RFC: role based access control#20149
Conversation
|
This change is |
|
Adding reviewers:
|
mberhault
force-pushed
the
marc/RFC_rbac
branch
from
ada7ff1 to
bd68423
Compare
|
BTW: I'm sending this out early for initial comments on the lookup problem. I will keep polishing it a bit. |
|
Thanks marc for tackling this feature.
-- we use both tables, the first one as the authoritative source of direct membership
create table roles(name string primary key, members string[]);
-- and the second one for lookups, `roles` contains all the direct and indirect roles the member is part of
create table members(name string primary key, roles string[]);
create table role_members(...); -- unchanged from RFC
create table role_lookup(member string primary key, role string); -- new: contains both direct and indirect membershipsthen a lookup is
Say a user X has direct (not via role) permission to access table T. Our current mechanisms ensure that if the permissions on table T are changed (e.g. X doesn't have access to T any more, or user Y gets access), this translates to an update of descriptor T, which in turn bumps the version of the descriptor, which in turn ensures that any node has to wait for existing leases to expire when they want to access T, so they see the new permission configuration. I think we can solve this by leasing user/role records to nodes for caching. I'm not sure on the details though. |
|
Reviewed 1 of 1 files at r1. Comments from Reviewable |
all files reviewed at latest revision, all discussions resolved, all commit checks successful.
|
Thanks @knz. I've updated the RFC with:
I unfortunately know nothing about leases, so I'm not sure what this would look like. I'm also trying to figure out what PostgreSQL does for privilege/role manipulation and how it interacts with existing sessions/transaction/queries. I don't think we've defined our behavior well either. |
mberhault
force-pushed
the
marc/RFC_rbac
branch
2 times, most recently
from
4390a42 to
f5e1ae8
Compare
|
Thanks for the quick turnaround. To flesh out caching and the interaction with leases you'll probably need help from Andrei, Jordan and/or Vivek. Reviewed 1 of 1 files at r2. Comments from Reviewable |
|
Review status: all files reviewed at latest revision, 9 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 1 at r1 (raw file):
Nit but it should be "role-based" everywhere docs/RFCS/20171118_role_based_access_control.md, line 47 at r1 (raw file):
Nit I would suggest "Role-based access control is an enterprise feature." docs/RFCS/20171118_role_based_access_control.md, line 51 at r1 (raw file):
This appears to be a circular definition by using role to define role. I understand you mean that a role can contain other roles but I do not think that this is clear. I would suggest defining this as a role is a group containing one or more users. Then expand that to say, a role can also contain other roles. docs/RFCS/20171118_role_based_access_control.md, line 70 at r1 (raw file):
I also think its useful to discuss the ability to change privileges for a role rather than each individual user. docs/RFCS/20171118_role_based_access_control.md, line 135 at r1 (raw file):
Are there any limits on the number of roles that can be created? docs/RFCS/20171118_role_based_access_control.md, line 153 at r1 (raw file):
nit but this should be CockroachDB docs/RFCS/20171118_role_based_access_control.md, line 231 at r1 (raw file):
Does this mean root can never be deleted from it too? docs/RFCS/20171118_role_based_access_control.md, line 479 at r1 (raw file):
We can't sacrifice correctness this at all. docs/RFCS/20171118_role_based_access_control.md, line 575 at r1 (raw file):
I think we need to resolve our approach during the RFC period Comments from Reviewable |
|
Review status: all files reviewed at latest revision, 10 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 577 at r1 (raw file):
We need to add control for this within the UX. Is there anything we need to do now, in the original implementation, to enable this expansion in the future? Comments from Reviewable |
|
Review status: all files reviewed at latest revision, 10 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 1 at r1 (raw file): Previously, awoods187 (Andy Woods) wrote…
Done. That's the only place I used the phrasing. docs/RFCS/20171118_role_based_access_control.md, line 47 at r1 (raw file): Previously, awoods187 (Andy Woods) wrote…
Done. docs/RFCS/20171118_role_based_access_control.md, line 51 at r1 (raw file): Previously, awoods187 (Andy Woods) wrote…
Done. docs/RFCS/20171118_role_based_access_control.md, line 70 at r1 (raw file): Previously, awoods187 (Andy Woods) wrote…
Done. docs/RFCS/20171118_role_based_access_control.md, line 135 at r1 (raw file): Previously, awoods187 (Andy Woods) wrote…
nope. added to the list of rules above. docs/RFCS/20171118_role_based_access_control.md, line 153 at r1 (raw file): Previously, awoods187 (Andy Woods) wrote…
