[jira] [Commented] (CASSANDRA-8082) Support finer grained Modify CQL permissions

Wed, 08 Oct 2014 09:18:07 -0700 

    [ 
https://issues.apache.org/jira/browse/CASSANDRA-8082?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14163681#comment-14163681
 ] 

Sylvain Lebresne commented on CASSANDRA-8082:
---------------------------------------------

For what it's worth, I do think at least separating {{TRUNCATE}} would make 
sense. If a user that's not supposed to do truncate fat-finger and do one by 
mistake, I think having that user get back a permission error is *a lot* better 
than having you site go down because someone made a mistake, and this even if 
you have snapshots to somewhat fix it after the fact.

I suppose it would also be possible to have some {{REMOVE}} permission that 
would not just reject {{DELETE}} statements but also reject an update that sets 
some {{null}}. I'm a little less sure if that would actually be useful in 
practice though.

But at least adding a {{TRUNCATE}} permission feels useful to me and relatively 
simple from what I can tell (we can leave {{TRUNCATE}} part of {{MODIFY}} (so 
it's not a breaking change) but make it possible to truncate only if you have 
both {{MODIFY}} and {{TRUNCATE}}).

> Support finer grained Modify CQL permissions
> --------------------------------------------
>
>                 Key: CASSANDRA-8082
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-8082
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Johnny Miller
>
> Currently CQL permissions are grouped as:
> ALL   - All statements
> ALTER - ALTER KEYSPACE, ALTER TABLE, CREATE INDEX, DROP INDEX
> AUTHORIZE - GRANT, REVOKE
> CREATE - CREATE KEYSPACE, CREATE TABLE
> DROP - DROP KEYSPACE, DROP TABLE
> MODIFY - INSERT, DELETE, UPDATE, TRUNCATE
> SELECT -SELECT
> The MODIFY permission is too wide. There are plenty scenarios where a user 
> should not be to DELETE and TRUNCATE a table but should be able to INSERT and 
> UPDATE. 
> It would be great if Cassandra could either support defining permissions 
> dynamically or have additional finer grained MODIFY related permissions.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to