[ 
https://issues.apache.org/jira/browse/CASSANDRA-7653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14266424#comment-14266424
 ] 

Sam Tunnicliffe commented on CASSANDRA-7653:
--------------------------------------------

I've been thinking about constructInitialSaslToken too and it is truly 
unpleasant. It's there to support Thrift clients which could be sending 
arbitrary k/v pairs to a custom IAuthenticator via the login() call. So we have 
to support that somehow without changing the thrift interface. 
constructInitialSaslToken is one way to do it, but it sucks so my current plan 
is to replace it with a legacyAuthenticate() method which impls can decide 
whether to support or not (if they support Thrift and/or native protocol v1 
authentication).

On the second point, I think it's doable to support custom options using json 
syntax. Something like:

{code}
CREATE ROLE foo WITH PASSWORD 'bar' AND OPTIONS {'a' : 'aaa', 'b' : 1} 
NOSUPERUSER LOGIN;
{code}


> Add role based access control to Cassandra
> ------------------------------------------
>
>                 Key: CASSANDRA-7653
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7653
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Mike Adamson
>            Assignee: Sam Tunnicliffe
>             Fix For: 3.0
>
>         Attachments: 7653.patch, CQLSmokeTest.java, cql_smoke_test.py
>
>
> The current authentication model supports granting permissions to individual 
> users. While this is OK for small or medium organizations wanting to 
> implement authorization, it does not work well in large organizations because 
> of the overhead of having to maintain the permissions for each user.
> Introducing roles into the authentication model would allow sets of 
> permissions to be controlled in one place as a role and then the role granted 
> to users. Roles should also be able to be granted to other roles to allow 
> hierarchical sets of permissions to be built up.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