not done. docs/RFCS/20171118_role_based_access_control.md, line 231 at r1 (raw file): Previously, awoods187 (Andy Woods) wrote…
yup. Added. docs/RFCS/20171118_role_based_access_control.md, line 479 at r1 (raw file): Previously, awoods187 (Andy Woods) wrote…
We'll have to sacrifice something if we don't want to be insanely slow. The right balance will have to be determined. docs/RFCS/20171118_role_based_access_control.md, line 575 at r1 (raw file): Previously, awoods187 (Andy Woods) wrote…
That's why it's under "unresolved questions". These must all be resolved before the RFC can be enter FCP. docs/RFCS/20171118_role_based_access_control.md, line 577 at r1 (raw file): Previously, awoods187 (Andy Woods) wrote…
added a Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 12 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 53 at r3 (raw file):
I know this doesn't say roles can have privileges exclusively on SQL objects, we need to make sure this system can scale beyond SQL. For example, would this system let us control who can do certain operations in the admin UI ? cc @awoods187 @dianasaur323 docs/RFCS/20171118_role_based_access_control.md, line 141 at r3 (raw file):
How are new privileges created and where do they live? Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 12 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 53 at r3 (raw file): Previously, nstewart (Nate) wrote…
There's no concept of privileges for the admin UI right now, and it's not within scope of this RFC to add them. That said, any privilege (including admin UI access) can be added, either applied to a specific object (eg: a table), or to a user/role (eg: user/role attributes, which are also out of scope) docs/RFCS/20171118_role_based_access_control.md, line 141 at r3 (raw file): Previously, nstewart (Nate) wrote…
there are no new privileges. roles can be granted the same privileges that users currently get and no changes are done in the way they are stored (they're in the database and table descriptors) Comments from Reviewable |
|
docs/RFCS/20171118_role_based_access_control.md, line 53 at r3 (raw file): Previously, mberhault (marc) wrote…
Right. Wasnt thinking we add them now, but just want to make sure that we had a path to support them with this system when the time comes. Comments from Reviewable |
|
cc @andreimatei @jordanlewis @vivekmenezes Could one of you provide your thoughts on how leases could interact efficiently with roles? |
|
docs/RFCS/20171118_role_based_access_control.md, line 53 at r3 (raw file): Previously, nstewart (Nate) wrote…
from the admin UI perspective, I think this LGTM for now. I believe our first step was to just persist privileges based on the roles. That being said, there could be other privileges outside of SQL at some point, so agreed that we should keep that in mind. Comments from Reviewable |
mberhault
force-pushed
the
marc/RFC_rbac
branch
from
74df0c8 to
31728f1
Compare
|
Review status: 0 of 1 files reviewed at latest revision, 7 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 571 at r5 (raw file):
Why is this the preferred solution? Won't role lookups be more frequent than role manipulation? Do we have an understanding of how large this cost will be? Doesn't this solution need to be considered in the context of cacheing memberships? E.g., how that is resolved would impact the prefered option docs/RFCS/20171118_role_based_access_control.md, line 581 at r5 (raw file):
nit but I believe this should be either "very large roles" or "every large role" docs/RFCS/20171118_role_based_access_control.md, line 667 at r5 (raw file):
What is the currently preferred solution? I'm concerned with the accuracy performance tradeoff described above Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 7 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 571 at r5 (raw file): Previously, awoods187 (Andy Woods) wrote…
It isn't, it's just the most naive approach and probably a reasonable first pass. docs/RFCS/20171118_role_based_access_control.md, line 581 at r5 (raw file): Previously, awoods187 (Andy Woods) wrote…
Done. docs/RFCS/20171118_role_based_access_control.md, line 667 at r5 (raw file): Previously, awoods187 (Andy Woods) wrote…
No idea. I'm waiting for input from people familiar with leases. Most likely the final implementation will be none of the above. Comments from Reviewable |
vivekmenezes
left a comment
vivekmenezes
left a comment
There was a problem hiding this comment.
Nice writeup! thanks for putting it together.
| We propose the addition of SQL roles to facilitate user management. | ||
|
|
||
| A role can be seen as a group containing any number of "entities" as members. An entity can be a user or | ||
| another role. |
There was a problem hiding this comment.
there can be no cycles in this relationship
There was a problem hiding this comment.
