[ https://issues.apache.org/jira/browse/CASSANDRA-7557?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14494249#comment-14494249 ]
Sam Tunnicliffe commented on CASSANDRA-7557:
--------------------------------------------

Thanks, none of the things you mention were covered so:

bq. Granting both root/ks-level permissions and individual function permissions, ensuring that revoking one does not affect revoking the other

added {{function_resource_hierarchy_permissions_test}}

bq. Similar to drop_function_and_keyspace_cleans_up_udf_permissions_test, test that dropping a keyspace drops function-level permissions for functions in that keyspace

added {{drop_keyspace_cleans_up_function_level_permissions_test}}

bq. Ensure granting permissions on a builtin function (e.g. system.now) errors nicely. Same for REVOKE on builtins and granting EXECUTE on non-function objects.

added {{disallow_grant_execute_on_non_function_resources_test}} and {{disallow_grant_revoke_on_builtin_functions_test}} (plus a minor change in {{PermissionsManagementStatement}} for the latter)

bq. Double granting/revoking is well-behaved (I'm not sure if it's supposed to error or succeed)

as grant and revoke are idempotent, the current behaviour (for all resources, not just functions) is to silently succeed when both attempting to grant an existing permission or revoke a non-existent one. I've added {{grant_revoke_are_idempotent_test}} to verify (right now it's only concerned with function resources, but I'll generalise it when I refactor auth_test & auth_roles_test).

bq. Also, in the inheritance_of_udf_permissions_test, shouldn't the GRANT EXECUTE statement be executed by the function_user role instead of cassandra?

Actually, the intent was to verify that the EXECUTE permission of function_user was inherited when that role was granted, so that final DCL statement should be granting function_user to mike. Fixed now, thanks.

I also noticed I'd left a todo in the test for granting/revoking/dropping with overloaded functions, so I've added {{udf_with_overloads_permissions_test}}.

> User permissions for UDFs
> -------------------------
>
>                 Key: CASSANDRA-7557
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7557
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Core
>            Reporter: Tyler Hobbs
>            Assignee: Sam Tunnicliffe
>              Labels: client-impacting, cql, udf
>             Fix For: 3.0
>
>
> We probably want some new permissions for user defined functions. Most
> RDBMSes split function permissions roughly into {{EXECUTE}} and
> {{CREATE}}/{{ALTER}}/{{DROP}} permissions.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
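
The permission semantics the tests named in the comment exercise (independent keyspace-level and function-level grants, idempotent grant/revoke, inheritance through a granted role, cleanup on keyspace drop, per-overload grants), as an added toy model that is not part of the original message and not Cassandra's code. The `ToyAuthorizer` class and the `functions/<keyspace>/<signature>` resource strings are assumptions made for illustration.

```python
from collections import defaultdict

class ToyAuthorizer:
    """Constructed model of hierarchical function permissions (not Cassandra code)."""

    def __init__(self):
        self.perms = defaultdict(set)      # (role, resource) -> permissions
        self.member_of = defaultdict(set)  # role -> roles granted to it

    def grant(self, role, perm, resource):
        self.perms[(role, resource)].add(perm)      # re-granting is a silent no-op

    def revoke(self, role, perm, resource):
        self.perms[(role, resource)].discard(perm)  # so is revoking a missing grant

    def grant_role(self, role, to):
        self.member_of[to].add(role)

    def drop_keyspace(self, ks):
        # Remove keyspace-level and function-level grants under the keyspace.
        prefix = f"functions/{ks}"
        for key in [k for k in self.perms
                    if k[1] == prefix or k[1].startswith(prefix + "/")]:
            del self.perms[key]

    def _roles(self, role):
        # The role itself plus every role it inherits, transitively.
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.member_of[r])
        return seen

    @staticmethod
    def _chain(resource):
        # "functions/ks/f(int)" -> itself, "functions/ks", "functions"
        parts = resource.split("/")
        return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]

    def authorized(self, role, perm, resource):
        return any(perm in self.perms.get((r, res), ())
                   for r in self._roles(role) for res in self._chain(resource))
```
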