/password 
combination, but it doesn't tell us what's authorized.  So we need a way to 
authorize user/keyspace combinations.  If not in storage-conf.xml, we'll need 
to essentially duplicate the Keyspaces section like this:

Keyspaces:
AllowUser A

Keyspace X:
AllowUser B
DisallowUser A

This means user A has access to everything but X and user B can only access X 
(DisallowUser trumps AllowUser).

This scheme should not be backend-specific.  Every IAuthenticationBackend 
should use this same authorization scheme (user-implemented ones can choose not 
to in order to accommodate more complex infrastructure, but the simple stuff 
Cassandra includes should use it).  This will simplify the implementation of 
authentication backends and make them easier to configure.

If we agree on the authorization grants format, I will start work on the simple 
password backend and implement authorizations as described, plus a simple 
password storage mechanism.

> authentication and authorization functions (stage 1)
> ----------------------------------------------------
>
>                 Key: CASSANDRA-547
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-547
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Ted Zlatanov
>            Assignee: Ted Zlatanov
>         Attachments: CASSANDRA-547-auth.patch, CASSANDRA-547-thrift.patch, 
> libthrift-r893324.jar
>
>
> Add functions to login() and setKeyspace().  Check against 
> authentication+authorization backends whether those calls should succeed or 
> fail.
> Create file-based and LDAP backends to implement authentication and 
> authorization.
> Create AllowAll backend to allow all access.
> Add configuration stanza to specify the auth backend.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
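
The grant semantics proposed in the comment above, modelled as an added example (not part of the JIRA message or of Cassandra's code): a small Python parser and access check for the sketched format. Default deny for unlisted users, rejecting malformed lines, and a top-level DisallowUser applying to every keyspace are assumptions of this sketch.

```python
GLOBAL = None  # key for the top-level "Keyspaces:" section

# Constructed sample: the grants sketched in the comment.
SAMPLE = """\
Keyspaces:
AllowUser A

Keyspace X:
AllowUser B
DisallowUser A
"""

def parse_grants(text):
    """Parse the sketched format into {section: {"allow": set, "deny": set}}."""
    grants = {}
    in_section = False
    section = GLOBAL
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "Keyspaces:":
            section, in_section = GLOBAL, True
        elif line.startswith("Keyspace ") and line.endswith(":"):
            section, in_section = line[len("Keyspace "):-1].strip(), True
            if not section:
                raise ValueError(f"line {lineno}: keyspace name missing")
        else:
            parts = line.split()
            known = {"AllowUser": "allow", "DisallowUser": "deny"}
            # Assumption: fail closed on anything unrecognised rather than skip it,
            # so a typo in a DisallowUser line cannot silently widen access.
            if not in_section or len(parts) != 2 or parts[0] not in known:
                raise ValueError(f"line {lineno}: unrecognised grant {line!r}")
            entry = grants.setdefault(section, {"allow": set(), "deny": set()})
            entry[known[parts[0]]].add(parts[1])
    return grants

def is_authorized(grants, user, keyspace):
    """True if `user` may use `keyspace` under the parsed grants."""
    empty = {"allow": set(), "deny": set()}
    scopes = [grants.get(GLOBAL, empty), grants.get(keyspace, empty)]
    if any(user in scope["deny"] for scope in scopes):
        return False  # DisallowUser trumps AllowUser
    # Assumption: a user with no matching AllowUser is denied (default deny).
    return any(user in scope["allow"] for scope in scopes)
```
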
