Support Forums : DataStax

DataStax Support Forums » Apache Cassandra

GRANT and REVOKE explanation for CQL3 (cassandra 1.2.0)

(4 posts) (2 voices)

Started 5 months ago by sarch
Latest reply from khahn
This topic is not a support question

Tags:

No tags yet.

sarch
Member

I'm trying to implement an internal Cassandra-as-a-service and want to use the permissions/authorization in CQL3 to implement this.

Is there any explanation of how GRANT/REVOKE is supposed to work in cassandra >= 1.2.0? I've played around with it a bit, but it can only be done at the column-family (/table) level. I can't find a way of applying GRANT privileges on an entire keyspace or inherit them for new column families that are created.

Does anyone know how they are supposed to function?

Posted 5 months ago #
khahn
Member

I found an explanation of how GRANT/REVOKE is supposed to work in cassandra >= 1.2.0, but have not actually tried this: http://www.datastax.com/dev/blog/dynamic-permission-allocation-in-cassandra-1-1

The official DataStax 1.2 docs do not include information about GRANT/REVOKE. Authentication and authorization are briefly covered in http://www.datastax.com/docs/1.2/configuration/authentication. Hope this helps.

Posted 5 months ago #
sarch
Member

khahn, thanks for the info, but unfortunately I've already found those pages.

The datastax blog about dynamic permissions is out of date now with 1.2.0 ('GRANT FULL_ACCESS ...'; 'LIST GRANTS ...'; and 'GRANT UPDATE ON ks' all don't work).

And as you've discovered, the official 1.2 documentation don't mention GRANT and the CQL3 spec mentions that they are keywords, but do not have any more information on how to use them.

I was hoping that there would be some internal documentation or mailings that would shed some light on the issue. At the moment I'm having to bastardise the code to make it fit what it says it should do.

Posted 5 months ago #
khahn
Member

Sorry for the delay and that you were inconvenienced by the outdated material.

GRANT PERMISSIONS
Provides users access to database objects.

GRANT ALL| ALL PERMISSIONS permission_name PERMISSION ON resource TO user WITH GRANT OPTION

(there are options in this syntax that don't copy over)

permission_name is one of these:

ALL
ALL PERMISSIONS
ALTER
AUTHORIZE
CREATE
DROP
FULL_ACCESS
MODIFY
NO_ACCESS
SELECT

resource is one of these:

ALL KEYSPACES
KEYSPACE keyspace_name
TABLE keyspace_name.table_name

Description

Permissions to access all keyspaces, a named keyspace, or a table can be granted to a user. This table lists the permissions needed to use cqlsh statements:

Permission cqlsh Statements
ALTER ALTER KEYSPACE, ALTER TABLE, CREATE INDEX, DROP INDEX
AUTHORIZE GRANT, REVOKE
CREATE CREATE KEYSPACE, CREATE TABLE
DROP DROP KEYSPACE, DROP TABLE
MODIFY INSERT, DELETE, UPDATE, TRUNCATE
SELECT SELECT

The authorize permission gives a user the ability to grant access with the grant option, not just grant permissions to other users. Currently granting permissions on indexes and configuration options are not available at this time.

Examples

Give 'bashful' permission to perform SELECT queries on all tables in all keyspaces:

GRANT SELECT ON ALL KEYSPACES TO bashful;
Give 'dopey' permission to perform INSERT, UPDATE, DELETE and TRUNCATE queries on all tables in the 'woods' keyspace:

GRANT MODIFY ON KEYSPACE woods TO dopey;
Give 'doc' permission to perform ALTER KEYSPACE queries on the 'mines' keyspace, and also ALTER TABLE, CREATE INDEX and DROP INDEX queries on all tables in 'mines' keyspace:

GRANT ALTER ON KEYSPACE mines TO doc;
Give 'doc' permission to run all types of queries on cottage.chores table:

GRANT ALL PERMISSIONS ON cottage.chores TO doc;
SELECT permission

Permissions checks are recursive: To be able to perform SELECT queries on ‘my_table’ you have to have SELECT permission on the table OR on its parent keyspace OR on ALL KEYSPACES.

CREATE permission

To be able to CREATE TABLE you need CREATE permission on its parent keyspace or ALL KEYSPACES. etc. To be able to CREATE KEYSPACE you need CREATE permission on ALL KEYSPACES.

GRANT, REVOKE, and LIST

To grant access to a keyspace to just one user, assuming nobody else has ALL KEYSPACES access, you use this statement:

GRANT ALL ON KEYSPACE keyspace_name TO user_name
GRANT, REVOKE and LIST check for table/keyspace existence before execution. GRANT and REVOKE check for user existence after IAuthenticator rewrite is complete.

REVOKE PERMISSIONS

REVOKE ALL| ALL PERMISSIONS permission_name PERMISSION ON resource FROM user_name
permission_name is one of these:

ALL
ALL PERMISSIONS
ALTER
AUTHORIZE
CREATE
DROP
FULL_ACCESS
MODIFY
NO_ACCESS
SELECT

resource is one of these:

ALL KEYSPACES
KEYSPACE keyspace_name
TABLE keyspace_name.table_name

Description

Permissions to access all keyspaces, a named keyspace, or a table can be revoked from a user. This table lists the permissions needed to use cqlsh statements:

Permission cqlsh Statements
ALTER ALTER KEYSPACE, ALTER TABLE, CREATE INDEX, DROP INDEX
AUTHORIZE GRANT, REVOKE
CREATE CREATE KEYSPACE, CREATE TABLE
DROP DROP KEYSPACE, DROP TABLE
MODIFY INSERT, DELETE, UPDATE, TRUNCATE
SELECT SELECT

Example

REVOKE SELECT ON cottage.chores FROM doc;

The user doc can no longer perform SELECT queries on the cottage.chores table.

Posted 5 months ago #

RSS feed for this topic