[ https://issues.apache.org/jira/browse/CASSANDRA-13985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16244367#comment-16244367 ]
Blake Eggleston commented on CASSANDRA-13985: --------------------------------------------- I agree that tacking this onto the existing permission system is a little hacky. Adding this as a separately managed control makes sense. The reason I was playing around with extending the existing hooks, vs adding a new one was because of ui reasons. Today we have grant and revoke statements, 8303 will add create/drop restriction statements, this will probably add a statement for DCs, and I won’t be surprised if we see a rate/resource limitation thing get requested in the future. Depending on how this gets implemented, the cql statements behind it will probably overlap with either grant/revoke or create/drop restriction. Maybe this isn’t that big of a deal though. If that’s the case, mapping statements to different controls under the hood wouldn't be too difficult. > Support restricting reads and writes to specific datacenters on a per user > basis > -------------------------------------------------------------------------------- > > Key: CASSANDRA-13985 > URL: https://issues.apache.org/jira/browse/CASSANDRA-13985 > Project: Cassandra > Issue Type: Improvement > Reporter: Blake Eggleston > Assignee: Blake Eggleston > Priority: Minor > Fix For: 4.0 > > > There are a few use cases where it makes sense to restrict the operations a > given user can perform in specific data centers. The obvious use case is the > production/analytics datacenter configuration. You don’t want the production > user to be reading/or writing to the analytics datacenter, and you don’t want > the analytics user to be reading from the production datacenter. > Although we expect users to get this right on that application level, we > should also be able to enforce this at the database level. The first approach > that comes to mind would be to support an optional DC parameter when granting > select and modify permissions to roles. Something like {{GRANT SELECT ON > some_keyspace TO that_user IN DC dc1}}, statements that omit the dc would > implicitly be granting permission to all dcs. However, I’m not married to > this approach. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org