[
https://issues.apache.org/jira/browse/CASSANDRA-13985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16243985#comment-16243985
]
Sam Tunnicliffe edited comment on CASSANDRA-13985 at 11/8/17 2:19 PM:
--
In general I agree with the aim of this ticket, but I think perhaps we should
come at it from a different angle.
First, DCs don't fit well into the authz model as it's defined currently, with
Roles, Resources & Permissions, so we have to extend that model and make DC a
first class citizen. I don't think this is huge problem in itself, but it
follows that if we do that we should do the same for Capabilities as proposed
in CASSANDRA-8303. I appreciate that that ticket is still in discussion and
also hasn't moved in quite a while, but I do think it's still worth doing and
plan/hope to get back to it soon. Adding another component to either of those
models is going to increase complexity which is always best avoided in this
area.
Second, I'm not altogether convinced that having a given user's permissions (or
capabilities) modified by DC is the right way to go. Having varying privileges
dependent on which coordinator you happen to be connected to seems like it
could end up being a bit counter-intuitive. My feeling is that it makes more
sense to control whether a role is permitted to access a location at all. If
so, then normal permissions should apply.
Third, I'm not a big fan of the implicit granting by omission, even though it's
more or less consistent with the way permissions work, it somehow feels kind of
jarring here (but I'm afraid I'm struggling to articulate exactly why).
These things make me think that this might be better implemented as an entirely
separate feature, distinct from permissions and capabilities. Rather than
adding complexity by extending those models we could add a new thing which
simply bans a user from connecting to nodes in a given DC or blocks execution
of CQL statements for already connected clients. This would be really simple to
implement and would provide better separation from the code and concepts of
permissions and capabilities.
was (Author: beobal):
In general I agree with the aim of this ticket, but I think perhaps we should
come at it from a different angle.
First, DCs don't fit well into the authz model as it's defined currently, with
Roles, Resources & Permissions, so we have to extend that model and make DC a
first class citizen. I don't think this is huge problem in itself, but it
follows that if we do that we should do the same for Capabilities as proposed
in CASSANDRA-8303. I appreciate that that ticket is still in discussion and
also hasn't moved in quite a while, but I do think it's still worth doing and
plan/hope to get back to it soon. Adding another component to either of those
models is
Second, I'm not altogether convinced that having a given user's permissions (or
capabilities) modified by DC is the right way to go. Having varying privileges
dependent on which coordinator you happen to be connected to seems like it
could end up being a bit counter-intuitive. My feeling is that it makes more
sense to control whether a role is permitted to access a location at all. If
so, then normal permissions should apply.
Third, I'm not a big fan of the implicit granting by omission, even though it's
more or less consistent with the way permissions work, it somehow feels kind of
jarring here (but I'm afraid I'm struggling to articulate exactly why).
These things make me think that this might be better implemented as an entirely
separate feature, distinct from permissions and capabilities. Rather than
adding complexity by extending those models we could add a new thing which
simply bans a user from connecting to nodes in a given DC or blocks execution
of CQL statements for already connected clients. This would be really simple to
implement and would provide better separation from the code and concepts of
permissions and capabilities.
> Support restricting reads and writes to specific datacenters on a per user
> basis
>
>
> Key: CASSANDRA-13985
> URL: https://issues.apache.org/jira/browse/CASSANDRA-13985
> Project: Cassandra
> Issue Type: Bug
>Reporter: Blake Eggleston
>Assignee: Blake Eggleston
>Priority: Minor
>
> There are a few use cases where it makes sense to restrict the operations a
> given user can perform in specific data centers. The obvious use case is the
> production/analytics datacenter configuration. You don’t want the production
> user to be reading/or writing to the analytics datacenter, and you don’t want
> the analytics user to be reading from the production datacenter.
> Although we expect users to get this right