Details

    • Type: Improvement Improvement
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Fix Version/s: 1.1.7
    • Component/s: None
    • Labels:

      Description

      CASSANDRA-4874 is about general improvements to authorization handling, this one is about IAuthority[2] in particular.

      • 'LIST GRANTS OF user should' become 'LIST PERMISSIONS [on resource] [of user]'.
        Currently there is no way to see all the permissions on the resource, only all the permissions of a particular user.
      • IAuthority2.listPermissions() should return a generic collection of ResoucePermission or something, not CQLResult or ResultMessage.
        That's a wrong level of abstraction. I know this issue has been raised here - https://issues.apache.org/jira/browse/CASSANDRA-4490?focusedCommentId=13449732&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13449732com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13449732, but I think it's possible to change this. Returning a list of {resource, user, permission, grant_option}

        tuples should be possible.

      • We should get rid of Permission.NO_ACCESS. An empty list of permissions should mean absence of any permission, not some magical Permission.NO_ACCESS value.
        It's insecure and error-prone and also ambiguous (what if a user has both FULL_ACCESS and NO_ACCESS permissions? If it's meant to be a way to strip a user
        of all permissions on the resource, then it should be replaced with some form of REVOKE statement. Something like 'REVOKE ALL PERMISSIONS' sounds more logical than GRANT NO_ACCESS to me.
      • Previous point will probably require adding revokeAllPermissions() method to make it explicit, special-casing IAuthority2.revoke() won't do
      • IAuthorize2.grant() and IAuthorize2.revoke() accept CFName instance for a resource, which has its ks and cf fields swapped if cf is omitted. This may cause a real security issue if IAuthorize2 implementer doesn't know about the issue. We must pass the resouce as a collection of strings ([cassandra, keyspaces[, ks_name][, cf_name]]) instead, the way we pass it to IAuthorize.authorize().
      • We should probably get rid of FULL_ACCESS as well, at least as a valid permission value (but maybe allow it in the CQL statement) and add an equivalent IAuthority2.grantAllPermissions(), separately. Why? Imagine the following sequence: GRANT FULL_ACCESS ON resource FOR user; REVOKE SELECT ON resource FROM user; should the user be allowed to SELECT anymore?
        I say no, he shouldn't. Full access should be represented by a list of all permissions, not by a magical special value.
      • P.DELETE probably should go in favour of P.UPDATE even for TRUNCATE. Presence of P.DELETE will definitely confuse users, who might think that it is somehow required to delete data, when it isn't. You can overwrite every value if you have P.UPDATE with TTL=1 and get the same result. We should also drop P.INSERT. Leave P.UPDATE (or rename it to P.MODIFY). P.MODIFY_DATA + P.READ_DATA should replace P.UPDATE, P.SELECT and P.DELETE.
      • I suggest new syntax to allow setting permissions on cassandra/keyspaces resource: GRANT <permission> ON * FOR <user>.

      The interface has to change because of the CFName argument to grant() and revoke(), and since it's going to be broken anyway (and has been introduced recently), I think we are in a position to make some other improvements while at it.

        Issue Links

          Activity

          Aleksey Yeschenko created issue -
          Aleksey Yeschenko made changes -
          Field Original Value New Value
          Link This issue relates to CASSANDRA-4874 [ CASSANDRA-4874 ]
          Hide
          Aleksey Yeschenko added a comment -

          Re: 'P.DELETE should probably go in favour of P.UPDATE' and TTL: we should just require both P.DELETE and P.UPDATE on inserts/updates with TTL set (discussed in CASSANDRA-4874)

          Show
          Aleksey Yeschenko added a comment - Re: 'P.DELETE should probably go in favour of P.UPDATE' and TTL: we should just require both P.DELETE and P.UPDATE on inserts/updates with TTL set (discussed in CASSANDRA-4874 )
          Hide
          Jonathan Ellis added a comment -
          • 'LIST PERMISSIONS [of user] [on resource]' is slightly more grammatical
          • Agreed that IAuthority2.listPermissions() should return a generic collection (Set?) of ResourcePermission
          • +1 on removing NO-ACCESS
          • We do want "REVOKE ALL" but "for permission in listPermissions(): revoke(permission)" seems adequate to implement that
          • Agreed that CFName is not a good fit for "a keyspace or a columnfamily." Not a huge fan of the List<String> approach either, though. What about adding an IPermissionable interface that could be either a KS or a CF? That would also allow adding other types of permissionable objects down the road – functions is a likely candidate.
          • I don't think FULL_ACCESS is problematic if hierarchy traversal is done correctly. In your example, select would indeed be disallowed. The problem with requiring permissions to be enumerated is, you add a new CF and now none of your GRANT ALL users have access to it unless you spell it out for each. Painful. (And not the way other databases work.)
          • Parenthetically, FULL_ACCESS should really be ALL as far as cql is concerned. Internally it doesn't matter.
          • I'm okay with MODIFY + SELECT. (Don't see any compelling reason to rename SELECT to READ.)
          • I don't think we need new syntax?

