Cassandra
  1. Cassandra
  2. CASSANDRA-1271

Improve permissions to allow control over creation/removal/listing of Keyspaces

    Details

    • Type: Improvement Improvement
    • Status: Resolved
    • Priority: Minor Minor
    • Resolution: Fixed
    • Fix Version/s: 0.7 beta 3
    • Component/s: None
    • Labels:
      None

      Description

      We'd like to improve resources/permissions so that they can be applied to the global scope, instead of just individual keyspaces.

      IAuthority currently only has one concept of a resource that it can authorize for: a keyspace. At the very least, this ticket needs to deal with one additional resource: "the keyspace list". These resources should be mapped into a hierarchy, and an object representing the path to the resource will be passed to IAuthority.

      A resource hierarchy to represent all possible resources in Cassandra might look like: /cassandra/<cluster_name>/keyspaces/<ks_name>/...
      In table form:

      resource checked perms explanation
      /cassandra/ n/a Separates Cassandra-internal resources from resources that might be provided by plugins.
      <cluster_name>/ n/a Organizations might have many clusters
      keyspaces/ READ, WRITE The list of keyspaces: READ/WRITE for this resource mean the ability to view/modify the list of keyspaces.
      <ks_name>/ READ, WRITE, READ_VALUE, WRITE_VALUE An individual keyspace: READ/WRITE mean the ability to view/modify the list of column families. Since this is the last entry in the current hierarchy, READ/WRITE_VALUE apply recursively to ancestor data of this keyspace.

      Over time Cassandra may add additional authorize calls for resources higher or lower in the chain, which IAuthority backends can choose to ignore, but this initial patch will only make authorize calls for the keyspaces list, and individual keyspaces. As authorize calls are added for child resources like <cf_name>/, the READ/WRITE_VALUE permissions will move to the lowest checked level, and will be deprecated at higher levels.

      (Note that /cassandra/ and <cluster_name>/ will not yet be checked for permissions via a call to IAuthority.authorize, so while it would be possible for an IAuthority backend to store permissions for these top level resources, they will only be able to deny access when a user attempts to access an ancestor resource.)

      1. 1271-v3.tgz
        15 kB
        Stu Hood

        Issue Links

          Activity

          Stu Hood created issue -
          Stu Hood made changes -
          Field Original Value New Value
          Link This issue depends on CASSANDRA-1237 [ CASSANDRA-1237 ]
          Jonathan Ellis made changes -
          Fix Version/s 0.7 beta 1 [ 12314533 ]
          Fix Version/s 0.7.0 [ 12315212 ]
          Stu Hood made changes -
          Link This issue is blocked by CASSANDRA-1320 [ CASSANDRA-1320 ]
          Stu Hood made changes -
          Link This issue depends on CASSANDRA-1237 [ CASSANDRA-1237 ]
          Stu Hood made changes -
          Description Once 1237 is completed, we'd like to improve AccessLevels so that they can be applied to the global scope, instead of just individual keyspaces.

          Steps for this ticket:
          * Improve/replace the AccessLevel structure to be more like a set of boolean permissions, rather than being level based
          * Store a global map of (users/groups)->AccessLevel that will define which users have permission to create/remove/list keyspaces.
          ** This map would be persisted in the "system" keyspace, or in the Migrations keyspace in such a fashion that modifying permissions on one node ripples out to the rest
          * Add a client interface method that allows adding/removing permissions in the global map (set_global_permissions ?)

          ----

          Expected usecase, starting from an empty cluster, with authentication enabled:
          # Set a password for a "super/root" user (that has been predefined in Cassandra by default) in an IAuthenticator specific way
          # Super user authenticates in Thrift
          # Super user gives more users permission to create/list/remove keyspaces via the proposed Thrift 'set_global_permissions' method
          # Users authenticate via Thrift
          # Users create/remove/list keyspaces
          We'd like to improve resources/permissions so that they can be applied to the global scope, instead of just individual keyspaces.

          IAuthority currently only has one concept of a resource that it can authorize for: a keyspace. At the very least, this ticket needs to deal with one additional resource: "the keyspace list". These resources should be mapped into a hierarchy, and an object representing the path to the resource will be passed to IAuthority.

          A resource hierarchy to represent all possible resources in Cassandra might look like: {{/cassandra/<cluster_name>/keyspaces/<ks_name>/...}}
          In table form:
          || resource || checked perms || explanation ||
          | /cassandra/ | n/a | Separates Cassandra-internal resources from resources that might be provided by plugins. |
          | <cluster_name>/ | n/a | Organizations might have many clusters |
          | keyspaces/ | READ, WRITE | The list of keyspaces: READ/WRITE for this resource mean the ability to view/modify the list of keyspaces. |
          | <ks_name>/ | READ, WRITE, MODIFY_SCHEMA | An individual keyspace: since this is the last entry in the current hierarchy, READ/WRITE apply recursively to ancestor _data_ of the keyspace, while FULL applies recursively to ancestor _schemas_ of the keyspace. |

          (Note that {{/cassandra/}} and {{<cluster_name>/}} will not yet be checked for permissions via a call to IAuthority.authorize, so while it would be possible for an IAuthority backend to store permissions for these top level resources, they will only be able to deny access when a user attempts to access an ancestor resource.)

