CASSANDRA-17027: Allow to grant permission for all tables in a keyspace #1263
Nit: there are a few double spaces around here
| assertUnauthorizedQuery("User user has no SELECT permission on <table " + table + "> or any of its parents", | |
| formatQuery(KEYSPACE_PER_TEST, "SELECT * FROM %s WHERE pk = 1 AND ck = 1")); | |
| assertUnauthorizedQuery("User user has no MODIFY permission on <table " + table + "> or any of its parents", | |
| formatQuery(KEYSPACE_PER_TEST, "TRUNCATE TABLE %s")); | |
| assertUnauthorizedQuery("User user has no ALTER permission on <table " + table + "> or any of its parents", | |
| formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE %s ADD val_2 int")); | |
| assertUnauthorizedQuery("User user has no DROP permission on <table " + table + "> or any of its parents", | |
| assertUnauthorizedQuery("User user has no SELECT permission on <table " + table + "> or any of its parents", | |
| formatQuery(KEYSPACE_PER_TEST, "SELECT * FROM %s WHERE pk = 1 AND ck = 1")); | |
| assertUnauthorizedQuery("User user has no MODIFY permission on <table " + table + "> or any of its parents", | |
| formatQuery(KEYSPACE_PER_TEST, "TRUNCATE TABLE %s")); | |
| assertUnauthorizedQuery("User user has no ALTER permission on <table " + table + "> or any of its parents", | |
| formatQuery(KEYSPACE_PER_TEST, "ALTER TABLE %s ADD val_2 int")); | |
| assertUnauthorizedQuery("User user has no DROP permission on <table " + table + "> or any of its parents", |
I understand that this is here to generate a new currentTable() for the calls to formatQuery below, although it seems incidentally no-op here, is this right? Could we add a brief inline comment like create a new table name for the next calls to formatQuery?
Do we need the changes in this file?
It's great that we have this available! :)
I guess it should be ensureAllTablesPermission
Maybe we could add coverage for some other queries, such as UPDATE and DELETE as it's done here, and perhaps even create/drop indexes and MVs, wdyt?
NEWS.txt
| - A new ALL TABLES IN KEYSPACE resource has been added. It allows to grant permission for all tables and user types | |
| in a keyspace while preventing the user to use those permission on the keyspace itself. | |
| - A new ALL TABLES IN KEYSPACE resource has been added. It allows to grant permissions for all tables and user types | |
| in a keyspace while preventing the user to use those permissions on the keyspace itself. |
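Review bot: in the second line of the NEWS.txt entry, "preventing the user to use those permissions on the keyspace itself" should read "preventing the user from using those permissions on the keyspace itself", and "It allows to grant" in the first line reads better as "It allows granting". The entry also says the resource covers "all tables and user types" while its name is ALL TABLES IN KEYSPACE; a short clause stating that user types are included on purpose would keep operators from assuming the grant is table-only.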
| self.trycompletions( | |
| "GR", | |
| immediate='ANT ') | |
| self.trycompletions("GR", | |
| immediate='ANT ') |
I would probably keep the formatting for this and all following invocations similar to the one used in the other tests in the same class.
Maybe we can add before the class @SuppressWarnings("SingleCharacterStringConcatenation") to remove the noise from the warnings?
This warning seems to be an IDEA warning so I am reluctant to add annotation for those things to the code base.
I am not sure, didn't you mean it to be 0 actually for disable?
Any number less than or equal to zero will disable caching. I will change it to zero if it makes things less confusing.
Yes, while it works it is documented (both cassandra.yaml and the website documentation) to use 0 for disable and a quick check shows me that in other unit tests (JMXAuthTest, UFAuthTest) we use 0. So I think it will indeed make it less confusing and more consistent if we keep it 0. Thank you :-)
In some cases it is useful to prevent users from altering or dropping a keyspace while allowing them to create new tables. This patch adds support for a new DataResource below KEYSPACE but above TABLE. The syntax to grant permission at this level is ALL TABLES IN KEYSPACE.
Committed manually
We cannot go to DC yet because we need a two phase roll out where any component that reads sai indexes can already read DC, but we haven't deployed the DC reading code yet (there are still pending fixes).
In some cases it is useful to prevent users from altering or dropping a keyspace
while allowing them to create new tables.
This patch adds support for a new DataResource below KEYSPACE but above
TABLE. The syntax to grant permission at this level is ALL TABLES IN
KEYSPACE.
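
The resource level described in the patch summary, as an added example that is not part of the PR or of Cassandra's code: a simplified Python model of a permission check that walks from a resource up through its parents, with a level between keyspace and table. The tuple layout, the `ALL_TABLES` marker, the role `app` and the keyspace names are hypothetical, and the model assumes CREATE TABLE is checked against the all-tables level.

```python
# Simplified model of hierarchical data resources (not Cassandra's code).
#   ("data",)                      root: all keyspaces
#   ("data", ks)                   KEYSPACE ks
#   ("data", ks, ALL_TABLES)       ALL TABLES IN KEYSPACE ks
#   ("data", ks, ALL_TABLES, tbl)  TABLE ks.tbl
ALL_TABLES = "*"  # hypothetical marker for the new level


def keyspace(ks):
    return ("data", ks)


def all_tables(ks):
    return ("data", ks, ALL_TABLES)


def table(ks, tbl):
    return ("data", ks, ALL_TABLES, tbl)


def parents(resource):
    """Yield the resource itself, then each ancestor up to the root."""
    while resource:
        yield resource
        resource = resource[:-1]


class Authorizer:
    def __init__(self):
        self.grants = {}  # (role, resource) -> set of permission names

    def grant(self, role, permission, resource):
        self.grants.setdefault((role, resource), set()).add(permission)

    def allowed(self, role, permission, resource):
        # A permission held on the resource or any of its parents applies.
        return any(permission in self.grants.get((role, r), ())
                   for r in parents(resource))


def demo():
    auth = Authorizer()
    for perm in ("CREATE", "ALTER", "DROP", "SELECT", "MODIFY"):
        auth.grant("app", perm, all_tables("ks1"))  # constructed role/keyspace
    return {
        "create table in ks1": auth.allowed("app", "CREATE", all_tables("ks1")),
        "alter table ks1.t": auth.allowed("app", "ALTER", table("ks1", "t")),
        "alter keyspace ks1": auth.allowed("app", "ALTER", keyspace("ks1")),
        "drop keyspace ks1": auth.allowed("app", "DROP", keyspace("ks1")),
        "select from ks2.t": auth.allowed("app", "SELECT", table("ks2", "t")),
    }
```

A grant on the keyspace itself still reaches every table, because the keyspace is a parent of the all-tables level; the reverse does not hold, which is the separation the patch is after.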