Alexandre Linte created CASSANDRA-11305: -------------------------------------------
Summary: Customization of the auto granting process
Key: CASSANDRA-11305
URL: https://issues.apache.org/jira/browse/CASSANDRA-11305
Project: Cassandra
Issue Type: New Feature
Components: CQL
Environment: Apache Cassandra 3.3, cqlsh 5.0.1, CQL spec 3.4.0
Reporter: Alexandre Linte
Priority: Minor
Fix For: 3.3

Hello,

By default, Cassandra implements an auto granting process which is applied when a USER | ROLE executes a CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTION, CREATE AGGREGATE or CREATE ROLE statement. The creator is automatically granted all applicable permissions on the new resource.

For example, the ROLE "toto_user" is created and has CREATE permission on its personal KEYSPACE "toto_keyspace". Today, when toto_user creates a TABLE, he is automatically granted the following rights:
* ALTER
* DROP
* SELECT
* MODIFY
* AUTHORIZE

Moreover, if you want to REVOKE a permission for "toto_user" on a table, this table must already exist.

The idea of this issue is to improve the auto granting process. I thought about a modification of the REVOKE and GRANT CQL commands. You can find the syntax part below:

{noformat}
<grant-permission-stmt> ::= GRANT ( ALL ( PERMISSIONS )? | <permission> ( PERMISSION )? )
                            ON <resource> TO <identifier>
                            ( <automatic-granting> )?

<permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE

<resource> ::= ALL KEYSPACES
             | KEYSPACE <identifier>
             | ( TABLE )? <tablename>
             | ALL ROLES
             | ROLE <identifier>
             | ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
             | FUNCTION <functionname>

<automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
{noformat}

{noformat}
<revoke-permission-stmt> ::= REVOKE ( ALL ( PERMISSIONS )? | <permission> ( PERMISSION )? )
                             ON <resource> FROM <identifier>
                             ( <automatic-granting> )?

<permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE

<resource> ::= ALL KEYSPACES
             | KEYSPACE <identifier>
             | ( TABLE )? <tablename>
             | ALL ROLES
             | ROLE <identifier>
             | ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
             | FUNCTION <functionname>

<automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
{noformat}

And now the samples part:

{noformat}
GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user;
=> default functioning: when toto_user creates a table he will be automatically granted all permissions.

GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
=> grant all permissions on the resource (table) created by toto_user in the keyspace toto_keyspace.

GRANT SELECT ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
=> grant SELECT permission on the resource (table) created by toto_user in the keyspace toto_keyspace.

REVOKE ALL PERMISSIONS ON KEYSPACE toto_keyspace FROM toto_user;
=> default functioning: toto_user will not be able to do anything on the keyspace toto_keyspace.

REVOKE AUTHORIZE PERMISSION ON KEYSPACE toto_keyspace FROM toto_user WHEN CREATE TABLE;
=> revoke AUTHORIZE permission on the resource (table) created by toto_user in the keyspace toto_keyspace.

REVOKE DROP PERMISSION ON ALL KEYSPACES FROM toto_user WHEN CREATE ROLE;
=> revoke DROP permission on the resource (role) created by toto_user on the keyspace toto_keyspace.
{noformat}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
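For readers who want to see the behaviour this request is about, the following CQL session (an added example, not part of the issue report) reproduces today's auto-grant for toto_user and the post-creation REVOKE that an administrator currently has to run to trim the creator's rights; the table name "events", the password and the replication settings are placeholders chosen for the example.

```sql
-- Run as a superuser: set up the role and its personal keyspace.
-- Password and replication values are placeholders for this example.
CREATE ROLE toto_user WITH PASSWORD = 'change-me' AND LOGIN = true;
CREATE KEYSPACE toto_keyspace
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};

-- Only CREATE is granted explicitly; the issue is about what follows.
GRANT CREATE ON KEYSPACE toto_keyspace TO toto_user;

-- Run as toto_user: creating a table triggers the automatic grant of
-- ALTER, DROP, SELECT, MODIFY and AUTHORIZE on the new table.
CREATE TABLE toto_keyspace.events (id uuid PRIMARY KEY, payload text);

-- Run as a superuser: inspect what the creator was granted automatically.
-- Today the REVOKE below is only possible once the table exists.
LIST ALL PERMISSIONS ON TABLE toto_keyspace.events OF toto_user;

-- Least-privilege trim an administrator has to apply after the fact:
-- AUTHORIZE lets the creator delegate access, DROP lets it destroy data.
REVOKE AUTHORIZE ON TABLE toto_keyspace.events FROM toto_user;
REVOKE DROP ON TABLE toto_keyspace.events FROM toto_user;

-- Confirm the remaining rights on the table.
LIST ALL PERMISSIONS ON TABLE toto_keyspace.events OF toto_user;
```

The proposed WHEN CREATE TABLE clause in the report would let the administrator express the two REVOKE statements once, ahead of time, instead of repeating them for every table the role creates.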