          Over time Cassandra _may_ add additional authorize calls for resources higher or lower in the chain, which IAuthority backends can choose to ignore, but this initial patch will only make authorize calls for the keyspaces list, and individual keyspaces.
          Stu Hood made changes -
          Description We'd like to improve resources/permissions so that they can be applied to the global scope, instead of just individual keyspaces.

          IAuthority currently only has one concept of a resource that it can authorize for: a keyspace. At the very least, this ticket needs to deal with one additional resource: "the keyspace list". These resources should be mapped into a hierarchy, and an object representing the path to the resource will be passed to IAuthority.

          A resource hierarchy to represent all possible resources in Cassandra might look like: {{/cassandra/<cluster_name>/keyspaces/<ks_name>/...}}
          In table form:
          || resource || checked perms || explanation ||
          | /cassandra/ | n/a | Separates Cassandra-internal resources from resources that might be provided by plugins. |
          | <cluster_name>/ | n/a | Organizations might have many clusters |
          | keyspaces/ | READ, WRITE | The list of keyspaces: READ/WRITE for this resource mean the ability to view/modify the list of keyspaces. |
          | <ks_name>/ | READ, WRITE, MODIFY_SCHEMA | An individual keyspace: since this is the last entry in the current hierarchy, READ/WRITE apply recursively to ancestor _data_ of the keyspace, while FULL applies recursively to ancestor _schemas_ of the keyspace. |

          (Note that {{/cassandra/}} and {{<cluster_name>/}} will not yet be checked for permissions via a call to IAuthority.authorize, so while it would be possible for an IAuthority backend to store permissions for these top level resources, they will only be able to deny access when a user attempts to access an ancestor resource.)

          Over time Cassandra _may_ add additional authorize calls for resources higher or lower in the chain, which IAuthority backends can choose to ignore, but this initial patch will only make authorize calls for the keyspaces list, and individual keyspaces.
          We'd like to improve resources/permissions so that they can be applied to the global scope, instead of just individual keyspaces.

          IAuthority currently only has one concept of a resource that it can authorize for: a keyspace. At the very least, this ticket needs to deal with one additional resource: "the keyspace list". These resources should be mapped into a hierarchy, and an object representing the path to the resource will be passed to IAuthority.

          A resource hierarchy to represent all possible resources in Cassandra might look like: {{/cassandra/<cluster_name>/keyspaces/<ks_name>/...}}
          In table form:
          || resource || checked perms || explanation ||
          | /cassandra/ | n/a | Separates Cassandra-internal resources from resources that might be provided by plugins. |
          | <cluster_name>/ | n/a | Organizations might have many clusters |
          | keyspaces/ | READ, WRITE | The list of keyspaces: READ/WRITE for this resource mean the ability to view/modify the list of keyspaces. |
          | <ks_name>/ | READ, WRITE, READ_VALUE, WRITE_VALUE | An individual keyspace: READ/WRITE mean the ability to view/modify the list of column families. Since this is the last entry in the current hierarchy, READ/WRITE_VALUE apply recursively to ancestor _data_ of this keyspace. |

          Over time Cassandra _may_ add additional authorize calls for resources higher or lower in the chain, which IAuthority backends can choose to ignore, but this initial patch will only make authorize calls for the keyspaces list, and individual keyspaces. As authorize calls are added for child resources like {{<cf_name>/}}, the READ/WRITE_VALUE permissions will move to the lowest checked level, and will be deprecated at higher levels.

