[
https://issues.apache.org/jira/browse/CASSANDRA-4295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13413649#comment-13413649
]
Sylvain Lebresne commented on CASSANDRA-4295:
---------------------------------------------
The current {{IAuthority}} API is:
{noformat}
public EnumSet<Permission> authorize(AuthenticatedUser user, List<Object> resource);
{noformat}
What about changing that to something like:
{noformat}
public interface PermissionToken {}
public Pair<EnumSet<Permission>, PermissionToken> authorize(AuthenticatedUser user, List<Object> resource);
public boolean isStillValid(PermissionToken token);
{noformat}
The semantic being that authorize would give us a token (every implementation
could make that be whatever they want) and {{isStillValid}} would validate
whether the authorization that returned the token is still valid at the time of
the call to {{isStillValid}}.
Implementations that don't want to get fancy could just return null as the
token and have {{isStillValid}} return either:
- always true if an authorization is valid indefinitely
- always false to force redoing an authorization every time
And fancier policies (like authorization is valid for X minutes only, ...)
can be easily implemented too.
Then in CQL we would call authorize during preparation and keep the token
around, and during execution we would check the validity of the token and redo
the authorization only if it's not valid anymore. It does complicate things a
bit, but not too much either.
Or we just leave things like they are and consider that caching the result of
authorize should be the business of the {{IAuthority}} (I'm personally not
against that). But the more I think about it, the more I'm convinced that
forcing users and their access rights to be immutable is A Bad Idea.
> move checkaccess into statement.prepare
> ---------------------------------------
>
> Key: CASSANDRA-4295
> URL: https://issues.apache.org/jira/browse/CASSANDRA-4295
> Project: Cassandra
> Issue Type: Improvement
> Components: API
> Affects Versions: 1.1.0
> Reporter: Jonathan Ellis
> Assignee: Pavel Yaskevich
> Priority: Minor
> Fix For: 1.1.3
>
> Attachments: CASSANDRA-4295.patch
>
>
> there's no need to redo this every execution since the schema, tables, and
> users involved should all be immutable
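The token-based variant proposed in the comment above, as an added example that is not part of the original comment or of Cassandra's code: a time-limited token, with authorization done at prepare time and redone at execution only once the token has lapsed. `Grant` (in place of `Pair`), `TtlAuthority`, `Prepared`, the string user name, the in-memory ACL map and the hand-advanced clock are hypothetical stand-ins, and the code assumes Java 16 or later.

```java
import java.util.*;

// Added illustration; all types are stand-ins, not Cassandra's classes.
public class TokenAuthSketch {
    enum Permission { READ, WRITE }
    interface PermissionToken {}
    record Grant(EnumSet<Permission> permissions, PermissionToken token) {} // stands in for Pair
    interface Authority {
        Grant authorize(String user, List<Object> resource);
        boolean isStillValid(PermissionToken token);
    }
    // "Valid for X minutes only": the token carries its own expiry time.
    static final class TtlAuthority implements Authority {
        record Expiry(long deadlineMillis) implements PermissionToken {}
        final Map<String, EnumSet<Permission>> acl = new HashMap<>(); // hypothetical mutable ACL
        final long ttlMillis; long now; // constructed clock, advanced by hand in main
        TtlAuthority(long ttlMillis) { this.ttlMillis = ttlMillis; }
        public Grant authorize(String user, List<Object> resource) {
            EnumSet<Permission> p = acl.getOrDefault(user, EnumSet.noneOf(Permission.class));
            return new Grant(EnumSet.copyOf(p), new Expiry(now + ttlMillis));
        }
        public boolean isStillValid(PermissionToken t) {
            return t instanceof Expiry e && now < e.deadlineMillis(); // a null token is never valid
        }
    }
    // Authorize once at prepare time; at execution redo it only if the token lapsed.
    static final class Prepared {
        final Authority auth; final String user; final List<Object> resource; final Permission needed;
        Grant grant; int authorizeCalls;
        Prepared(Authority auth, String user, List<Object> resource, Permission needed) {
            this.auth = auth; this.user = user; this.resource = resource; this.needed = needed;
            refresh();
        }
        void refresh() { grant = auth.authorize(user, resource); authorizeCalls++; }
        boolean execute() {
            if (!auth.isStillValid(grant.token())) refresh();
            return grant.permissions().contains(needed); // false means access denied
        }
    }
    public static void main(String[] args) {
        TtlAuthority a = new TtlAuthority(60_000);
        a.acl.put("alice", EnumSet.of(Permission.READ));
        Prepared p = new Prepared(a, "alice", List.of("ks", "cf"), Permission.READ);
        System.out.println("fresh token: " + p.execute());
        a.acl.remove("alice"); // access revoked after prepare
        System.out.println("revoked, token live: " + p.execute());
        a.now = 60_000; // TTL elapsed
        System.out.println("revoked, token expired: " + p.execute() + ", authorize calls: " + p.authorizeCalls);
    }
}
```

The second call still succeeds after the revocation because the token has not expired, so the validity period is also the longest time a revoked permission keeps working.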