[ https://issues.apache.org/jira/browse/CASSANDRA-16914?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17417800#comment-17417800 ]

Aleksei Zotov commented on CASSANDRA-16914:
-------------------------------------------

I made a draft implementation here: 
[https://github.com/apache/cassandra/pull/1208]. It is based on the _contents_ 
approach. Could you please check and give me some preliminary feedback? Based 
on that I will either finalize the PR or redo it accordingly.

I have two questions:
 1. I raised a PR-related question regarding exposing caches. You can find more 
details on the PR.
 2. I feel these tables may raise some security concerns. As far as I 
understand, any user has access to VTs. These auth cache-related VTs make the 
list of users and their access available to everyone connected to the cluster. 
Basically, there is no critical information exposed, but anyway it is 
bothering me. Even if we follow the _commands_ approach, a bunch of information 
will still be exposed, so it is not a solution. We could introduce some 
permissions to VTs. Please share your thoughts on whether these tables are a 
concern and what ideas you have to mitigate it.

 

> Implement Virtual Tables for Auth Caches
> ----------------------------------------
>
>                 Key: CASSANDRA-16914
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16914
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Authorization, Feature/Virtual Tables
>            Reporter: Aleksei Zotov
>            Assignee: Aleksei Zotov
>            Priority: Low
>             Fix For: 4.x
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> {{NodeTool}} commands for Auth Caches invalidation were implemented as a part 
> of CASSANDRA-16404 ticket. While discussing that ticket it was agreed that 
> there is a need to develop the same kind of functionality through Virtual 
> Tables. Unfortunately, VT did not have {{TRUNCATE}} and {{DELETE}} support. 
> And CASSANDRA-16806 was created for that reason. Once it is completed, 
> further work can be started.
> The goal of this ticket is to create VTs for the following caches:
>  * {{CredentialsCache}}
>  * {{JmxPermissionsCache}}
>  * {{NetworkPermissionsCache}}
>  * {{PermissionsCache}}
>  * {{RolesCache}}
> The VTs should support reading from and modification of the in the Auth 
> Caches.


