Abe Ratnofsky created CASSANDRA-18520:
-----------------------------------------

             Summary: Support GRANT REVOKE for DESCRIBE KEYSPACES / KEYSPACE / TABLE
                 Key: CASSANDRA-18520
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18520
             Project: Cassandra
          Issue Type: Improvement
            Reporter: Abe Ratnofsky


Currently, users cannot REVOKE DESCRIBE KEYSPACE, based on the documentation 
here[1] and my test here[2]. This means that all users can describe all 
keyspaces and tables, even if they can't access the data within them.

It should be possible to prevent users from describing certain resources, since 
that leaks schema information. If a user is not permitted to DESCRIBE a certain 
resource, then DESCRIBE KEYSPACES should work correctly but exclude the revoked 
resources.

[1]: https://cassandra.apache.org/doc/latest/cassandra/cql/security.html#data-control
[2]: Example here:
```
cqlsh> GRANT DESCRIBE on KEYSPACE keyspace1 TO user1;
SyntaxException: Resource type DataResource does not support any of the requested permissions
```