This is mentioned in the set of rules in Role basics
| * roles and users use the same namespace (ie: if a user `marc` exists, we cannot create a role `marc`) | ||
| * users and roles can be members of roles | ||
| * membership loops are not allowed (direct: `A ∈ B ∈ A` or indirect: `A ∈ B ∈ C ... ∈ A`) | ||
| * all privileges of a role are inherited by all its members |
There was a problem hiding this comment.
A member cannot override the privileges granted to it from its parent role by revoking the privilege
There was a problem hiding this comment.
I don't know what that means. A given user has exactly the privileges granted to itself and all the roles it's a member of (directly or indirectly).
| ``` | ||
| GRANT myrole TO marc WITH ADMIN OPTION | ||
| ``` | ||
|
|
There was a problem hiding this comment.
If you run "GRANT role1 to role2" how do you undo the relationship without dropping role2?
There was a problem hiding this comment.
I see below that you want to use REVOKE for that.
| ``` | ||
| CREATE TABLE system.role_members ( | ||
| role STRING, | ||
| member STRING, |
There was a problem hiding this comment.
Using Foreign Keys here will make it simpler to manage. Do we want to use Foreign Keys? We would need to have two columns user_member and role_member (a self referential key)
There was a problem hiding this comment.
Or should we be using the OID type to reference these?
There was a problem hiding this comment.
Self-referential keys are currently a problem and don't really add anything. We have plenty of checks and cleanup to do when dropping a user, removing its role_members entries is pretty straightforward.
AFAICT, OIS is just an alias used in the virtual tables. The virtual tables section uses those, but I don't think we need them internally.
| and must do so for every SQL operation. | ||
|
|
||
| The [Caching memberships](#caching-memberships) options would make this much more efficient but would | ||
| sacrifice correctness when roles/privileges are changed within a transaction. |
There was a problem hiding this comment.
I think we ought to do this. By caching table schema on nodes today we run into the same correctness issues. In particular we support ATOMIC transactions on Schema but not SERIALIZABLE transactions.
There was a problem hiding this comment.
From a correctness perspective, we absolutely shouldn't, but then again, we shouldn't have privileges in descriptors either.
The caching memberships section is where some of those improvements are proposed, but all of them suck. There may be something we could do w.r.t descriptor leases, but this I where I need some help understanding the options.
There was a problem hiding this comment.
Schema changes return to a user when they are fully applied. This is done by incrementing the version on the schema and waiting until there are no outstanding leases on the previous version. I think you can list this as a limitation of the current implementation and do nothing about it for 2.0 . We do not want to support schema changes (version upgrades) on system tables.
Another thought is to create another table (non system one called role_versions) that can be used by nodes needing a cache of the table data. Caching the system table data requires acquiring a lease on the role_schema table. modifying the system table will also modify the schema of the new table by publishing a new version and waiting for it to be published throughout the cluster. But I feel it's best not done in this RFC.
|
Review status: 0 of 1 files reviewed at latest revision, 13 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 652 at r6 (raw file):
There's an RFC about table descriptor leases that has been updated recently; you can read there about how they work and if you have any questions I'm happy to talk about it. Similarly, it seems to me that "leasing" a privilege shouldn't be a thing. Like, if I want to revoke access to evil_bitcoin_thief, I don't want to be told that the user had its privilege locked-in for another 5 minutes through a lease. What I think is the sane thing to do here is to divorce the storage and access of privileges from table descriptors, and have a caching mechanism with TTL for them (with background refresh), plus a best-effort cache invalidation mechanism for revocations (based on gossip). Comments from Reviewable |
|
@vivekmenezes, @jordanlewis, @knz: thank you for the brainstorming session. I still want to put more details in there including code samples, but I'm going through docs and code first. Feel free to take a look and correct any mistakes on my part. |
|
Review status: 0 of 1 files reviewed at latest revision, 13 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 304 at r7 (raw file): Previously, mberhault (marc) wrote…
I see. I suppose we can move forward with your plan. docs/RFCS/20171118_role_based_access_control.md, line 430 at r7 (raw file): Previously, mberhault (marc) wrote…
True, but in reality that doesn't seem important in the 2.0 timeframe. I'd just create a limitation that we can address later when we have someone using cockroach with like tens of thousands of users. Comments from Reviewable |
Release Note: none (mostly not a user-visible change unless they really dig around). The [rbac RFC](cockroachdb#20149) proposes the addition of a fixed `admin` role, with default member `root`. Membership management becomes a lot simpler if root actually has an entry in the users table. Root is still special in the sense that: * it cannot be dropped (already enforced by remaining permissions, but now with extra check) * it cannot have a password (`ALTER ... WITH PASSWORD` not allowed, and password always returned as nil to avoid the "hacky way" of setting it)
a-robinson
left a comment
a-robinson
left a comment
There was a problem hiding this comment.
