[
https://issues.apache.org/jira/browse/CASSANDRA-11305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15296110#comment-15296110
]
Sam Tunnicliffe commented on CASSANDRA-11305:
---------------------------------------------
What's the use case you're trying to satisfy here? It seems like the goal is to
provide some sort of customisation to the automatic granting, so that you can
do things like only have certain permissions automatically granted. But I have
to say I'm not really a fan of this as it makes things harder to reason about
and that is generally something to be avoided in security.
I also think that working around/with the default behaviour (which we would
definitely want to preserve) makes things more problematic. For instance, if
you want to make it so {{toto_user}} only gets {{SELECT}} permissions on any
table that they create you'd need to execute all three statements (in the
correct order):
{code}
REVOKE ALL PERMISSIONS ON KEYSPACE toto_keyspace FROM toto_user;
GRANT CREATE ON KEYSPACE toto_keyspace TO toto_user; // so table creation is possible
GRANT SELECT ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
{code}
which is itself quite unintuitive. To be honest, if you need to be able to have
the grants configurable on a per-user basis, that's probably something that
belongs externally, not in the core db functionality.
> Customization of the auto granting process
> ------------------------------------------
>
> Key: CASSANDRA-11305
> URL: https://issues.apache.org/jira/browse/CASSANDRA-11305
> Project: Cassandra
> Issue Type: New Feature
> Components: CQL
> Environment: Apache Cassandra 3.3, cqlsh 5.0.1, CQL spec 3.4.0
> Reporter: Alexandre Linte
> Priority: Minor
> Fix For: 3.3
>
>
> Hello,
> By default, Cassandra implements an auto granting process which is applied
> when a USER | ROLE does a CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTION,
> CREATE AGGREGATE or CREATE ROLE statement. The creator is automatically
> granted all applicable permissions on the new resource.
> For example, the ROLE "toto_user" is created and has CREATE permission on its
> personal KEYSPACE "toto_keyspace". Today when toto_user creates a TABLE, he is
> automatically granted the following rights:
> * ALTER
> * DROP
> * SELECT
> * MODIFY
> * AUTHORIZE
> Moreover if you want to REVOKE a permission for "toto_user" on a table, this
> table must exist.
> The idea of the issue is to improve the auto granting process. I thought
> about a modification of the REVOKE and GRANT SQL commands. You can find below
> the syntax part:
> {noformat}
> <grant-permission-stmt> ::= GRANT ( ALL ( PERMISSIONS )? | <permission> ( PERMISSION )? ) ON <resource> TO <identifier>
> <permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE
> <resource> ::= ALL KEYSPACES
> | KEYSPACE <identifier>
> | ( TABLE )? <tablename>
> | ALL ROLES
> | ROLE <identifier>
> | ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
> | FUNCTION <functionname>
> <automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
> {noformat}
> {noformat}
> <revoke-permission-stmt> ::= REVOKE ( ALL ( PERMISSIONS )? | <permission> ( PERMISSION )? ) ON <resource> FROM <identifier>
> <permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE
> <resource> ::= ALL KEYSPACES
> | KEYSPACE <identifier>
> | ( TABLE )? <tablename>
> | ALL ROLES
> | ROLE <identifier>
> | ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
> | FUNCTION <functionname>
> <automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
> {noformat}
> And now multiple samples:
> {noformat}
> GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user;
> => default functioning, when toto_user creates a table he will be
> automatically granted all permissions.
> GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
> => grant all permissions to the resource (table) created by toto_user on the
> keyspace toto_keyspace.
> GRANT SELECT ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
> => grant select permission to the resource (table) created by toto_user on
> the keyspace toto_keyspace.
> REVOKE ALL PERMISSIONS ON KEYSPACE toto_keyspace FROM toto_user;
> => default functioning, toto_user will not be able to do something on the
> keyspace toto_keyspace.
> REVOKE AUTHORIZE PERMISSION ON KEYSPACE toto_keyspace FROM toto_user WHEN CREATE TABLE;
> => revoke authorize permission to the resource (table) created by toto_user
> on the keyspace toto_keyspace.
> REVOKE DROP PERMISSION ON ALL KEYSPACES FROM toto_user WHEN CREATE ROLE;
> => revoke drop permission to the resource (role) created by toto_user on the
> keyspace toto_keyspace.
> {noformat}
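The following cqlsh session is an added illustration, not part of the issue or of Sam's comment, of the default auto-granting behaviour the issue describes and of the check an operator can run today to verify what a creator actually holds on a new table. It keeps the page's toto_user / toto_keyspace names; the table name events, its columns, the password placeholder and the replication settings are assumed for the example. The LIST PERMISSIONS check only returns rows when cassandra.yaml has authorizer set to CassandraAuthorizer (with the default AllowAllAuthorizer nothing is recorded).

```cql
-- Run as a superuser (assumed example setup, not from the issue).
CREATE ROLE toto_user WITH PASSWORD = 'REPLACE_ME_PLACEHOLDER' AND LOGIN = true;
CREATE KEYSPACE toto_keyspace
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};

-- Only CREATE is granted explicitly, as in the issue's scenario.
GRANT CREATE ON KEYSPACE toto_keyspace TO toto_user;

-- Log in as toto_user and create a table (assumed table definition).
-- Cassandra auto-grants the creator every applicable permission on the new
-- resource: ALTER, DROP, SELECT, MODIFY and AUTHORIZE, as the issue lists.
CREATE TABLE toto_keyspace.events (id uuid PRIMARY KEY, payload text);

-- Back as the superuser: verify what toto_user now holds on the new table.
-- Expect five rows (ALTER, DROP, SELECT, MODIFY, AUTHORIZE) for toto_user.
LIST ALL PERMISSIONS ON TABLE toto_keyspace.events OF toto_user;

-- As the comment notes, trimming the auto-grant must happen after the table
-- exists. Here the creator keeps read/write but loses the ability to drop the
-- table or to hand its permissions to other roles.
REVOKE AUTHORIZE ON TABLE toto_keyspace.events FROM toto_user;
REVOKE DROP ON TABLE toto_keyspace.events FROM toto_user;

-- Re-check: expect ALTER, SELECT and MODIFY only.
LIST ALL PERMISSIONS ON TABLE toto_keyspace.events OF toto_user;
```

Because the REVOKE statements can only target a table that already exists, this is the "external" approach the comment points to: a script run after table creation (or a periodic reconciliation of LIST ALL PERMISSIONS output against an allow-list) rather than new GRANT ... WHEN CREATE syntax in the database.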
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)