[
https://issues.apache.org/jira/browse/CASSANDRA-13985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16244121#comment-16244121
]
Sam Tunnicliffe commented on CASSANDRA-13985:
---------------------------------------------
Postgres has something vaguely similar in its {{pg_hba.conf}}, which lets you
restrict whether clients can connect based on various criteria such as user,
host, ip range, etc. To block a user/role entirely you would just remove all of
its entries in the config file. It's not directly analogous as postgres also
supports multiple authn methods and obviously isn't distributed so the
restrictions apply to the single db server, but it is separating the access to
the service itself from the specifics of auth(n|z).
> Support restricting reads and writes to specific datacenters on a per user
> basis
> --------------------------------------------------------------------------------
>
> Key: CASSANDRA-13985
> URL: https://issues.apache.org/jira/browse/CASSANDRA-13985
> Project: Cassandra
> Issue Type: Bug
> Reporter: Blake Eggleston
> Assignee: Blake Eggleston
> Priority: Minor
>
> There are a few use cases where it makes sense to restrict the operations a
> given user can perform in specific data centers. The obvious use case is the
> production/analytics datacenter configuration. You don’t want the production
> user to be reading/or writing to the analytics datacenter, and you don’t want
> the analytics user to be reading from the production datacenter.
> Although we expect users to get this right on that application level, we
> should also be able to enforce this at the database level. The first approach
> that comes to mind would be to support an optional DC parameter when granting
> select and modify permissions to roles. Something like {{GRANT SELECT ON
> some_keyspace TO that_user IN DC dc1}}, statements that omit the dc would
> implicitly be granting permission to all dcs. However, I’m not married to
> this approach.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]