          Finally,

          • Committing IAuth2 to 1.1.6 was a mistake. Should we rip it out in 1.1.7? If we do not, how sure are we that we won't have changes for 1.1.8?
          Show
          Jonathan Ellis added a comment - 'LIST PERMISSIONS [of user] [on resource] ' is slightly more grammatical Agreed that IAuthority2.listPermissions() should return a generic collection (Set?) of ResourcePermission +1 on removing NO-ACCESS We do want "REVOKE ALL" but "for permission in listPermissions(): revoke(permission)" seems adequate to implement that Agreed that CFName is not a good fit for "a keyspace or a columnfamily." Not a huge fan of the List<String> approach either, though. What about adding an IPermissionable interface that could be either a KS or a CF? That would also allow adding other types of permissionable objects down the road – functions is a likely candidate. I don't think FULL_ACCESS is problematic if hierarchy traversal is done correctly. In your example, select would indeed be disallowed. The problem with requiring permissions to be enumerated is, you add a new CF and now none of your GRANT ALL users have access to it unless you spell it out for each. Painful. (And not the way other databases work.) Parenthetically, FULL_ACCESS should really be ALL as far as cql is concerned. Internally it doesn't matter. I'm okay with MODIFY + SELECT. (Don't see any compelling reason to rename SELECT to READ.) I don't think we need new syntax? Finally, Committing IAuth2 to 1.1.6 was a mistake. Should we rip it out in 1.1.7? If we do not, how sure are we that we won't have changes for 1.1.8?
          Hide
          Aleksey Yeschenko added a comment -

          'LIST PERMISSIONS [of user] [on resource]' is slightly more grammatical

          Is it a good thing or a bad thing? In any case, being able to list all the permissions on the resource is useful. It's currently impossible to know who has access to a particular resource - you need to somehow get the full list of users and then for user in all_users: list grants for user.

          We do want "REVOKE ALL" but "for permission in listPermissions(): revoke(permission)" seems adequate to implement that.

          I see now. And agree.

          What about adding an IPermissionable interface that could be either a KS or a CF?

          Maybe (most likely) a list of strings is not a good idea, but something capable of representing the complete hierarchy is needed.
          Currently it's cassandra/keyspaces[/ks[/cf]], and we don't check or have a way to set permissions on the first two levels. I think we should drop 'cassandra'. Make it keyspaces[/ks[/cf]] or data[/ks[/cf]] or something like that and require specifying the whole path when granting/revoking.
          'GRANT CREATE ON keyspaces' would allow creating keyspaces without explicit permission on the not-yet-existing ks, for example (the issue from 4874). 'GRANT CREATE ON keyspaces/test', 'GRANT MODIFY ON keyspaces/test/cf'. This is slightly more verbose, but also more flexible - if we add other types of permissionable objects, as you said, we won't have to change grant/revoke syntax.

          Show
          Aleksey Yeschenko added a comment - 'LIST PERMISSIONS [of user] [on resource] ' is slightly more grammatical Is it a good thing or a bad thing? In any case, being able to list all the permissions on the resource is useful. It's currently impossible to know who has access to a particular resource - you need to somehow get the full list of users and then for user in all_users: list grants for user. We do want "REVOKE ALL" but "for permission in listPermissions(): revoke(permission)" seems adequate to implement that. I see now. And agree. What about adding an IPermissionable interface that could be either a KS or a CF? Maybe (most likely) a list of strings is not a good idea, but something capable of representing the complete hierarchy is needed. Currently it's cassandra/keyspaces[/ks [/cf] ], and we don't check or have a way to set permissions on the first two levels. I think we should drop 'cassandra'. Make it keyspaces[/ks [/cf] ] or data[/ks [/cf] ] or something like that and require specifying the whole path when granting/revoking. 'GRANT CREATE ON keyspaces' would allow creating keyspaces without explicit permission on the not-yet-existing ks, for example (the issue from 4874). 'GRANT CREATE ON keyspaces/test', 'GRANT MODIFY ON keyspaces/test/cf'. This is slightly more verbose, but also more flexible - if we add other types of permissionable objects, as you said, we won't have to change grant/revoke syntax.
          Hide
          Aleksey Yeschenko added a comment -

          The problem with requiring permissions to be enumerated is, you add a new CF and now none of your GRANT ALL users have access to it unless you spell it out for each. Painful. (And not the way other databases work.)

