[CASSANDRA-4874] Possible authorizaton handling impovements - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Normal
Resolution: Fixed
Fix Version/s: 1.2.0 beta 3
Component/s: None
Labels:
- security

Description

I'll create another issue with my suggestions about fixing/improving IAuthority interfaces. This one lists possible improvements that aren't related to grant/revoke methods.

Inconsistencies:

CREATE COLUMNFAMILY: P.CREATE on the KS in CQL2 vs. P.CREATE on the CF in CQL3 and Thrift
BATCH: P.UPDATE or P.DELETE on CF in CQL2 vs. P.UPDATE in CQL3 and Thrift (despite remove* in Thrift asking for P.DELETE)
DELETE: P.DELETE in CQL2 and Thrift vs. P.UPDATE in CQL3
DROP INDEX: no checks in CQL2 vs. P.ALTER on the CF in CQL3

Other issues/suggestions

CQL2 DROP INDEX should require authorization
current permission checks are inconsistent since they are performed separately by CQL2 query processor, Thrift CassandraServer and CQL3 statement classes.
We should move it to one place. SomeClassWithABetterName.authorize(Operation, KS, CF, User), where operation would be a enum
(ALTER_KEYSPACE, ALTER_TABLE, CREATE_TABLE, CREATE, USE, UPDATE etc.), CF should be nullable.
we don't respect the hierarchy when checking for permissions, or, to be more specific, we are doing it wrong. take CQL3 INSERT as an example:
we require P.UPDATE on the CF or FULL_ACCESS on either KS or CF. However, having P.UPDATE on the KS won't allow you to perform the statement, only FULL_ACCESS will do.
I doubt this was intentional, and if it was, I say it's wrong. P.UPDATE on the KS should allow you to do updates on KS's cfs.
Examples in http://www.datastax.com/dev/blog/dynamic-permission-allocation-in-cassandra-1-1 point to it being a bug, since REVOKE UPDATE ON ks FROM omega is there.
currently we lack a way to set permission on cassandra/keyspaces resource. I think we should be able to do it. See the following point on why.
currently to create a keyspace you must have a P.CREATE permission on that keyspace THAT DOESN'T EVEN EXIST YET. So only a superuser can create a keyspace,
or a superuser must first grant you a permission to create it. Which doesn't look right to me. P.CREATE on cassandra/keyspaces should allow you to create new
keyspaces without an explicit permission for each of them.
same goes for CREATE TABLE. you need P.CREATE on that not-yet-existing CF of FULL_ACCESS on the whole KS. P.CREATE on the KS won't do. this is wrong.
since permissions don't map directly to statements, we should describe clearly in the documentation what permissions are required by what cql statement/thrift method.

Full list of current permission requirements: https://gist.github.com/3978182

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

4874-4875.txt
16/Nov/12 06:15
139 kB
Aleksey Yeschenko
4874-v2.txt
17/Nov/12 21:27
139 kB
Aleksey Yeschenko
4874-v3.txt
18/Nov/12 00:45
119 kB
Aleksey Yeschenko
4874-v4.txt
26/Nov/12 01:08
147 kB
Aleksey Yeschenko
move-resource-on-to-iauthorizer.txt
27/Nov/12 16:38
6 kB
Aleksey Yeschenko
remove-consistency-vestigest-cqlsh-and-cqlg.txt
26/Nov/12 01:07
5 kB
Aleksey Yeschenko
v1-v2.diff
17/Nov/12 21:27
1 kB
Aleksey Yeschenko
warn-authority.txt
27/Nov/12 00:30
2 kB
Aleksey Yeschenko

Issue Links

is related to

CASSANDRA-4875 Revert IAuthority2 interface

Resolved

Activity

People

Assignee:: Aleksey Yeschenko

Reporter:: Aleksey Yeschenko

Authors:: Aleksey Yeschenko

Reviewers:: Jonathan Ellis

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 30/Oct/12 03:46

Updated:: 16/Apr/19 09:32

Resolved:: 27/Nov/12 17:34