[ https://issues.apache.org/jira/browse/CASSANDRA-7653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14332392#comment-14332392 ]
Sam Tunnicliffe commented on CASSANDRA-7653:
--------------------------------------------

bq. Why is superuser a flag on a role instead of a permission?

Because it doesn't fit nicely into the permissions hierarchy. There are things a superuser can do which are hard to model with IResource and Permission - like create other superusers. Plus, it's a handy shortcut in IAuthorizer implementations to avoid hitting the permissions tables.

bq. That is possible though I would say we should require AND to delimit options e.g. {{CREATE ROLE manager WITH LOGIN AND PASSWORD 'foo'}}

I've opened CASSANDRA-8850 for that.

> Add role based access control to Cassandra
> ------------------------------------------
>
>                 Key: CASSANDRA-7653
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7653
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Mike Adamson
>            Assignee: Sam Tunnicliffe
>              Labels: docs-impacting, security
>             Fix For: 3.0
>
>         Attachments: 7653.patch, CQLSmokeTest.java, cql_smoke_test.py
>
>
> The current authentication model supports granting permissions to individual
> users. While this is OK for small or medium organizations wanting to
> implement authorization, it does not work well in large organizations because
> of the overhead of having to maintain the permissions for each user.
> Introducing roles into the authentication model would allow sets of
> permissions to be controlled in one place as a role and then the role granted
> to users. Roles should also be able to be granted to other roles to allow
> hierarchical sets of permissions to be built up.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
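The design discussed in this message (roles granted to other roles, with superuser as a flag on the role that short-circuits the permissions lookup) can be sketched as a small model. This is an added example, not code from the ticket, the attached patch or Cassandra; the class, method, role and resource names are hypothetical, and it assumes superuser status is inherited through granted roles.

```python
class RoleModel:
    def __init__(self):
        self.superuser = {}    # role name -> superuser flag
        self.member_of = {}    # role name -> roles granted to it
        self.grants = {}       # (role, resource) -> set of permissions
        self.table_reads = 0   # simulated permissions-table lookups

    def create_role(self, name, superuser=False):
        self.superuser[name] = superuser
        self.member_of[name] = set()

    def grant_role(self, granted, grantee):
        # Reject a grant that would make the hierarchy circular.
        if grantee in self.effective_roles(granted):
            raise ValueError(f"granting {granted} to {grantee} creates a cycle")
        self.member_of[grantee].add(granted)

    def grant_permission(self, role, resource, permission):
        self.grants.setdefault((role, resource), set()).add(permission)

    def effective_roles(self, name):
        # The role itself plus every role reachable through grants.
        seen, stack = set(), [name]
        while stack:
            current = stack.pop()
            if current not in seen:
                seen.add(current)
                stack.extend(self.member_of[current])
        return seen

    def authorize(self, name, resource, permission):
        roles = self.effective_roles(name)
        # Superuser is a role flag (assumed inherited via grants): no table read.
        if any(self.superuser[r] for r in roles):
            return True
        for r in sorted(roles):
            self.table_reads += 1
            if permission in self.grants.get((r, resource), set()):
                return True
        return False

def build_sample():
    # Constructed sample; role and resource names are hypothetical.
    m = RoleModel()
    for name in ("reader", "manager", "alice", "dba", "admin"):
        m.create_role(name, superuser=(name == "admin"))
    m.grant_permission("reader", "ks1.orders", "SELECT")
    for granted, grantee in (("reader", "manager"), ("manager", "alice"), ("admin", "dba")):
        m.grant_role(granted, grantee)
    return m
```

In the sample, `alice` gets `SELECT` only through the `reader` role two grants away, while `dba` is authorized for anything without a single lookup because `admin` carries the flag.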