Re: Turn off automatic granting

[Jonathan Koppenhofer]

Looks like this is already logged at CASSANDRA-11305
. I will comment
there. I'd be interested if others have feedback.

On Wed, Jun 9, 2021 at 9:32 AM Jonathan Koppenhofer 
wrote:

> Thanks!
>
> I'll put in a Jira to make this configurable. Maybe submit a patch if I
> can find time.
>
> On Tue, Jun 8, 2021, 6:49 PM Erick Ramirez 
> wrote:
>
>> There's definitely a case for separation of duties. For example, admin
>> roles who have DDL permissions should not have DML access. To achieve this,
>> you'll need to manage the permissions at a granular level and revoke
>> permissions from the role. Cheers!
>>
>>>

Re: Turn off automatic granting

[Jonathan Koppenhofer]

Thanks!

I'll put in a Jira to make this configurable. Maybe submit a patch if I can
find time.

On Tue, Jun 8, 2021, 6:49 PM Erick Ramirez 
wrote:

> There's definitely a case for separation of duties. For example, admin
> roles who have DDL permissions should not have DML access. To achieve this,
> you'll need to manage the permissions at a granular level and revoke
> permissions from the role. Cheers!
>
>>

Re: Turn off automatic granting

[Erick Ramirez]

There's definitely a case for separation of duties. For example, admin
roles who have DDL permissions should not have DML access. To achieve this,
you'll need to manage the permissions at a granular level and revoke
permissions from the role. Cheers!

>

Turn off automatic granting

[Jonathan Koppenhofer]

Hi,

In a highly managed environment "automatics granting" (
https://cassandra.apache.org/doc/latest/cql/security.html#automatic-granting)
may not always be desirable. Is there any way to turn this off? Or what
have people done to work around cases where they don't want this.

Some use cases:
- We may have a user that can create schema, but don't want that user to
allow authorization to that resource
- the user already has keyspace permissions, and we don't want it
duplicated at the table level if they create a table.

Thanks