          I don't see how this is true. All I'm proposing is to make FULL_ACCESS the opposite of NO_ACCESS.
          REVOKE ALL ON ..: "for permission in listPermissions(): revoke(permission)"
          GRANT ALL ON ..: "for permission in listPermissions(): grant(permission)"
          If you create a new CF then your (ks level) GRANT ALL users will have complete access to it. As long as we respect the hierarchy. It doesn't matter in this case whether the have a single FULL_ACCESS on the KS or ALTER, SELECT, MODIFY.. etc. on the KS - the result is the same.

          Show
          Aleksey Yeschenko added a comment - The problem with requiring permissions to be enumerated is, you add a new CF and now none of your GRANT ALL users have access to it unless you spell it out for each. Painful. (And not the way other databases work.) I don't see how this is true. All I'm proposing is to make FULL_ACCESS the opposite of NO_ACCESS. REVOKE ALL ON ..: "for permission in listPermissions(): revoke(permission)" GRANT ALL ON ..: "for permission in listPermissions(): grant(permission)" If you create a new CF then your (ks level) GRANT ALL users will have complete access to it. As long as we respect the hierarchy. It doesn't matter in this case whether the have a single FULL_ACCESS on the KS or ALTER, SELECT, MODIFY.. etc. on the KS - the result is the same.
          Hide
          Aleksey Yeschenko added a comment -

          I don't think FULL_ACCESS is problematic if hierarchy traversal is done correctly. In your example, select would indeed be disallowed.

          This is the problem - it wouldn't be disallowed since FULL_ACCESS is a permission on its own. If you grant FULL_ACCESS, then REVOKE SELECT - you still have your FULL_ACCESS. On the other hand, if GRANT ALL works as 'for permission in listPermissions(): grant(permission)', then GRANT ALL followed by REVOKE SELECT will leave the user with all the permissions except SELECT, which is exactly how we want this whole thing to behave.

          Show
          Aleksey Yeschenko added a comment - I don't think FULL_ACCESS is problematic if hierarchy traversal is done correctly. In your example, select would indeed be disallowed. This is the problem - it wouldn't be disallowed since FULL_ACCESS is a permission on its own. If you grant FULL_ACCESS, then REVOKE SELECT - you still have your FULL_ACCESS. On the other hand, if GRANT ALL works as 'for permission in listPermissions(): grant(permission)', then GRANT ALL followed by REVOKE SELECT will leave the user with all the permissions except SELECT, which is exactly how we want this whole thing to behave.
          Hide
          Aleksey Yeschenko added a comment -

          This will also simplify permission checks - no need to check for both the requested permission AND FULL_ACCESS. If you need P.CREATE - just look for P.CREATE on every level of the hierarchy and that's all. Currently it's really complicated, since we also still have NO_ACCESS.

          Show
          Aleksey Yeschenko added a comment - This will also simplify permission checks - no need to check for both the requested permission AND FULL_ACCESS. If you need P.CREATE - just look for P.CREATE on every level of the hierarchy and that's all. Currently it's really complicated, since we also still have NO_ACCESS.
          Hide
          Aleksey Yeschenko added a comment -

          Back to representing the resource.. a list of strings is what IAuthority.authorize() expects. I think it's fine to break IAuthority2 since it's broken anyway, but can we change IAuthority as well?

          Show
          Aleksey Yeschenko added a comment - Back to representing the resource.. a list of strings is what IAuthority.authorize() expects. I think it's fine to break IAuthority2 since it's broken anyway, but can we change IAuthority as well?
          Hide
          Jonathan Ellis added a comment -

          Currently it's cassandra/keyspaces[/ks[/cf]], and we don't check or have a way to set permissions on the first two levels. I think we should drop 'cassandra'.

          I'm not sure what the goal is here tbh – i.e. if the "cassandra" prefix makes it easier for some external consumer. I could see making it "clustername/[ks[/cf]]' for instance.

          If you create a new CF then your (ks level) GRANT ALL users will have complete access to it

          +1

          a list of strings is what IAuthority.authorize() expects. I think it's fine to break IAuthority2 since it's broken anyway, but can we change IAuthority as well?

          No, would need a new method and translate the old one.

