[
https://issues.apache.org/jira/browse/CASSANDRA-11305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15297926#comment-15297926
]
Alexandre Linte edited comment on CASSANDRA-11305 at 5/24/16 8:55 AM:
----------------------------------------------------------------------
Hi [~beobal],
Thank you for the feedback. You're right, this is a kind of permission
customization.
The idea is to increase permission granularity. HBase does something similar
to Cassandra. Hive is also similar, but you can specify multiple properties in
the configuration:
- hive.security.authorization.enabled
- hive.security.authorization.manager
- hive.security.authorization.createtable.owner.grants
By default, the creator of a resource has no rights on it. You must set
"hive.security.authorization.createtable.owner.grants".
Instead of modifying the default CQL behaviour and its semantics (like I
suggested before), maybe this can be implemented through cassandra.yaml?
was (Author: bigdataorange):
> Customization of the auto granting process
> ------------------------------------------
>
> Key: CASSANDRA-11305
> URL: https://issues.apache.org/jira/browse/CASSANDRA-11305
> Project: Cassandra
> Issue Type: New Feature
> Components: CQL
> Environment: Apache Cassandra 3.3, cqlsh 5.0.1, CQL spec 3.4.0
> Reporter: Alexandre Linte
> Priority: Minor
> Fix For: 3.3
>
>
> Hello,
> By default, Cassandra implements an auto granting process which is applied
> when a USER | ROLE does a CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTION,
> CREATE AGGREGATE or CREATE ROLE statement. The creator is automatically
> granted all applicable permissions on the new resource.
> For example, the ROLE "toto_user" is created and has CREATE permission on its
> personal KEYSPACE "toto_keyspace". Today, when toto_user creates a TABLE, it is
> automatically granted the following rights:
> * ALTER
> * DROP
> * SELECT
> * MODIFY
> * AUTHORIZE
> Moreover if you want to REVOKE a permission for "toto_user" on a table, this
> table must exist.
> The idea of the issue is to improve the auto granting process. I thought
> about a modification of the REVOKE and GRANT SQL commands. You can find below
> the syntax part:
> {noformat}
> <grant-permission-stmt> ::= GRANT ( ALL ( PERMISSIONS )? | <permission> ( PERMISSION )? ) ON <resource> TO <identifier>
> <permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE
> <resource> ::= ALL KEYSPACES
> | KEYSPACE <identifier>
> | ( TABLE )? <tablename>
> | ALL ROLES
> | ROLE <identifier>
> | ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
> | FUNCTION <functionname>
> <automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
> {noformat}
> {noformat}
> <revoke-permission-stmt> ::= REVOKE ( ALL ( PERMISSIONS )? | <permission> ( PERMISSION )? ) ON <resource> FROM <identifier>
> <permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE
> <resource> ::= ALL KEYSPACES
> | KEYSPACE <identifier>
> | ( TABLE )? <tablename>
> | ALL ROLES
> | ROLE <identifier>
> | ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
> | FUNCTION <functionname>
> <automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
> {noformat}
> And now the samples part:
> {noformat}
> GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user;
> => default functioning, when toto_user creates a table he will be
> automatically granted all permissions.
> GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE
> TABLE;
> => grant all permissions to the resource (table) created by toto_user on the
> keyspace toto_keyspace.
> GRANT SELECT ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
> => grant select permission to the resource (table) created by toto_user on
> the keyspace toto_keyspace.
> REVOKE ALL PERMISSIONS ON KEYSPACE toto_keyspace FROM toto_user;
> => default functioning, toto_user will not be able to do something on the
> keyspace toto_keyspace.
> REVOKE AUTHORIZE PERMISSION ON KEYSPACE toto_keyspace FROM toto_user WHEN
> CREATE TABLE;
> => revoke authorize permission to the resource (table) created by toto_user
> on the keyspace toto_keyspace.
> REVOKE DROP PERMISSION ON ALL KEYSPACES FROM toto_user WHEN CREATE ROLE;
> => revoke drop permission to the resource (role) created by toto_user on the
> keyspace toto_keyspace.
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
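The CQL below is an added walk-through of the auto-grant behaviour the issue describes and of the only tightening available today (a REVOKE once the table exists); it is not code from the issue or from the Cassandra project, and the WHEN CREATE syntax proposed above is not used because it does not exist. It assumes cassandra.yaml already has authenticator set to PasswordAuthenticator and authorizer set to CassandraAuthorizer, that the superuser steps run in a superuser cqlsh session and the CREATE TABLE step in a session logged in as toto_user. The role and keyspace names come from the issue; the table name events and the password are made up for illustration.

```sql
-- Added example, not from the JIRA issue or the Cassandra code base.
-- Assumes: authenticator: PasswordAuthenticator, authorizer: CassandraAuthorizer,
-- a superuser session for the admin steps. Table name and password are made up.

-- 1. Superuser: create the role and its personal keyspace, grant CREATE only.
CREATE ROLE toto_user WITH PASSWORD = 'change-me' AND LOGIN = true;
CREATE KEYSPACE toto_keyspace
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};
GRANT CREATE ON KEYSPACE toto_keyspace TO toto_user;

-- 2. As toto_user: create a table. Only CREATE on the keyspace was granted,
--    yet the creator is auto-granted ALTER, DROP, SELECT, MODIFY and AUTHORIZE
--    on the new table, exactly the set listed in the issue.
CREATE TABLE toto_keyspace.events (
  id      uuid PRIMARY KEY,
  payload text
);

-- 3. Superuser: inspect what the auto-grant handed out on the new table.
LIST ALL PERMISSIONS ON TABLE toto_keyspace.events OF toto_user;

-- 4. Superuser: take back the two dangerous ones. This REVOKE can only be
--    issued after the table exists (the limitation the issue points out), so
--    between step 2 and step 4 toto_user holds AUTHORIZE and can GRANT the
--    table to any other role.
REVOKE AUTHORIZE ON TABLE toto_keyspace.events FROM toto_user;
REVOKE DROP      ON TABLE toto_keyspace.events FROM toto_user;

-- 5. Superuser: verify the table-level grants that remain. NORECURSIVE hides
--    permissions inherited from the keyspace so only the table's own show.
LIST ALL PERMISSIONS ON TABLE toto_keyspace.events OF toto_user NORECURSIVE;
```

After step 4 the table-level grants left for toto_user are ALTER, SELECT and MODIFY. Two caveats for anyone scripting this as a workaround: the window between CREATE and REVOKE is real, since the creator has AUTHORIZE until the REVOKE lands, and Cassandra resolves permissions up the resource hierarchy (table, then keyspace, then ALL KEYSPACES), so a later GRANT of DROP or AUTHORIZE on KEYSPACE toto_keyspace would make the table-level revocations moot.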