[ 
https://issues.apache.org/jira/browse/CASSANDRA-18018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17654449#comment-17654449
 ] 

Sam Tunnicliffe commented on CASSANDRA-18018:
---------------------------------------------

Resources are organised hierarchically, with each {{IResource}} implementation 
having a root resource which "contains" all other resources of that type. So 
you don't need to enumerate every individual resource, you can just show the 
applicable permissions for each of the root resources. 

So permissions for any superuser would look like:

{code}
cassandra@cqlsh> LIST ALL PERMISSIONS OF superuser_a;

 role        | username    | resource        | permission
-------------+-------------+-----------------+------------
 superuser_a | superuser_a | <all keyspaces> |     CREATE
 superuser_a | superuser_a | <all keyspaces> |      ALTER
 superuser_a | superuser_a | <all keyspaces> |       DROP
 superuser_a | superuser_a | <all keyspaces> |     SELECT
 superuser_a | superuser_a | <all keyspaces> |     MODIFY
 superuser_a | superuser_a | <all keyspaces> |  AUTHORIZE
 superuser_a | superuser_a | <all functions> |     CREATE
 superuser_a | superuser_a | <all functions> |      ALTER
 superuser_a | superuser_a | <all functions> |       DROP
 superuser_a | superuser_a | <all functions> |  AUTHORIZE
 superuser_a | superuser_a | <all functions> |    EXECUTE
 superuser_a | superuser_a |    <all mbeans> |     SELECT
 superuser_a | superuser_a |    <all mbeans> |     MODIFY
 superuser_a | superuser_a |    <all mbeans> |  AUTHORIZE
 superuser_a | superuser_a |    <all mbeans> |   DESCRIBE
 superuser_a | superuser_a |    <all mbeans> |    EXECUTE
 superuser_a | superuser_a |     <all roles> |     CREATE
 superuser_a | superuser_a |     <all roles> |      ALTER
 superuser_a | superuser_a |     <all roles> |       DROP
 superuser_a | superuser_a |     <all roles> |  AUTHORIZE
 superuser_a | superuser_a |     <all roles> |   DESCRIBE

(21 rows)
{code}
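
The difference between stored grants and a superuser's effective permissions, as an added Python sketch (not part of the original comment and not Cassandra's code). The permission sets per root resource are copied from the listing above; the `reader` role, the function names and the simplified superuser check are assumptions made for illustration.

```python
# Simplified model (assumption) of the behaviour discussed in this ticket.

# Applicable permissions per root resource, copied from the LIST output above.
ROOT_PERMISSIONS = {
    "<all keyspaces>": ["CREATE", "ALTER", "DROP", "SELECT", "MODIFY", "AUTHORIZE"],
    "<all functions>": ["CREATE", "ALTER", "DROP", "AUTHORIZE", "EXECUTE"],
    "<all mbeans>": ["SELECT", "MODIFY", "AUTHORIZE", "DESCRIBE", "EXECUTE"],
    "<all roles>": ["CREATE", "ALTER", "DROP", "AUTHORIZE", "DESCRIBE"],
}

# Constructed sample state: the ticket's superuser row plus a hypothetical
# non-superuser role "reader" with a keyspace-level grant.
SUPERUSERS = {"shaadmin1c1"}
ROLE_PERMISSIONS = {
    ("shaadmin1c1", "data/testk1/t1"): {"SELECT"},
    ("reader", "data/testk1"): {"SELECT"},
}


def chain(resource):
    """Return the resource followed by its ancestors, most specific first."""
    parts = resource.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def is_authorized(role, resource, permission):
    """Superusers bypass stored grants; others inherit grants from ancestors."""
    if role in SUPERUSERS:
        return True
    return any(permission in ROLE_PERMISSIONS.get((role, r), set())
               for r in chain(resource))


def list_stored(role):
    """The misleading view: only the rows present in role_permissions."""
    return sorted((res, p) for (r, res), perms in ROLE_PERMISSIONS.items()
                  if r == role for p in perms)


def list_effective(role):
    """The view proposed above: every permission on each root for a superuser."""
    if role in SUPERUSERS:
        return [(root, p) for root, perms in ROOT_PERMISSIONS.items() for p in perms]
    return list_stored(role)
```

When auditing roles, comparing `list_stored` with `list_effective` for each role flags accounts whose listed grants understate what they can actually do.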

> List command output not correct for super user, after grant command
> -------------------------------------------------------------------
>
>                 Key: CASSANDRA-18018
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18018
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Feature/Authorization
>            Reporter: Shailaja Koppu
>            Assignee: Maxim Chanturiay
>            Priority: Normal
>              Labels: lhf
>
> Running local Cassandra with below config:
> {noformat}
> authenticator: PasswordAuthenticator
> authorizer: CassandraAuthorizer
> role_manager: CassandraRoleManager
> network_authorizer: CassandraNetworkAuthorizer
> {noformat}
> Created a super user and then ran *Grant select* command on a keyspace. 
> {noformat}
> shaadmin1@cqlsh> CREATE USER 'shaadmin1c1' WITH PASSWORD 'shaadmin1c1' SUPERUSER;
> shaadmin1@cqlsh:system_auth> grant select on testk1.t1 to shaadmin1c1;
> shaadmin1@cqlsh:system_auth> alter role shaadmin1c1 with access to all datacenters;
> {noformat}
>  
> After this, the list permissions command shows only the select permission for 
> that role on the resource.
> {noformat}
> shaadmin1c1@cqlsh> list all permissions of shaadmin1c1;
>  role        | username    | resource          | permission
> -------------+-------------+-------------------+------------
>  shaadmin1c1 | shaadmin1c1 | <table testk1.t1> |     SELECT
> {noformat}
>  
> Row in role_permissions table:
> {noformat}
>  role        | resource       | permissions
> -------------+----------------+-------------
>  shaadmin1c1 | data/testk1/t1 | {'SELECT'}
> {noformat}
> But an insert command by that role on the resource is successful because the 
> role is a super user:
> {noformat}
> shaadmin1c1@cqlsh> insert into testk1.t1 (c1, c2) values ('a', 1);
> shaadmin1c1@cqlsh> select * from testk1.t1 ;
> c1 | c2
> ---+---
> a | 1
> (1 rows)
> {noformat}
>  
> The problem is that the output of the list permissions command, which 
> indicates only the select permission on the resource, is misleading. I think 
> the list command needs to be fixed to show all permissions the super user has 
> on the resource. Also, the grant command for a super user can be either a 
> no-op or throw an error, because the role already has the requested 
> permissions.
>  
> The documentation is also misleading:
> {quote}True automatically grants AUTHORIZE, CREATE and DROP permission on ALL 
> ROLES.
> Superusers can only manage roles by default. To manage other resources, 
> {color:#ff0000}you must grant the permission set to that resource.{color} 
> For example, to allow access management for all keyspaces: 
> {{GRANT ALL PERMISSIONS ON ALL KEYSPACES TO *role_name*}}.
> {quote}