[
https://issues.apache.org/jira/browse/CASSANDRA-7557?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14494249#comment-14494249
]
Sam Tunnicliffe commented on CASSANDRA-7557:
--------------------------------------------
Thanks, none of the things you mention were covered so:
bq. Granting both root/ks-level permissions and individual function
permissions, ensuring that revoking one does not affect revoking the other
added {{function_resource_hierarchy_permissions_test}}
bq. Similar to drop_function_and_keyspace_cleans_up_udf_permissions_test, test
that dropping a keyspace drops function-level permissions for functions in that
keyspace
added {{drop_keyspace_cleans_up_function_level_permissions_test}}
bq. Ensure granting permissions on a builtin function (e.g. system.now) errors
nicely. Same for REVOKE on builtins and granting EXECUTE on non-function
objects.
added {{disallow_grant_execute_on_non_function_resources_test}} and
{{disallow_grant_revoke_on_builtin_functions_test}} (plus a minor change in
{{PermissionsManagementStatement}} for the latter)
bq. Double granting/revoking is well-behaved (I'm not sure if it's supposed to
error or succeed)
as grant and revoke are idempotent, the current behaviour (for all resources,
not just functions) is to silently succeed when both attemtping to grant an
existing permission or revoke a non-existent one. I've added
{{grant_revoke_are_idempotent_test}} to verify (right now it's only concerned
with function resources, but I'll generalise it when I refactor auth_test &
auth_roles_test).
bq. Also, in the inheritance_of_udf_permissions_test, shouldn't the GRANT
EXECUTE statement be executed by the function_user role instead of cassandra?
Actually, the intent was to verify that the EXECUTE permission of function_user
was inherited when that role was granted, so that final DCL statement should be
granting function_user to mike. Fixed now, thanks.
I also noticed I'd left a todo in the test for granting/revoking/dropping with
overloaded functions, so I've added {{udf_with_overloads_permissions_test}}.
> User permissions for UDFs
> -------------------------
>
> Key: CASSANDRA-7557
> URL: https://issues.apache.org/jira/browse/CASSANDRA-7557
> Project: Cassandra
> Issue Type: Sub-task
> Components: Core
> Reporter: Tyler Hobbs
> Assignee: Sam Tunnicliffe
> Labels: client-impacting, cql, udf
> Fix For: 3.0
>
>
> We probably want some new permissions for user defined functions. Most
> RDBMSes split function permissions roughly into {{EXECUTE}} and
> {{CREATE}}/{{ALTER}}/{{DROP}} permissions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
