[jira] [Commented] (CASSANDRA-13985) Support restricting reads and writes to specific datacenters on a per user basis

Wed, 08 Nov 2017 09:27:17 -0800 

    [ 
https://issues.apache.org/jira/browse/CASSANDRA-13985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16244367#comment-16244367
 ] 

Blake Eggleston commented on CASSANDRA-13985:
---------------------------------------------

I agree that tacking this onto the existing permission system is a little 
hacky. Adding this as a separately managed control makes sense. 

The reason I was playing around with extending the existing hooks, vs adding a 
new one was because of ui reasons. Today we have grant and revoke statements, 
8303 will add create/drop restriction statements, this will probably add a 
statement for DCs, and I won’t be surprised if we see a rate/resource 
limitation thing get requested in the future. Depending on how this gets 
implemented, the cql statements behind it will probably overlap with either 
grant/revoke or create/drop restriction.

Maybe this isn’t that big of a deal though. If that’s the case, mapping 
statements to different controls under the hood wouldn't be too difficult.


> Support restricting reads and writes to specific datacenters on a per user 
> basis
> --------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-13985
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13985
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Blake Eggleston
>            Assignee: Blake Eggleston
>            Priority: Minor
>             Fix For: 4.0
>
>
> There are a few use cases where it makes sense to restrict the operations a 
> given user can perform in specific data centers. The obvious use case is the 
> production/analytics datacenter configuration. You don’t want the production 
> user to be reading/or writing to the analytics datacenter, and you don’t want 
> the analytics user to be reading from the production datacenter.
> Although we expect users to get this right on that application level, we 
> should also be able to enforce this at the database level. The first approach 
> that comes to mind would be to support an optional DC parameter when granting 
> select and modify permissions to roles. Something like {{GRANT SELECT ON 
> some_keyspace TO that_user IN DC dc1}}, statements that omit the dc would 
> implicitly be granting permission to all dcs. However, I’m not married to 
> this approach.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to