[
https://issues.apache.org/jira/browse/CASSANDRA-20171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17908702#comment-17908702
]
Tibor Repasi commented on CASSANDRA-20171:
------------------------------------------
As I understood the discussion in CASSANDRA-7622 it seems reasonable to not
list virtual keyspaces in {{system_schema.keyspaces}}, however, it seems
reasonable to me to allow GrantPermissionsStatement on virtual keyspaces.
To me these two approaches are outlined:
# Add virtual keyspaces to system_schema.keyspaces, which might have unwanted
side effects and may need some item to indicate these as virtual keyspaces, or
# add a rule to
[DataResource.exists()|https://github.com/apache/cassandra/blob/a88ff2046983f733a2b6ddf160f4578ae78add73/src/java/org/apache/cassandra/auth/DataResource.java#L244]
allowing it to report a virtual keyspace as an existing one.
> Grant permission on keyspaces system_views and system_virtual_schema not
> possible
> ---------------------------------------------------------------------------------
>
> Key: CASSANDRA-20171
> URL: https://issues.apache.org/jira/browse/CASSANDRA-20171
> Project: Apache Cassandra
> Issue Type: Bug
> Reporter: Tibor Repasi
> Priority: Normal
>
> Trying to grant select permission on keyspace system_views or
> system_virtual_schema fails with an error message stating that these
> resources wouldn't exist.
> {code}
> cassandra@cqlsh> CREATE ROLE test WITH PASSWORD = 'test' AND LOGIN = true AND
> SUPERUSER = false ;
> cassandra@cqlsh> LIST USERS ;
> name | super | datacenters
> -----------+-------+-------------
> cassandra | True | ALL
> test | False | ALL
> (2 rows)
> cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system TO test;
> cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_schema TO test;
> cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_views TO test;
> InvalidRequest: Error from server: code=2200 [Invalid query]
> message="Resource <keyspace system_views> doesn't exist"
> cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_ TO test;
> system_auth system_distributed system_schema
> system_traces system_views system_virtual_schema
> cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_virtual_schema TO
> test;
> InvalidRequest: Error from server: code=2200 [Invalid query]
> message="Resource <keyspace system_virtual_schema> doesn't exist"
> {code}
> However, the above permission can be added by updating role_permissions
> directly
> {code}
> cassandra@cqlsh> UPDATE system_auth.role_permissions SET permissions =
> permissions + {'SELECT'} WHERE role = 'test' AND resource =
> 'data/system_views';
> cassandra@cqlsh> LIST ALL PERMISSIONS OF test;
> role | username | resource | permission
> ------+----------+--------------------------+------------
> test | test | <keyspace system> | SELECT
> test | test | <keyspace system_schema> | SELECT
> test | test | <keyspace system_views> | SELECT
> (3 rows)
> {code}
> Reading the code unveiled that {{system_schema.keyspaces}} doesn't list
> those two keyspaces, which causes the grant permission command to fail.
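
An added example, not part of the Jira thread and not Cassandra's code: a Python model of the keyspace-level existence check with and without the rule proposed as the second approach, used to audit constructed {{system_auth.role_permissions}} rows for resources the check rejects (such as a row written directly with UPDATE). The keyspace sets, sample rows and all function names are assumptions; table existence is not modelled.

```python
from typing import List, NamedTuple, Optional, Tuple

# Constructed stand-ins: what system_schema.keyspaces lists vs. virtual keyspaces.
SCHEMA_KEYSPACES = {"system", "system_schema", "system_auth",
                    "system_distributed", "system_traces"}
VIRTUAL_KEYSPACES = {"system_views", "system_virtual_schema"}

# Constructed (role, resource) rows in the 'data/<keyspace>' form shown above.
ROWS = [("test", "data/system"), ("test", "data/system_schema"),
        ("test", "data/system_views"), ("test", "data/no_such_ks")]


class Resource(NamedTuple):
    keyspace: Optional[str]  # None means the root resource 'data'
    table: Optional[str]


def parse_resource(name: str) -> Resource:
    """Parse 'data', 'data/<keyspace>' or 'data/<keyspace>/<table>'."""
    parts = name.split("/")
    if parts[0] != "data" or len(parts) > 3 or "" in parts:
        raise ValueError(f"not a data resource: {name!r}")
    keyspace = parts[1] if len(parts) > 1 else None
    table = parts[2] if len(parts) > 2 else None
    return Resource(keyspace, table)


def exists(res: Resource, allow_virtual: bool) -> bool:
    """Hypothetical existence rule; only the keyspace part is checked."""
    if res.keyspace is None:
        return True  # the root resource always exists
    if res.keyspace in SCHEMA_KEYSPACES:
        return True
    # Proposed rule: also report a virtual keyspace as existing.
    return allow_virtual and res.keyspace in VIRTUAL_KEYSPACES


def audit(rows: List[Tuple[str, str]], allow_virtual: bool) -> List[Tuple[str, str]]:
    """Return rows whose resource fails the existence check."""
    return [(role, name) for role, name in rows
            if not exists(parse_resource(name), allow_virtual)]


if __name__ == "__main__":
    print("schema-only rule flags:", audit(ROWS, allow_virtual=False))
    print("with virtual rule flags:", audit(ROWS, allow_virtual=True))
```
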