          (Note that {{/cassandra/}} and {{<cluster_name>/}} will not yet be checked for permissions via a call to IAuthority.authorize, so while it would be possible for an IAuthority backend to store permissions for these top level resources, they will only be able to deny access when a user attempts to access an ancestor resource.)
          Stu Hood made changes -
          Attachment 0001-Rather-than-3-ThreadLocals-sure-to-continue-to-expan.patch [ 12453333 ]
          Attachment 0002-Convert-to-List-Object-resources.patch [ 12453334 ]
          Attachment 0003-Check-for-permissions-to-modify-the-keyspace-list.patch [ 12453335 ]
          Stu Hood made changes -
          Attachment 0004-Make-SimpleAuthority-aware-of-the-keyspace-list-reso.patch [ 12453338 ]
          Attachment 0005-Add-authorization-to-describe_keyspace-s-and-change-.patch [ 12453339 ]
          Stu Hood made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Stu Hood made changes -
          Attachment 0002-Convert-to-List-Object-resources.patch [ 12453334 ]
          Stu Hood made changes -
          Attachment 0002-Convert-to-List-Object-resources.patch [ 12453341 ]
          Stu Hood made changes -
          Attachment 0003-Check-for-permissions-to-modify-the-keyspace-list.patch [ 12453335 ]
          Stu Hood made changes -
          Attachment 0003-Check-for-permissions-to-modify-the-keyspace-list.patch [ 12453342 ]
          Eric Evans made changes -
          Reviewer urandom
          Stu Hood made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Stu Hood made changes -
          Attachment 0004-Make-SimpleAuthority-aware-of-the-keyspace-list-reso.patch [ 12453338 ]
          Stu Hood made changes -
          Attachment 0003-Check-for-permissions-to-modify-the-keyspace-list.patch [ 12453342 ]
          Stu Hood made changes -
          Attachment 0002-Convert-to-List-Object-resources.patch [ 12453341 ]
          Stu Hood made changes -
          Attachment 0001-Rather-than-3-ThreadLocals-sure-to-continue-to-expan.patch [ 12453333 ]
          Stu Hood made changes -
          Attachment 0005-Add-authorization-to-describe_keyspace-s-and-change-.patch [ 12453339 ]
          Stu Hood made changes -
          Attachment 0001-Rather-than-3-ThreadLocals-sure-to-continue-to-expan.patch [ 12454772 ]
          Attachment 0002-Convert-to-List-Object-resources.patch [ 12454773 ]
          Attachment 0003-Check-for-permissions-to-modify-the-keyspace-list.patch [ 12454774 ]
          Stu Hood made changes -
          Attachment 0004-Make-SimpleAuthority-aware-of-the-keyspace-list-reso.patch [ 12454775 ]
          Attachment 0005-Add-authorization-to-describe_keyspace-s-and-change-.patch [ 12454776 ]
          Stu Hood made changes -
          Assignee Eric Evans [ urandom ]
          Stu Hood made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Stu Hood made changes -
          Attachment 0005-Add-authorization-to-describe_keyspace-s-and-change-.patch [ 12454776 ]
          Stu Hood made changes -
          Attachment 0004-Make-SimpleAuthority-aware-of-the-keyspace-list-reso.patch [ 12454775 ]
          Stu Hood made changes -
          Attachment 0003-Check-for-permissions-to-modify-the-keyspace-list.patch [ 12454774 ]
          Stu Hood made changes -
          Attachment 0002-Convert-to-List-Object-resources.patch [ 12454773 ]
          Stu Hood made changes -
          Attachment 0001-Rather-than-3-ThreadLocals-sure-to-continue-to-expan.patch [ 12454772 ]
          Stu Hood made changes -
          Attachment 0001-Rather-than-3-ThreadLocals-sure-to-continue-to-expan.patch [ 12455422 ]
          Attachment 0002-Convert-to-List-Object-resources.patch [ 12455423 ]
          Attachment 0003-Check-for-permissions-to-modify-the-keyspace-list.patch [ 12455424 ]
          Stu Hood made changes -
          Attachment 0004-Make-SimpleAuthority-aware-of-the-keyspace-list-reso.patch [ 12455425 ]
          Attachment 0005-Add-authorization-to-describe_keyspace-s-and-change-.patch [ 12455426 ]
          Stu Hood made changes -
          Attachment 1271-v3.tgz [ 12455860 ]
          Stu Hood made changes -
          Attachment 0005-Add-authorization-to-describe_keyspace-s-and-change-.patch [ 12455426 ]
          Stu Hood made changes -
          Attachment 0004-Make-SimpleAuthority-aware-of-the-keyspace-list-reso.patch [ 12455425 ]
          Stu Hood made changes -
          Attachment 0003-Check-for-permissions-to-modify-the-keyspace-list.patch [ 12455424 ]
          Stu Hood made changes -
          Attachment 0002-Convert-to-List-Object-resources.patch [ 12455423 ]
          Stu Hood made changes -
          Attachment 0001-Rather-than-3-ThreadLocals-sure-to-continue-to-expan.patch [ 12455422 ]
          Eric Evans made changes -
          Status Patch Available [ 10002 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Stu Hood made changes -
          Link This issue relates to CASSANDRA-1554 [ CASSANDRA-1554 ]
          Gavin made changes -
          Workflow no-reopen-closed, patch-avail [ 12515531 ] patch-available, re-open possible [ 12752353 ]
          Gavin made changes -
          Workflow patch-available, re-open possible [ 12752353 ] reopen-resolved, no closed status, patch-avail, testing [ 12758267 ]

            People

            • Assignee:
              Eric Evans
              Reporter:
              Stu Hood
              Reviewer:
              Eric Evans
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development