[ https://issues.apache.org/jira/browse/CASSANDRA-7653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14332392#comment-14332392 ]

Sam Tunnicliffe commented on CASSANDRA-7653:
--------------------------------------------

bq. Why is superuser a flag on a role instead of a permission?

Because it doesn't fit nicely into the permissions hierarchy. There are things 
a superuser can do which are hard to model with IResource and Permission - like 
create other superusers. Plus, it's a handy shortcut in IAuthorizer 
implementations to avoid hitting the permissions tables.

bq.
That is possible though I would say we should require AND to delimit options 
e.g.

{{CREATE ROLE manager WITH LOGIN AND PASSWORD 'foo'}}

I've opened CASSANDRA-8850 for that.

> Add role based access control to Cassandra
> ------------------------------------------
>
>                 Key: CASSANDRA-7653
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7653
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Mike Adamson
>            Assignee: Sam Tunnicliffe
>              Labels: docs-impacting, security
>             Fix For: 3.0
>
>         Attachments: 7653.patch, CQLSmokeTest.java, cql_smoke_test.py
>
>
> The current authentication model supports granting permissions to individual 
> users. While this is OK for small or medium organizations wanting to 
> implement authorization, it does not work well in large organizations because 
> of the overhead of having to maintain the permissions for each user.
> Introducing roles into the authentication model would allow sets of 
> permissions to be controlled in one place as a role and then the role granted 
> to users. Roles should also be able to be granted to other roles to allow 
> hierarchical sets of permissions to be built up.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
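
Added example, not part of the original message and not Cassandra's code: a simplified Python model of the design discussed in this thread, where roles can be granted to other roles and the superuser flag lets an authorizer answer without reading the permissions table. The role names, resources, permission set and table layout are constructed, and treating the flag as inherited through granted roles is an assumption of this model.

```python
# Simplified model of role-based authorization (illustrative, not Cassandra code).
# All role names, resources and tables below are constructed sample data.

ROLES = {  # role -> (superuser flag, roles granted to this role)
    "alice":   (False, {"manager"}),
    "manager": (False, {"analyst"}),
    "analyst": (False, {"manager"}),  # deliberate cycle: resolution must terminate
    "root":    (True,  set()),
    "bob":     (False, set()),
}
PERMISSIONS = {  # (role, resource) -> permissions granted directly
    ("analyst", "data/ks1"): {"SELECT"},
    ("manager", "data/ks1"): {"MODIFY"},
}
ALL = {"CREATE", "ALTER", "DROP", "SELECT", "MODIFY", "AUTHORIZE"}


def effective_roles(role):
    """Return the role plus every role reachable through role-to-role grants."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen or r not in ROLES:
            continue  # already visited (cycle) or unknown role
        seen.add(r)
        stack.extend(ROLES[r][1])
    return seen


def is_superuser(role):
    """Assumption of this model: the flag is inherited through granted roles."""
    return any(ROLES[r][0] for r in effective_roles(role))


def authorize(role, resource):
    """Return (permissions, table_lookups) for role on resource."""
    if is_superuser(role):
        return set(ALL), 0  # shortcut: the permissions table is never read
    granted, lookups = set(), 0
    for r in effective_roles(role):
        lookups += 1  # one permissions-table read per effective role
        granted |= PERMISSIONS.get((r, resource), set())
    return granted, lookups


def can_create_superuser(role):
    """Hard to express as a (resource, permission) pair, so it keys off the flag."""
    return is_superuser(role)
```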
