[jira] [Comment Edited] (CASSANDRA-18070) Add a new SELECT_MASKED permission

Wed, 08 Feb 2023 06:10:38 -0800 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-18070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17685360#comment-17685360
 ] 

Andres de la Peña edited comment on CASSANDRA-18070 at 2/8/23 2:09 PM:
-----------------------------------------------------------------------

Here is the PR adding the new {{SELECT_MASKED}} permission, and the PR updating 
auth dtests for it:
||PR||CI||
|[trunk|https://github.com/apache/cassandra/pull/2146]|[j8|https://app.circleci.com/pipelines/github/adelapena/cassandra/2627/workflows/3d39aa96-2ac3-4a61-a999-88fbcf2dc0fe]
 
[j11|https://app.circleci.com/pipelines/github/adelapena/cassandra/2627/workflows/6034b40b-6572-4fff-af7a-cca3c87ac274]|
|[dtest|https://github.com/apache/cassandra-dtest/pull/209]|

The patch is based on CASSANDRA-18069, which is based on CASSANDRA-18068.


was (Author: adelapena):
Here is the PR adding the new {{SELECT_MASKED}} permission, and the PR updating 
auth dtests for it:
||PR||CI||
|[trunk|https://github.com/apache/cassandra/pull/2146]|[j8|https://app.circleci.com/pipelines/github/adelapena/cassandra/2625/workflows/e9950fcd-6850-45fd-9199-8d28861cec9f]
 
[j11|https://app.circleci.com/pipelines/github/adelapena/cassandra/2625/workflows/ca876e61-ab6c-4f67-ac6f-f8ea2d09aaee]|
|[dtest|https://github.com/apache/cassandra-dtest/pull/209]|

The patch is based on CASSANDRA-18069, which is based on CASSANDRA-18068.

> Add a new SELECT_MASKED permission
> ----------------------------------
>
>                 Key: CASSANDRA-18070
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18070
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Feature/Dynamic Data Masking
>            Reporter: Andres de la Peña
>            Assignee: Andres de la Peña
>            Priority: Normal
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Add a table-level SELECT_MASKED permission allowing certain users to query 
> but not see the unmasked columns introduced by CASSANDRA-18068, assuming that 
> they also have the SELECT permission on the table, as defined by 
> [CEP-20|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-20%3A+Dynamic+Data+Masking].
>  
> It would look like:
> {code}
> > CREATE USER unprivileged_user WITH PASSWORD 'xyz';
> > CREATE USER privileged_user WITH PASSWORD 'zyx';
>  
> > GRANT SELECT ON ALL TABLE patients TO unprivileged_user;
> > GRANT SELECT ON ALL TABLE patients TO privileged_user;
> > GRANT SELECT_MASKED ON ALL TABLE patients TO privileged_user;
>  
> > LOGIN unprivileged_user
> > SELECT name, birth FROM patients WHERE name='alice' ALLOW FILTERING;
>  
> Unauthorized: Error from server: code=2100 [Unauthorized] message="User has 
> no UNMASK nor SELECT_UNMASK permission on <table k.patients>"
>              
> > LOGIN privileged_user
> > SELECT name, birth FROM patients WHERE name='alice' ALLOW FILTERING;
>  
>  name    | birth
> ---------+------------
>  alXXXXe | 1900-01-01
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to