[ https://issues.apache.org/jira/browse/CASSANDRA-7216?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aleksey Yeschenko updated CASSANDRA-7216:
-----------------------------------------
Attachment: 7216-POC.txt
Attaching a POC-concept. Adds an overridable
AuthenticatedUser#canManageUsers(), the output of which is used to decide if
the logged-in user is allowed to perform ALTER USER/CREATE USER/DROP USER
queries.
So now you can write a custom IAuthenticator that would return an
AuthenticatedUser w/ an overridden canManageUsers(), based on some config file
or a hard-coded value. Coupled with automatic keyspace pre-creation and
granting all the rights, I think this pretty much covers your use case.
[~odpeer] [[email protected]] wdyt?
> Restricted superuser account request
> ------------------------------------
>
> Key: CASSANDRA-7216
> URL: https://issues.apache.org/jira/browse/CASSANDRA-7216
> Project: Cassandra
> Issue Type: Improvement
> Reporter: Oded Peer
> Assignee: Dave Brosius
> Priority: Minor
> Fix For: 3.0
>
> Attachments: 7216-POC.txt, 7216.txt
>
>
> I am developing a multi-tenant service.
> Every tenant has its own user, keyspace and can access only his keyspace.
> As new tenants are provisioned there is a need to create new users and
> keyspaces.
> Only a superuser can issue CREATE USER requests, so we must have a superuser
> account in the system. On the other hand, superusers have access to all the
> keyspaces, which poses a security risk.
> For tenant provisioning I would like to have a restricted account which can
> only create new users, without read access to keyspaces.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
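
A minimal Java model of the check described in the comment above, added here as an illustration and not taken from 7216-POC.txt or Cassandra's source: user-management statements are gated on canManageUsers(), while keyspace reads still require superuser status or a grant. Only AuthenticatedUser and canManageUsers() are names from the page; isSuper(), Op, ProvisioningUser, GRANTS, allowed() and the superuser-flag guard are assumptions of this sketch.

```java
import java.util.Map;
import java.util.Set;

// Simplified model, NOT Cassandra source. Hypothetical names throughout,
// except AuthenticatedUser and canManageUsers(), which the page mentions.
public class RestrictedProvisioningDemo {
    enum Op { CREATE_USER, ALTER_USER, DROP_USER, SELECT }

    static class AuthenticatedUser {
        final String name;
        final boolean superuser;
        AuthenticatedUser(String name, boolean superuser) { this.name = name; this.superuser = superuser; }
        boolean isSuper() { return superuser; }
        // Assumed default: only superusers manage users, matching the old behaviour.
        boolean canManageUsers() { return isSuper(); }
    }

    // What a custom IAuthenticator could return for the provisioning login.
    static class ProvisioningUser extends AuthenticatedUser {
        ProvisioningUser(String name) { super(name, false); }
        @Override boolean canManageUsers() { return true; }
    }

    // Constructed sample grants: user name -> keyspaces that user may read.
    static final Map<String, Set<String>> GRANTS = Map.of("tenant_a", Set.of("ks_tenant_a"));

    static boolean allowed(AuthenticatedUser u, Op op, String keyspace, boolean grantsSuperuser) {
        switch (op) {
            case CREATE_USER: case ALTER_USER: case DROP_USER:
                // Assumed guard: conferring SUPERUSER still requires a superuser,
                // so the restricted account cannot promote a user it controls.
                return u.canManageUsers() && (!grantsSuperuser || u.isSuper());
            default:
                return u.isSuper() || GRANTS.getOrDefault(u.name, Set.of()).contains(keyspace);
        }
    }

    public static void main(String[] args) {
        AuthenticatedUser root = new AuthenticatedUser("cassandra", true);
        AuthenticatedUser prov = new ProvisioningUser("provisioner");
        AuthenticatedUser tenant = new AuthenticatedUser("tenant_a", false);
        System.out.println("provisioner CREATE USER:           " + allowed(prov, Op.CREATE_USER, null, false));
        System.out.println("provisioner CREATE USER SUPERUSER: " + allowed(prov, Op.CREATE_USER, null, true));
        System.out.println("provisioner SELECT ks_tenant_a:    " + allowed(prov, Op.SELECT, "ks_tenant_a", false));
        System.out.println("tenant_a SELECT ks_tenant_a:       " + allowed(tenant, Op.SELECT, "ks_tenant_a", false));
        System.out.println("tenant_a DROP USER:                " + allowed(tenant, Op.DROP_USER, null, false));
        System.out.println("superuser CREATE USER SUPERUSER:   " + allowed(root, Op.CREATE_USER, null, true));
    }
}
```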