Very well thought out!
|
|
||
| For example: | ||
| * role `employees` has `ALL` privileges on table `mydb.employee_data` | ||
| * user `marc` is a member of `employees` (also written: `marc ∈ employees` |
There was a problem hiding this comment.
Done. Feeling tense?
| * membership loops are not allowed (direct: `A ∈ B ∈ A` or indirect: `A ∈ B ∈ C ... ∈ A`) | ||
| * all privileges of a role are inherited by all its members | ||
| * privileges on a table/database can be assigned to roles and users | ||
| * only the admin role can create/drop roles |
There was a problem hiding this comment.
Why shouldn't others be able to create roles?
And why shouldn't a role admin be able to drop the role they are the admin for?
There was a problem hiding this comment.
similar to databases, we don't have the concept of an "owner". In postgresql, you need CREATEROLE privileges which are disconnected from the "role admin" membership type.
| DROP ROLE IF EXISTS myrole | ||
| ``` | ||
|
|
||
| Dropping a role will fail if it still has privileges on database objects. |
There was a problem hiding this comment.
Even indirect privileges via membership in another role?
There was a problem hiding this comment.
Nope, just privileges directly assigned. Memberships get automatically dropped but you need to clear out privileges first. Clarified the comment.
| * adding a member of a role (`GRANT myrole TO ...`) | ||
| * removing a member from a role (`REVOKE myrole TO ...`) | ||
|
|
||
| The following will function without an enterprise license: |
There was a problem hiding this comment.
How does this interact with non-CCL builds? Is it just the code for managing roles that's CCL'ed?
There was a problem hiding this comment.
Yeah, but there's some question about code location. This is so similar to users for some bits that splitting it into CCL and OSS is really making life purposefully difficult for ourselves.
There was a problem hiding this comment.
But the answer is yes: create/drop/grant/revoke for roles will be CCL. Granting privileges to a role will still work as will permission checks (obviously). We do need to make sure we get a nice "you need a CCL build and license" message if you run them in the OSS binary.
I think this is a fair way of doing it but I'm open to suggestions.
| );` | ||
| ``` | ||
|
|
||
| Depending on the complexity of migration, we may be able to rename the `username` field and even the table |
There was a problem hiding this comment.
We'd probably want to do this with a view to preserve compatibility with existing queries against the users table.
There was a problem hiding this comment.
you mean we "don't want to do this"?
There was a problem hiding this comment.
Some sort of changeover/migration is fine with me, it just seems that we'll either need a view for system.users if we do move all the data or a view for system.roles if we don't move all the data.
| ``` | ||
| CREATE TABLE system.role_members ( | ||
| role STRING, | ||
| member STRING, |
There was a problem hiding this comment.
I take it that renaming a user/role isn't possible? If it was I'd expect to see IDs be used for membership.
There was a problem hiding this comment.
correct. That would be the alter command which is not currently supported. Adding details along with other things about alter in out-of-scope section.
We could use IDs, but two things make this undesirable:
- migrations are already tricky, re-keying the users table would be horrible
- rename is rare and is not in the path of regular queries so it's ok to be slow
There was a problem hiding this comment.
Well we could get around the re-keying issue by just adding an ID column with a secondary index on it. You're right that rename is rare, we'll just need to have very good testing to make sure we don't leave any references around to the old name. Things like foreign table references and view dependencies have had bugs in their initial implementations.
|
|
||
| For alternate representations [Internal representation of memberships](#internal-representation-of-memberships). | ||
|
|
||
| ### New SQL statements |
There was a problem hiding this comment.
Is the ALTER ROLE statement being left out because we don't really need it yet or because we explicitly don't want it?
There was a problem hiding this comment.
We don't need it, the only things you can do with it is change attributes (which we don't have) and rename.
Added to out-of-scope section
There was a problem hiding this comment.
We do have the ADMIN attribute, but understood.
There was a problem hiding this comment.
