Alexandre Linte created CASSANDRA-11305:
-------------------------------------------

             Summary: Customization of the auto granting process
                 Key: CASSANDRA-11305
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11305
             Project: Cassandra
          Issue Type: New Feature
          Components: CQL
         Environment: Apache Cassandra 3.3, cqlsh 5.0.1, CQL spec 3.4.0
            Reporter: Alexandre Linte
            Priority: Minor
             Fix For: 3.3


Hello,

By default, Cassandra implements an auto granting process which is applied when 
a USER | ROLE does a CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTION, CREATE 
AGGREGATE or CREATE ROLE statement. The creator is automatically granted all 
applicable permissions on the new resource.

For example, the ROLE "toto_user" is created and has CREATE permission on its 
personal KEYSPACE "toto_keyspace". Today, when toto_user creates a TABLE, he is 
automatically granted the following rights on it:
* ALTER
* DROP
* SELECT
* MODIFY
* AUTHORIZE

Moreover, if you want to REVOKE a permission from "toto_user" on a table, that 
table must already exist.

The idea of this issue is to improve the auto granting process. I thought about 
a modification of the GRANT and REVOKE CQL statements. You can find the syntax 
part below:
{noformat}
<grant-permission-stmt> ::= GRANT ( ALL ( PERMISSIONS )? | <permission> ( PERMISSION )? ) ON <resource> TO <identifier> ( <automatic-granting> )?

<permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE

<resource> ::= ALL KEYSPACES
              | KEYSPACE <identifier>
              | ( TABLE )? <tablename>
              | ALL ROLES
              | ROLE <identifier>
              | ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
              | FUNCTION <functionname>

<automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
{noformat}
{noformat}
<revoke-permission-stmt> ::= REVOKE ( ALL ( PERMISSIONS )? | <permission> ( PERMISSION )? ) ON <resource> FROM <identifier> ( <automatic-granting> )?

<permission> ::= CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE

<resource> ::= ALL KEYSPACES
              | KEYSPACE <identifier>
              | ( TABLE )? <tablename>
              | ALL ROLES
              | ROLE <identifier>
              | ALL FUNCTIONS ( IN KEYSPACE <identifier> )?
              | FUNCTION <functionname>

<automatic-granting> ::= WHEN CREATE ( KEYSPACE | TABLE | ROLE )
{noformat}
And now the samples part, with several examples:
{noformat}
GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user;
=> default behaviour: when toto_user creates a table he will automatically be 
granted all permissions on it.

GRANT ALL PERMISSIONS ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
=> grant all permissions on any resource (table) created by toto_user in the 
keyspace toto_keyspace.

GRANT SELECT ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
=> grant SELECT permission on any resource (table) created by toto_user in the 
keyspace toto_keyspace.

REVOKE ALL PERMISSIONS ON KEYSPACE toto_keyspace FROM toto_user;
=> default behaviour: toto_user will no longer be able to do anything on the 
keyspace toto_keyspace.

REVOKE AUTHORIZE PERMISSION ON KEYSPACE toto_keyspace FROM toto_user WHEN CREATE TABLE;
=> revoke AUTHORIZE permission on any resource (table) created by toto_user in 
the keyspace toto_keyspace.

REVOKE DROP PERMISSION ON ALL KEYSPACES FROM toto_user WHEN CREATE ROLE;
=> revoke DROP permission on any resource (role) created by toto_user on the 
keyspace toto_keyspace.
{noformat}
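As an added illustration, not part of the ticket itself, here is the current 3.x behaviour described above and the only workaround it leaves (revoking after the fact), written as a cqlsh session. Role and keyspace names follow the ticket; the table name and the password are constructed placeholders, and the last statement is the proposed syntax, which does not parse in 3.3.

```sql
-- Run as a superuser. Role/keyspace names follow the ticket; the password is a placeholder.
CREATE ROLE toto_user WITH PASSWORD = 'placeholder-change-me' AND LOGIN = true;
CREATE KEYSPACE toto_keyspace
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};

-- The only way to let toto_user create tables is CREATE on the whole keyspace.
GRANT CREATE ON KEYSPACE toto_keyspace TO toto_user;

-- Executed as toto_user: the creator is auto-granted every permission that
-- applies to a table (ALTER, DROP, SELECT, MODIFY, AUTHORIZE).
CREATE TABLE toto_keyspace.events (id uuid PRIMARY KEY, payload text);

-- Back as superuser: this listing shows the five auto-granted rights on events.
LIST ALL PERMISSIONS OF toto_user;

-- Least privilege today means trimming the rights per table, after it exists;
-- nothing can be declared in advance for tables toto_user has not created yet.
REVOKE AUTHORIZE ON TABLE toto_keyspace.events FROM toto_user;
REVOKE DROP ON TABLE toto_keyspace.events FROM toto_user;
LIST ALL PERMISSIONS ON TABLE toto_keyspace.events OF toto_user;

-- What the ticket proposes instead (NOT valid CQL in 3.3, shown for contrast):
-- GRANT SELECT ON KEYSPACE toto_keyspace TO toto_user WHEN CREATE TABLE;
```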



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)