[ 
https://issues.apache.org/jira/browse/CASSANDRA-7653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14273521#comment-14273521
 ] 

Sam Tunnicliffe commented on CASSANDRA-7653:
--------------------------------------------

{quote}
PermissionsCacheMBean
        nobody’s using this functionality (the previous mbean wasn’t 
registered), so we can drop it until someone actually requests it
{quote}

Done in CASSANDRA-8194

{quote}
AuthResponse
        in execute(), `authenticator` variable should be renamed to `negotiator`

ServerConnection
        saslAutneticator field and getAuthenticator() method should be renamed 
for consistency (to saslNegotiator/getSaslNegotiator())

ClientState
        preventSystemKSSchemaModification() should move allowAlter/allowDrop to 
the class level statics ALTERABLE_KEYSPACES/DROPPABLE_TABLES vs. allocating 
them every time

DataResource:
        should rename isColumnFamilyLevel() to isTableLevel(), while we are 
breaking the API anyway (and getColumnFamily() to getTable()). Not something 
touched by the patch, but can sneak it in here.

IAuthorizer
        grant()/revoke() should rename to/from arguments to grantee/revokee in 
consistency with IRoleManager naming
        grant()/revoke() should have an AuthenticatedUser performer arg, like 
IAuthorizer does (or both should drop it)

CassandraAuthorizer
        revokeAll() should use a logged batch for updating permissions+index 
tables

Cql.g
        now would be a good time to correct the initial design mistake and make 
role names/user names strings, instead of identifiers
{quote}
Done

{quote}
ListPermissionsStatement
        resultset structure is part of the public API. Can’t just rename 
‘username’ to ‘role’. Should keep (but deprecate) username, and add ‘role’, as 
another column, with duplicate value
{quote}

I don't quite agree with this one. I think it's probably acceptable for us to 
change metadata like this in a major release, particularly as the semantics and 
structure of the resultset are unchanged. If any changes are required on the 
client side, they will be trivial.

{quote}
Oh, one more thing.
Please include a NEWS.txt entry for the API change.
{quote}

Also done. Hopefully that ties up most of the loose ends.

> Add role based access control to Cassandra
> ------------------------------------------
>
>                 Key: CASSANDRA-7653
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7653
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Mike Adamson
>            Assignee: Sam Tunnicliffe
>             Fix For: 3.0
>
>         Attachments: 7653.patch, CQLSmokeTest.java, cql_smoke_test.py
>
>
> The current authentication model supports granting permissions to individual 
> users. While this is OK for small or medium organizations wanting to 
> implement authorization, it does not work well in large organizations because 
> of the overhead of having to maintain the permissions for each user.
> Introducing roles into the authentication model would allow sets of 
> permissions to be controlled in one place as a role and then the role granted 
> to users. Roles should also be able to be granted to other roles to allow 
> hierarchical sets of permissions to be built up.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