ADMIN is an option of the membership, not the role. This can be changed in REVOKE <role> FROM <user> ADMIN OPTION.
|
|
||
| ### New SQL statements | ||
|
|
||
| We propose the some new and some modified SQL statements, all mimicking the corresponding statements |
| We should decide what to do if a user with that name exists. Some possibilities: | ||
| * just overwrite it (clear the password hash and set the `isRole` field) and document the upgrade breakage. | ||
| * rename it: this would involve renaming all privileges as well. Surfacing this to the user would be tricky. | ||
| * fail the migration with a message clearly saying the user must be removed/renamed. |
There was a problem hiding this comment.
I'd vote for this along with a release note, for what it's worth
There was a problem hiding this comment.
Except I don't think we have a good way to 1) notify users, and 2) resume the migration after the problem has been fixed.
This would involve the concept of "skippable" and "resumable" migrations. I'm voting for "just overwrite it", mostly because that's by far the safest solution.
There was a problem hiding this comment.
It's not safe for someone that has an admin user and won't be able to log in as them after the upgrade.
If it changes anything, I interpret "fail the migration" as "crash the server with a log.Fatal message explaining what needs to be done".
There was a problem hiding this comment.
So log fatal and ask them to start with an older binary and remove the user? That's one option albeit a radical one.
There was a problem hiding this comment.
Or if it's part of a cluster, just connect to one of the already running nodes and do it.
| ### Enterprise enforcement workarounds | ||
|
|
||
| Even though we disable manipulation (create, drop, add/remove members, grant/revoke privileges) or roles | ||
| for non-enterprise users, admin users can still manipulate the system tables storing roles and role |
There was a problem hiding this comment.
We'd like to make it so that only the node user/role can write to certain system tables (#19277). This is another nice motivating use case.
There was a problem hiding this comment.
Yup, I'm definitely in favor of changing that. Getting around CCL is one point in favor but the biggest one is that it's way too easy for people to shoot themselves in the foot.
|
Review status: 0 of 1 files reviewed at latest revision, 27 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 674 at r8 (raw file): Previously, a-robinson (Alex Robinson) wrote…
I'd also prefer a docs/RFCS/20171118_role_based_access_control.md, line 422 at r9 (raw file):
Using For comparison, how are non-role grants propagated? It seems like role memberships should be propagated in the same way. docs/RFCS/20171118_role_based_access_control.md, line 472 at r9 (raw file):
So we will be adding special "is admin" checks everywhere? It would be nice if we could create new permissions for all admin functionality so these permissions could be granted to other users. If introducing permissions that don't correspond to tables or other schema objects is a headache we don't have to do it here, but while we're changing all the docs/RFCS/20171118_role_based_access_control.md, line 670 at r9 (raw file):
Is it important that the new role be named How likely is it that we will need to create other special user/role names in the future? Should we think about carving out some sort of reserved namespace? docs/RFCS/20171118_role_based_access_control.md, line 674 at r9 (raw file):
Mention somewhere that you should not be able to log in with a certificate that was generated for a role instead of a user. Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 27 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 310 at r8 (raw file): Previously, a-robinson (Alex Robinson) wrote…
I'm not sure we need one. The only external tool of ours that uses it is docs/RFCS/20171118_role_based_access_control.md, line 322 at r8 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Agreed. docs/RFCS/20171118_role_based_access_control.md, line 674 at r8 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Works for me. docs/RFCS/20171118_role_based_access_control.md, line 422 at r9 (raw file): Previously, bdarnell (Ben Darnell) wrote…
grants are still stored the same way, inside the db/table descriptors (they don't care if they're given to a user or role). I really don't want to expand roles memberships into the descriptors, that seems overkill. Ideally, I would like to get privileges out of the descriptors entirely. Whatever system we use here can be used for that as well. I'm also a little iffy about using leases to do this. I should be able to start testing various methods sometime this week. docs/RFCS/20171118_role_based_access_control.md, line 472 at r9 (raw file): Previously, bdarnell (Ben Darnell) wrote…
I've already refactored some check to be A future extension will be to add user (and role, same thing really) attributes. Postgresq has a docs/RFCS/20171118_role_based_access_control.md, line 670 at r9 (raw file): Previously, bdarnell (Ben Darnell) wrote…