          Show
          Jonathan Ellis added a comment - Currently it's cassandra/keyspaces[/ks [/cf] ], and we don't check or have a way to set permissions on the first two levels. I think we should drop 'cassandra'. I'm not sure what the goal is here tbh – i.e. if the "cassandra" prefix makes it easier for some external consumer. I could see making it "clustername/[ks [/cf] ]' for instance. If you create a new CF then your (ks level) GRANT ALL users will have complete access to it +1 a list of strings is what IAuthority.authorize() expects. I think it's fine to break IAuthority2 since it's broken anyway, but can we change IAuthority as well? No, would need a new method and translate the old one.
          Hide
          Aleksey Yeschenko added a comment -

          No, would need a new method and translate the old one.

          Right.

          Any thoughts on other points?

          Show
          Aleksey Yeschenko added a comment - No, would need a new method and translate the old one. Right. Any thoughts on other points?
          Hide
          Jonathan Ellis added a comment -

          I think we covered everything?

          Show
          Jonathan Ellis added a comment - I think we covered everything?
          Hide
          Aleksey Yeschenko added a comment -

          What about requiring the full name of the resource, without the option to omit parts of the hierarchy? What about the syntax itself ('fully/qualified/name') ?
          Do you agree with GRANT ALL ON mapping to "for permission in listPermissions(): grant(permission)" and getting rid of P.FULL_ACCESS? And I don't understand whether "'LIST PERMISSIONS [of user] [on resource]' is slightly more grammatical" is a yes or a no.
          Otherwise yes, we covered everything.

          Show
          Aleksey Yeschenko added a comment - What about requiring the full name of the resource, without the option to omit parts of the hierarchy? What about the syntax itself ('fully/qualified/name') ? Do you agree with GRANT ALL ON mapping to "for permission in listPermissions(): grant(permission)" and getting rid of P.FULL_ACCESS? And I don't understand whether "'LIST PERMISSIONS [of user] [on resource] ' is slightly more grammatical" is a yes or a no. Otherwise yes, we covered everything.
          Hide
          Jonathan Ellis added a comment -

          What about requiring the full name of the resource

          Yes.

          getting rid of P.FULL_ACCESS

          Yes.

          'LIST PERMISSIONS [of user] [on resource]'

          I misunderstood what you were saying, it's a yes.

          Show
          Jonathan Ellis added a comment - What about requiring the full name of the resource Yes. getting rid of P.FULL_ACCESS Yes. 'LIST PERMISSIONS [of user] [on resource] ' I misunderstood what you were saying, it's a yes.
          Aleksey Yeschenko made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          Aleksey Yeschenko made changes -
          Fix Version/s 1.2.0 rc1 [ 12323481 ]
          Aleksey Yeschenko made changes -
          Attachment 0001-Rip-out-IAuthority2-from-1.1.txt [ 12552346 ]
          Hide
          Jonathan Ellis added a comment -

          committed patch to remove IA2 from 1.1

          Show
          Jonathan Ellis added a comment - committed patch to remove IA2 from 1.1
          Show
          Aleksey Yeschenko added a comment - The patch for both CASSANDRA-4874 and CASSANDRA-4875 is inside CASSANDRA-4874 issue ( https://issues.apache.org/jira/secure/attachment/12553744/4874-4875.txt ).
          Aleksey Yeschenko made changes -
          Status In Progress [ 3 ] Patch Available [ 10002 ]
          Aleksey Yeschenko made changes -
          Reviewer jbellis
          Jonathan Ellis made changes -
          Summary Possible improvements to IAuthority[2] interface Revert IAuthority2 interface
          Fix Version/s 1.1.7 [ 12323354 ]
          Fix Version/s 1.2.0 rc1 [ 12323481 ]
          Affects Version/s 1.2.0 beta 1 [ 12319262 ]
          Hide
          Jonathan Ellis added a comment -

          Changing title here to simply "revert iauthority2" and resolving as Fixed, then.

          Show
          Jonathan Ellis added a comment - Changing title here to simply "revert iauthority2" and resolving as Fixed, then.
          Jonathan Ellis made changes -
          Status Patch Available [ 10002 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Gavin made changes -
          Workflow no-reopen-closed, patch-avail [ 12731904 ] patch-available, re-open possible [ 12753605 ]
          Gavin made changes -
          Workflow patch-available, re-open possible [ 12753605 ] reopen-resolved, no closed status, patch-avail, testing [ 12757356 ]

            People

            • Assignee:
              Aleksey Yeschenko
              Reporter:
              Aleksey Yeschenko
              Reviewer:
              Jonathan Ellis
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development