[
https://issues.apache.org/jira/browse/CASSANDRA-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Folke Behrens updated CASSANDRA-1237:
-------------------------------------
Attachment: simple-JAASAuthenticator.patch.txt
Attached patch shows a simple IAuthenticator for JAAS. With JAAS you can
configure LoginModules for Unix users or PAM, for LDAP or Kerberos and you can
also write your own LoginModule reading passwd.properties files or even column
families. In fact, I have a SimpleLoginModule (similar to SimpleAuthenticator)
half ready.
This authenticator is also not finished, yet. I submitted it because I hope
it's not too late to urge you to make/keep IAuthenticator as lightweight as
possible.
The proposed defaultUser() would make IAuthenticators somewhat stateful. Not
good.
If you're interested I can open a new issue and submit my JAAS classes there
including sample config files and a programmatic JAAS configuration.
> Store AccessLevels externally to IAuthenticator
> -----------------------------------------------
>
> Key: CASSANDRA-1237
> URL: https://issues.apache.org/jira/browse/CASSANDRA-1237
> Project: Cassandra
> Issue Type: Bug
> Components: Core
> Reporter: Stu Hood
> Assignee: Stu Hood
> Fix For: 0.7.0
>
> Attachments:
> 0001-Consolidate-KSMetaData-mutations-into-copy-methods.patch,
> 0002-Thrift-and-Avro-interface-changes.patch,
> 0003-Add-user-and-group-access-maps-to-Keyspace-metadata.patch,
> 0004-Remove-AccessLevel-return-value-from-login-and-retur.patch,
> 0005-Move-per-thread-state-into-a-ClientState-object-1-pe.patch,
> 0006-Apply-access.properties-to-keyspaces-during-an-upgra.patch,
> sample-usage.patch, simple-JAASAuthenticator.patch.txt
>
>
> Currently, the concept of authentication (proving the identity of a user) is
> mixed up with permissions (determining whether a user is able to
> create/read/write databases). Rather than determining the permissions that a
> user has, the IAuthenticator should only be capable of authenticating a user,
> and permissions (specifically, an AccessLevel) should be stored consistently
> by Cassandra.
> The primary goal of this ticket is to separate AccessLevels from
> IAuthenticators, and to persist a map of User->AccessLevel along with:
> * EDIT: Separating the addition of 'global scope' permissions into a separate
> ticket
> * each keyspace, where the AccessLevel continues to have its current meaning
> ----
> In separate tickets, we would like to improve the AccessLevel structure so
> that it can store role/permission bits independently, rather than being level
> based.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