It's not that important, but I don't particularly see the appeal of a different name. The only things I can think of are: 1) collision with existing docs/RFCS/20171118_role_based_access_control.md, line 674 at r9 (raw file): Previously, bdarnell (Ben Darnell) wrote…
It's mentioned briefly in the Comments from Reviewable |
|
No more unresolved questions:
|
mberhault
force-pushed
the
marc/RFC_rbac
branch
from
6e4b282 to
ead1ea7
Compare
|
Reviewed 1 of 1 files at r10. docs/RFCS/20171118_role_based_access_control.md, line 310 at r8 (raw file): Previously, mberhault (marc) wrote…
I thought there was an implicit contract that we wouldn't break queries that rely on system tables, but maybe I'm mistaken. Someone from the SQL team would know better than me. docs/RFCS/20171118_role_based_access_control.md, line 373 at r10 (raw file):
s/remote/remove docs/RFCS/20171118_role_based_access_control.md, line 386 at r10 (raw file):
s/remote/remove Comments from Reviewable |
mberhault
force-pushed
the
marc/RFC_rbac
branch
from
ead1ea7 to
2692b53
Compare
|
Review status: 0 of 1 files reviewed at latest revision, 27 unresolved discussions. docs/RFCS/20171118_role_based_access_control.md, line 310 at r8 (raw file): Previously, a-robinson (Alex Robinson) wrote…
I've never heard of it but that would indeed seriously impact this. docs/RFCS/20171118_role_based_access_control.md, line 373 at r10 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done. docs/RFCS/20171118_role_based_access_control.md, line 386 at r10 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done. Comments from Reviewable |
|
Reviewed 1 of 1 files at r11. docs/RFCS/20171118_role_based_access_control.md, line 310 at r8 (raw file): Previously, mberhault (marc) wrote…
I don't think we guarantee backwards-compatibility for direct access to Comments from Reviewable |
|
Review status: all files reviewed at latest revision, 24 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 310 at r8 (raw file): Previously, bdarnell (Ben Darnell) wrote…
This one is fairly easy, at least the fact that there's a new column (tests for migrations with backfill were a different story). Comments from Reviewable |
|
Review status: all files reviewed at latest revision, 25 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 201 at r8 (raw file): Previously, mberhault (marc) wrote…
I think it's worth supporting a docs/RFCS/20171118_role_based_access_control.md, line 111 at r11 (raw file):
nit: s/is be/is/ Comments from Reviewable |
|
Review status: all files reviewed at latest revision, 25 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 174 at r6 (raw file): Previously, vivekmenezes wrote…
Done. docs/RFCS/20171118_role_based_access_control.md, line 559 at r6 (raw file): Previously, vivekmenezes wrote…
Done. docs/RFCS/20171118_role_based_access_control.md, line 652 at r6 (raw file): Previously, andreimatei (Andrei Matei) wrote…
Done. docs/RFCS/20171118_role_based_access_control.md, line 201 at r8 (raw file): Previously, jordanlewis (Jordan Lewis) wrote…
Postgres doesn't use docs/RFCS/20171118_role_based_access_control.md, line 111 at r11 (raw file): Previously, jordanlewis (Jordan Lewis) wrote…
Done. Comments from Reviewable |
|
No movement in about a week. If there are no objections, I'd like to move to FCP. |
|
Review status: 0 of 1 files reviewed at latest revision, 25 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 422 at r9 (raw file): Previously, mberhault (marc) wrote…
Has thinking on this advanced? Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 25 unresolved discussions, all commit checks successful. docs/RFCS/20171118_role_based_access_control.md, line 422 at r9 (raw file): Previously, andreimatei (Andrei Matei) wrote…
Nope. My plan is to start with a naive implementation (expand role memberships every time), then experiment with various solutions to notify the cache that a refresh is needed. Leases and gossip are both candidates. Comments from Reviewable |
|
Moving to FCP. ETA for close is Wednesday Dec 20th. |
|
Reviewed 1 of 1 files at r12. Comments from Reviewable |
This is the initial RFC for role based access control. The big caveat is the cost of expanding role memberships. Until this can be done cheaply, this RFC is probably a non-starter.
mberhault
force-pushed
the
marc/RFC_rbac
branch
from
442d980 to
74a64e3
Compare
Release Note: none (mostly not a user-visible change unless they really dig around). The [rbac RFC](cockroachdb/cockroach#20149) proposes the addition of a fixed `admin` role, with default member `root`. Membership management becomes a lot simpler if root actually has an entry in the users table. Root is still special in the sense that: * it cannot be dropped (already enforced by remaining permissions, but now with extra check) * it cannot have a password (`ALTER ... WITH PASSWORD` not allowed, and password always returned as nil to avoid the "hacky way" of setting it)
12 participants
This is the initial RFC for role based access control.
The big caveat is the cost of expanding role memberships.
Until this can be done cheaply, this RFC is probably a non-starter.