[jira] [Created] (CASSANDRA-20171) Grant permission on keyspaces system_views and system_virtual_schema not possible

Fri, 27 Dec 2024 14:47:26 -0800 

Tibor Repasi created CASSANDRA-20171:
----------------------------------------

             Summary: Grant permission on keyspaces system_views and 
system_virtual_schema not possible
                 Key: CASSANDRA-20171
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20171
             Project: Apache Cassandra
          Issue Type: Bug
            Reporter: Tibor Repasi


Trying to grant select permission on keyspace system_views or 
system_virtual_schema fails with an error message stating that these resources 
wouldn't exist.

{code}
cassandra@cqlsh> CREATE ROLE test WITH PASSWORD = 'test' AND LOGIN = true AND 
SUPERUSER = false ;
cassandra@cqlsh> LIST USERS ;

 name      | super | datacenters
-----------+-------+-------------
 cassandra |  True |         ALL
      test | False |         ALL

(2 rows)
cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system TO test;
cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_schema TO test;
cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_views TO test;
InvalidRequest: Error from server: code=2200 [Invalid query] message="Resource 
<keyspace system_views> doesn't exist"
cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_ TO test;
system_auth           system_distributed    system_schema         system_traces 
        system_views          system_virtual_schema
cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_virtual_schema TO 
test;
InvalidRequest: Error from server: code=2200 [Invalid query] message="Resource 
<keyspace system_virtual_schema> doesn't exist"
{code}

However, the above permission can be added by updating role_permissions directly

{code}
cassandra@cqlsh> UPDATE system_auth.role_permissions SET permissions = 
permissions + {'SELECT'} WHERE role = 'test' AND resource = 'data/system_views';
cassandra@cqlsh> LIST ALL PERMISSIONS OF test;

 role | username | resource                 | permission
------+----------+--------------------------+------------
 test |     test |        <keyspace system> |     SELECT
 test |     test | <keyspace system_schema> |     SELECT
 test |     test |  <keyspace system_views> |     SELECT

(3 rows)
{code}

Reading the code unveiled, that {{system_schema.keyspaces}} doesn't list those 
two keyspace, which causes the grant permission command to fail.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to