Hi Yuki, Jeremiah & Christopher, Thank you very much for the feedback.
Regarding removing superuser check for adding/removing identities, I have relaxed that check and added permissions check instead. With this change only users with appropriate permissions to add/drop identities can perform that action. About extending `Create Role` cqlsh statement, we have a couple of reasons for not doing that. We designed the mTLS authenticator in such a way that a single role can be associated with multiple identities, EX: there can be several identities which are read_only users. Also, having a separate cqlsh statement for identities makes it more pluggable and independent. If we still think that extending the create role statement would be a convenient feature, we can add it as required in the followup patches. Christopher, I will be acting upon your feedback regarding having identity in the cassandra.yaml optionally configurable. Thanks, Jyothsna Konisa. On Thu, Jul 6, 2023 at 5:30 PM Dinesh Joshi <djo...@apache.org> wrote: > > On Jun 30, 2023, at 1:09 PM, Jeremiah Jordan <jerem...@datastax.com> > wrote: > > > > I don’t think users necessarily need to be able to update their own > identities. I just don’t want to have to use the super user role. The > super user role has all power over all things in the data base. I don’t > want to have to give that much power to the person who manages identities, > I just want to give them the power to manage identities. > > Makes sense. I think Jyothsna already pushed an update to the PR to relax > the restriction. Please feel free to take a look at it. > > Dinesh > > > >
