Cassandra / CASSANDRA-1271

Improve permissions to allow control over creation/removal/listing of Keyspaces

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Fix Version/s: 0.7 beta 3
    • Component/s: None
    • Labels: None

      Description

      We'd like to improve resources/permissions so that they can be applied to the global scope, instead of just individual keyspaces.

      IAuthority currently only has one concept of a resource that it can authorize for: a keyspace. At the very least, this ticket needs to deal with one additional resource: "the keyspace list". These resources should be mapped into a hierarchy, and an object representing the path to the resource will be passed to IAuthority.

      A resource hierarchy to represent all possible resources in Cassandra might look like: /cassandra/<cluster_name>/keyspaces/<ks_name>/...
      In table form:

      | resource | checked perms | explanation |
      |---|---|---|
      | /cassandra/ | n/a | Separates Cassandra-internal resources from resources that might be provided by plugins. |
      | <cluster_name>/ | n/a | Organizations might have many clusters |
      | keyspaces/ | READ, WRITE | The list of keyspaces: READ/WRITE for this resource mean the ability to view/modify the list of keyspaces. |
      | <ks_name>/ | READ, WRITE, READ_VALUE, WRITE_VALUE | An individual keyspace: READ/WRITE mean the ability to view/modify the list of column families. Since this is the last entry in the current hierarchy, READ/WRITE_VALUE apply recursively to ancestor data of this keyspace. |

      Over time Cassandra may add additional authorize calls for resources higher or lower in the chain, which IAuthority backends can choose to ignore, but this initial patch will only make authorize calls for the keyspaces list, and individual keyspaces. As authorize calls are added for child resources like <cf_name>/, the READ/WRITE_VALUE permissions will move to the lowest checked level, and will be deprecated at higher levels.

      (Note that /cassandra/ and <cluster_name>/ will not yet be checked for permissions via a call to IAuthority.authorize, so while it would be possible for an IAuthority backend to store permissions for these top level resources, they will only be able to deny access when a user attempts to access an ancestor resource.)
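The hierarchy from the description, as an added Java sketch that is not Cassandra's code: a resource is passed as a `List<Object>` path, the keyspace list and each keyspace are separate resources, and anything without an explicit grant is denied. The class, the user names, the `cassandra` path root and the rule that levels below a keyspace resolve to the keyspace's grant are assumptions; it uses only READ and WRITE and omits `<cluster_name>`, as the comments on this ticket say the committed version does.

```java
import java.util.*;

// Added sketch: names are hypothetical, not Cassandra's IAuthority API.
public class HierarchicalAuthority {
    enum Permission { READ, WRITE }

    // Assumed path layout: ["cassandra", "keyspaces", <ks_name>, ...]
    static final int KEYSPACE_DEPTH = 3;

    // user -> (resource path -> explicit grant). String path elements only:
    // byte[] elements would need content-based equality to work as map keys.
    private final Map<String, Map<List<Object>, EnumSet<Permission>>> grants = new HashMap<>();

    void grant(String user, List<Object> resource, EnumSet<Permission> perms) {
        grants.computeIfAbsent(user, u -> new HashMap<>())
              .put(new ArrayList<>(resource), EnumSet.copyOf(perms));
    }

    // Default deny: only an explicit grant on the checked resource counts.
    // Levels below a keyspace are not checked separately, so they resolve
    // to the keyspace's grant (assumed policy).
    EnumSet<Permission> authorize(String user, List<Object> resource) {
        List<Object> checked = resource.size() > KEYSPACE_DEPTH
                ? resource.subList(0, KEYSPACE_DEPTH) : resource;
        EnumSet<Permission> perms =
                grants.getOrDefault(user, Collections.emptyMap()).get(checked);
        return perms == null ? EnumSet.noneOf(Permission.class) : EnumSet.copyOf(perms);
    }

    public static void main(String[] args) {
        List<Object> ksList = Arrays.asList("cassandra", "keyspaces");
        List<Object> ks1 = Arrays.asList("cassandra", "keyspaces", "Keyspace1");
        List<Object> ks2 = Arrays.asList("cassandra", "keyspaces", "Keyspace2");
        List<Object> cf1 = Arrays.asList("cassandra", "keyspaces", "Keyspace1", "Standard1");

        // Constructed sample policy.
        HierarchicalAuthority auth = new HierarchicalAuthority();
        auth.grant("app", ksList, EnumSet.of(Permission.READ));
        auth.grant("app", ks1, EnumSet.of(Permission.READ, Permission.WRITE));
        auth.grant("ops", ksList, EnumSet.allOf(Permission.class));

        System.out.println("app, keyspace list: " + auth.authorize("app", ksList));
        System.out.println("app may create/drop keyspaces: "
                + auth.authorize("app", ksList).contains(Permission.WRITE));
        System.out.println("app, Keyspace1/Standard1: " + auth.authorize("app", cf1));
        System.out.println("app, Keyspace2: " + auth.authorize("app", ks2));
        System.out.println("ops may create/drop keyspaces: "
                + auth.authorize("ops", ksList).contains(Permission.WRITE));
    }
}
```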

      1. 1271-v3.tgz
        15 kB
        Stu Hood

          Activity

          Hudson added a comment -

          Integrated in Cassandra #550 (See https://hudson.apache.org/hudson/job/Cassandra/550/)
          eliminate {READ,WRITE}_VALUE perms

          Patch by eevans for CASSANDRA-1271
          Add authorization to describe_keyspace(s) and change Thrift exceptions.

          Patch by Stu Hood; reviewed by eevans for CASSANDRA-1271
          Make SimpleAuthority aware of the keyspace list resource.

          Patch by Stu Hood; reviewed by eevans for CASSANDRA-1271
          Check for permissions to modify the keyspace list.

          Patch by Stu Hood; reviewed by eevans for CASSANDRA-1271
          Convert to List<Object> resources

          Patch by Stu Hood; reviewed by eevans for CASSANDRA-1271
          Rather than 3 ThreadLocals (sure to continue to expand), use 1.

          Patch by Stu Hood; reviewed by eevans for CASSANDRA-1271

          Eric Evans added a comment -

          Ok, this has been committed with one simple but significant change, namely that the READ_VALUE/WRITE_VALUE perms have been removed.

          This has no effect at all on the only implemented authority, SimpleAuthority, but it does mean that it's not possible to implement an authority that distinguishes between writing a column family versus writing the data contained within. For this, it would be better to take advantage of the resource hierarchy and authorize differently depending on the operation. I will submit a separate ticket to implement that.

          Thanks Stu, between this and the related issues this all looks significantly better than what we had before.

          Stu Hood added a comment -

          Rebased for trunk.

          Stu Hood added a comment -

          Rebase for trunk.

          Stu Hood added a comment -

          On second thought, let's handle changing the caching elsewhere.

          Rebased for trunk.

          Stu Hood added a comment -

          I mentioned in IRC that I was going to replace the per-thread cached permissions with global cached permissions, outside the authenticator.

          Stu Hood added a comment -

          Forgot to remove a mention of <cluster_name>: decided not to use it in the resource hierarchy, since it doesn't change at runtime, and is accessible elsewhere.

          Stu Hood added a comment -

          Applies atop CASSANDRA-1320.

          Stu Hood added a comment - - edited

          0001 - Rather than the contents of the ClientState object being ThreadLocals, the ClientState object should be ThreadLocal (facepalm, but basically unrelated to the rest of this patchset)
          0002 - Replace the 'keyspace' argument to authorize with a List<Object>. The intention here is that we never have to create new objects to perform authorization, since we can keep the resource list and replace the positions with whatever we have on hand (namely, Strings, but also byte[]s, for when people ask for row-level auth).
          0003 - Add permissions checks for modifications to the keyspace list
          0004 - Implement keyspace list authorization in SimpleAuthority
          0005 - Adds auth checks to describe_keyspace(s), and consequently needs to add InvalidRequestException. (Rather than using InvalidRequestException, should we be throwing AuthorizationException everywhere?)

          Stu Hood added a comment -

          Modify how permissions should be applied recursively to resources which don't receive authorize() calls.

          Stu Hood added a comment -

          Overhaul for the change in direction on 1237.

          Stu Hood added a comment -

          Separated the AccessLevel changes into CASSANDRA-1320


            People

            • Assignee: Eric Evans
            • Reporter: Stu Hood
            • Reviewer: Eric Evans
            • Votes: 0
            • Watchers: 2
