Cassandra / CASSANDRA-1237

Store AccessLevels externally to IAuthenticator

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Fix Version/s: 0.7 beta 2
    • Component/s: None
    • Labels:
      None

      Description

      Currently, the concept of authentication (proving the identity of a user) is mixed up with permissions (determining whether a user is able to create/read/write databases). Rather than determining the permissions that a user has, the IAuthenticator should only be capable of authenticating a user, and permissions (specifically, an AccessLevel) should be stored consistently by Cassandra.

      EDIT: Adding summary


      In summary, there appear to be 3 distinct options for how to move forward with authorization. Remember that this ticket is about disconnecting authorization (permissions) from authentication (user/group identification), and its goal is to leave authentication pluggable.

      Options:

      1. Leave authentication and authorization in the same interface. If we choose this option, this ticket is invalid, and CASSANDRA-1271 and CASSANDRA-1320 will add-to/improve IAuthenticator
        • Pros:
          • Least change
        • Cons:
          • Very little actually implemented by Cassandra: burden is on the backend implementors
          • Each combination of authz and authc backends would require a new implementation (PAM for authc + permissions keyspace for authz, for instance), causing an explosion of implementations
      2. Separate out a pluggable IAuthority interface to implement authorization
        1. IAuthenticator interface would be called at login time to determine user/groups membership
        2. IAuthority would be called at operation time with the user/groups determined earlier, and the required permission for the operation
        • Pros:
          • Provides the cleanest separation of concerns
          • Allows pluggability for permissions
        • Cons:
          • Pluggability of permissions gains limited benefit
          • IAuthority would need to support callbacks for keyspace/cf creation and removal to keep existing keyspaces in sync with their permissions (although technically, option 1 suffers from this as well)
      3. Separate authorization, but do not make it pluggable
        • This option is implemented by the existing patchset by attaching permissions to metadata, but could have an alternative implementation that stores permissions in a permissions keyspace.
        • Pros:
          • Cassandra controls the scalability of authorization, and can ensure it does not become a bottleneck
        • Cons:
          • Would need to support callbacks for user creation and removal to keep existing users in sync with their permissions
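
      A sketch of option 2 as an added example, not code from the ticket or its attached patches: authentication resolves the user and groups once at login, authorization is consulted per operation, and a keyspace-removal callback keeps grants in sync. Only the names IAuthenticator and IAuthority come from the ticket; the method signatures, Permission, AuthenticatedUser, MapAuthority and the sample user, group and keyspace are assumptions.

```java
import java.util.*;

// Illustrative only: signatures are assumptions, not Cassandra's actual interfaces.
public class AuthSplitSketch {
    enum Permission { READ, WRITE }
    record AuthenticatedUser(String name, Set<String> groups) {}

    // Authentication only: called once at login, yields identity and group membership.
    interface IAuthenticator { AuthenticatedUser login(String user, String password); }

    // Authorization only: called per operation with the identity established at login.
    interface IAuthority {
        boolean authorize(AuthenticatedUser who, String keyspace, Permission needed);
        void onKeyspaceDropped(String keyspace); // callback keeps grants in sync with schema
    }

    // Constructed in-memory authority: keyspace -> principal (user or group) -> permissions.
    static class MapAuthority implements IAuthority {
        private final Map<String, Map<String, EnumSet<Permission>>> grants = new HashMap<>();

        void grant(String keyspace, String principal, Permission p) {
            grants.computeIfAbsent(keyspace, k -> new HashMap<>())
                  .computeIfAbsent(principal, k -> EnumSet.noneOf(Permission.class)).add(p);
        }

        public boolean authorize(AuthenticatedUser who, String keyspace, Permission needed) {
            // Default deny: an unknown keyspace or principal has no permissions.
            Map<String, EnumSet<Permission>> ks = grants.getOrDefault(keyspace, Map.of());
            EnumSet<Permission> none = EnumSet.noneOf(Permission.class);
            return ks.getOrDefault(who.name(), none).contains(needed)
                || who.groups().stream().anyMatch(g -> ks.getOrDefault(g, none).contains(needed));
        }

        public void onKeyspaceDropped(String keyspace) { grants.remove(keyspace); }
    }

    public static void main(String[] args) {
        IAuthenticator authc = (u, p) -> { // constructed credential check, stands in for any backend
            if (!"alice".equals(u) || !"s3cret".equals(p)) throw new SecurityException("login failed");
            return new AuthenticatedUser(u, Set.of("analysts"));
        };
        MapAuthority authz = new MapAuthority();
        authz.grant("Keyspace1", "analysts", Permission.READ);

        AuthenticatedUser alice = authc.login("alice", "s3cret");
        System.out.println(authz.authorize(alice, "Keyspace1", Permission.READ));  // via group grant
        System.out.println(authz.authorize(alice, "Keyspace1", Permission.WRITE)); // never granted
        authz.onKeyspaceDropped("Keyspace1");
        authz.grant("Keyspace1", "bob", Permission.READ); // same name re-created for another user
        System.out.println(authz.authorize(alice, "Keyspace1", Permission.READ));  // old grant must not survive
    }
}
```

      Without the onKeyspaceDropped callback, a keyspace re-created under the same name would inherit the grants of the one that was dropped, which is the sync problem listed under the cons of option 2.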

          Activity

          Stu Hood created issue -
          Stu Hood made changes -
          Field Original Value New Value
          Link This issue is blocked by CASSANDRA-1186 [ CASSANDRA-1186 ]
          Stu Hood made changes -
          Description (original value):
          Currently, the concept of authentication (proving the identity of a user) is mixed up with permissions (determining whether a user is able to create/read/write databases). Rather than determining the permissions that a user has, the IAuthenticator should only be capable of authenticating a user, and permissions (specifically, an AuthLevel) should be stored consistently by Cassandra.

          The primary goal of this ticket is to separate AuthLevels from IAuthenticators, and to persist a map of User->AuthLevel along with:
          * the global scope, where the AuthLevel refers to permission to read/write to the list of keyspaces
          * each keyspace, where the AuthLevel continues to have its current meaning

          ----

          In separate tickets, we would like to improve the AuthLevel structure so that it can store role/permission bits independently, rather than being level based.

          Description (new value):
          Currently, the concept of authentication (proving the identity of a user) is mixed up with permissions (determining whether a user is able to create/read/write databases). Rather than determining the permissions that a user has, the IAuthenticator should only be capable of authenticating a user, and permissions (specifically, an AccessLevel) should be stored consistently by Cassandra.

          The primary goal of this ticket is to separate AccessLevels from IAuthenticators, and to persist a map of User->AccessLevel along with:
          * the global scope, where the AccessLevel refers to permission to read/write to the list of keyspaces
          * each keyspace, where the AccessLevel continues to have its current meaning

          ----

          In separate tickets, we would like to improve the AccessLevel structure so that it can store role/permission bits independently, rather than being level based.

          Summary (original value): Store AuthLevels externally to IAuthenticator
          Summary (new value): Store AccessLevels externally to IAuthenticator
          Stu Hood made changes -
          Description (new value):
          Currently, the concept of authentication (proving the identity of a user) is mixed up with permissions (determining whether a user is able to create/read/write databases). Rather than determining the permissions that a user has, the IAuthenticator should only be capable of authenticating a user, and permissions (specifically, an AccessLevel) should be stored consistently by Cassandra.

          The primary goal of this ticket is to separate AccessLevels from IAuthenticators, and to persist a map of User->AccessLevel along with:
          * EDIT: Separating the addition of 'global scope' permissions into a separate ticket
          * each keyspace, where the AccessLevel continues to have its current meaning

          ----

          In separate tickets, we would like to improve the AccessLevel structure so that it can store role/permission bits independently, rather than being level based.
          Stu Hood made changes -
          Link This issue blocks CASSANDRA-1271 [ CASSANDRA-1271 ]
          Stu Hood made changes -
          Attachment 0001-Consolidate-KSMetaData-mutations-into-copy-methods.patch [ 12449994 ]
          Attachment 0002-Thrift-and-Avro-interface-changes.patch [ 12449995 ]
          Attachment 0003-Add-user-and-group-access-maps-to-Keyspace-metadata.patch [ 12449996 ]
          Stu Hood made changes -
          Attachment 0004-Remove-AccessLevel-return-value-from-login-and-retur.patch [ 12449997 ]
          Attachment 0005-Move-per-thread-state-into-a-ClientState-object-1-pe.patch [ 12449998 ]
          Stu Hood made changes -
          Attachment 0001-Consolidate-KSMetaData-mutations-into-copy-methods.patch [ 12449994 ]
          Stu Hood made changes -
          Attachment 0002-Thrift-and-Avro-interface-changes.patch [ 12449995 ]
          Stu Hood made changes -
          Attachment 0003-Add-user-and-group-access-maps-to-Keyspace-metadata.patch [ 12449996 ]
          Stu Hood made changes -
          Attachment 0004-Remove-AccessLevel-return-value-from-login-and-retur.patch [ 12449997 ]
          Stu Hood made changes -
          Attachment 0005-Move-per-thread-state-into-a-ClientState-object-1-pe.patch [ 12449998 ]
          Stu Hood made changes -
          Attachment 0001-Consolidate-KSMetaData-mutations-into-copy-methods.patch [ 12450088 ]
          Attachment 0002-Thrift-and-Avro-interface-changes.patch [ 12450089 ]
          Attachment 0003-Add-user-and-group-access-maps-to-Keyspace-metadata.patch [ 12450090 ]
          Stu Hood made changes -
          Attachment 0005-Move-per-thread-state-into-a-ClientState-object-1-pe.patch [ 12450091 ]
          Attachment 0004-Remove-AccessLevel-return-value-from-login-and-retur.patch [ 12450092 ]
          Attachment sample-usage.patch [ 12450093 ]
          Stu Hood made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Jonathan Ellis made changes -
          Fix Version/s 0.7.0 [ 12315212 ]
          Fix Version/s 0.7 beta 1 [ 12314533 ]
          Stu Hood made changes -
          Attachment 0003-Add-user-and-group-access-maps-to-Keyspace-metadata.patch [ 12450090 ]
          Stu Hood made changes -
          Attachment 0003-Add-user-and-group-access-maps-to-Keyspace-metadata.patch [ 12450208 ]
          Attachment 0006-Apply-access.properties-to-keyspaces-during-an-upgra.patch [ 12450209 ]
          Stu Hood made changes -
          Link This issue blocks CASSANDRA-1320 [ CASSANDRA-1320 ]
          Stu Hood made changes -
          Attachment 0003-Add-user-and-group-access-maps-to-Keyspace-metadata.patch [ 12450208 ]
          Stu Hood made changes -
          Attachment 0002-Thrift-and-Avro-interface-changes.patch [ 12450089 ]
          Stu Hood made changes -
          Attachment 0002-Thrift-and-Avro-interface-changes.patch [ 12450511 ]
          Attachment 0003-Add-user-and-group-access-maps-to-Keyspace-metadata.patch [ 12450512 ]
          Folke Behrens made changes -
          Attachment simple-JAASAuthenticator.patch.txt [ 12450549 ]
          Stu Hood made changes -
          Attachment 0001-Consolidate-KSMetaData-mutations-into-copy-methods.patch [ 12450088 ]
          Stu Hood made changes -
          Attachment 0002-Thrift-and-Avro-interface-changes.patch [ 12450511 ]
          Stu Hood made changes -
          Attachment 0003-Add-user-and-group-access-maps-to-Keyspace-metadata.patch [ 12450512 ]
          Stu Hood made changes -
          Attachment 0004-Remove-AccessLevel-return-value-from-login-and-retur.patch [ 12450092 ]
          Stu Hood made changes -
          Attachment 0005-Move-per-thread-state-into-a-ClientState-object-1-pe.patch [ 12450091 ]
          Stu Hood made changes -
          Attachment 0006-Apply-access.properties-to-keyspaces-during-an-upgra.patch [ 12450209 ]
          Stu Hood made changes -
          Fix Version/s 0.7 beta 1 [ 12314533 ]
          Fix Version/s 0.7.0 [ 12315212 ]
          Folke Behrens made changes -
          Attachment simple-JAASAuthenticator.patch.txt [ 12450549 ]
          Gary Dusbabek made changes -
          Status Patch Available [ 10002 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Eric Evans made changes -
          Resolution Fixed [ 1 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          Folke Behrens made changes -
          Attachment simple-jaas-authenticator.patch [ 12450850 ]
          Jonathan Ellis made changes -
          Fix Version/s 0.7.0 [ 12315212 ]
          Fix Version/s 0.7 beta 1 [ 12314533 ]
          Stu Hood made changes -
          Fix Version/s 0.8 [ 12314820 ]
          Fix Version/s 0.7.0 [ 12315212 ]
          Stu Hood made changes -
          Link This issue blocks CASSANDRA-1271 [ CASSANDRA-1271 ]
          Stu Hood made changes -
          Link This issue blocks CASSANDRA-1320 [ CASSANDRA-1320 ]
          Stu Hood made changes -
          Status Reopened [ 4 ] Patch Available [ 10002 ]
          Fix Version/s 0.7 beta 2 [ 12315251 ]
          Fix Version/s 0.8 [ 12314820 ]
          Stu Hood made changes -
          Attachment sample-usage.patch [ 12450093 ]
          Eric Evans made changes -
          Reviewer urandom
          Eric Evans made changes -
          Resolution Fixed [ 1 ]
          Status Patch Available [ 10002 ] Resolved [ 5 ]
          Gavin made changes -
          Workflow no-reopen-closed, patch-avail [ 12514482 ] patch-available, re-open possible [ 12752333 ]
          Gavin made changes -
          Workflow patch-available, re-open possible [ 12752333 ] reopen-resolved, no closed status, patch-avail, testing [ 12758255 ]
          Aleksey Yeschenko made changes -
          Component/s Core [ 12312978 ]

            People

            • Assignee: Stu Hood
            • Reporter: Stu Hood
            • Reviewer: Eric Evans
            • Votes: 0
            • Watchers: 3
